RAM scrapers: The sky isn’t falling

Wade Baker
December 11th, 2009

In the last day or so, we’ve seen several articles and web chatter on RAM scraping malware as described in our 2009 Data Breach Investigations Supplemental Report. Some of this discussion seems to be heading in a bit of a sensationalist direction. Others suggest that some of the information we present is inaccurate. We’d like to head this off with some quick Q&A for clarification.

Q: Why do we say RAM scrapers are “a fairly new form of malware”?
A: Because their occurrence is fairly new among breach investigations in our caseload. We aren’t suggesting the concept itself is new.

Q: Is this the end of the Internet or data security as we know it?
A: No, of course not.

Q: Does wider use of RAM scraping malware present new challenges?
A: Yes. It is clearly another tool by which attackers can circumvent protection measures and compromise sensitive data.

Q: Why do we believe RAM scrapers “are rarely detected by anti-virus programs”?
A: Because each occurrence has been customized (repacked and/or modified), making it unknown to AV programs. Though particularly true for RAM scrapers, this trend holds for all malware. Since 2008, we’ve seen more customized malware than generic/known/unaltered strains. Furthermore, the main infection vector for RAM scrapers observed within our caseload (installation by the attacker after he owns the system) effectively bypasses AV. RAM scrapers also use innocuous file extensions and attach themselves to legitimate processes and services.

Q: Is AV a waste of time and money?
A: No, of course not. AV is an important layer of defense and one of the main reasons we investigate so few cases involving email or network worms. However, it is not the only layer of defense. It is more efficient to resist the insertion of RAM scrapers (and any malware, really) than to try to detect and remove them after the fact.

Q: “What’s unexpected software of any sort doing on a POS server?”
A: Good question. We could also ask “what are default credentials doing on a POS server?” The answer, of course, is that neither of these *should* be on a POS server (or any other asset for that matter). IR professionals don’t investigate what *should* be true; they collect evidence to determine what *is* true. Among the cases in scope for the 2009 DBIR, it *is* true that RAM scrapers were installed on POS servers and went undetected by AV controls.

Q: How does unexpected software circumvent OS-level policies and controls?
A: Many times the POS vendor will install and support their software with Administrator-level access. This poses a serious security risk, because it allows the software, and any other tools or applications, to execute with SYSTEM-level privileges.
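The two answers above come down to one control: a POS server should run only the known, vendor-supplied software set, and nothing on it should run as SYSTEM that does not need to. The script below is an added example (not from the report or Verizon’s toolset) of a baseline check that a defender could run over a process inventory: it flags images that are not in the build-time baseline, known images whose hash changed (a repacked or modified copy), PE images hiding behind a non-executable extension, and anything running as SYSTEM from outside the OS directory. The snapshot, paths, accounts and hash values are constructed placeholders.

```python
from dataclasses import dataclass
MZ_MAGIC = b"MZ"                      # first two bytes of every Windows PE image
EXEC_EXTS = {".exe", ".dll", ".sys", ".com", ".scr"}
SYSTEM_ACCOUNT = "nt authority\\system"

@dataclass(frozen=True)
class Proc:
    name: str     # process image name as reported by the OS
    path: str     # image path on disk
    user: str     # account the process runs as
    sha256: str   # hash of the image file (placeholders in the sample below)
    magic: bytes  # first two bytes of the image file

def extension(path):
    """Lower-cased extension of a Windows path, '' if it has none."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base[base.rfind("."):].lower() if "." in base else ""

def audit(procs, baseline):
    """Return (name, reason) for each running image that should not be on a POS host.
    baseline maps lower-cased image path -> hash recorded at build time (vendor's known-good set)."""
    findings = []
    for p in procs:
        path = p.path.lower()
        expected = baseline.get(path)
        if expected is None:                      # unexpected software of any sort
            findings.append((p.name, "not in baseline"))
        elif expected != p.sha256:                # repacked/modified copy of a known image
            findings.append((p.name, "image hash differs from baseline"))
        if p.magic == MZ_MAGIC and extension(path) not in EXEC_EXTS:
            findings.append((p.name, f"PE image behind innocuous extension '{extension(path)}'"))
        if p.user.lower() == SYSTEM_ACCOUNT and not path.startswith("c:\\windows\\"):
            findings.append((p.name, "runs as SYSTEM from outside the OS directory"))
    return findings

# Constructed sample snapshot; hashes, paths and accounts are placeholders, not real data.
BASELINE = {
    "c:\\windows\\system32\\svchost.exe": "hash-svchost-v1",
    "c:\\program files\\posvendor\\posapp.exe": "hash-posapp-v1",
}
SNAPSHOT = [
    Proc("svchost.exe", "C:\\Windows\\System32\\svchost.exe", "NT AUTHORITY\\SYSTEM", "hash-svchost-v1", b"MZ"),
    Proc("posapp.exe", "C:\\Program Files\\POSVendor\\posapp.exe", "POS\\posadmin", "hash-posapp-v2", b"MZ"),
    Proc("helper.dat", "C:\\Program Files\\POSVendor\\helper.dat", "NT AUTHORITY\\SYSTEM", "hash-unknown", b"MZ"),
]

def demo():
    """Run the audit over the constructed snapshot."""
    return audit(SNAPSHOT, BASELINE)
```

On a real host the snapshot would be built from the process list plus a hash of each image on disk, and the baseline captured when the vendor finishes the install; the point is that a hash mismatch or an unlisted image is a finding regardless of whether AV recognizes it.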
