A new botnet has been discovered by security researchers, who observed that it uses the infected machines to scan for the presence of point-of-sale systems and gain access to the information through brute-force attacks.

Los Angeles-based cyber threat intelligence firm IntelCrawler says that the name of the botnet project was released on the underground forums in May 2014.

According to the company, the malware it uses “collected indicators like subnet IP ranges and commonly used operators, supervisor, and back office administrator logins, some of which are default manufactures passwords for famous Point-of-Sale equipment.”

Some technical documentation provides the default credentials for initial access to the systems, and these credentials have been added to the dictionary used by the cybercriminals for the brute-force attacks.

Because the botnet is distributed, the operators behind it are capable of scanning multiple IPv4 network ranges for certain TCP ports, as well as using the brute-force technique to determine the log-in credentials for remote administration services like VNC, Microsoft RDP, and PCAnywhere.
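What this distribution means for detection, as an added example that is not from IntelCrawler or the original article: the sketch below counts failed logins per target across all source addresses, since attempts from a botnet are spread over many bots. The log format, thresholds and sample lines are constructed assumptions; the port numbers are the default TCP ports of the services named above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default TCP ports of the remote administration services named in the article.
REMOTE_ADMIN_PORTS = {3389: "RDP", 5900: "VNC", 5631: "pcAnywhere"}

# Constructed sample log (assumed format: ISO-time source target port result).
SAMPLE_LOG = """\
2014-07-09T10:00:01 192.0.2.10 10.0.0.20 3389 FAIL
2014-07-09T10:00:03 198.51.100.7 10.0.0.20 3389 FAIL
2014-07-09T10:00:05 203.0.113.44 10.0.0.20 3389 FAIL
2014-07-09T10:00:40 192.0.2.10 10.0.0.20 3389 FAIL
2014-07-09T10:01:10 198.51.100.7 10.0.0.20 3389 FAIL
2014-07-09T10:01:30 203.0.113.44 10.0.0.20 3389 FAIL
2014-07-09T10:02:00 10.0.0.5 10.0.0.21 5900 FAIL
2014-07-09T10:02:20 10.0.0.5 10.0.0.21 5900 OK
""".splitlines()

def parse(line):
    """Split one log line into (time, source, target, port, result)."""
    ts, src, dst, port, result = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), result

def detect_distributed_bruteforce(lines, window=timedelta(minutes=5),
                                  min_failures=6, min_sources=3):
    """Alert once per target/service when failed logins inside the sliding
    window reach both thresholds, counted across all sources combined."""
    recent = defaultdict(deque)          # (target, port) -> (time, source)
    alerted, alerts = set(), []
    for ts, src, dst, port, result in sorted(map(parse, lines)):
        if port not in REMOTE_ADMIN_PORTS or result != "FAIL":
            continue
        key, q = (dst, port), recent[(dst, port)]
        q.append((ts, src))
        while ts - q[0][0] > window:     # drop failures older than the window
            q.popleft()
        sources = {s for _, s in q}
        if (key not in alerted and len(q) >= min_failures
                and len(sources) >= min_sources):
            alerted.add(key)
            alerts.append({"target": dst, "service": REMOTE_ADMIN_PORTS[port],
                           "failures": len(q), "sources": sorted(sources)})
    return alerts

if __name__ == "__main__":
    for alert in detect_distributed_bruteforce(SAMPLE_LOG):
        print(alert)
```

In the sample, each source address fails only twice, so the alert comes from the combined count on the RDP target; the single mistyped VNC login on the second host stays below both thresholds.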

In a recent incident that affected a reseller of POS systems, the crooks used stolen credentials for the LogMeIn account to gain unauthorized access to information related to POS transactions.

IntelCrawler says that in the case of “@-Brt,” the malicious software includes multi-threading support, a feature that permits running through the dictionary database at a much faster pace.

The company detected that several prominent merchants have been affected by the malware, and that IPv4 ranges of large ISPs (Internet Service Providers) have been scanned, AT&T Internet Services, Sonic.net and SoftLayer Technologies being among them.

Multiple variants of the malicious software exist, with modifications that may aim at increased optimization and could have been written by different authors.

A list of commonly used passwords for the compromised POS terminals includes simple, easy-to-crack text strings, such as “posrn,” “terminal,” “admin12345,” “manager,” “hotel,” “operator,” “posadmin,” and “pos12345.”

It appears that administrators used numerous variants of “aloha” as the access restriction password, the “aloha12345” passcode being used in 13% of the cases, followed by “micros” (10%), “pos12345” (8%), “posadmin” (7%), and “javapos” with 6.30%. All of these are extremely weak passwords that can be cracked in a matter of minutes, depending on the specifications of the machine used.

As far as the geographical spread of the botnet is concerned, the security company provides a chart showing infected computers in Germany, Japan, Mexico, Bulgaria, India, Jordan, Hong Kong, Antilles, Philippines, and Korea.