Okay, thanks everybody. This is Malware Freak Show. We're going to run through the agenda briefly. We're going to talk about who we are, how we got the malware, the analysis outline, and then we're going to go through some samples. That's where you're going to see some demos. We have 50 slides and four demos to go through, so we're going to be moving rather quickly. Then we're going to finish up with some conclusions and give you a list of some tools we like to use.

So, who we are. I'm Nick Percoco. I'm the head of SpiderLabs. I have about 14 years of information security experience. My world of information security started about 15, 16 years ago, when I started dabbling around running EFnet IRC servers back when I was in school. I used to dabble with IRC bots; I wrote a bunch of bots that emulated ELIZA, trying to do the Turing test online, and even had a bot get asked out to prom. And this is Jibran Ilyas.

Hi guys, I'm Jibran. As you can read, I've done hundreds of security incident responses, and I just recently got a master's degree from Northwestern University. So as you can see, I'm a good boy, and I will be taking you on a ride. So hopefully everyone's ready. Go.

Okay, so who is SpiderLabs? Basically we're a team within Trustwave. We do incident response, penetration testing, and application security tests for Trustwave clients, and in terms of volume, we've responded to hundreds of security incidents, done thousands of ethical hacking exercises, and tested hundreds of business applications through our labs.

So how did we get the malware? Now, we didn't set computers up on the internet and just allow people to hack them and put malware on them. The malware we're going to show in the next several slides is actual malware that we took out of compromised environments. These environments were confirmed compromised; the data was confirmed taken from these environments and used for fraudulent purposes out in the real world. And so we're going to take you through that. The basic method of acquisition: we do a lot of live analysis, memory dumps, and disk imaging, and then of course take all of that back to our labs, either in Chicago or London, and churn through it to produce some results.

So, the analysis outline. We tried to organize each of these samples in a cohesive manner. We're going to go through the basic architecture and try to tell a story about the environment these were taken out of. What did the architecture look like? What were the problems we saw within the environment? What tools were found? What did the hackers leave behind, what were the traces that we found? And then of course the installation vector: how did the tools get into the environment in the first place? Then we do some static and dynamic analysis, show you what we learned about the malware, and show how the data got out of the environment. And of course, what you're probably really looking forward to seeing: we're actually going to demo this stuff live.

So we'll jump into sample A. This environment was a casino club in Las Vegas, so it's someplace not too far from this hotel. We're showing you the visual aspects of the environment so you can see what it looked like. Over on the right-hand side of the screen you have the internet; everybody knows what that is. Then you have a firewall sitting out there, and then a back-of-the-house server. This is a server that is used for processing the data being transmitted and used by the front-of-the-house systems. The POS terminals you see range from small, bulky calculator-type devices that people swipe cards through to the touchscreen computers used in clubs. Specifically in this environment, these were the touchscreen systems. When you go to a club or a bar, the server takes your credit card, swipes it through the system, types in what you had, a couple of beers, a martini, and off goes the data. So that's what was being used in this environment.

So what were the problems found in this environment? Very, very basic stuff. Remote desktop was allowed from the internet into the club point of sale system. The previous slide showed you this point of sale server out there; remote desktop was wide open from the internet. We found common passwords, weak passwords, in the environment, and specifically, the name of the point of sale system was also used as the password. That makes it very easy for the IT guys to admin these systems, but it also makes it easy for the attackers to get in. We found that antivirus hadn't been updated on the point of sale systems for at least eight months, so that was a big problem there. And then the customer data we saw on the system was carried over from two previous owners. Think about this: you're running a restaurant, or in this case a bar, and you go out of business, so you try to sell the stuff on eBay. That happened twice with these systems we looked at. Someone sold them online or sold them to somebody else, and no one bothered to wipe the system. So we found live customer data from two previous owners on these systems. And of course this casino's network was very, very flat. The club that we investigated was on the same exact flat network as the reservation systems, the same exact flat network as the fast food places in the lobby and the gift shops, wide open. Anybody who plugged into any of those networks could navigate to any of the systems in the environment.

Tools we found in the environment: we're going to go into more detail on these, and you probably can't read this anyway past the third or fourth row, so we're going to skip past this.

