
Trojan-Spy.Win32.SPSniffer

Posted: February 14, 2012

Threat Metric

Threat Level: 2/10
Infected PCs: 73
First Seen: February 14, 2012
OS(es) Affected: Windows

Trojan-Spy.Win32.SPSniffer is a dangerous Trojan, otherwise known as the 'Chupa Cabra' malware (literally 'goat sucker'), that attacks payment devices. Trojan-Spy.Win32.SPSniffer, or Chupa Cabra malware, is used by scammers to steal and copy credit card information. The Chupa Cabra is a mythical beast rumored to live in some parts of the Americas. It has supposedly been sighted recently in Puerto Rico, where it was first mentioned, in Mexico and in the United States, especially in the latter's Latin American communities. Brazilian carders have also used the name Chupa Cabra for skimmer devices installed on ATMs, because the Chupa Cabra 'sucks' the information from the victim's credit card. The Brazilian media regularly shows videos of scammers installing their Chupa Cabra on an ATM. The idea behind the Chupa Cabra malware is simple: to avoid the risk of being caught red-handed with an ATM skimmer, the scammers instead install their malicious code on Windows PCs and hijack the communications coming from PIN pads. These pads are the devices used at supermarkets, gas stations and anywhere else that takes card payments.

Chupa Cabra malware was first found in Brazil late in December 2010 as Trojan-Spy.Win32.SPSniffer; it has four variants (A, B, C and D) and was sold between Brazilian cybercriminals for 5 thousand dollars. Trojan-Spy.Win32.SPSniffer is narrowly targeted: its spread is concentrated on specific targets in the US, and possibly elsewhere in the world. PIN pads themselves are designed to be tamper-resistant; hardware and security features ensure that the security keys are erased if someone attempts to open the device. In fact, the PIN is encrypted immediately on entry using a variety of encryption schemes and symmetric keys, most often Triple DES, which makes the PIN difficult to recover. But there is a problem: these devices are always connected to a computer via a USB or serial port, over which they communicate with the EFT (Electronic Funds Transfer) software. Older and outdated PIN pad devices, still in use in Brazil, are currently vulnerable.

The Track 1 data and the public data held on your card's chip are not encrypted in the hardware of these old devices. That generally includes your card number, expiration date, service code and selected data such as the CVV: in short, almost everything a criminal needs to spend your money. Because this data is not encrypted, it reaches the computer in plain text, and capturing it is enough to clone your credit card. Chupa Cabra malware installs a simple USB or serial port sniffer driver, generally adapted from commercial software, which captures all the data exchanged between the PIN pad and the computer. The first versions of the Chupa Cabra malware also installed a DLL that can monitor and capture the traffic of any device connected to a COM port. The newest versions use the TVicCommSpy driver to gather USB traffic, with the same goal. The malicious DLL also records all keystrokes on the keyboard (a keylogger). All the stolen Track 1 data is saved to a file together with information about the victim's PC, and forwarded to the cybercriminal, generally via email. To ensure the data reaches the cybercriminals in a 'safe' way, Chupa Cabra malware encrypts it with a symmetric scheme that uses an interesting Unicode key name.
