Meet The Malware That Took Down Target | TechCrunch
Jared Sperli stashed this in security
Shortly after news of the Target attack hit the net, someone posted a listing for a piece of malware called POSWDS or Reedum on ThreatExpert.com. Shortly thereafter the listing was pulled, but not before it had been analyzed. Krebs and his sources found that the version of the malware that appeared on Target's computers had been specially designed to hide itself from anti-virus software and was “customized to avoid detection and for use in specific environments.”
According to Krebs, the software has been traced to a programmer known as Antikiller, who put it up for sale on hacker forums. The person or group responsible for selling the cards after the breach also infected Target's computers, initially accessing the system via a compromised web server and then “hoovering up” the data as it came in.
“Further analysis of the attack has revealed the following: On December 2, the malware began transmitting payloads of stolen data to an FTP server of what appears to be a hijacked website. These transmissions occurred several times a day over a two-week period. Also on December 2, the cyber criminals behind the attack used a virtual private server (VPS) located in Russia to download the stolen data from the FTP. They continued to download the data over two weeks for a total of 11 GB of stolen sensitive customer information. While none of this data remains on the FTP server today, analysis of publicly available access logs indicates that Target was the only retailer affected. So far there is no indication of any relationship to the Neiman Marcus attack.”
http://krebsonsecurity.com/wp-content/uploads/2014/01/POSWDS-ThreatExpert-Report.pdf
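The exfiltration pattern in the quote above (a POS host pushing data over FTP to the same external server several times a day, for days on end) is something a retailer's own egress logs could have surfaced. The following is an added example, not code from the TechCrunch article, Krebs or Seculert: it takes a constructed, space-separated firewall log, assumes the POS registers live in 10.20.0.0/16, and flags any POS host that talks FTP to a non-RFC1918 address on two or more distinct days. The subnet, the log format and all addresses are assumptions for the example.

```python
"""Flag sustained outbound FTP from a POS network segment.

Added example, not from the article or the report it quotes. The log format,
the POS subnet and every address below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

POS_NET = ip_network("10.20.0.0/16")            # assumed POS register subnet
FTP_PORTS = {21}                                # FTP control channel
# Explicit RFC1918 list rather than ip_address.is_private, which also treats
# the 203.0.113.0/24 documentation range used in this sample as "private".
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed sample log: "<iso-time> <src> <dst> <dport> <bytes_out>"
SAMPLE_LOG = """\
2013-12-02T03:10:05 10.20.4.17 203.0.113.45 21 5242880
2013-12-02T13:40:12 10.20.4.17 203.0.113.45 21 4194304
2013-12-03T02:55:41 10.20.4.17 203.0.113.45 21 6291456
2013-12-03T14:02:09 10.20.4.17 203.0.113.45 21 3145728
2013-12-04T03:01:33 10.20.4.17 203.0.113.45 21 5242880
2013-12-02T09:00:00 10.20.7.3 10.20.1.10 21 1024
2013-12-02T09:05:00 10.20.7.3 198.51.100.9 443 2048
2013-12-05T11:00:00 10.30.1.5 203.0.113.45 21 900000
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def parse_line(line):
    ts, src, dst, dport, nbytes = line.split()
    return (datetime.fromisoformat(ts), ip_address(src), ip_address(dst),
            int(dport), int(nbytes))


def find_sustained_ftp(log_text, min_days=2):
    """Return {(src, dst): {"days": n, "bytes": total, "flows": k}} for POS
    hosts that sent FTP to external destinations on at least min_days days."""
    stats = defaultdict(lambda: {"days": set(), "bytes": 0, "flows": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = parse_line(line)
        # Only POS-segment sources, only FTP, only destinations outside RFC1918.
        if src not in POS_NET or dport not in FTP_PORTS or is_internal(dst):
            continue
        entry = stats[(str(src), str(dst))]
        entry["days"].add(ts.date())
        entry["bytes"] += nbytes
        entry["flows"] += 1
    return {pair: {"days": len(v["days"]), "bytes": v["bytes"], "flows": v["flows"]}
            for pair, v in stats.items() if len(v["days"]) >= min_days}


if __name__ == "__main__":
    for (src, dst), info in find_sustained_ftp(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['flows']} FTP sessions over "
              f"{info['days']} days, {info['bytes']} bytes out")
```

The internal-to-internal FTP flow and the single-day flow from a non-POS host are dropped; only the register that kept talking to the same external server across three days is reported. On a real network the same logic runs over NetFlow or firewall exports, and the interesting tuning knob is `min_days` against the legitimate FTP the POS segment should never have in the first place.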
company plug: if only Target had some itSoftware installed on its POS devices.
The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POSWDS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POSWDS\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_POSWDS\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\POSWDS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\POSWDS\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\POSWDS\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POSWDS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POSWDS\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POSWDS\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\POSWDS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\POSWDS\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\POSWDS\Enum
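The keys above boil down to two indicators: a service registered as POSWDS under Services, and the matching LEGACY_POSWDS entry Windows creates under Enum\Root for a legacy driver/service. The following is an added example, not code from the ThreatExpert report or the article: it parses a registry export (either `.reg` section headers or bare key paths, as a triage script might dump them), canonicalizes ControlSet001/CurrentControlSet so the same key is not counted twice under different names, and matches on the service name with a path boundary so that a name merely starting with POSWDS is not a hit. The sample export and the one value line in it are constructed for the example.

```python
"""Match the POSWDS registry indicators against an offline registry listing.

Added example, not from the ThreatExpert report or the article. The sample
export below is constructed; only the two key patterns come from the listing.
"""
import re

# ControlSet001, ControlSet002, ... and CurrentControlSet all describe the same
# service; fold them to a placeholder so one indicator covers every alias.
CONTROLSET_RE = re.compile(r"\\SYSTEM\\(CONTROLSET\d{3}|CURRENTCONTROLSET)\\", re.I)

# The trailing (\\|$) is the path boundary: POSWDS matches, POSWDSHelper does not.
INDICATORS = {
    "service key": re.compile(r"\\SYSTEM\\<CS>\\SERVICES\\POSWDS(\\|$)"),
    "legacy driver enum": re.compile(r"\\SYSTEM\\<CS>\\ENUM\\ROOT\\LEGACY_POSWDS(\\|$)"),
}

# Constructed sample in `reg export` style, mixed with one bare lower-case path
# as a triage script might emit it. The "Start" value line is made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Spooler]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_BEEP]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\POSWDS]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\POSWDS\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POSWDS\0000]
hklm\system\currentcontrolset\services\poswds\enum
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\POSWDSHelper]
"""


def parse_keys(text):
    """Collect key paths from `[HKEY_...]` section headers or bare HKLM paths;
    value lines and the export banner are ignored."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            keys.append(line[1:-1])
        elif line.upper().startswith(("HKEY_", "HKLM\\")):
            keys.append(line)
    return keys


def canonical(key):
    """Upper-case, expand the HKLM shorthand and fold the control-set alias."""
    k = key.strip().strip("[]").upper()
    if k.startswith("HKLM\\"):
        k = "HKEY_LOCAL_MACHINE\\" + k[len("HKLM\\"):]
    return CONTROLSET_RE.sub(r"\\SYSTEM\\<CS>\\", k)


def match_indicators(keys):
    """Return [(original_key, indicator_name)] for every key that hits."""
    hits = []
    for key in keys:
        ck = canonical(key)
        for name, pattern in INDICATORS.items():
            if pattern.search(ck):
                hits.append((key, name))
    return hits


if __name__ == "__main__":
    for key, name in match_indicators(parse_keys(SAMPLE_EXPORT)):
        print(f"{name:20} {key}")
```

Four of the seven keys hit (three under Services\POSWDS, one LEGACY_POSWDS enum entry); Spooler, LEGACY_BEEP and the look-alike POSWDSHelper do not. Because the listing is an export rather than the live hive, the same check can be run across images collected from many registers without touching each machine.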
What are the chances that the VPS was in Russia to throw off the trail of where the criminals actually are?
2:04 PM Jan 17 2014