DEFCON 17: Malware Freak Show

Okay, thanks everybody. This is Malware Freak Show. I'm going to run through the agenda here briefly. We want to talk about who we are, how we get the malware, and the analysis outline. I'm going to go through some samples, and we're going to see some demos. We have 50 slides and four demos to go through, so we're going to be going through this rather quickly. Then we're going to finish up with some conclusions and give you a list of some tools we like to use. So, who we are: I'm Nick Percoco.

I'm the head of SpiderLabs. I have about 14 years of information security experience. My world of information security started about 15 or 16 years ago, when I started dabbling around running EFnet IRC servers back when I was in school. I used to dabble around with IRC bots; I wrote a bunch of bots that emulated Eliza, trying to do the Turing test online. I even had a bot get asked out to prom. So this is Jibran Ilyas. I guess I'm "Jibran," as you can read. I have done hundreds of security incident responses, and just recently I got my master's degree from Northwestern University, so, as you can see, I'm a good boy and will be taking you on a ride. So hopefully everyone's ready to go. Okay. So you know who SpiderLabs is. Basically, we're a team within Trustwave. We've done incident response, penetration testing, and application security for Trustwave clients, and as for the volume that we've done: we've responded to hundreds of security incidents, we've done thousands of ethical hacking exercises, and hundreds of business applications have been tested through our labs. So how do we get the malware? We didn't set computers up on the internet and just allow people to hack them and get malware on the computers.

The malware we're going to show in the next several slides is actual malware that we took out of environments that were compromised. These environments were confirmed compromised; the data was confirmed taken from these environments and used for fraudulent purposes out in the real world. So we're going to take you through that. The basic method of acquisition: we do a lot of field live analysis, memory dumps and disk imaging, and then, of course, take all that stuff back to our labs, either in Chicago or London, and churn through it to be able to produce some results. So, the analysis outline. We tried to organize each of these samples in sort of a cohesive manner. Basically, we're going to go through the basic architectures and really try to tell a story about the environment these were taken out of.

So what did the architecture look like? What were the problems that we saw within the environment? What tools were found; really, what did the hackers leave behind, what were the traces that we found? And then, of course, the installation vector: how did the tools get into the environment in the first place? Then some static and dynamic analysis to show you what we learned about the malware, and how did the data get out of the environment. And, of course, what you're probably really looking forward to seeing: we're actually going to demo this stuff live. So we'll jump into sample A. Basically, this environment was a casino club in Las Vegas, so it's some place not too far from this hotel. Visually, this is showing you the environment so you can see what it looked like. Over on the right-hand side of that screen you have the Internet; everybody knows what that is. Then you have a firewall sitting out there, and basically a back-of-house server.

This is a server that is basically used for processing the data that's being transmitted by the front-of-house systems. And the POS terminals: these are things that range from little, bulky, calculator-type devices that people are swiping cards through, up to touch screen computers that are being used in clubs. Specifically in this environment, these were the touch screen systems. When you go to a club or a bar, the server takes your credit card, swipes it through the system, types in what you had, a couple of beers, a martini, and off goes the data. So that's what was being used in this environment. So what were the problems that were found in this environment? Very, very basic stuff. Remote Desktop was allowed from the internet into the club point-of-sale system. In the previous slide I showed you this point-of-sale server out there with Remote Desktop wide open from the internet. We found common passwords, weak passwords, in the environment; specifically, the point-of-sale system that was being used and the point-of-sale system name, and thus the name of the system, was also used as the password.

Basically, it makes it very easy for the people who manage these systems, the IT guys, to admin them, but it made it easy for the attackers to get in. We found out that antivirus hadn't been updated on the point-of-sale systems for at least eight months. That was a big problem there. And then, of course, the customer data we saw in the system was carried over from two previous owners. So if you think about this: you're running a restaurant, or in this case a bar, and you go out of business, and you try to sell the stuff on eBay. This happened twice with the systems that we looked at. Someone sold them online, or they sold them to somebody else, and no one bothered to wipe the system. So we found customer data from two previous owners live on these systems. And, of course, this casino's network was very, very flat. The club that we investigated was connected right on the same flat network as the reservation systems, the same flat network as the fast-food places that were in the lobby and the gift shops, wide open. Anybody who plugs into any of those networks could navigate to any of the systems in the environment. Tools we found in the environment: we're going to go into more detail. You probably can't read this anyway after the third or fourth row, so we're going to skip past this. Basically, the installation vector, how did the attacker get into the environment: well, of course, Remote Desktop; we already talked about that. The target account was the POS user. The attackers that are launching these attacks have a whole laundry list of the point-of-sale usernames and passwords available to them.

They know exactly what the default passwords are. They scan out there for Remote Desktop, try the default usernames and passwords, and they're in the environment. Once they are in, they download an SFX archive from a website that we actually were able to navigate to; it was still up and running when we were doing the investigation. It was on "drugs..." and we're not going to show you the rest of the name there.

Basically, the SFX archive had a key logger and a PuTTY executable within it. The other interesting aspect is that the attacker then went and purchased, using the bar's computers, an SMTP server online to install it on the club point-of-sale system. As noted on the previous slide, really the only way into the environment was Remote Desktop. The only way out of the environment was through the point-of-sale server; the front-end terminals had no ability to get out of the environment. And then, of course, they used VNC to manage those systems, because the point-of-sale terminals had no keyboard, really no mouse, so if they needed to manage them or do upgrades, the IT folks would just VNC from the point-of-sale server, and that's how they would get into the environment. Here's a listing of the directory. I'm going to take this. So, as you can see, we got into their server and we see a lot of interesting tools. Some of them are key logger executables, Semih farm, remote desktop crackers, and so forth. And this is a screenshot: as Nick just told you, they actually bought an SMTP server from the merchant's machine, so that's a screenshot of that, at $69 that they spent. Anyone want to guess whose credit card they used? That's from the merchant's. All right, so what does xxx.exe do? This is basically a packed SFX archive. When they installed it, they installed it in a folder in Program Files, the Outlook folder, so they could stay hidden from IT administrators and security administrators who were looking for malware. As you can see, Windows\security is one of the other folders that it installs things in, and System32, malware's favorite. And the other one, the hackers that are lazy:

They basically install it in the C:\Program Files\bpk folder. So this key logger has the ability to hide from Task Manager, the Start menu, and the system tray. So if a regular person, like an IT person, takes a look at it, you wouldn't be able to tell that a key logger is running on the system. And the file where they store the credit card track data that they steal from the system is actually a statically encrypted file which can only be opened by the key logger's log viewer, and that's a great way to hide the data. So a regular person looking at that bpk.dat file, even if you try to open it with Notepad, won't be able to see the contents because it's all encrypted. One of the more interesting things about the key logger, when we were investigating it: it takes screenshots at regular intervals. So not only did it have screenshots of my activities, it also had the attacker's activity. When the attackers were going to their website, it was taking screenshots every 30 seconds and storing them in a hidden directory. So now I'm going to show you some of the options of this key logger. It's a commercially available key logger, but they had a very customized version of it. You can hide the program icon, and there's a key combination that only that hacker knows to bring this options menu up. You could even hide it from Control-Alt-Delete, and you can run it on Windows startup so that the key logger comes up even when you reboot the systems. All right, that's another screen. That's basically for the visual surveillance that I was talking about; it didn't even spare the attacker's activities. They were taking screenshots every 15 minutes in medium resolution; they didn't want anything big. They're kind of nice.

This is for the emailing of the logs, the key logger output, and basically what this is saying is that every 30 minutes they were sending logs via email. That's another screen. Now the attackers could have monitored every single key typed on the keyboard of the hacked computer, but they wanted to cut their work, so they basically started monitoring just applications that contain credit card data. On a point-of-sale system, they only put in one application that was known to process credit card transactions. So, as Nick said, if you go to a bar and swipe a credit card, the application that actually processes those transactions is the application they were monitoring. These are some of the logs that we collected from this key logger. We needed to block those out, but those are actually track data logs from the actual swipes that were going on inside this bar.

Basically, the key logger was then emailing those off to an email address on a free email domain. Here are some other screenshots. One interesting thing is that you can see the attacker was actually also tripped up by their own key logger: when they were logging into their own FTP site, we were able to obtain their password. Another thing: here you could see where they were actually copying and pasting the serial key, not for the key logger but for the SMTP server.

Here are some other logs we obtained from the SMTP gateway. You can see some things going on where they're actually sending that data out to the two email addresses. We blacked out a lot of things to protect the innocent, but you could see sort of the data going back and forth. So right now we're going to jump into a live demo, and Jibran's going to take you through the installation and the execution of this specific piece of malware.

All right, so we're going to do a live demo for you in our virtual machine. One thing that we didn't mention was that the POS terminals themselves weren't able to go online. So what they had to do to get data out was install an SMTP server on the back-of-house server, because they had internal communications. So the SMTP server was running on a private IP address, and that back-of-house server, which had a connection to the internet, was acting as an email proxy to send data out. All right, you guys couldn't see everything; okay, so we're going to jump right into the malware. It's a keylogger malware demo that we're doing. So if you see this icon, who wants to guess what this application looks like? It's an obfuscated application. PuTTY.

There you go. So on the face of it, it looks like a PuTTY application, but behind the scenes, I'm going to show you what it does. Basically, when this malware runs, it installs a key logger, and you would actually see an SFX archive being extracted there.

So I'm going to open two folders: one is going to be a temp folder and one is going to be the C:\Windows\security folder, and that's the folder where the key logger installs its files. So here's the security folder where the files are going to go.

So I'm just going to run this and then minimize this folder. As you can see, as you guessed it, it's PuTTY on the front end. You don't know what happened in the background, right? So if I close this, you'll see that the key logger files are put in the security folder, and this temp directory where the SFX archive was extracting. You can see this has the PuTTY application. All right. So what we're going to do is show how attackers take the data. As I mentioned earlier, they were only monitoring the POS application. So I'm actually going to go to the folder where the POS application resides, and that is this bin folder. Now, just so you know, if I put something in notepad.exe, it won't detect it, because it's not monitoring notepad.exe. So what I have to do is copy Notepad from the System32 folder and place it in this bin folder, because this is one of the processes that they're monitoring, and I'm going to change its name to the payment application, and then I'm going to open this up and feed track data to this file. So we're basically tricking the malware into thinking that this notepad.exe is a point-of-sale application. So anything that I swipe in here: these magnetic stripe readers that you see in bars are basically keyboard input. When you swipe credit cards here, the computer basically takes it as keyboard input, and that's how it logs. So I'm going to swipe a credit card here. All right. One thing I want to show you is that when we looked at this folder before, the bpk.dat file wasn't there. As I swipe a credit card here, you'll actually see this bpk.dat file grow. Right now it's only one KB, and I'm just going to keep swiping the card; hopefully Dark Tangent doesn't mind. Yeah, all right, I think we got enough of it.

Maybe you could memorize it, okay. So now we're going to go back to that folder where the key logger is putting its output file, the security folder. As you can see, it's two kilobytes right now. I'm going to try to open this with Notepad first, just to show you what you're going to see in this output file if you're a regular security administrator. So here we go; open it with WordPad, and all you see is just garbage. All this data is encrypted in the key logger's format. So what we're going to have to do to actually see the data is install the key logger, and we're going to install a legit version; that legit version is in my supporting tools, so I'm going to install a trial version. This is basically a five-day trial. Don't try this at home, obviously. All right, I have to agree to the terms, and I'm going to call it "legit key logger." So we're just going to launch the installed program so we can view the log file that the attacker created, and, as you can see, they want to thank you for being attacked. And there we go. We're going to go to Options, Logging, View log, and, as I mentioned before, all the output is being stored in the C:\Windows\security folder. So I'm going to go ahead and open this log file in C:\Windows\security, and there you go. The key logger is basically monitoring two processes: explorer.exe and IB er.exe, which, as I mentioned, is the point-of-sale application process. We basically tricked that malware into thinking that notepad.exe is actually IBRD.exe. So all this track data that you can see, they're taking it home, and that's basically how they take the data.

Now, one thing I want to mention here is that, now that security controls are being widely adopted and the databases of these point-of-sale applications are being encrypted, and the data is being encrypted in transit (what I mean by that is from a front-of-house machine to the back-of-house machine), the only way for them to take the data is in transit, and this keylogger is a perfect way to do it, because as soon as you swipe, it's intercepting the track data.

So that basically concludes the keylogger demo. You can actually save this file as HTML or whatever you want when you have it on-site, and then they basically sell these credit cards on the black markets. All right. So I'm just going to go to my snapshot, and, as you can see, my snapshot's name is Colin Sheppard. He's probably around somewhere; he's my boss. Thank you, Colin. All right, so while it restores, we're going to jump to the second piece of malware that we found. We're going to demo that as well later on, but for now we're just going to suspend this machine and take it when Nick says it's ready.

Okay, so now the second piece of malware we obtained from a hotel in New York. We're going to go through that example here. Basically, the architecture, as you see here, looks rather similar to what we saw in the casino club, but one minor difference here, which is actually a major difference, is that this was a chain of hotels, and so there was more than one environment connected here. You sort of see the router there leading up to corporate; that's a key aspect of how this compromise took place. But then we also have multiple machines here. We have a gift shop, a restaurant, a bar, a central processing server. One thing to note, when we are looking at the problems here: when we've done these investigations, we've often stayed at the same hotel that these investigations are taking place in, and people on our team have actually noticed that when you plug in in the hotel room, oftentimes you're actually able to reach all these servers that are around the environment.

So the IT administrators probably made one major mistake by actually plugging the switches in the wrong place. So keep that in mind when you're actually using hotel wired or hotel internet access.

We've also seen the wireless internet access plugged into the same exact network as the reservation systems in a lot of the hotels. But basically, the problems we saw here: the firewall was a consumer-level firewall. This is a major hotel that was using a consumer-grade firewall, and it basically allowed RDP in to many, many systems in the environment. A couple of things: the hotel management systems and the point-of-sale systems hadn't been patched in a number of years.

In this specific case, since 2004 and 2006, they had not run any updates in the environment. Weak usernames and passwords: actually, the administrator password was "nimda" in the environment, which probably made things easy for the IT guy to remember, but it also made it very easy for anybody who's trying to guess that password. They had no antivirus and no anti-malware. Anything running on these systems really wouldn't have mattered much, because, like you've seen in Jibran's demo, and what you'll see in some of the other demos, a lot of the malware that we find was custom created or just compiled directly before they actually put it in the environment.

So having antivirus in the environment really wouldn't help there. No network segmentation between any of the environments at all. Tools found: some things to note here. Basically, the stuff that's highlighted in blue we're going to show you in more detail, but there are some other tools that were associated with this attack as well. So, installation vector: again, this was Remote Desktop, live on the Internet. Basically, two different accounts were targeted: the administrator account and the backup account were targeted, and then the SQL debugger account was targeted as well. Again, they downloaded the attacker toolkit, and then one key difference here is that they didn't just target the one environment. When they got into the environment, they were actually able to connect to all the other environments in this chain of hotels, and they used PsExec to deploy this malware. One thing to note: this malware we're talking about here is actually a memory dumper malware, so it's a bit different from the keystroke logger; it actually targets memory. We're going to show you more of that. Some static analysis: now, there are two components to this malware package. There was a communication component, and this piece of the malware actually ran as a service. It makes an SSL connection out to a system in South Korea and had some anti-debugging features built into it. So if you try to run it through Explorer, it would do things like try to lock the workstation, try to terminate any processes that are running and close all terminal sessions, and basically try to disrupt what you're trying to do, if you're trying to run it through Explorer. It would also check to see if it's running in a VM. So it sort of shows the thought behind the things we're looking at here.

So we're actually not going to demo this aspect of it, because we're using a VM as a demo. But basically, if it detects a VM running in the environment, it actually tries to shut itself down and shut down the entire computer. It also has all the strings that it was using to search for things in the environment.

It actually encrypted them and then decrypted them upon run. Other interesting things: when we ran this tool and actually decrypted the strings, we found this little note that the attacker left here. One interesting thing is that it basically said, "I currently do not know what I intend to do with this, but I accepted a fact: I must do some limited experiments." So it's pretty interesting that "limited experiments" included about 80 hotels. Basically, this is the really active component that we're going to talk about and demo. This is winmgmt.exe. It was basically a normal Windows binary; it referenced a lot of things, the Winsock API, and had some FTP commands in it. And then one thing you probably see very small down there: that's actually the regular expressions to search for track 1 and track 2 data.

Track 1 and track 2 data, for those who aren't familiar with it: if you pull your credit card out of your pocket, the data that's stored on the magnetic stripe on the back of your credit card is not encrypted; it's essentially just encoded on the back of that card, just like Jibran showed you in the Notepad demo. Basically, this piece of malware was going to parse memory, and every single time it finds track 1 or track 2 data, it's going to log it to a file. We're going to walk through this stuff, because it didn't actually show you this, but the big item here is that it's designed to monitor one of eight point-of-sale systems. Now, we've seen later versions that sort of expand their scope, but the attackers really know what they're looking for. They're not just taking a guess and saying, "Let's launch it in the environment and just start dumping processes." This executable was actually compiled with the intent to find one of eight different point-of-sale systems and take the data out of memory. Some more data here about how the data got out of the environment.
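The talk says the memory dumper's parser is a pair of regular expressions for track 1 and track 2 data and that its output file de-duplicates cards. An incident responder scoping a breach like this one needs the same kind of parser pointed at the evidence (memory dumps, the staged output files, the recovered RAR contents) to count exposed cards without copying full PANs into a report. The following is an added example written for this page, not the speakers' code or the malware's: it scans a byte buffer for the public ISO/IEC 7813 track 1 (`%B...?`) and track 2 (`;...=...?`) layouts, drops digit runs that fail the Luhn check, de-duplicates by card, and reports only masked PANs. The patterns, the `SAMPLE_DUMP` bytes and the test card numbers are constructed for the example.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
# Patterns are deliberately strict (start sentinel, separators, end sentinel)
# to keep false positives low when run over large binary buffers. Constructed here.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]{0,50})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]{0,30})\?")


def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (BIN + last four), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return de-duplicated, PAN-masked track records found in buf, in offset order."""
    seen = set()
    findings = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue        # a digit run that merely looks like a PAN
            key = (track, pan)
            if key in seen:
                continue        # same card already recorded from this buffer
            seen.add(key)
            if track == 1:
                name = m.group(2).decode(errors="replace").strip()
                yy, mm = m.group(3).decode(), m.group(4).decode()
            else:
                name = ""
                yy, mm = m.group(2).decode(), m.group(3).decode()
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),   # full PAN never leaves this function
                "name": name,
                "expiry": f"{mm}/{yy}",
            })
    findings.sort(key=lambda f: f["offset"])
    return findings


# Constructed stand-in for a process memory dump: two real-looking track records
# for one card, a second card, a Luhn-invalid lookalike, and a duplicate record.
SAMPLE_DUMP = (
    b"\x00\x00MZ\x90junk"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?"   # track 1, card A
    b"\x00\x00"
    b";4111111111111111=25121010000000000?"              # track 2, card A
    b"\x00\x00"
    b";5500000000000004=26031010000000000?"              # track 2, card B
    b"\x00"
    b";4111111111111112=25121010000000000?"              # fails Luhn, ignored
    b"\x00\x00"
    b";4111111111111111=25121010000000000?"              # duplicate of card A
)


if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_DUMP):
        print(f"track {f['track']} @ {f['offset']:6d}  {f['pan']}  exp {f['expiry']}  {f['name']}")
```

Run against a real dump, the offsets tell you which process image (and, with the dumper's per-process files, which point-of-sale application) held the plaintext, while the masked output is safe to paste into a report; the count of distinct `(track, pan)` keys is the exposure figure the investigation needs.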

So, basically, the tool itself: another process that was used in conjunction with this was actually creating encrypted RAR files. Something we really noted in our investigations was that, with the encrypted RAR files, we didn't know what the passwords were. So when we were going through a cracking exercise, we found it easier because we took memory dumps; we actually found the passwords in memory on several of the systems we obtained, and then, using the same password scheme (basically, they used the server name or the system name in their password scheme), we were able to decrypt all the other locations' RAR files.

When it was all said and done, there were about 350,000 cards that we obtained from the RAR files that were pulled from these systems. And then propagation: like I mentioned earlier, the attackers were basically able to leapfrog from this one single environment and deploy this tool on all the other environments that were in the chain of systems. So here's Jibran with the live demo. Okay, before I do this demo, I just want to ask: how many people have memory in their computers? All right, so this is going to be fun, because this malware is taking the data from the memory, however secure the application that you're running is.

Even if you're running TrueCrypt and all that, there's a point in time where your data remains unencrypted in memory. So watch out for this. All right, so I'm going to resume my virtual machine. Okay, so this is not a single executable. This has three pieces to it, and I'm going to demo all three of them. As you can see, there are three files that this malware uses to steal credit card track data from the systems.

This is the actual memory dumper, and, as Nick mentioned, there are about eight point-of-sale applications that it's monitoring. So we're going to do the same thing again: we're going to try to trick this malware into thinking that notepad.exe is one of the point-of-sale applications. This dnsmgr.exe, which was compiled on the box, is basically the track data parser. So when you have the huge memory dumps from the processes, it looks at the memory dumps, looks for credit-card track data, and then takes it out of that file. Then winmgmt.exe: if you're a network administrator, you probably know that it's a legit Windows file, but in this case they are using that for malicious purposes. That's their binary, not the one that's found on your machine. Okay, so we're going to go with the demo.

Okay, so, as we can see, there are only three files here right now, and it's going to increase; watch out for that. So, basically, this winmgmt.exe: if you run it as a standalone binary, it won't run; it'll give you an error. To install it, you will actually have to use the install switch, and once you do that, as you can see, it's installed as a service. The intent of the malware is to stay persistent on the system, because they're taking the data in transit, so they want to have their presence on the system even after you reboot the systems.

So it's installed as a service. Again, if you're a regular IT administrator and you look at the service, you're not going to doubt this service, because it says "Windows management help service." All right. So luckily these malware writers have a debug option that they coded, so we're going to run this malware in debug mode. Basically, just look out for two things here. What do we see here? We see three files. When I run it in debug mode, it's going to create a memdump folder, which is going to be the location that the memory dumps are created in. And then you're going to see two more processes here in the system tray.

So it's going to be that memory dumper, and the second process is going to be the track data parser. All right, so let's go ahead with that. Okay, so, as I promised, we got the memdump folder. Now, notice it has no file in here, because it's not finding the process that it wants to monitor, but it's got these two applications, wonderful applications, that are going to monitor the system for track data, and they run pretty much hidden from the system. It's just that I'm running it in debug mode; that's why you're seeing all this data here. All right, so what we're going to do first is feed the track data to notepad.exe, to show you what the malware does.


Okay, so, as you can see, I'm feeding legitimate track data to this notepad application, and this malware is not responding. It's not doing anything; otherwise it would say something in here where it's monitoring. So we can tell that it's not monitoring notepad.exe. So what we're gonna do is basically trick the malware: rename notepad.exe so its name looks like a point-of-sale application. I'm gonna go to the system32 folder, again notepad.exe, and I'm gonna call it CDI.exe, which is a point-of-sale system application, and now I'm gonna run these two here again with CDI.exe. So as soon as I do that, you're gonna see that it's going to create a dump, and this dump is being created in this memdump folder, and you can see it has the name of the application, which it thinks is a point-of-sale application, and has the process ID in the name of the dump. So right now in this folder we only have a dump of about 238 kilobytes, but this dump is gonna increase as we feed data to the point-of-sale application, and we're gonna see it right now. So CDI.exe is running right now and I'm gonna feed track data to it. One, two, one, two, three. Okay, so now that I've fed track data to this payment application process, pretty soon we're gonna see here that it's going to create another dump, and it's gonna find track data in the file. So it usually takes a dump every two minutes, but in the interest of time, I'm actually going to trigger this application to create a dump. So I'm just gonna save this app...


...you know, this file as trigger dump. All right, yeah, let's keep it simple. So what you're going to see pretty soon, actually, you see it right now. The malware is pretty fast. It's running faster than I'm running. So basically it has found track data, track 1 data. And pretty soon you're gonna see an attacker output file, which they take home, in the same memdump folder. As you can see, it just created a file. This file wasn't here before, and this, basically, you know, it looks like a help file. So again they're trying to fool the IT administrators or security administrators, because they'll think, okay, it's a CHM file, how harmful could it be? But we're gonna open this in notepad. So you're gonna see how easy, you know, how neat their output is. So I'm gonna open this in WordPad again, and there you go. So basically, what they're taking home is this neat file, and it tells them that, hey, this is where the dump was, I found track 1 data and then I found track 2 data, and the data is there as well, and it's pretty good at sorting out duplicates as well. So, you know, it's doing a lot of things. So that basically concludes our memory dumper malware. Now, one thing to keep in mind is that I've shown you the demo for only the track data, but just imagine how much stuff goes through your memory. You know, if you're using Firefox, you're typing your social security number, you're typing in your password, even the passwords that go through SSL, they can be in the memory. So anyone who uses memory in their computers, you got to be careful here. It has PGP keys, TrueCrypt keys, basically everything that you type. And one thing I want to mention here is the keylogger malware. You know, even though it's all nice and stuff, it only grabs the input that you feed to it.

So if you're typing in, then that's what the keylogger is gonna get. Memory is a little different. Memory is actually more risky. I call it a keylogger on steroids, basically, because not only is your input being monitored, but the input of the party that you're communicating with too. Like if you're on AIM chatting with someone on AOL, you type in some info, your buddy types in some info, that's gonna stay in memory. So if you're parsing for the right stuff, memory has a lot of good info. So just watch out for that. So that basically concludes our memory dumper malware. Nick's gonna show you another malware which is even more interesting, so watch out for that.

Okay. So now we're gonna jump back into the presentation. Okay. So the next piece of malware that we're going to talk about is basically based upon some investigations we performed, and it's more of our proof of concept based upon those investigations.


Various systems have been attacked with what we're calling credentialed malware, and I'll sort of define that for you when we go to the next slide. But just something to note is that in what we're showing in this demo, we're not talking about any vulnerabilities in any video poker system. We didn't find any vulnerabilities in video poker systems. Just sort of leaving that as a disclaimer here for everybody in the room. But really the purpose of this demo is to talk about and introduce the concept of credentialed malware. And so what is credentialed malware? It's just like any other piece of malware, but the idea and concept is that once you get this malware into a system, you, as the attacker or the person who's running this malware, are now able to dispatch credentials in the form of tokens to other people to be able to use it, and you can set roles and the tasks that they're able to perform. Specifically, this type of malware is targeting kiosk-based environments, so places where you're not able to maybe get information out via a network interface, but you're able to walk up to that system and actually perform some transactions. And so basically these tokens are being used as authentication tokens to trigger various aspects of the malware. And then, of course, in the organized crime world, you could think of a sort of hierarchy where you can then rent these tokens out to do various functions, and you can then shut them off, turn them back on, and control who has access to this malware that you now have on a system. So to sort of introduce that concept, we decided to choose a video poker system. So to show the architecture here, we have over on the left-hand side, on the sort of green screen there, the video poker desktop, and so that's the video poker system that everybody probably walks around the casino and sees.

You see, you know, a thousand instances of them sitting out there. Now, the credential token that we're gonna use in this demo is actually a voucher. So everybody has seen vouchers before. We have some of them here. Printed up is a twenty dollar voucher. So basically you insert that into the machine, it allows you to play the game, you lose all your money, and then you sort of get up and go home. In this case now we have the casino network and we also have the casino itself. So some common problems in this type of environment.


You know, you're talking about physical access to these devices. So, the number of machines in the environment. You know, does the eye in the sky actually watch the repair people? You know, you walk around casinos, you see people opening up machines all the time; something jams.


You know, something's broken, something burns out, they're replacing boards. Who's watching those people? Are they keeping track of what they're actually doing? Passwords are difficult to manage. You know, in our investigations looking at systems in hotels and casinos and other various places, they use the same password on every single system.


Do you think that the password is unique on every single video poker machine? Probably not. Also, you know, are you running antivirus on these video poker machines? Probably not. And then, of course, under the hardened case you have, you know, really just a low-end PC. There are keyboard ports, USB ports and whatever else is there. And then, of course, what OS are they running? You know, we don't know how often they're patched, probably not very often. So installation vectors, possible scenarios here: physical attack.


Someone walks up who has a legitimate, you know, need to get into the system. They install a USB key fob or something in the environment, install the malware, you know, execute it, and now it's running on their system. In other scenarios, malware's placed in the system up front, from the distributor or the manufacturer, and it's running live. Now one thing to note is that the tokens that we're going to talk about and show you, that's what's used to actually trigger this malware. So you, as a normal user walking up to the system, you're not going to be able to know that the malware is running on the system at all. Basically, the token concept we're introducing here is sort of, you know, multiple types of levels of things. So we're talking about single-function, you know, authentication cards; we're talking user vouchers. Basically, that triggers one aspect of it. This may be given to a mule who you say: go to these various video poker machines, insert it into the system and basically, you know, tell me what it says on the screen. That might be one function of a mule. A multi-function could be someone who's actually deployed this malware and is then able to do other commands and run various other things.


And of course, if the malware doesn't see a user voucher in place, it actually just continues on. It thinks that someone's sitting down playing a game. Nothing really happens. So the functions we put into this demo here. So basically, your keyboard input is very limited when you're on a video poker machine. You have the hold keys, you have your deal, your max bet, and some various other keys, but you don't have a full keyboard. So you have to really make use of those if you're gonna write malware for this. So examples here we have: you know, if you authenticate with the video poker machine, you hit the hold-one button and it uninstalls it, so you could sort of wipe the tracks that this malware has been running on there. You know, hit number two, and it displays stats on the system. It tells you how many uses have been taking place with this malware. It tells you, you know, various other things.


Then, of course, you can modify the credits, and the thing that's even more interesting is being able to modify the credits or shift the odds. And when you modify the credits, you could enter in what you want that system to actually have on it, and then, of course, cash it out. So propagation, similar type of thing. If these things are all networked together, what can you actually do from there? I think we talked about that in some other demos. So basically, here we're gonna boot up the video poker machine and show you this live. Okay, so I'm gonna come back to my original machine and we're gonna see the video poker malware. And don't try this here, because you could get in a lot of trouble, all right. Okay. So we have the malware booting up here. So while it's booting up, or actually, this is the video poker system booting up, so while it's booting up I really want to show you...


...talk a little more about the vouchers. So in my hand I have the $20 voucher. This is a legitimate voucher that we're gonna use. We have one of the two user vouchers; this one will actually trigger the single function. And then we have a voucher that will actually trigger the multi-function card. So we're gonna go through and actually, you know, swipe those in, okay. So here goes the $20 voucher. It's gonna enter into the system. There you go.


So we've got the twenty dollar voucher going in. See, there's twenty credits on the screen. So now we're gonna go ahead and play, and max bet it. You see the bets go to twenty dollars there. Of course, what happens happens to everybody here: you go through and then you lose. So now we're gonna swipe the single-use voucher through the system and show it to see what happens there. So the user voucher is intercepted by the malware, and it actually pops up the display stats here, so you can see information about the voucher, or about the system that we're looking at, and the IP address. It tells you the name of the malware that's running down there, I'm sorry, the odds shift, sort of the concept of actually changing the odds on the system.


And of course then you just sort of move on and you clear it out, and it goes back to a regular screen. Next piece: we're gonna actually demo the multi-use voucher here. So now a couple of different functions here. So now this pops up a menu like I showed you earlier, the menu of doing various things. The first thing we're gonna do is actually option three, and it tells it to shift the odds plus one. So basically put it in our favor, and you can sit down and do that, and you clear the screen and now you start playing. You may have, in various aspects here, that they're actually able to rent someone a voucher that only lets them do that, so they can only shift the odds. They can't do anything else, and you could put a price on that. Now we're gonna run another multi-use voucher through the system that's gonna let us do something else. So I pick option four, clear through it, and we're actually gonna be able to go through and modify the credits, and we only have five keys to play with here.


So, you know, you really have combinations of five, four, three, two, one. So we're gonna actually modify and add 54321 credits to the system, and of course you see in the bottom left-hand corner we've added those credits. In a normal scenario, you maybe want to bet those credits, or maybe you want to cash out. So now we've cashed out and all systems cleared; no one has any knowledge that we've actually done this. I'm sitting in front of it in a casino. Okay, so now we're gonna jump in.


We have about eight minutes left, so we're gonna quickly go through the last one and see if we actually can show you that demo. Okay, all right. So this last sample we have is a restaurant in Michigan, basically similar problems as the first two malware, where, you know, these little merchants don't have a full-time IT staff, so they have a third-party IT integrator supporting them, so they like to come into the systems with ease.


You know, they don't like to travel any time there's a broken printer, so they have VNC open from outside so they could just control all the machines from outside. Similar thing: you know, no egress filtering, no outbound filtering on the back-of-house server, and the point-of-sale terminals with full internet access allowed. So the problems in here: obviously VNC was allowed from outside, which is a big no-no, and the systems had weak passwords. Actually, for 18 of those restaurants in Michigan the integrator was using the same password, and the credentials were basically admin and support, pretty simple. The point-of-sale terminals were not running antivirus, they had unrestricted Internet access, and basically the same passwords for all the systems in the region. This is basically the malware list from that system, and what I want to show here is that this malware is kind of special, because what it does is it has an IRC bot, and when you install the malware it looks for a POS application version, and then it creates the malware on site and tells the malware to monitor the ports of that specific point-of-sale system.


So this IRC bot does that, and then there's a custom packet sniffer, and then all the data is being placed in the export folder and then uploaded to an FTP server. So basically for this malware the attackers even had to install the Microsoft .NET Framework. I thought it was pretty funny. It was only sniffing the TCP traffic on four ports, and then basically the files were named IP address dot cap and IP address dot recap, and the data was being uploaded to a server in Munich, Germany. You know, I don't think we're gonna have time to show the malware, so we're just going to go to the conclusion slide. And, yeah, so I just want to show you the additional comments here. We actually told the FBI about it and the server was raided, and we found out that 18 of the locations were sending data to that particular FTP server, and we are basically investigating about six of them right now. So we're gonna hit the conclusions right now. So, as you can see, malware is dominating. Computer memory is the target for extracting sensitive data. One thing that I forgot to mention on the memory dumper malware was that, you know, I have a pretty funny relationship with these malware writers. Basically, I've seen them grow. You know, I've seen the malware grow. So before, the malware used to take the full kernel dumps and put them on the hard disk, and this...


You know, as you can imagine, when it creates too many dumps, the system's gonna run out of disk. So do you want to guess what the solution of the merchants was when they were seeing low disk space on their servers? Add more disk.


You got it. So they basically purchased Western Digital drives, they were putting data in, and they were actually deleting their legit files. So they were deleting their accounting files to accommodate the attacker's memory dumps. So that's kind of funny, and, as I said, they've grown, and in the end it's gonna keep growing. So watch out for this memory dumper malware, and you heard it here first: you're gonna see this memory dumper malware grow a lot and take a lot of your personal data. So watch out. In the other aspects here, you know, really, we're finding that companies are really not learning, so many of the investigations, like you saw from the initial way that the attackers are getting in...


These are simple tactics, I mean guessing passwords using RDP or VNC, very, very simple. But historically, what they're not doing, what they were doing before, was basically smash-and-grab; that's done. They're not popping into the environments and just moving the files off the system. They're actually sticking around for a very long time. We didn't mention, with some of the examples, that some of these attackers were in these environments for up to two years, sitting around and doing these things before we actually were brought in to do the investigation. And then really we're finding, once a malware proved successful, once they're learning that in one environment the stuff is working, they're really going out there and rubber-stamping the stuff all over the place, and we often see one environment turn into five, then turn into ten, and then turn into 80 to 90 that are all infected with the same malware, doing the exact same thing. So here's something you can see once you actually download the presentation: some of the tools we like to use and, of course, our contact information. You can email us or visit our website, and we're gonna actually have a copy of the presentation posted there as well. All right, thank you so much for being here. Hope you enjoyed it, thanks.
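The memory dumper demo earlier in the talk describes the track data parser only in words: it takes a dump of the process whose name matches a point-of-sale application, finds Track 1 and Track 2 records in it, de-duplicates them, and writes a neat output file. As an added example that is not part of the talk and not code from any malware sample it describes, here is the same scan from the analyst's side, in Python: a small scanner that reads a process memory dump (a constructed byte buffer here, standing in for a file from the memdump folder), finds ISO 7813 Track 1 and Track 2 records, drops false positives with a Luhn check, de-duplicates, and reports with the PAN masked. The regular expressions, the (track, PAN, expiry) dedup key, the report format and the sample buffer are assumptions of this example, not details taken from the sample shown on stage.

```python
import re
from collections import OrderedDict

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
# Field layouts follow ISO 7813; the exact patterns are an assumption of
# this example, not something taken from the malware shown in the talk.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check: rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN (first 6) and last 4 digits, mask the rest for reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_dump(buf: bytes) -> list:
    """Find unique, Luhn-valid track records in a raw memory dump."""
    found = OrderedDict()  # (track, pan, expiry) -> record; dedup key is an assumption
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        found.setdefault((1, pan, m.group(3).decode()), {
            "track": 1, "pan": pan, "name": m.group(2).decode(errors="replace"),
            "expiry": m.group(3).decode(), "service": m.group(4).decode(),
            "offset": m.start(),
        })
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        found.setdefault((2, pan, m.group(2).decode()), {
            "track": 2, "pan": pan, "name": None,
            "expiry": m.group(2).decode(), "service": m.group(3).decode(),
            "offset": m.start(),
        })
    return list(found.values())


def report(dump_name: str, records: list) -> str:
    """Render findings the way an analyst's output should look: PAN masked."""
    lines = [f"dump: {dump_name}"]
    for r in records:
        lines.append(f"  track {r['track']} @0x{r['offset']:x} pan={mask_pan(r['pan'])} "
                     f"exp={r['expiry']} svc={r['service']}")
    return "\n".join(lines)


# Constructed stand-in for a dump file: filler bytes around a Track 1 and a
# Track 2 record for a standard test PAN (4111111111111111), a repeated Track 2
# record (must be de-duplicated) and one with a bad check digit (must be dropped).
SAMPLE_DUMP = (
    b"\x00" * 16 + b"MZ\x90\x00some heap junk"
    + b"%B4111111111111111^DOE/JOHN^2512101000000000000000?"
    + b"\x00" * 8 + b";4111111111111111=2512101000000000?"
    + b"more junk" + b";4111111111111111=2512101000000000?"
    + b"\x00" * 4 + b";4111111111111112=2512101000000000?"
)

if __name__ == "__main__":
    # Dump file name is made up; the talk's dumps carried the process name and PID.
    print(report("cdi.exe_1234.dmp", scan_dump(SAMPLE_DUMP)))
```

Running it against a real dump is `scan_dump(open(path, "rb").read())`; the Luhn filter matters because a 16-digit run in a heap is common and a `;...=...?` wrapper around it is not proof of card data, and the masked report is what you hand to a merchant, since the unmasked equivalent is exactly the file the attackers were taking home.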
