Will RAM scraping loosen the sky and make it fall?


The Henny Penny story of the moment concerns something called RAM scraping, which has the headline-friendly characteristics of sounding not just new and dangerous, but also painful and probably interestingly distasteful.

A recently-released data breach report identifies RAM scraping malware as one of the “top 15 threat action types”, defining this sort of threat to be “a fairly new form of malware designed to capture data from […] RAM”, and proclaiming it “difficult to classify as the functionality is rather new”. Although in the top 15, these scrapers apparently made up “less than 1%” of the data items in the sample set. (Quotes from report.)

Some in the computer security media certainly seem to be worried, with The Register inviting us to “forget keyloggers and packet sniffers”. These days, claims El Reg, it is RAM scrapers that are “all the rage amongst scammers”. (Quotes from article.)

From a sample set comprising less than 1% of data breach records to “all the rage” is a largish literary leap, but El Reg is at least able to quote a pair of experts to say that scrapers “are rarely detected by anti-virus programs”. But the author of the piece doesn’t say why they aren’t detected.

Perhaps they’ve only ever been seen where no anti-virus software is installed? Perhaps they only ever turn up where admin-level malcontents take the trouble to remove any security software before infecting? Or perhaps RAM scraping malware is so diabolical that it is too difficult for existing security technology?

Whatever the case, the stories emerging from this report seem to be leading people to believe that viruses or Trojans which peek directly into memory are:

  • A completely new form of malware.
  • A malware flavour which is beyond the capacity of anti-virus software to handle.

This isn’t true.

Also, the impression emerging is that these scrapers are affecting POS systems in general. Since POS means Point of Sale, my first thought was that this was an attack against the proprietary devices at shop tills – a form of software skimming, such as the recent scam in Western Australia. But the report’s RAM scraper case study details a malware infection on a back-end server.

An infected server sounds a lot easier to fix than a bunch of infected hardware devices, though it is no less disappointing. After all, you probably, and reasonably, expect back-end security of sufficient quality to prevent any sort of unexpected software on a payment-processing system, let alone malware, let alone a RAM scraper.
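To make concrete what a scraper on such a server is actually after, here is an added example (my own, not code from the article or from the report’s case study): a sweep over a constructed snapshot of process memory for runs of 13 to 19 digits that pass the Luhn check, flagging any that are framed as magnetic-stripe track 2 data (`;PAN=expiry...`). The `SAMPLE_MEMORY` buffer, its log fragments and the card numbers (the standard Visa and Mastercard test numbers) are constructed for the demonstration. The same loop is what a memory-scanning detector uses to find card data sitting in the clear, which is the point: there is nothing exotic about reading RAM.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Luhn checksum over an ASCII digit run: 1 if valid, 0 if not. */
int luhn_ok(const char *digits, size_t n)
{
    int sum = 0, dbl = 0;
    for (size_t i = n; i-- > 0; ) {
        int d = digits[i] - '0';
        if (dbl) {
            d *= 2;
            if (d > 9)
                d -= 9;
        }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

typedef struct {
    char pan[20];     /* 13..19 digits plus NUL */
    int  in_track2;   /* 1 if framed as magstripe track 2: ';' PAN '=' */
} pan_hit;

/* Sweep a memory region for 13..19-digit runs that pass Luhn. This is the
 * whole trick a RAM scraper relies on, and equally what a memory scanner
 * looking for exposed card data does. Returns the number of hits stored. */
size_t scan_for_pans(const uint8_t *mem, size_t len, pan_hit *out, size_t max_hits)
{
    size_t hits = 0, i = 0;
    while (i < len && hits < max_hits) {
        if (!isdigit(mem[i])) {
            i++;
            continue;
        }
        size_t start = i;
        while (i < len && isdigit(mem[i]))
            i++;
        size_t run = i - start;
        /* order numbers, timestamps and other digit soup fall out here */
        if (run < 13 || run > 19 || !luhn_ok((const char *)mem + start, run))
            continue;
        memcpy(out[hits].pan, mem + start, run);
        out[hits].pan[run] = '\0';
        out[hits].in_track2 = (start > 0 && mem[start - 1] == ';' &&
                               i < len && mem[i] == '=');
        hits++;
    }
    return hits;
}

/* Constructed stand-in for a snapshot of a payment process's heap: log
 * fragments, a PAN held in the clear before encryption, and a track-2 record.
 * The card numbers are the standard Visa/Mastercard test numbers, not real cards. */
static const uint8_t SAMPLE_MEMORY[] =
    "txn=20091215 amt=4200 card=1234567890123456" "\0"   /* 16 digits, fails Luhn */
    "pan=4111111111111111 exp=1512" "\0"                  /* hit: plain PAN */
    "\0\0garbage\xff\xfe"
    ";5555555555554444=15121011234?" "\0";               /* hit: track-2 framed */

int main(void)
{
    pan_hit hits[8];
    size_t n = scan_for_pans(SAMPLE_MEMORY, sizeof SAMPLE_MEMORY - 1, hits, 8);
    for (size_t k = 0; k < n; k++)
        printf("%s%s\n", hits[k].pan, hits[k].in_track2 ? " (track 2)" : "");
    return 0;
}
```

Run against the constructed snapshot this reports two hits: the plain `4111111111111111` and the track-2 framed `5555555555554444`; the 16-digit `1234567890123456` is rejected by Luhn and the dates and amounts are too short to qualify. A real scraper walks every readable page of the target process (or of all processes) with exactly this filter, which is also why a scanner that does the same sweep on a payment server should expect to find nothing.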

Malware which works directly with RAM instead of files or other system objects is not unusual. After all, most modern malware is packed. Packed files travel through the network in regular executable form, but with the contents scrambled. When launched off disk, a packed file scrapes the scrambled code directly out of its own process memory, unscrambles it, writes it directly into another region of memory, and runs it. So the decrypted internals of the malware never appear on disk.

Similarly, malware which uses process injection relies on tweaking memory directly; so do malware and shellcode which read through memory to identify system functions by hash, not by name.
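The hash-based lookup mentioned above, as an added example (mine, not from the article): the ROR13 rolling hash that classic Windows shellcode uses, applied to a constructed stand-in for an export-name table. `FAKE_EXPORTS`, its addresses and the helper names are assumptions; a real resolver walks the module’s export directory in memory to reach the names, but the hashing and comparison are exactly this. Under this scheme (without folding in the terminating NUL) `LoadLibraryA` hashes to 0xEC0E4E8E, a constant familiar from Windows shellcode.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ROR13 rolling hash over an ASCII function name, the scheme classic Windows
 * shellcode uses so that it can carry 32-bit constants instead of strings.
 * (The terminating NUL is not folded in here; some variants do fold it in.) */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h >> 13) | (h << 19);   /* rotate right by 13 */
        h += *p;
    }
    return h;
}

/* Constructed stand-in for an export-name table as it sits in a loaded
 * module's memory. Real code walks the PE export directory (or ELF .dynsym)
 * to reach the names; the addresses here are made up. */
typedef struct { const char *name; uint64_t address; } export_entry;
static const export_entry FAKE_EXPORTS[] = {
    { "CloseHandle",    0x7FF800001000ULL },
    { "GetProcAddress", 0x7FF800002000ULL },
    { "LoadLibraryA",   0x7FF800003000ULL },
    { "WriteFile",      0x7FF800004000ULL },
};

/* What the shellcode actually does: walk the table, hash each name it reads
 * from memory, and stop at the one matching the hash it carries. Returns 0
 * when nothing matches. */
uint64_t resolve_by_hash(uint32_t wanted)
{
    for (size_t i = 0; i < sizeof FAKE_EXPORTS / sizeof FAKE_EXPORTS[0]; i++)
        if (ror13_hash(FAKE_EXPORTS[i].name) == wanted)
            return FAKE_EXPORTS[i].address;
    return 0;
}

#define HASH_LoadLibraryA 0xEC0E4E8Eu   /* all the "shellcode" needs to embed */

int main(void)
{
    printf("ror13(\"LoadLibraryA\") = 0x%08X\n", ror13_hash("LoadLibraryA"));
    printf("resolved to 0x%llX\n",
           (unsigned long long)resolve_by_hash(HASH_LoadLibraryA));
    return 0;
}
```

The string "LoadLibraryA" never appears in the shellcode, only the 32-bit constant, so a scanner that merely greps for API names sees nothing. A scanner that knows the rotate-and-add idiom, or the well-known hash constants, sees it immediately; neither the technique nor its detection is new.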

Malware writers often use Browser Helper Objects (BHOs) to examine and act upon web pages as they are rendered in memory in your browser. MBR rootkits watch memory as the system boots, actively modifying snippets of the kernel itself, infecting the kernel in RAM but leaving it untouched on disk. Screen-grabbing banking Trojans scrape pixels straight from the screen buffer to snapshot web form data before it’s encrypted and submitted.

Security software has for years been dealing with adware and malware which reads directly from memory to bypass disk and to see unencrypted secrets. And security software has, no less challengingly, been dealing for years with malware which writes directly to memory to frustrate detection and prevention.

RAM scrapers are therefore neither new, nor tricky to deal with, simply on account of being RAM scrapers.

So, if you want a Henny Penny question to pester your friends and colleagues with in the next few days, try this one as you prepare to load up your credit card with this year’s Christmas shopping: “What’s unexpected software of any sort doing on a POS server?”