Installation vector. How did the attacker get into the environment? Of course, remote desktop; we already talked about that. The targeted account was the POS user. The attackers launching these attacks have a whole laundry list of point of sale usernames and passwords available to them. They know exactly what the default passwords are. They scan out there for remote desktop, try the default username and password, and they're in the environment. Once they were in, they downloaded an SFX archive from a website that we were actually able to navigate to; it was still up and running when we were doing the investigation. It was Drugzeller-something, and we're not going to show you the rest of the name. The SFX archive had a keylogger and a PuTTY executable within it. The other interesting aspect is that the attacker then, using the bar's computers, went online and purchased an SMTP server to install on the club point of sale system. As noted on the previous slide, the only way into the environment was remote desktop. The only way out of the environment was through the point of sale server; otherwise there was no ability to get out of the environment. And then they used VNC to manage those systems, because the point of sale terminals had no keyboard and really no mouse. So if the IT folks needed to manage them or do upgrades, they would just VNC from the point of sale server, and that's how they would get in.

Here's a listing of the directory. I want to take this. Sure.

So as you can see, we got into their server and we see a lot of interesting tools. Some of them are keylogger executables, some of them remote desktop crackers, and so forth. And this is a screenshot, as Nick just told you, of them actually buying an SMTP server from the merchant's machine. That's the screenshot for that, the $69 that they spent. Anyone want to guess whose credit card they used? That's from the merchant.

All right. So what does XXX.exe do? It's basically a packed SFX archive. When they installed it, they installed it in a folder under Program Files, in the Outlook folder, so they could stay hidden from IT administrators and security administrators looking for malware. As you can see, Windows\security is one of the other folders they installed things in. C:\Windows\system32, a malware favorite. And then the other one, for the hackers that are lazy: they just installed it in the C:\Program Files\BPK folder. So this keylogger has the ability to hide from Task Manager, the Start menu, and the system tray. If a regular IT person took a look at it, if you were to take a look at it, you wouldn't be able to tell that a keylogger was running on the system. And the file where they store the credit card track data that they steal from the systems is actually an encrypted file, statically encrypted, which can only be opened by the keylogger's log viewer. That's a great way to hide the data.
So if a regular person is looking at the BPK.dat file, even if you try to open it with Notepad, you won't be able to see the contents, because it's all encrypted.

One of the more interesting things about the keylogger when we were investigating it: it takes screenshots at regular intervals. So not only did it have screenshots of the user's activities, it also had the attackers' activities. When the attackers were going into their website, it was taking screenshots every 30 seconds and storing them in a hidden directory.

All right, so now I'm going to show you some of the options of this keylogger. As you can see, it's a commercially available keylogger, but they had a very customized version of it. You can hide the program icon, and there's a key combination that only the attacker knows to bring the options menu up. You can even hide it from Ctrl+Alt+Delete, and you can run it on Windows startup, so the keylogger comes up even when you reboot the system.

All right, that's another screen. That's for the visual surveillance I was talking about; it didn't even spare the attackers' activities. They were taking screenshots every 15 minutes at medium resolution. They didn't want anything big. They were kind of nice. This one is for emailing the logs, the keylogger output, and what this is saying is that every 30 minutes they were sending the logs via email. That's another screen. Now, the attackers could have monitored every single key typed on the keyboard of the hacked computer, but they wanted to cut their work down. So they monitored just the applications that contain credit card data. On a point of sale system, they only put in one application, the one known to process credit card transactions. As Nick said, if you go to a bar and you swipe a credit card, the application that actually processes those transactions, that's the application they were monitoring.

Do you want to go? Yeah, sure.

So the logs that we collected from this keylogger: we had to black those out, but those are actual track data logs from the actual swipes that were going on inside this bar. The keylogger was then emailing this off to an email address, Montana at a free email domain. Here are some other screenshots. One interesting thing is that you can see the attacker was also tripped up by their own keylogger on the SMTP site; we were able to obtain their password. And the other thing here, you can see where they were copying and pasting the serial key, not for the keylogger, but for the SMTP gateway. Here are some other logs we obtained from the SMTP gateway. You can see them actually sending that data out to the email address. We blacked out a lot of things to protect the innocent, but you can see the data going back and forth.

So right now we're going to jump into a live demo, and Jibran is going to take you through the installation and execution of this specific piece of malware.

All right, so we're going to do a live demo for you in our VMware machine. Okay, one thing that we didn't mention was that the POS terminals themselves weren't able to go online. So what they had to do to get data out was install an SMTP server on the back-of-house server, because they had internal communications. The SMTP server was running on a private IP address, and that back-of-house server, which had a connection to the internet, was acting as an email proxy to send data out. All right. Okay, you guys can see everything okay? All right, so we're going to jump right into the malware.

