Security researchers recently discovered something very "meta" inside a point-of-sale computer: a virus that had infected a banking Trojan without corrupting either one's code.
The infector was Sality, an old, well-known and easily removed virus that replicates itself, infects machines and establishes peer-to-peer botnets. It also can download other forms of malware.
"This malware wasn't something that should be considered part of a targeted attack on a point of sale system," wrote SpiderLabs researcher Josh Grunzweig in a blog posting. "This is more of the type of malware you'd expect to see on your Aunt Sally's computer after she went to some link she saw in an email."
The banking Trojan, by contrast, was an unfamiliar piece of malware that would not have been detected, Grunzweig said, if not for the presence of the virus.
The banking Trojan had been installed on the point-of-sale machine to steal financial information. (Grunzweig did not name the client.) Its placement and its functionality as an executable program made it a target for the virus.
The Trojan's identity was discovered by security researchers not through signature scans, but because it was looking for credit-card information. When researchers scanned the Trojan, it was classified as a cousin of Sality — but Sality doesn't go after credit cards.
That's what tipped SpiderLabs off. It used anti-virus software on the package and was left with a perfect version of the banking Trojan, sans Sality.
"In some strange coincidence, both the banking malware and Sality wound up infecting this system," Grunzweig wrote. "So what we are left with is malware that is infected with other malware."
Since, unlike viruses, banking Trojans don't replicate themselves, once the Trojan was removed the machine was totally clean.
SpiderLabs didn't investigate further to see how the Sality malware got onto the point-of-sale machine, but said the Trojan was likely put there by someone with either physical access to the machine or unrestricted remote administrative controls.