IT security blogs have recently been abuzz with stories about RAM-scraping attacks. But what exactly is RAM scraping?
At its simplest, RAM scraping is malware, typically a Trojan horse, reading sensitive data directly out of a running system's memory, where that data has to exist in cleartext while an application is working with it. As with other data-stealing malware, the Trojan horse then sends what it finds to a collection point on the Internet.
While there are several variations of RAM-scraping attacks, the methods share a common pattern.
Suppose a malware author wants to steal Social Security numbers as part of an identity theft scheme. The attacker identifies a line-of-business application that is connected to a database where such information is commonly stored, then writes a Trojan horse that attaches to that application the way a debugger does. Using the same operating system facilities a debugger relies on (opening the target process and reading its address space), the Trojan can read the memory of the processes that make up the application. Depending on the operating system (OS) and on the privileges the application runs with, the malware may first have to elevate its own privileges before the OS will let it read the target's memory space; the access check that protects one process's memory from another is the same one a debugger has to pass.
Once the attackers can read the process's memory, they search its contents for the data they want. For a Trojan horse built to steal Social Security numbers, the search looks for digit strings in the expected format: three digits, a dash, two digits, a dash and four digits. In practice that search is a pattern match, a regular expression or a cruder template of wildcards (asterisks) and formatting characters, run over every readable page, usually with a sanity check on the candidates to weed out random digit runs.
However, RAM-scraping attacks aren't always quite so targeted.
A few years ago, I saw a proof-of-concept Trojan horse that triggered a general protection fault, resulting in a "blue screen of death." The idea behind this technique is that some Windows OSes produce a crash dump file containing the full contents of a system's memory whenever a blue-screen event occurs. The proof of concept that I saw acted as a debugger, which was capable of parsing the crash dump file and looking for specific search strings.
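What the Trojan's "query" against memory looks like in code, and the same search applied to a crash dump read in chunks: this is an added example written for this article, not the malware or the proof of concept described above. It assumes the targets are Social Security numbers in AAA-GG-SSSS form and card numbers of 13 to 19 digits that pass the Luhn check, searches both ASCII and UTF-16LE (the encoding Windows applications typically hold strings in), and uses a constructed byte buffer, SAMPLE_MEMORY, in place of real memory. scan_process reads a live process through Linux /proc and is included to show where the permission check mentioned above bites; it is not exercised on the sample.

```python
"""Search a memory image for Social Security and payment card numbers.
Added illustration, not the Trojan or proof of concept the article describes.
The image may be a live process read via /proc (scan_process, Linux) or a crash
dump on disk (scan_stream).  SAMPLE_MEMORY is a constructed buffer, not real memory."""
import io
import re
from typing import BinaryIO, Dict, List

# SSN as AAA-GG-SSSS.  The lookaheads reject area 000/666/9xx, group 00 and serial
# 0000, which are never issued, so fewer random digit runs match.  [0-9] rather
# than \d keeps matches to ASCII digits after the UTF-16 decoding below.
SSN_RE = re.compile(
    r"(?<![0-9])(?!000|666|9[0-9]{2})[0-9]{3}-(?!00)[0-9]{2}-(?!0000)[0-9]{4}(?![0-9])")
# PAN candidate: 13-19 digits, optionally split by single spaces or dashes; Luhn decides.
PAN_RE = re.compile(r"(?<![0-9-])(?:[0-9][ -]?){12,18}[0-9](?![0-9-])")
# Longest target: 19 digits + 18 separators in UTF-16LE = 74 bytes.  Dump chunks
# overlap by this much so no match is lost at a chunk boundary.
OVERLAP = 80


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _text_views(data: bytes) -> List[str]:
    # latin-1 is a 1:1 byte mapping, so ASCII text survives; UTF-16LE at both
    # alignments recovers the wide strings Windows applications hold in memory.
    return [data.decode("latin-1"),
            data.decode("utf-16-le", errors="ignore"),
            data[1:].decode("utf-16-le", errors="ignore")]


def scan_buffer(data: bytes) -> Dict[str, List[str]]:
    """Distinct SSNs and Luhn-valid PANs (digits only) found in a byte image."""
    ssns, pans = set(), set()
    for view in _text_views(data):
        ssns.update(m.group() for m in SSN_RE.finditer(view))
        for m in PAN_RE.finditer(view):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                pans.add(digits)
    return {"ssn": sorted(ssns), "pan": sorted(pans)}


def _merge(found: Dict[str, set], hits: Dict[str, List[str]]) -> None:
    for key, values in hits.items():
        found[key].update(values)


def scan_stream(fh: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, List[str]]:
    """Scan a large image such as a crash dump without loading it all at once."""
    chunk_size = max(chunk_size, OVERLAP)
    found = {"ssn": set(), "pan": set()}
    tail = b""
    while block := fh.read(chunk_size):
        _merge(found, scan_buffer(tail + block))
        tail = block[-OVERLAP:]
    return {k: sorted(v) for k, v in found.items()}


def scan_process(pid: int) -> Dict[str, List[str]]:
    """Read a live process's private writable mappings via /proc (Linux only).
    The kernel applies the same ptrace access check a debugger faces, so this raises
    PermissionError unless the caller may ptrace the target: the privilege step."""
    found = {"ssn": set(), "pan": set()}
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb") as mem:
        for line in maps:
            addr, perms = line.split()[:2]
            if not perms.startswith("rw") or perms[3] != "p":
                continue  # heap, stack and data pages only
            start, end = (int(x, 16) for x in addr.split("-"))
            try:
                mem.seek(start)
                _merge(found, scan_buffer(mem.read(end - start)))
            except (OSError, ValueError, OverflowError):
                continue  # mapping vanished or is not readable through mem
    return {k: sorted(v) for k, v in found.items()}


SAMPLE_MEMORY = (  # constructed stand-in for a page of process memory
    b"\x00\x10\x7fELF junk"
    + b"name=J. Doe;ssn=123-45-6789;"                # ASCII SSN: should match
    + b"badssn=000-12-3456;"                         # never-issued area: no match
    + "PAN:4111111111111111".encode("utf-16-le")     # wide string, as on Windows
    + b"\x00"                                        # odd byte misaligns next string
    + "card 5500 0000 0000 0004 exp 12/26".encode("utf-16-le")
    + b"\x00\x00 4111111111111112 "                  # fails Luhn: ignored as noise
    + b"\xde\xad\xbe\xef" * 8
)


def scan_sample_in_chunks(chunk_size: int) -> Dict[str, List[str]]:
    """Chunked scan of the sample; must equal scan_buffer(SAMPLE_MEMORY)."""
    return scan_stream(io.BytesIO(SAMPLE_MEMORY), chunk_size)
```

scan_buffer(SAMPLE_MEMORY) returns {'ssn': ['123-45-6789'], 'pan': ['4111111111111111', '5500000000000004']}: the Luhn check is what keeps the 4111111111111112 run out, and the misaligned wide string is only recovered because both UTF-16 alignments are tried. scan_sample_in_chunks(OVERLAP) returns the same dictionary even though the 80-byte chunks cut through the second card number, which is the point of the overlap. Pointed at a crash dump with scan_stream(open(path, "rb")), the same search doubles as a check a defender can run: if a dump written by a POS system contains cleartext card numbers, the encryption boundary is not where the deployment assumed it was.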
RAM scraping has been around in one form or another for several years. It has received a lot of media attention lately because of the recent attack against Verizon Business Data, in which the attacker used RAM scraping to steal credit card numbers from a point-of-sale (POS) system.
This attack drew so much attention because Payment Card Industry (PCI) standards require credit card data to be encrypted in storage and in transit. But encryption only protects data while it is encrypted. The card number has to be read from the card and held in cleartext before it can be encrypted, and on the back end it has to be decrypted before the transaction can be processed. Those cleartext moments, in the memory of the POS terminal and of the processing system, are where the numbers are most exposed, and that is precisely the gap a RAM scraper exploits.
The Verizon Business Data breach succeeded because the malware was custom code written specifically for that environment: a zero-day attack for which no antivirus signature existed. Other malware is known to employ similar memory-reading techniques, but in a far less targeted way.
Up-to-date antivirus software is a necessary baseline against RAM-scraping attacks, but as the custom code in the Verizon case shows, signatures alone will not stop a targeted scraper. Layer on controls aimed at the technique itself: restrict which accounts on a system are allowed to debug or read other processes' memory, disable complete memory dumps on production systems so a forced crash does not write the whole of RAM to disk, and watch for processes that attach to the payment application or for POS systems talking to unexpected Internet destinations, since the scraped data still has to be sent to a collection point.
About the author:
Brien M. Posey, MCSE, has received Microsoft's Most Valuable Professional Award four times for his work with Windows Server, IIS and Exchange Server. He has served as CIO for a nationwide chain of hospitals and healthcare facilities and was once a network administrator for Fort Knox. You can visit his personal website at www.brienposey.com
This was first published in February 2010