Tantalizing Clues in Dexter Malware Lead to Mystery Man…and Zeus

The Dexter malware is getting some media attention this week – and not just because the malware shares its name with Showtime’s popular drama about a serial killer by the same name. (Not that those of us tasked to write catchy headlines don’t love stuff like that – ’cause we do.)

No, the Dexter virus caught the attention of malware analysts because it infects point of sale (POS) systems like electronic cash registers, kiosks and automatic teller machines (ATMs), rather than run of the mill laptops and desktops. It has also generated some interest because it uses a form of memory dump parsing to steal sensitive data from infected POS terminals, and because its POS malware that is part of a botnet – communicating back to a command and control system and receiving commands – that’s quite unusual and, while its kind of insider baseball for malware geeks, it makes Dexter worthy of some extra lab time spent analyzing Dexter.

According to an analysis by Seculert, the custom malware has been circulating in recent months and has infected “hundreds POS systems” including those operated by “big-name retailers, hotels, restaurants and even private parking providers.” The logic here is simple. Dexter isn’t the first POS malware. In fact, more and more malicious programs are ascribing to the Willie Sutton philosophy of online theft: you infect POS systems because “that’s where the money is,” or – at least – the data that you need to get the money. “Instead of going through the trouble of infecting tens of thousands of consumer PCs or physically installing a skimmer,” Seculert writes, “an attacker can achieve the same results by targeting just a few POS systems with specially crafted malware.”

But it turns out that Dexter may not be so new or different. A detailed analysis by Verizon’s RISK team suggests that Dexter has been in active development for some months and may be a creation of a group responsible for the ubiquitous Zeus banking Trojan.

Verizon said that it has identified at least four “Dexter” variants dating back to September, 2012. The last of those appeared in late October and has served as the basis for most of the analysis of the malware. By analyzing the earlier proof-of-concept Dexter variants, Verizon concluded that the IP addresses used for Dexter’s command and control were also used to host Zeus related domains and several domains for Vobfus, also known as  “the porn worm,” which has been used to deliver the Zeus malware.

Dexter Showtime

Beyond the revelations that Dexter may be tied up with the Zeus malware, Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew running the malware. Though many of the web domains that serve as command and control nodes for Dexter are privately registered, at least one was not, and Verizon was able to link that to an online handle, “hgfrfv,” used to post a number of suggestive help requests in technical forums (“need help with decrypting a table encrypted with EncryptByKey”…hmm…) as well as shell account on the outsourcing web site freelancer.com, which lists “hgfrfv” as an individual residing in the Russian Federation. The handle is also linked to the e-mail addresses Mark.Jacobs@live.com. Attempts by Security Ledger to contact the e-mail addresses went unanswered.

What does this mean? Everything and nothing. Connections back to Zeus domains aren’t that surprising. That password stealing malware is the punchline to countless online scams and attacks. The links to “Mr. Jacobs” are tantalizing – and could ultimately lead to someone with their hands on Dexter getting dox’d. But even that’s not unusual – Brian Krebs has made a habit of out-ing big time botmasters, and “Mr. Jacobs” almost certainly isn’t that.

So, what is interesting (I think) is that there are links between a novel POS bot and more established, pedestrian online banking malware. That suggests that those behind run of the mill online banking scams – the kind that infect your PC, wait for you to visit Bank of America, then steal your password – are moving into new territory: the vast array of point of sale terminals that collect sensitive financial data from consumers. Stay tuned for more on that trend in the year ahead!


  1. Would seem like a go idea to infect POS machines. The software we run at the company I work for is so old it bound to be full of holes and they never pay for any updates.

  2. Pingback: ‘Berucht botnet infecteert kassasystemen’ | Webinteresse

  3. Pingback: Avoid a nightmare before Christmas | Kaseya Blog – United Kingdom

  4. Pingback: Dexter malware’s source still unknown, connection to Zeus disputed | Exploit Archive