Targeted Malware Infects Windows-based Cash Registers


A serious, targeted threat from customized malware that steals credit card magnetic strip track data could literally bankrupt your business. That’s the message two security researchers from Trustwave gave at their talk during the Defcon computer security conference Saturday.

The researchers, Jibran Ilyas and Nicholas Percoco of Trustwave SpiderLabs, respond to calls for help when businesses find malware in critical systems. When banks field reports of credit card fraud, they try to find the earliest common location or business where all the victims used their card. When they do, the bank calls the business, which then calls in the researchers.

In their talk, Malware Freak Show 3, the researchers reported on several types of malware, all of which are designed to steal the so-called Track 1 data — the information encoded on the magnetic strip on the back of the card — when a salesperson or waiter swipes the credit card through the reader attached to the cash register.

The malware may reside on the register (a device that, in many cases, is simply a custom-configured Windows computer) or on a server in the back room of the business that’s used to process credit card transactions. Once the malware has the Track 1 data, it transmits the string of numbers to remote locations, where the data can be used to produce fake, but functional, physical credit cards. The thieves can then sell or use the cards to purchase valuable merchandise.

Unfortunately for some businesses, the credit card processing banks can, and sometimes do, charge the hapless store owner for losses incurred due to fraud. In some cases, these penalties can put establishments out of business, even in cases where the business leases either the point-of-sale (POS) device — the register — or the card processing server, or both. Business owners normally cannot patch or otherwise protect the POS machines or servers they don’t own themselves, and rely on the company they’re leasing the devices from to maintain them.

Percoco and Ilyas described a common scenario where they’re called in to respond to such an incident and find that the point-of-sale system is set up to be remotely managed by the service provider, but the service provider used weak (or in some cases, no) passwords to protect the device. That’s almost always how the malware ends up on the system, Ilyas explained.

Jibran Ilyas demos the malware in the after-talk Q&A room

The malware is rarely detected with antivirus products because it is highly specialized — it doesn’t try to steal other kinds of data, for instance — and also because of the way it is distributed, deliberately pushed to specially targeted POS systems. Samples of these kinds of Trojans don’t make their way to the antivirus research community as often as your typical rogue antivirus, for example.

The researchers described three different varieties of malware made to steal Track 1 data, and demonstrated how they function in a live demo. The classification follows the method the malware uses to steal the data: there are memory sniffers, process dumpers, and network sniffers.

Memory sniffing malware steals the data by reading the specific location in memory where the credit card processing software temporarily records the Track 1 data after the clerk swipes the card. The stolen data is immediately sent onward to a remote Web server, and is never written to the hard drive.

A sample of the fake Track 1 data used by Trustwave researchers to goad the malware into action

Network sniffers hook themselves into the network device chain in the infected computer, then sit and listen to everything that traverses the wire for the distinctive pattern of data that indicates the presence of Track 1 data. When the Track 1 data passes through the sniffer, the program extracts the data and sends it onward.

Process dumpers monitor the files used by many of the most common card processing applications. When the card processing program becomes active, such as when a card transaction takes place, the process dumper retrieves the contents of the memory space used by the card processing program, dumps it to disk, then parses those contents looking for Track 1 data.
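All three variants converge on the same tell: a cleartext Track 1 record sitting in a buffer the card processing software exposes. During incident triage the same pattern match, run over a process dump or a captured network payload, tells an investigator whether track data was reachable at all. The scanner below is an added example, not code from the talk or from Webroot; the regex follows the public ISO/IEC 7813 format B layout, the sample "dump" is constructed, and the PANs are industry test numbers.

```python
import re

# Track 1, ISO/IEC 7813 format code B:
#   %B<PAN 13-19 digits>^<name, up to 26 chars>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")

def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit; filters out random digit runs that happen to match."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the report never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track1(buf: bytes) -> list:
    """Scan a raw buffer (process dump, pcap payload) for Luhn-valid Track 1 records."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue  # structurally a record, but not a real card number
        yy, mm = m.group(3).decode(), m.group(4).decode()
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "name": m.group(2).decode(errors="replace").strip(),
            "expiry": f"20{yy}-{mm}",
        })
    return hits

# Constructed stand-in for a POS process memory dump: binary noise around
# three records. The PANs are well-known test numbers, not cardholder data.
SAMPLE_DUMP = (
    b"\x00\x00\x00CardProc.exe\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"  # valid record
    b"\x00\xff\x10"
    b"%B4111111111111112^BAD/LUHN^2512101?"  # bad check digit, skipped
    b"\x00"
    b"%B5500000000000004^SMITH/JOHN          ^26031010000000000?"  # padded name
    b"\x00\x00"
)
```

A hit at all means the card processing software held track data in cleartext where a memory sniffer or process dumper could read it; the masked PAN and offset are enough to confirm exposure without copying full card numbers into the case file.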

The prospect for business owners is not very rosy. Targeted malware attacks such as these are on the rise, and with few (if any) using security software on their POS systems, the issues seem likely to continue for some time. We’ll work with companies like Trustwave to obtain samples and other data that will help our products detect and remove these types of malware.