It's a keylogger malware demo that we're doing. If you see this icon, who wants to guess what this application looks like? So it's an obfuscated application. PuTTY, there you go. On the face of it, it looks like a PuTTY application, but behind the scenes, I'm going to show you what it does. When this malware runs, it installs a keylogger, and you'll actually see an SFX archive being extracted. I'm going to open two folders. One is going to be a temp folder and one is going to be the C:\Windows\security folder, which is the folder where the keylogger installs its files. So here's the security folder where the files are going to go. I'm just going to run this and minimize this folder. As you can see, as you guessed, it's PuTTY on the front end. You don't know what happened in the background, right? If I close this, the keylogger files have been put in the security folder, and in this temp directory where the SFX archive was extracting, you can see it has the PuTTY application.

So what we're going to do is show how the attackers take the data. As I mentioned earlier, they were only monitoring the POS application. So I'm going to go to the folder where the POS application resides, and that's this bin folder. If I put something in notepad.exe it won't detect it, because it's not monitoring notepad.exe. So what I have to do is copy notepad.exe from the system32 folder and place it in this bin folder, because this is one of the processes they're monitoring, and rename it to the payment application. Then I'm going to open this up and feed track data to this file. We're basically tricking the malware into thinking that this notepad.exe is the point of sale application. So anything that I swipe in here: these magnetic stripe readers that you see on bars are basically keyboard input. When you swipe cards here, the computer takes it as keyboard input, and that's how it logs. So I'm going to swipe a credit card here. One thing I want to show you is that when we looked at this folder before, the BPK.dat file was in there, and as I swipe a credit card here you'll see this BPK.dat file grow. Right now it's only 1 KB, and I'm just going to keep swiping the card. Hopefully Dark Tangent doesn't mind. All right. I think we got enough of it. Maybe you could memorize it.

Okay. So now we're going to go back to the folder where the keylogger is putting its output file, the security folder. As you can see, it's 2 KB right now. I'm going to try to open this with Notepad first, just to show you what you're going to see in this output file if you're a regular security administrator. So here we go. I'm going to open it with WordPad, and all you see is garbage. All this data is encrypted in the keylogger's format. So what we have to do to actually see the data is install the keylogger; we're going to install a legit version in a bit. That legit version is in my supporting tools. I'm going to install the trial version. It's a five-day trial. Don't try this at home. Obviously I have to agree to the terms, and I'm going to call it "legit keylogger." All right, so we're just going to launch the installed program so we can view the log file the attacker created, and as you can see, they want to thank you for being attacked. And there we go. We're going to go to Options, Logging, View Log, and as I mentioned before, all the output is being stored in the C:\Windows\security folder, so I'm going to go ahead and open this log file in the C:\Windows\security folder, and there you go.

So the keylogger is monitoring two processes, explorer.exe and iber.exe, which as I mentioned is the point of sale application process. We just tricked the malware into thinking that notepad.exe is actually iber.exe. So all this track data that you can see, they're taking it home. That's how they take the data. Now, one thing I want to mention here is that, now that security controls are being widely adopted and the databases of these point of sale applications are being encrypted and the data is being encrypted in transit (what I mean by that is from the front of house machine to the back of house machine), the only way for them to take the data is in transit. And this keylogger is a perfect way to do it, because as soon as you swipe, it's intercepting the track data. So that concludes the keylogger demo. You can actually save this file as HTML or whatever you want when you have it on site, and then you can get these credit cards to the black markets. So I'm just going to go to my snapshot, and as you can see my snapshot's name is Colin Sheppard; he's probably around somewhere, he's my boss. Thank you, Colin. All right, so while it restores, we're going to jump to the second piece of malware that we found. We're going to demo that as well later on, but for now we're just going to suspend this machine and take it up when Nick is ready.

Okay, so now the second piece of malware, which we obtained from a hotel in New York; we're going to go through that example here. The architecture, as you see here, looks rather similar to what we saw in the casino club, but one minor difference, actually a major difference, is that this was a chain of hotels, and so there was more than one environment connected here. You see the router there leading up to corporate; that's a key aspect of how this compromise took place.
But then you also see the machines here: we have a gift shop, a restaurant, a bar, and a central processing server. One thing to note when we are looking at the problems here: when we've done these investigations, we've often stayed at the same hotel where the investigation is taking place, and people on our team have actually noticed that when you plug in in the hotel room, oftentimes you're able to reach all these servers around the environment. So the IT administrator has probably made one major mistake by plugging the switches in the wrong place. Keep that in mind when you're using hotel internet access. We've also seen the wireless internet access plugged into the same exact network as the reservation systems in a lot of hotels.

