ALIASES:

Microsoft: Alinaos; Symantec: Alina; Eset: Alinaos

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)


  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

ALINA, also known as Track, is a well-known malware family that targets point-of-sale (PoS) systems. ALINA variants are known for scanning the memory of all running processes with regular expressions to retrieve payment card track data. However, it skips system processes as well as browser and instant-messaging-related processes.

ALINA continues to evolve, with several different versions released over time. This family is also capable of gathering information about the affected system.

The earliest version was discovered around October 2012.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Steals information, Connects to URLs/IPs

Installation

This Trojan drops the following copies of itself into the affected system:

  • %Application Data%\adobeflash.exe
  • %Application Data%\cmd.exe
  • %Application Data%\csrss.exe
  • %Application Data%\ctfmon.exe
  • %Application Data%\dasHost.exe
  • %Application Data%\defender.exe
  • %Application Data%\desktop.exe
  • %Application Data%\dwm.exe
  • %Application Data%\explorer.exe
  • %Application Data%\jucheck.exe
  • %Application Data%\jusched.exe
  • %Application Data%\rundll32.exe
  • %Application Data%\scvhost.exe
  • %Application Data%\services.exe
  • %Application Data%\svchost.exe
  • %Application Data%\Taskmgr.exe
  • %Application Data%\win-firewall.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Autostart Technique

This Trojan adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
CurrentVersion\Run
  • adobeflash = "%Application Data%\adobeflash.exe"
  • cmd = "%Application Data%\cmd.exe"
  • csrss = "%Application Data%\csrss.exe"
  • ctfmon = "%Application Data%\ctfmon.exe"
  • dasHost = "%Application Data%\dasHost.exe"
  • defender = "%Application Data%\defender.exe"
  • desktop = "%Application Data%\desktop.exe"
  • dwm = "%Application Data%\dwm.exe"
  • explorer = "%Application Data%\explorer.exe"
  • jucheck = "%Application Data%\jucheck.exe"
  • jusched = "%Application Data%\jusched.exe"
  • rundll32 = "%Application Data%\rundll32.exe"
  • scvhost = "%Application Data%\scvhost.exe"
  • services = "%Application Data%\services.exe"
  • svchost = "%Application Data%\svchost.exe"
  • Taskmgr = "%Application Data%\Taskmgr.exe"
  • win-firewall = "%Application Data%\win-firewall.exe"

Other Details

This Trojan connects to the following possibly malicious URLs:

  • http://{BLOCKED}zus.com/forum/login.php
  • http://{BLOCKED}8.{BLOCKED}8.63.226/goose/push.php
  • http://{BLOCKED}bins.com/forum/login.php
  • http://www.{BLOCKED}zus.com/duck/push.php
  • http://{BLOCKED}8.{BLOCKED}8.63.226/uhgf/push.php