In the wake of the credit card data breaches at Target, Neiman Marcus, and possibly several other retailers around the country, much of the discussion has focused on point-of-sale malware, RAM scrapers in particular.
On January 12th, it was confirmed that the attackers behind the massive Target data breach had installed malware on Point of Sale (PoS) systems at retail locations across the country.
Over the past few days, a number of security vendors, along with the US government, have uncovered more details on the types of malware connected to these PoS attacks, including the breach at Target.
Piecing together analysis from various researchers reveals that the cyber-crime ring behind these attacks used a highly sophisticated set of tools to first intercept the payment data and then transfer the stolen information to servers controlled by the criminals. While it is still not known how the attackers broke into Target's network, or other retailers for that matter, in the first place, details are emerging about what steps the memory-parsing software took once inside.
“A new piece of malicious software, KAPTOXA, has potentially infected a large number of retail information systems,” said iSight Partners, a cyber-forensics company working with the U.S. Secret Service.
Scraping Memory For Data
RAM scrapers are different from other types of malware in that they look for data as they are stored temporarily in the computer's memory. In the case of a point-of-sale terminal, the malware can see and grab the data stored on the credit or debit card’s magnetic stripe the exact moment the shopper swiped the card through the card reader. Under the Payment Card Industry-Data Security Standard rules (PCI-DSS), payment card data has to be encrypted as quickly as possible so that the data is protected both at rest, such as on the hard drive, and in transit, when it is sent to the back-end servers for processing. The malware injects itself into running processes to identify credit card track data and copy it during that narrow window of opportunity before it is scrambled.
In Target's case, the malware began collecting data as soon as it infected the retailer's PoS terminals, but stayed under the radar for six days, said Aviv Raff, CTO of Seculert. The data was consolidated onto another compromised machine within Target's network.
It appears that around Dec. 2, a machine began transmitting the stolen information to a FTP server belonging to a hijacked website. The transmissions occurred several times a day, usually during prime business hours, over a period of two weeks, Seculert found. The criminals then downloaded the data files, which Seculert has estimated to be about 11 GB in size, onto another server based in Russia. That estimate comes from information found on the FTP access logs, Raff told SecurityWeek.
“The attackers were able to plant point-of-sale malware and intercept approximately 110,000,000 records worth of payments, transactions, and other personally identifiable data,” McAfee noted in its own analysis.
While more people may be paying attention now because of the recent attacks, malware targeting point-of-sale terminals have actually been making the rounds for several years. The Verizon Data Breach Investigation Report highlighted attacks on point-of-sale systems as a major threat. The threat is also not limited to just retailers, as virtually any organization that deals with customer payment card data is vulnerable, such as hospitality and education sectors.
In an earlier story, SecurityWeek listed some recent breaches that leveraged memory-parsing malware. Sophos generally detects PoS RAM scrapers malware under the family name Trackr. Other PoS malware include ones such as Alina, Dexter and VSkimmer. According to researchers from McAfee, vSkimmer is a successor to Dexter and has more functionality than Dexter.
In January 2013, researchers from Sophos even found the Citadel crimeware targeting PoS systems, though Citidel uses screen captures rather than RAM Scraping techniques.
The increasing popularity of RAM scrapers and other memory-parsing malware among cyber-criminals is directly related to the fact that organizations are getting better about encrypting sensitive data, said Michael Sutton, vice-president of security research at Zscaler. “It's an arms race. We throw up a roadblock and the attackers adapt and look for other ways to grab the data," he said.
How POS Malware Works
Because PoS terminals are essentially just computers, many of them running versions of Microsoft Windows, there are many ways they can be infected. Considering most retailers generally have these systems on the same corporate network as all the other computers, the attacker can compromise any computer in order to reach the PoS system. This could have been Web-based attack or a malicious email attachment. It's too early to rule out the possibility of a rogue insider, where someone inside the company triggered the initial infection, as well.
The part where PoS malware, especially RAM scrapers, differ from run-of-the-mill malware is what it does once in the network.