But the problems we saw here: the firewall was a consumer-level firewall. This is a major hotel that was using a consumer-grade firewall, and it allowed RDP in to many, many systems in the environment. A couple of things: the hotel management systems and the point of sale systems hadn't been patched in a number of years, in this specific case since 2004 and 2006; they had not run any updates in the environment. Weak usernames and passwords: actually the administrator password was "nimda" in the environment, which probably made things easy for the IT guy to remember, but also made it very easy for anybody trying to guess that password. They had no antivirus and no anti-malware systems. It really didn't matter much; like you've seen in Jibran's demo and will see in some of the other demos, a lot of the malware that we find was custom created or just compiled directly before they put it in the environment, so having antivirus in the environment really wouldn't have helped there. But again, no network segmentation between any of the environments at all.

Tools found: some things to note here. The stuff that's highlighted in black we're going to show you in more detail, but there were some other tools associated with this attack as well.

Installation vector: again, this was remote desktop, live on the internet. It targeted two different accounts: the administrator account and the backup account were targeted, and then the SQL debugger account was targeted as well. Again they downloaded the attacker toolkit, and one key difference here is that they didn't just target the one environment. When they got into the environment, they were able to connect to all the other environments in this chain of hotels, and they used PsExec to deploy this malware. One thing to note: the malware we're talking about here is actually memory dumper malware, so it's a bit different from the keystroke logger; it targets memory. We're going to show you more of that.

Some static analysis. There are two components to this malware package. There was a communication component, and this piece of the malware ran as a service. It connects over an SSL connection to a system in South Korea, and it had some anti-debugging features built into it. If you try to run it through Explorer, it would do things like try to lock the workstation, try to terminate any processes that are running, and close all terminal sessions, basically trying to disrupt what you're doing if you're trying to run it through Explorer. It would also check to see if it's running in a VM, so it shows the things that we're doing here. We're actually not going to demo this aspect of it, but if it detects a VM running in the environment, it tries to shut itself down and shut down the entire computer. It also encrypted all the strings it was using to search for things in the environment, and decrypted them at runtime.

Other interesting things: when we ran this tool and decrypted the strings, we found a little note that the attacker left. It basically said, "I currently do not know what I intend to do with this, but I accept the defect. I must do some limited experiments." So it's pretty interesting that the limited experiments included about 80 hotels.

This is the real active piece that we're going to talk about and demo: winmgmt.exe. It was a normal Windows binary. It referenced a lot of things, the Winsock API, it had some FTP commands in it, and then one thing you can probably see, very small down there, is the regular expressions to search for track 1 and track 2 data. For those who aren't familiar with track 1 and track 2 data: if you pull your credit card out of your pocket, the data stored on the back of your credit card is essentially not encrypted; it's just encoded on the back of that card, just like Jibran showed you in the Notepad demo. This piece of malware was going to parse memory, and every single time it finds track 1 or track 2 data, it logs it to a file. The big item here is that it's designed to monitor one of eight point of sale systems. Now, we've seen later versions that expand their scope, but the attackers really know what they're looking for. They're not just taking a guess and saying, let's launch it in the environment and start dumping processes. This executable was compiled with the intent to find one of eight different point of sale systems and take the data out of memory.

Some more data here about how the data got out of the environment. Another process used in conjunction with this was creating encrypted RAR files. Something we really noted in our investigations was that we didn't know what the passwords to the encrypted RAR files were, so we went through a cracking exercise, and found it easier because we had taken memory dumps: we actually found the passwords in memory on several of the systems we obtained. And then, using the same password scheme (they used the server name, the system name, in their password scheme), we were able to decrypt all the other locations' RAR files. When it was all said and done, there were about 350,000 cards that we obtained from the RAR files pulled from these systems. And then propagation: like I mentioned earlier, the attackers were able to leapfrog from this one single environment and deploy this tool on all the other environments in the chain of systems. So here's Jibran with the live demo.

