MWZLesson

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 92
First Seen: September 30, 2015
Last Seen: May 22, 2023
OS(es) Affected: Windows

MWZLesson is a Point of Sale (PoS) Trojan used to steal from the public by gathering credit card data directly at the payment terminal. PoS Trojans like MWZLesson are extremely threatening because they have the potential to collect credit card credentials from large numbers of users. While a traditional banking Trojan compromises a single computer user's credit card data, a PoS Trojan like MWZLesson may collect the credit card credentials of hundreds or even thousands of customers who use the infected terminal during the period in which it is infected. MWZLesson and other PoS Trojans are not widespread, but they do pose a severe threat. MWZLesson was developed by reusing pieces of code from different, existing infections. If you suspect that your PoS system has been infected with MWZLesson, you should take appropriate security measures to ensure that customers' data is not exposed.

A Brief Analysis of MWZLesson and Other PoS Trojans

MWZLesson was designed by reusing code from several well-known Trojan infections. The main contributors to the MWZLesson code are Dexter, a popular PoS Trojan, and Neutrino, a backdoor Trojan. Using code from Dexter, MWZLesson is able to collect data from point of sale terminals. The contribution from Neutrino allows MWZLesson to infect terminals and relay data to a remote server easily. An MWZLesson infection has a single goal: to gather credit card data. To do this, MWZLesson scans the affected computer and then relays the collected information to its command and control server. MWZLesson is specifically designed to infect point of sale payment terminals at retail stores or similar businesses.

How MWZLesson may Collect Credit Card Data

MWZLesson scrapes the RAM of the infected terminal in search of credit card numbers and other information. Using the HTTP protocol, MWZLesson connects to its Command and Control server and relays credit card data using GET and POST requests. MWZLesson can also intercept POST and GET requests from Web browsers on the infected computer (including Internet Explorer, Google Chrome and Mozilla Firefox). These requests are then delivered to the Command and Control server. Apart from these operations, MWZLesson can receive updates, download and execute other files, search for specific files on the victim's computer and perform a variety of other tasks. In fact, MWZLesson may be used to carry out DDoS attacks and similar operations from an infected terminal.
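Because a PoS terminal has a very small legitimate set of network destinations (its payment processor and its vendor's update service), the HTTP GET/POST exfiltration described above stands out in egress logs. The following script is an added example, not code from the original page or from any MWZLesson sample: it applies a per-terminal egress allow-list to proxy log lines and flags any request from a terminal to a host not on that list, with POST requests (which carry a body leaving the terminal) rated higher than GETs. The log format, the terminal addresses, the allow-listed hostnames and the log lines themselves are all constructed for this example.

```python
"""
Egress allow-list check for PoS terminals.

Flags HTTP requests from PoS terminal hosts to destinations that are not on
the known-good allow-list (payment processor, vendor update service).
Everything below (log format, IPs, hostnames, sample lines) is constructed
for illustration and is not taken from any real PoS deployment.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample proxy log: "timestamp client method url status bytes_out".
SAMPLE_LOG = """\
2015-10-01T10:02:11Z 10.20.1.15 POST http://payments.example-processor.test/auth 200 812
2015-10-01T10:02:19Z 10.20.1.15 GET  http://updates.example-pos-vendor.test/v2/manifest 200 1407
2015-10-01T10:03:40Z 10.20.1.15 POST http://203.0.113.77/gate.php 200 5120
2015-10-01T10:03:42Z 10.20.1.15 GET  http://203.0.113.77/gate.php?cmd=update 200 310
2015-10-01T10:05:03Z 10.20.1.16 POST http://payments.example-processor.test/auth 200 790
2015-10-01T10:05:50Z 10.20.1.99 GET  http://www.example-news.test/ 200 20450
"""

# Constructed: which source addresses are PoS terminals, and where they may talk.
POS_TERMINALS = {"10.20.1.15", "10.20.1.16"}
EGRESS_ALLOWLIST = {"payments.example-processor.test", "updates.example-pos-vendor.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>GET|POST|PUT|HEAD)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)
HOST_RE = re.compile(r"^https?://([^/:]+)")


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    h = HOST_RE.match(rec["url"])
    rec["host"] = h.group(1).lower() if h else ""
    return rec


def is_ip_literal(host):
    """True when the destination is a bare IP rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious(log_text, terminals=POS_TERMINALS, allowlist=EGRESS_ALLOWLIST):
    """Return findings for every terminal request to a non-allow-listed host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in terminals:
            continue  # malformed line, or not a terminal: out of scope here
        if rec["host"] in allowlist:
            continue
        reasons = ["destination not on PoS egress allow-list"]
        if is_ip_literal(rec["host"]):
            # Heuristic: legitimate processor/update traffic normally uses DNS names.
            reasons.append("destination is a bare IP literal")
        # A POST/PUT carries a request body, i.e. data leaving the terminal;
        # a GET to an unknown host is more likely beaconing or command retrieval.
        severity = "high" if rec["method"] in ("POST", "PUT") else "medium"
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "host": rec["host"],
            "method": rec["method"], "bytes": rec["bytes"],
            "severity": severity, "reasons": reasons,
        })
    return findings


def summarize(findings):
    """Aggregate findings per (terminal, destination) for triage."""
    out = defaultdict(lambda: {"requests": 0, "bytes": 0, "posts": 0})
    for f in findings:
        key = (f["src"], f["host"])
        out[key]["requests"] += 1
        out[key]["bytes"] += f["bytes"]
        if f["method"] in ("POST", "PUT"):
            out[key]["posts"] += 1
    return dict(out)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['severity']:6} {f['src']} -> {f['host']} "
              f"{f['method']} {f['bytes']}B: {'; '.join(f['reasons'])}")
    for (src, host), agg in summarize(hits).items():
        print(f"summary {src} -> {host}: {agg}")
```

On the constructed log this flags only the two requests from terminal 10.20.1.15 to 203.0.113.77 (the POST as high, the follow-up GET as medium); the office workstation 10.20.1.99 browsing a news site is ignored because it is not a terminal. In a real deployment the allow-list should be built from the terminal's documented processor and vendor endpoints, and the aggregated byte counts per destination are what make a slow, low-volume exfiltration visible over time.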

How MWZLesson Protects Itself from Detection

One particularly threatening aspect of MWZLesson is that this Trojan can avoid detection and removal. MWZLesson uses a variety of tactics to find out whether it is being observed and then attempts to interfere with these kinds of operations in order to make it more difficult for PC security researchers to study and remove MWZLesson. MWZLesson can check that it is not being run in a virtual environment like the ones PC security researchers may use to investigate threats. MWZLesson can also check for debuggers and other programs typically used by PC security researchers. MWZLesson will also gather information about the computer where it is being run. If MWZLesson detects that it is running in a virtual environment, it can remove itself and other programs from the infected computer, making it difficult for malware researchers to determine exactly how MWZLesson operates.

MWZLesson poses a severe threat to computer users. Business owners and managers who operate Point of Sale systems must take care to ensure that their terminals are completely protected from threats. A reliable security application designed for businesses and these kinds of environments is essential to ensure that customers are protected from MWZLesson and other PoS threats.
