Security Protection – Harry Waldron MVP Rotating Header Image

Point-of-Sale RAM scraping malware – Latest developments

Additional links found in research below (1st link is excellent on inner workings for this class of malware) … While root cause of recent attacks is still unknown, there are truly vulnerabilities in POS software and malicious agents that have advanced in sophistication (moving from hacker having to physically retrieve data, to command-and-control botnet style attacks)

http://labs.bromium.com/2014/01/13/understanding-malware-targeting-point-of-sale-systems/

http://grahamcluley.com/2014/01/ram-scraping-malware-installed-target-tills/

http://www.us-cert.gov/ncas/alerts/TA14-002A

QUOTE: Back in 2009 several companies (including Visa and Verizon) published threat reports describing a new kind of malware – RAM scrapers (Verizon report, Visa report). These are malicious programs that search memory of point-of-sale (POS) systems for bank card information. After that a number of blog entries appeared, but neither of them (to our best knowledge) reveal the inner workings of RAM scrapers. Recently this issue has come back into the limelight with the recent Target breach. The exact details of the Target malware are still unknown but it is important to understand how RAM scrapers work and why they’re a big risk to the retail industry.

The most challenging part of a RAM scraper is the search algorithm. It must be able to detect bank card information in a huge chunk of data (and do it as reliably as possible). A number of approaches can be used for this purpose, but the most popular one is based on regular expressions.  The simplest search algorithm was implemented in Dexter. It looks for ‘=’ character and then checks 16 bytes before and 20 bytes after it. If all the bytes are ASCII or Unicode digits then check 16 byte sequence (allegedly a card number) with the Luhn algorithm, which is widely used to check the correctness of bank card numbers. Here is the implementation of the Luhn algorithm in the Dexter sample.

The earlier versions of RAM scrapers required a person to retrieve a text file containing the stolen data from the infected machine (as it is implemented in Reedum) – it was mostly an insider tool and did not have any networking capabilities. However newer samples tend to use the Web for the data delivery. The complexity of networking component varies from simple submitting of data to the server to full functional C&C components

Comments are closed.