Target Breach: 8 Facts On Memory-Scraping Malware

Target confirmed that malware compromised its point-of-sale systems. How does such malware work, and how can businesses prevent infections?

Mathew J. Schwartz, Contributor

January 14, 2014

8 Min Read

9 Notorious Hackers Of 2013

9 Notorious Hackers Of 2013

9 Notorious Hackers Of 2013 (click image for larger view and for slideshow)

What is memory-scraping malware, and how can it be stopped?

Malware that attacks the RAM inside point-of-sale (POS) devices -- the fancy name for digital cash registers used by everyone from retailers and restaurants to hoteliers and hospitals -- leapt into the spotlight this week after it was tied to the recent breach of Target, and by extension, breaches involving Neiman Marcus and other as-yet-unnamed retailers.

"There was malware installed on our POS registers; that much we have established," Target chief executive Gregg Steinhafel said Sunday in an interview with CNBC, referring to a breach that began on November 28 and lasted until December 15. That breach resulted in up to 110 million people having their credit card information or personal details compromised. A related investigation remains underway.

In the wake of Target's admission, here's what businesses and their customers should know about RAM-scraping malware and how to stop it.

1. Memory-scraping malware isn't new. Memory-scraping attacks date from at least 2011, when security researchers first spotted an advanced version of the Trackr (a.k.a. Alina) malware, which can be controlled via a botnet. "One of the earliest serious POS RAM scraper attacks that we observed was back in November 2011 when we found that a university and several hotels had their PoS systems compromised," said Numaan Huq, a security researcher at SophosLabs Canada, in a July 2013 blog post. "Later we saw varied targets, including an auto dealership in Australia infected with Trackr."

Retailers aren't the only organizations vulnerable to having their POS systems targeted by memory-scraping malware. "Although retailers can be affected by these kinds of things, there have been food service companies, healthcare, hotels and tourism companies being targeted by RAM scraping in the past," said security researcher Graham Cluley, speaking by phone.

But the Target breach appears to set a new high in terms of the number of records that the attackers were able to successfully compromise. "Because of the scale of the Target breach, this is probably one of the biggest incidents, if not the biggest incident, that has occurred," Cluley said.

[For more on the expanding Target data breach, see Neiman Marcus, Target Data Breaches: 8 Facts.]

2. POS malware routes around encryption. Memory-scraping malware is typically designed to target Track 1 and Track 2 data -- including a cardholder's name, card number, expiration date, and the card's three-digit security code (a.k.a. CVV or CVC) -- at the place where it's most vulnerable to being intercepted: in memory, where it's in plaintext format.

"There is that opportunity to steal the credit card information when it is in memory, perhaps even before your payment has even been authorized, and the data hasn't even been written to the hard drive yet," said Cluley. "In some ways, it's understandable that the bad guys did this because the Payment Card Industry Data Security Standards -- PCI DSS -- tell retailers that if you write this [card] information to a hard disk or any other type of media it has to be strongly encrypted so nothing can grab it, and if you transmit it must be strongly encrypted, so nothing can intercept it in transit."

Figure 1:

3. Security wrinkle: plaintext realities. Unfortunately, it's not feasible to encrypt data in POS system memory. "No matter how strong your encryption is, if the system needs to process data or process the code, everything needs to be decrypted in memory," explained Chris Elisan, principal malware scientist at security firm RSA, a division of EMC, speaking by phone.

Furthermore, RAM-scraping malware is purpose-built to act only when that information capture or decryption occurs. "Let's say it wants to steal credit card numbers," Elisan said. "The moment it sees new data being loaded into memory -- the moment it sees 16 characters with a zero or special character at the end, indicating that it's a card number -- it would just intercept that."

4. US-CERT hint: Dexter, Stardust RAM malware. What particular type of malware was used to attack Target or Neiman Marcus? So far, both retailers have declined to answer that question. But on January 2, 2014 -- roughly two weeks after Target confirmed that it had been breached, and one day after Neiman Marcus confirmed that it had been breached -- the US Computer Emergency Readiness Team (US-CERT) released a memory-scraping malware alert aimed at retailers.

In particular, the US-CERT alert named two types of malware that are designed to dump POS memory or intercept credit card data being transmitted on internal networks. "Dexter, for example, parses memory dumps of specific POS software-related processes looking for Track 1 and Track 2 data," it said. "Stardust, a variant of Dexter, not only extracts the same track data from system memory, it also extracts the same type of information from internal network traffic."

5. Likely attack vectors. How do attackers infect POS systems with malware? To answer that question, it helps to understand that POS devices are network-connected, and thus any system that touches that network might be an infiltration point. Likewise, unsecured wireless networks may also give attackers an entry point.

That's why POS devices are vulnerable to phishing attacks, as long as attackers can get their malware to jump from an infected PC to POS devices. Attackers might also hack their way into the production network -- perhaps by using weak default credentials in remote-desktop or remote-access software, or by exploiting known vulnerabilities in Internet-facing servers.

Since the attack against Target compromised personal information on 70 million customers -- beyond the 40 million credit and debit cards that were also compromised -- it suggests that attackers didn't just sneak malware onto POS devices, they also gained direct access to servers or Internet-connected databases of customer information, since that's where that type of customer data would have been stored.

6. POS malware is easy to hide. If attackers gain access to the production network to which POS devices are connected, detecting or intercepting related malware-dropping attacks aimed at those POS devices may be quite difficult to detect. That's because attackers can use antivirus evasion techniques or packing tools to give the malware executable a never-before-seen checksum. "Most of the time the code that most malware-scrapers use can be detected, but unfortunately, you can just apply encryption or antivirus-evasion tools to bypass that detection," said RSA's Elisan.

7. POS network must be secured. How can retailers block attacks that aim to sneak malware onto POS devices? The US-CERT warning recommends these six best-practices: use strong passwords to access POS devices, keep POS software up to date, use firewalls to isolate the POS production network from other networks or the Internet, employ antivirus tools, limit access to the Internet from the production network, and disable all remote access to POS systems.

That's a good start, but businesses must also pay careful attention to the security hygiene of the POS-related production network, and beware the threat that an infected laptop or desktop might be allowed to connect to that network. "You can have different firewalls installed, but if you introduce a compromised system into the network -- instead of using a protected server to serve all of the updates to the POS -- that could possibly be the infection vector that the malware needs to get into the system," said Elisan.

8. Can POS device security be verified? Once malware does successfully infect a POS device, shouldn't retailers such as Target be able to spot that the checksum associated with the POS system's disk image has changed? That's a pertinent question after Target's admission that its POS systems were infected with malware.

"It suggests that Target may have dropped the ball somewhat, not only in terms of verifying those devices but verifying that the image on those devices hasn't changed," said Cluley. "Even if you can't detect a specific piece of malware, could they not detect that something could have been fiddled with or changed?"

But Elisan said he's not aware of these types of security checks being employed, at least by large retailers. "For a big company that has, say, 100,000 systems, I'm not so sure if that's really being practiced," he said. "Most of the time there's this false sense of security that POS systems won't get infected, because they're seen as being isolated."

Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.

The complexity of enterprise IT systems and processes is growing, as are threats against organizations’ assets. Unfortunately, security budgets are not. Security pros must therefore play a high-stakes game of figuring out which problems to tackle and in what order. In this Dark Reading report, Using Risk Assessment To Prioritize Security Tasks And Processes, we explain how risk assessment techniques can inform the process of prioritizing security tasks and processes, and recommend steps security pros can take to apply data based on their own enterprise's risk profile. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights