The Case of the Mistaken Malware


Published on March 26, 2014

Author: SecurityMetrics

Source: slideshare.net

Description

In our line of work it is quite common to be called in to investigate one piece of malware and end up finding another. In this scenario, our forensic investigator was called in to investigate a piece of malware framed for stealing customer credit card data. While sifting through data, he found the real culprit: a memory-scraper chameleon, capable of morphing into different versions to avoid anti-virus detection.

Forensic Files Series: The Case of the Mistaken Malware

“I’ve found the best way to inspire better security practices is to show examples of true security blunders. Hopefully the security failures I’ve seen while investigating compromised businesses will help you realize some actions you should take to ensure your own business’ security.”
David Ellis, Director of Forensic Investigations
GCIH, QSA, PFI, CISSP

Business Background
• Small retailer operates one main store, multiple satellite stores, and two corporate offices
• All sites connected to the same card processing environment
• During a routine anti-virus log review, an in-house IT staff member finds the Sirefef rootkit* at a satellite store
*A rootkit is a type of malicious software activated each time a system boots up. Rootkits are difficult to detect because they reside at the system's kernel level and are activated before the operating system has completely booted.

How Hackers Got In
• Compromised the credentials for the remote access application, LogMeIn
• Installed Sirefef, a sophisticated rootkit that can spread spam or capture sensitive information such as passwords or credit card data
• After customers confront the retailer about credit card fraud, the retailer hires a forensic investigator

Forensic Investigator Findings
• Investigator finds the Sirefef rootkit did not actually steal customer credit cards
• Further investigation revealed a memory scraper* called Alina in RAM (installed by the same hacker), designed specifically to capture payment information from POS terminals
*A memory scraper is designed to capture, or 'scrape', sensitive information from system memory (RAM) and return it to the attacker. The Alina memory scraper can morph into newer versions to avoid detection, or automatically reinstall in different locations if deleted.
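A memory scraper like the one above harvests unencrypted card data while it sits in POS process memory, so an investigator hunting for one typically scans a RAM image for magnetic-stripe Track 2 patterns rather than for the (frequently morphing) malware binary. The script below is an added illustration of that forensic check, not code from the slides or from SecurityMetrics; it runs over a small constructed memory dump and uses a Luhn check to discard number-like noise that merely resembles a card number.

```python
import re

# Track 2 layout: PAN (13-19 digits) '=' YYMM expiry, 3-digit service code,
# optional discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\??")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that match the regex."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode())):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep only first 6 and last 4 digits so findings can be reported safely."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_track2(memory: bytes) -> list:
    """Return masked Track 2 hits (with offsets) found in a raw memory buffer."""
    hits = []
    for m in TRACK2_RE.finditer(memory):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"offset": m.start(),
                         "pan_masked": mask_pan(pan),
                         "expiry": m.group(2).decode()})
    return hits


# Constructed sample dump: one genuine-looking track (4111... is a well-known
# Luhn-valid test number) followed by a decoy that fails the Luhn check.
SAMPLE_MEMORY = (b"\x00" * 8
                 + b"4111111111111111=15121011234567890?" + b"\x00" * 4
                 + b"4111111111111112=15121011234567890?" + b"\x00" * 4)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(hit)
```

On a real image the same function is pointed at a process dump of the payment application; a hit there means cardholder data was readable in RAM, which is exactly the condition a scraper exploits.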

What the Business Did Wrong
• Retailer didn't employ two-factor authentication* to secure remote access into their main store, satellites, and corporate offices
• Although they regularly reviewed anti-virus logs, IT staff did not regularly update the anti-virus program and system security patches
• The credit card processing environment was not segmented away from routine Internet traffic
*Two-factor authentication is an extra layer of security that requires not only a username and password but also something that only that user has, such as a physical token.

About SecurityMetrics: We Protect Business
Services: PCI, HIPAA, and data security solutions for businesses of all sizes
Qualifications: Global provider of ASV, QSA, PFI, PA-QSA, and P2PE services
Experience: Assisted over 1 million organizations with compliance needs