Okay, before I do this demo I just want to ask: how many people have memory in their computers? All right, so this is going to be fun, because this malware is taking the data from memory. However secure the application you're running, even if you're running TrueCrypt and all that, there's a point in time where your data remains unencrypted in memory. So watch out for this. All right, so I'm going to resume my VMware machine. Okay, so this is not a single executable; this has three pieces to it, and I'm going to demo all three of them. As you can see, there are three files that this malware uses to steal credit card track data from the systems. That csrsvc, this is the actual memory dumper, and as Nick mentioned, there are about eight point of sale applications that it's monitoring, so we're going to do the same thing again: we're going to try to trick this malware into thinking that notepad.exe is one of the point of sale applications. This is mgr.exe, which was compiled on the box. This is the track data parser: when you have the huge memory dumps from the processes, it looks through the memory dumps for credit card track data and takes it out of that file. Then winmgmt.exe. Now, if you're a network administrator you probably know that winmgmt.exe is a legit Windows file, but in this case they're using that name for a malicious binary, not the one that's found on our machines.

Okay, so we're going to go with the demo. As we can see, there are only three files here right now, and that's going to increase, so watch out for that. This winmgmt.exe, if you run it as a standalone binary, won't run; it will give you an error that you have to install it. You actually have to use the install switch, and once you do that, as you can see, it's installed as a service. The intent of the malware is to stay persistent on the system, because they're taking the data in transit, so they want to keep their presence on the system even after you reboot. So it's installed as a service, and again, if you're a regular IT administrator and you look at the service, you're not going to doubt it, because it says "Windows Management Helper Service." Luckily, these malware writers coded in a debug option, so we're going to run this malware in debug mode. Look out for two things here. We see three files; when I run it in debug mode, it's going to create a memdump folder, which is the location the memory dumps are created in, and then you're going to see two more processes in the system tray: the memory dumper and the track data parser. All right, so let's go ahead with that. Okay, so as I promised, we got the memdump folder. Notice it has no file in it, because it's not finding the process it wants to monitor, but it's got these two wonderful applications that are going to monitor the system for track data, and they run pretty much hidden on the system. It's just that I'm running it in debug mode, that's why you're seeing all this data here.

All right, so what we're going to do first is, I'm going to feed track data to notepad.exe to show you what the malware does with it. Poor Dark Tangent, we got him again. Okay, so as you can see, I'm feeding legitimate track data to this Notepad application, and this malware is not responding; it's not doing anything here where it's monitoring, so we can tell it's not monitoring notepad.exe. So what we're going to do is trick the malware again and rename notepad.exe to the name of a point of sale application. I'm going to go to the system32 folder again, take notepad.exe, and call it cdi.exe, which is a point of sale application. Now I'm going to have these two here again. As soon as I run cdi.exe, you're going to see that it creates a dump, and this dump is being created in the memdump folder. You can see it has the name of the application, which it thinks is a point of sale application, the process ID, and the name of the dump. This dump is going to grow as we feed data to the point of sale application, and we're going to see it right now. So cdi.exe is running, and I'm going to feed track data to it. One, and a two, and a three. Okay, so now that I've fed track data to this payment application process, pretty soon we're going to see it create another dump and find track data in the file. It usually takes a dump every two minutes, but in the interest of time I'm going to trigger this application to create a dump. I'm just going to save this file as "trigger the dump." All right, we'll keep it simple. What you're going to see pretty soon, actually you see it right now, the malware is pretty fast; it's running faster than I am. It has found track 1 data, and pretty soon you're going to see an attacker output file, which they take home, in the same memdump folder. As you can see, it just created a file. This file wasn't here before: dirmon.chm. It looks like a help file, so again they're trying to fool the IT administrators or security administrators, who'll think, okay, it's a .chm file, how harmful could it be? We're going to open this in Notepad so you can see how neat their output is. I'm going to open this in WordPad again, and there you go. What they're taking home is this neat file, dirmon.chm, and it tells them, hey, this is where the dump was, I found track 1 data, and then I found track 2 data, and the data is there as well. It's pretty good at sorting out duplicates as well.

So that concludes our memory dumper malware. One thing to keep in mind is that I've shown you the demo for only the track data, but just imagine how much stuff goes through your memory. If you're using Firefox, you're typing your Social Security number, you're typing in your password; even the passwords that go through SSL can be in memory. So anyone who uses memory in their computers, you've got to be careful here. It has PGP keys, TrueCrypt keys, basically everything that you type. And one thing I want to mention: the keylogger malware, even though it's all nice and stuff, only grabs the input that you feed to it. If you're typing the input, that's what the keylogger is going to get. Memory is a little different. Memory is actually more interesting to me; I call it keylogger on steroids, because not only is your input being monitored, but also the input of the party you're communicating with. If you're on AIM chatting with someone on AOL, you type in some info, your buddy types in some info, and that's going to stay in memory. So if you're parsing for the right stuff, memory has a lot of good info. Just watch out for that. So that concludes our memory dumper malware, which is even more interesting, so watch out for that.