Even though most PoS malware tend to follow the same workflow, RAM scrapers are “surprisingly diverse” in how they are implemented, wrote Vadim Kotov, a security researcher at Bromium. Regardless of type, memory-parsing malware first grabs everything in the computer's memory, and then performs a search through the dumped memory to identify what looks like payment card details.
Considering the number of PoS systems that have been compromised, it is likely the criminals accessed the update or control server for these systems, said Jeff Debrosse, director of security research at Websense.
"These attackers definitely used an ‘infect once, deploy everywhere’ strategy that was incredibly effective," Ken Westin, a security researcher with Tripwire, told SecurityWeek.
Generally a scraper has either a hardcoded list of processes to scan or a blacklist of processes, Kotov wrote. Once the memory or buffer has been dumped, the malware's search algorithm takes over to detect the valuable bankcard data. There are many approaches, but Kotov noted that Dexter simply searched for the ‘=’ character and then looked at 16 bytes before and 20 bytes after to identify the data, Kotov said. Once the data is found, the malware copies it on to its own list. After that, it's just a matter of transferring the list out of the network into the criminals' hands.
“Hiding and transmitting collected payment card information to evade antivirus detection is a relatively staple exercise for modern malware,” Debrosse said.
Based on Existing Crimeware
Just like any other malware type, PoS malware can be customized and tricked out with more features than a garden-variety Trojan, but some are created from toolkits and have off-the-shelf capabilities. The malware that infiltrated Target appears to be related to BlackPOS, a “relatively crude but effective” cybercrime kit sold in underground forums, according to security writer Brian Krebs.
Researchers from security intelligence firm IntelCrawler believe the author of the BlackPOS crimeware kit is a 17-year old living in Russia.
The “budget” version of the crimeware costs $1,800 in underground market, while the “full” version costs $2,300 and has more features, such as the ability to encrypt stolen data, according to Krebs, However, the malware was customized for the specific environment, and obfuscated to avoid detection. In fact, as of Thursday, none of the 40+ tools listed on VirusTotal detect the two malicious files used in the Target attack, Krebs noted.
Even if the organization has antivirus installed on endpoint systems—which they have to in order to comply with PCI-DSS—the fact that attackers are utilizing advanced techniques to evade detection means some infections aren't detected right away.
"Updating antivirus is reactive and simply will not stay ahead of malware threats that create 250,000 new malware variants a day," said Anup Ghosh, CEO of Invincea. PCI-DSS standards need to be updated so that it doesn't emphasize antivirus so heavily, he said.
Even US-CERT was still advising retailers to update their antivirus signatures in its alert just a little more than a week ago.
“What this compromise points to is that detecting the threat on the network is no longer sufficient to prevent breach of data,” Ghosh said.
Looking for Signs of a Breach
Signs are pointing to the fact that this was a broad and highly sophisticated attack, and Target was just one of the victims. Retailers—actually, anyone with a PoS system and processing payments—may have been compromised and need to investigate their networks.
On Thursday, CrowdStrike released Yara and Snort indicators and signatures to detect known components of BlackPOS malware used to steal the payment card details from PoS systems as well as the exfiltration tools that was used to transfer the stolen data. These rules are designed to detect generic variants of the malware and not just the specific version used for Target.
Tripwire’s has also developed and released rules for Tripwire Enterprise customers that will check for known markers of compromise of the point-of-sale malware they classify as Trojan.POSRAM and Infostealer.Reedum that has retailers.
This is "actionable intelligence that potential other victims can use to detect signs of similar breaches on their network," said Dmitri Alperovitch, CTO of Crowdstrike.
An advisory from the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service, FS-ISAC and iSIGHT Partners, includes technical analysis of PoS Malware along with indicators to assist network defenders.
"While some components of the POS data breaches were not technically sophisticated, the operational components were," the group report concluded. "The cyber criminals displayed innovation and a high degree of skill in orchestrating the various components of the breaches."