'Freakshow' Provides Inside Look At Real Malware Behind Big Breaches

Forensic specialists who investigated hacks of a hotel chain, casino, and restaurant share details on the sophisticated malware used to successfully steal confidential data
In the Las Vegas casino club's breach, the attackers planted an elusive keylogger that stole credit and debit card numbers. Even if the casino's IT staff had been running tools to look for suspicious programs, they wouldn't have found it, Ilyas says. "It was hidden from the system...we went in and found its processes running," he says. "The keylogger was just targeting the processed credit card transactions."

The casino had been hit by earlier malware infections and believed its systems were clean after removing them. They were not: "In this case, their systems got infected with a couple of other things, and they had written them off as benign," Ilyas says. "This happens quite often as viruses are always floating around in corporate networks...The casino administrator saw something [more] was going on."

In the restaurant breach in Michigan, the establishment's server was bot-infected and then used to help plant a malicious packet sniffer between the point-of-sale system and the server. The restaurant didn't encrypt its internal point-of-sale application traffic, so its card data was an easy mark for the attackers. The attackers delivered the malware's configuration files over Internet Relay Chat (IRC).

The attack was more random than targeted -- the bad guys had discovered an open port at the site while scanning the geographic area. "This sniffer attack is unique because of the IRC capability -- usually people use commercial sniffers, but this one was custom-designed," Percoco says. And the sniffer required the Microsoft .NET Framework, so the attackers installed .NET on the victim's machine.

"They had to upgrade the system to make it work."
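The restaurant case turns on two things a defender can look for: card numbers crossing the internal network in the clear, and a server talking IRC protocol to a host it has no business talking to. The following Python scanner is an added illustration, not code from the article or from the investigators; it runs over a handful of constructed, text-rendered traffic lines (the addresses, card numbers, port numbers and IRC channel are all invented test data) and flags plaintext primary account numbers that pass the Luhn check, plus lines carrying IRC command verbs.

```python
import re
from typing import Dict, List

# Constructed sample: what an analyst might see after reconstructing flows
# from a capture on an unencrypted POS segment. Every value here is invented.
# Card numbers are the industry's standard test numbers; 203.0.113.9 is a
# documentation address standing in for an external IRC server.
SAMPLE_LINES = [
    "10.0.0.21:51844 -> 10.0.0.5:9000 | SALE amount=42.17 pan=4111111111111111 exp=0914 auth=OK",
    "10.0.0.21:51845 -> 10.0.0.5:9000 | SALE amount=9.99 pan=4111111111111112 exp=0115 auth=DECLINED",
    "10.0.0.5:49210 -> 203.0.113.9:6667 | NICK pos-srv-01",
    "10.0.0.5:49210 -> 203.0.113.9:6667 | JOIN #c0nf1g",
    "203.0.113.9:6667 -> 10.0.0.5:49210 | PRIVMSG pos-srv-01 :!config sniff=9000",
    "10.0.0.21:51846 -> 10.0.0.5:9000 | SALE amount=15.00 pan=5500000000000004 exp=1213 auth=OK",
    "10.0.0.21:51847 -> 10.0.0.5:443 | TLS ClientHello",
]

# A PAN is 13 to 19 digits not adjacent to other digits; Luhn filters out
# most random digit runs (timestamps, IDs) that happen to be that long.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# IRC registration and channel verbs. Seeing these from a POS back-end
# server, on any port, is the signal; the port alone is not reliable.
IRC_RE = re.compile(r"\b(NICK|USER|JOIN|PRIVMSG|PING|PONG)\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(text: str) -> List[str]:
    """All Luhn-valid 13-19 digit runs in a line of reconstructed traffic."""
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_valid(m.group(1))]


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify_line(line: str) -> Dict[str, object]:
    """Tag one line with the findings it triggers and masked PANs, if any."""
    findings: List[str] = []
    pans = find_plaintext_pans(line)
    if pans:
        findings.append("plaintext_pan")
    if IRC_RE.search(line):
        findings.append("irc_command")
    return {"findings": findings, "masked_pans": [mask_pan(p) for p in pans]}


def scan(lines: List[str]) -> Dict[str, List[int]]:
    """Map each finding type to the indices of the lines that triggered it."""
    summary: Dict[str, List[int]] = {"plaintext_pan": [], "irc_command": []}
    for idx, line in enumerate(lines):
        for finding in classify_line(line)["findings"]:
            summary[finding].append(idx)
    return summary


if __name__ == "__main__":
    for idx, line in enumerate(SAMPLE_LINES):
        result = classify_line(line)
        if result["findings"]:
            print(idx, result["findings"], result["masked_pans"])
    print(scan(SAMPLE_LINES))
```

The declined transaction on the second line carries a number that fails Luhn and so is not reported, which is the point of the check: without it, any long numeric field would raise an alert. The findings are deliberately masked before printing so the detector does not itself become a place where full card numbers accumulate.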

Percoco and Ilyas, meanwhile, also plan to reveal a new, bleeding-edge generation of malware they call "credential malware," which is a rare but powerful tool for attacking kiosks, such as DVD rental machines. They wouldn't provide any details of the victim that was hit by the attack, but they used an example of a fictional video poker machine to illustrate it.

The attack initially requires physical contact with the kiosk: someone posing as a repairman, for instance, could install the malware, which is aimed at stealing data from these types of closed-network devices. "The chances of getting data out via the Internet from these machines are very slim. The only way to get the data you're looking for is to go face-to-face with that device, and they have limited interfaces and no keyboards," Percoco says.

So malware writers have created special code that can use the limited controls available in a kiosk machine. "The malware has a password file embedded in this, and when it sees a particular string of data, it activates," he explains.

The researchers will demonstrate how specially crafted paper vouchers, such as those you get when you cash out of a slot machine, act as the interface to the poker machine in order to steal credit and debit card data. "We've seen in some cases criminals getting jobs to repair machines or work in a restaurant to get the malware onto the [kiosk] system," he says.
