The Case of the Mistaken Malware


In our line of work it is quite common to be called in to investigate one piece of malware and end up finding another. In this case, our forensic investigator was called in to investigate a piece of malware blamed for stealing customer credit card data. While sifting through the data, he found the real culprit: a memory scraper chameleon, capable of morphing into different versions to avoid anti-virus detection.

    1. Forensic Files Series: The Case of the Mistaken Malware
    2. "I've found the best way to inspire better security practices is to show examples of true security blunders. Hopefully the security failures I've seen while investigating compromised businesses will help you realize some actions you should take to ensure your own business' security." David Ellis, Director of Forensic Investigations, GCIH, QSA, PFI, CISSP
    3. Business Background
       • Small retailer operates one main store, multiple satellite stores, and two corporate offices
       • All sites are connected to the same card processing environment
       • During a routine anti-virus log review, an in-house IT staff member finds the Sirefef rootkit* at a satellite store
       *A rootkit is a type of malicious software activated each time a system boots up. Rootkits are difficult to detect because they reside at the kernel level and are activated before the operating system has completely booted.
    4. How Hackers Got In
       • Compromised the credentials for the remote access application, LogMeIn
       • Installed Sirefef, a sophisticated rootkit that can spread spam or capture sensitive information such as passwords or credit card data
       • After customers confront the retailer about credit card fraud, the retailer hires a forensic investigator
    5. Forensic Investigator Findings
       • Investigator finds the Sirefef rootkit did not actually steal customer credit cards
       • Further investigation revealed a memory scraper* called Alina in RAM (installed by the same hacker), designed specifically to capture payment information from POS terminals
       *A memory scraper is designed to capture, or "scrape", sensitive information from system memory (RAM) and return it to the attacker. The Alina memory scraper can morph into newer versions to avoid detection, or automatically reinstall in different locations if deleted.
    6. What the Business Did Wrong
       • Retailer didn't employ two-factor authentication* to secure remote access into their main store, satellites, and corporate offices
       • Although they regularly reviewed anti-virus logs, IT staff did not regularly update the anti-virus program or apply system security patches
       • The credit card processing environment was not segmented away from routine Internet traffic
       *Two-factor authentication is an extra layer of security that requires not only a username and password but also something that only that user has on them, such as a physical token, or a piece of information only they should know.
    7. About SecurityMetrics
       • We Protect Business: PCI, HIPAA, and data security solutions for businesses of all sizes
       • Qualifications: Global provider of ASV, QSA, PFI, PA-QSA, and P2PE services
       • Experience: Assisted over 1 million organizations with compliance needs
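Slide 5 describes the Alina memory scraper harvesting payment data out of POS RAM. The Python script below is added here as an illustration; it is not part of the original deck and not a SecurityMetrics tool. It shows the check a forensic examiner runs over a captured memory image to confirm what such a scraper had collected: it searches for track 1 and track 2 magnetic-stripe layouts and for bare digit runs, keeps only Luhn-valid PANs, and masks them before reporting. The memory image is a constructed byte string containing industry test card numbers, and the regex layouts and helper names are the author's own assumptions.

```python
"""
Scan a raw memory image for magnetic-stripe track data, the material a POS
memory scraper collects from RAM. Written for forensic review of a dump
(e.g. confirming what a scraper's capture buffer held); the sample image
embedded below is constructed for illustration.
"""
import re

# Track 1 looks like %B<PAN>^<NAME>^<YYMM>...?  and track 2 like ;<PAN>=<YYMM>...?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})")
# A bare run of 13-19 digits that may be a PAN not yet framed as track data.
BARE_PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

# Constructed sample: fragments of process memory around a POS application.
# 4111111111111111 and 5555555555554444 are standard test numbers; the
# "ref" value fails the Luhn check and must be ignored as a false positive.
SAMPLE_IMAGE = (
    b"\x00\x00POSAPP 2.1\x00"
    b";4111111111111111=2512101?"
    b"\x00log: order total 1234.56 ref 4111111111111112\x00"
    b"%B5555555555554444^DOE/JANE^2512101?"
    b"\x00\x00batch 1234567812345670 pending\x00"
)


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits so the report is not itself cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(image: bytes) -> list[dict]:
    """Return Luhn-validated card data found in a memory image, ordered by offset.

    A track-formatted hit takes precedence over a bare digit run at the same offset.
    """
    hits: dict[int, dict] = {}
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(image):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                expiry = m.group(3 if kind == "track1" else 2).decode()
                hits[m.start(1)] = {"offset": m.start(1), "kind": kind,
                                    "pan": mask_pan(pan), "expiry": expiry}
    for m in BARE_PAN_RE.finditer(image):
        off, pan = m.start(1), m.group(1).decode()
        if off not in hits and luhn_ok(pan):
            hits[off] = {"offset": off, "kind": "bare_pan",
                         "pan": mask_pan(pan), "expiry": None}
    return [hits[k] for k in sorted(hits)]


if __name__ == "__main__":
    # On a real dump: image = open(path, "rb").read()
    for hit in find_card_data(SAMPLE_IMAGE):
        print(f"offset 0x{hit['offset']:06x}  {hit['kind']:8s}  "
              f"{hit['pan']}  exp={hit['expiry']}")
```

Two design choices matter in practice. The Luhn filter is what keeps a memory image full of timestamps, order numbers and transaction references from drowning the report in false positives, and masking at the point of detection means the examiner's own notes never become a second copy of the stolen cardholder data.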