Target Breach: 8 Facts On Memory-Scraping Malware

Target confirmed that malware compromised its point-of-sale systems. How does such malware work, and how can businesses prevent infections?

4. US-CERT hint: Dexter, Stardust RAM malware. What particular type of malware was used to attack Target or Neiman Marcus? So far, both retailers have declined to answer that question. But on January 2, 2014 -- roughly two weeks after Target confirmed that it had been breached, and one day after Neiman Marcus confirmed that it had been breached -- the US Computer Emergency Readiness Team (US-CERT) released a memory-scraping malware alert aimed at retailers.

In particular, the US-CERT alert named two types of malware that are designed to dump POS memory or intercept credit card data being transmitted on internal networks. "Dexter, for example, parses memory dumps of specific POS software-related processes looking for Track 1 and Track 2 data," it said. "Stardust, a variant of Dexter, not only extracts the same track data from system memory, it also extracts the same type of information from internal network traffic."
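The Track 1 and Track 2 data that Dexter and Stardust hunt for has a fixed magnetic-stripe layout, and that same fixed layout is a detection hook for defenders: the patterns can be scanned for in outbound network captures, in memory dumps taken during incident response, or in logs and files that should never hold card data. The following is an added example written for this article, not code from US-CERT, the retailers, or the article's author; the sample buffer, the test PAN 4111111111111111, and all function names are constructed for illustration.

```python
"""DLP-style scanner for magnetic-stripe track data in arbitrary byte buffers
(packet payloads, memory dumps, log files). Constructed example; PANs in any
finding are masked so the detector itself never re-emits full card numbers."""
import re
from typing import Dict, List

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z .'/-]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN; cuts false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4, mask the rest, PCI-style."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> List[Dict]:
    """Return one finding per Luhn-valid track record, ordered by offset."""
    hits = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):
                hits.append({"track": track, "offset": m.start(), "pan": mask_pan(pan)})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: a process memory fragment with one Track 1 record, one
# Track 2 record, and one Track 2 lookalike whose PAN fails the Luhn check.
SAMPLE = (
    b"POS heartbeat ok\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"
    b"\x00junk;4111111111111111=25121010000000000?\x00"
    b";1234567890123456=25121010000000000?"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE):
        print(f"track {hit['track']} at offset {hit['offset']}: {hit['pan']}")
```

Run against a pcap payload stream or a memory image, a single Luhn-valid hit on a host that is not supposed to handle cleartext track data is a high-fidelity alert; the regexes alone, without the Luhn filter, fire on far more noise.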

5. Likely attack vectors. How do attackers infect POS systems with malware? To answer that question, it helps to understand that POS devices are network-connected, and thus any system that touches that network might be an infiltration point. Likewise, unsecured wireless networks may also give attackers an entry point.

That's why phishing attacks put POS devices at risk: if attackers can infect a PC on the same network, they can try to get their malware to jump from that PC to the POS devices. Attackers might also hack their way into the production network -- perhaps by using weak default credentials in remote-desktop or remote-access software, or by exploiting known vulnerabilities in Internet-facing servers.

Since the attack against Target compromised personal information on 70 million customers -- beyond the 40 million credit and debit cards that were also compromised -- it suggests that attackers didn't just sneak malware onto POS devices, they also gained direct access to servers or Internet-connected databases of customer information, since that's where that type of customer data would have been stored.

6. POS malware is easy to hide. If attackers gain access to the production network to which POS devices are connected, the malware-dropping attacks they then aim at those POS devices may be quite difficult to detect or intercept. That's because attackers can use antivirus evasion techniques or packing tools to give the malware executable a never-before-seen checksum. "Most of the time the code that most malware-scrapers use can be detected, but unfortunately, you can just apply encryption or antivirus-evasion tools to bypass that detection," said RSA's Elisan.

7. POS network must be secured. How can retailers block attacks that aim to sneak malware onto POS devices? The US-CERT warning recommends these six best-practices: use strong passwords to access POS devices, keep POS software up to date, use firewalls to isolate the POS production network from other networks or the Internet, employ antivirus tools, limit access to the Internet from the production network, and disable all remote access to POS systems.

That's a good start, but businesses must also pay careful attention to the security hygiene of the POS-related production network, and beware the threat that an infected laptop or desktop might be allowed to connect to that network. "You can have different firewalls installed, but if you introduce a compromised system into the network -- instead of using a protected server to serve all of the updates to the POS -- that could possibly be the infection vector that the malware needs to get into the system," said Elisan.

8. Can POS device security be verified? Once malware does successfully infect a POS device, shouldn't retailers such as Target be able to spot that the checksum associated with the POS system's disk image has changed? That's a pertinent question after Target's admission that its POS systems were infected with malware.

"It suggests that Target may have dropped the ball somewhat, not only in terms of verifying those devices but verifying that the image on those devices hasn't changed," said Cluley. "Even if you can't detect a specific piece of malware, could they not detect that something could have been fiddled with or changed?"

But Elisan said he's not aware of these types of security checks being employed, at least by large retailers. "For a big company that has, say, 100,000 systems, I'm not so sure if that's really being practiced," he said. "Most of the time there's this false sense of security that POS systems won't get infected, because they're seen as being isolated."
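Cluley's question about verifying that the image on a device "hasn't changed" is, in practice, a baseline-and-compare integrity check. Below is an added example (not Target's tooling, and not anything Cluley or Elisan describe) that hashes every file in a POS image directory, reduces the manifest to one image checksum, and reports modified, added, and missing files against a stored baseline; the directory layout, file names, and function names are constructed assumptions.

```python
"""Baseline-and-verify file integrity check for a POS software image.
Constructed example. Assumes the image is a directory tree and that the
baseline manifest is generated from a known-good build and kept off the
device (signed or otherwise write-protected), not on the POS itself."""
import hashlib
import os
import tempfile
from typing import Dict


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def manifest_digest(manifest: Dict[str, str]) -> str:
    """Single image checksum: hash of the sorted (path, hash) pairs."""
    h = hashlib.sha256()
    for rel in sorted(manifest):
        h.update(rel.encode() + b"\0" + manifest[rel].encode() + b"\n")
    return h.hexdigest()


def verify(root: str, baseline: Dict[str, str]) -> Dict[str, list]:
    """Diff the live image against the baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict:
    """Build a constructed image, baseline it, then tamper with it:
    one binary patched, one unexpected file dropped in."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "pos.exe"), "wb") as f:
            f.write(b"POS application v1.0")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("store=42\n")
        baseline = build_manifest(root)
        clean = verify(root, baseline)

        with open(os.path.join(root, "bin", "pos.exe"), "ab") as f:
            f.write(b"patched")                      # simulated tampering
        with open(os.path.join(root, "bin", "svc.dll"), "wb") as f:
            f.write(b"unexpected file")              # simulated drop
        tampered = verify(root, baseline)
        digest_changed = manifest_digest(baseline) != manifest_digest(build_manifest(root))
    return {"clean": clean, "tampered": tampered, "digest_changed": digest_changed}


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the check must run from a trusted host against a baseline the device cannot rewrite, otherwise malware that owns the device also owns the baseline; and file hashing only catches changes that land on disk, so memory-only injection into a running POS process needs separate process and network monitoring.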

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