Okay, so we're going to jump back into the presentation. Okay, so the next piece of malware that we're going to talk about is based on some investigations we performed, and it's more of a proof of concept. In the investigations we performed, various systems were attacked with what we're calling credentialed malware, and we're going to define that for you on the next slide. But something to note about what we're showing in this demo: we're not talking about any vulnerabilities in any video poker system. We didn't find any vulnerabilities in a video poker system; we're just leaving that as a disclaimer for everybody in the room. The purpose of this demo is to introduce the concept of credentialed malware. It's just like any other piece of malware, but the idea is that once you get this malware onto a system, the attacker or the person running this malware is now able to dispatch credentials, in the form of tokens, to other people to be able to use it, and you can set roles and tasks that they're able to perform. Specifically, this type of malware is targeting kiosk-based environments, places where you're maybe not able to get information out via a network interface, but you're able to walk up to that system and actually perform some transactions. These tokens are used as authentication tokens to trigger various aspects of the malware, and then of course, in the organized crime world, you could think of a hierarchy where you could rent these tokens out to do various functions, and you could then shut them off, turn them back on, and control who has access to this malware that you now have on a system.

To introduce that concept, we decided to choose a video poker system. Over on the left-hand side, the green screen there, you have the video poker desktop. That's the video poker system everybody walks around the casino and sees a thousand instances of. Then over on the left-hand side, the credentialed token we're going to use in this demo is actually a voucher. Everybody has seen vouchers before; we have some of them here printed up. It's a $20 voucher. You insert it into the machine, it allows you to play the game, you lose all your money, and then you get up and go home. In this case, we have the casino network, and we also have the casino itself.

Some common problems in this type of environment: you're talking about physical access to these devices. Given the number of machines in the environment, does the eye in the sky actually watch the repair people? You walk around casinos and see people opening up machines all the time. Something jams, something's broken, something burns out, they're replacing boards. Who's watching those people? Are they keeping track? Unique passwords are difficult to manage. In our investigations, looking at systems in hotels and casinos and various other places, they use the same password on every single system. Do you think the password is unique on every single video poker machine? Probably not. Also, are you running antivirus on these video poker machines?
probably not and then of course under the hardened case you have really it's just a low end PC other keyboard ports USB ports and what is there and then of course what OS are they running we don't know how often they patched probably not very often so installation vectors possible scenarios here physical attack someone walks up who is a legitimate you need to get into the system they install USB key fob or something in the environment install the malware it executes and now it's running on the system another scenario is the malware is placed on the system from the distributor or the manufacturer and it's there running live now one thing to note is that the tokens that we're going to talk about and show you that's what's used to actually trigger this malware normal user walking up to the system you're not going to be able to know that the malware is running on the system at all basically the token concept what we're introducing here is sort of multiple types of levels of things so we're talking about single function authentication cards we're talking user routers basically that triggers one aspect of it this may be given to a mule who you say go to these various video poker machines insert it into the system and basically tell me what it says on the screen that might be one function of a mule it could be someone who's actually deployed this malware that will do other commands and run various other things and of course if the malware doesn't see a user voucher in place it actually just continues on it thinks that someone's sitting down playing a game nothing ever really happens so the functions we put into this demo here so basically your keyboard input is very limited you walk up to a video poker machine you have the whole keys you have your deal your max bet and some various other keys but you don't have a full keyboard so you have to really take use of those here we have you know you hit if you authenticate with the video poker machine you hit the hold one button 
it un-stalls it so you can sort of wipe the tracks that this malware has been running on there hold hit number two display stats on the system it tells you how many uses have been taking place with this malware it tells you various other things then of course you can modify the credits and the thing that's even more interesting is being able to modify the credits or shift the odds and when you modify the credits you can enter in what you want that system to actually have on it and then of course cache it out so propagation similar type of thing if these things are all network connected what can you actually do from there I think we talked about in some other demos so basically here we're going to boot up the video poker machine and show you this live okay so I'm going to back to my virtual machine and we're going to see the video poker malware and don't try this here because you could get in a lot of trouble alright okay so we have the malware booting up here so like while it's booting up actually this is the video poker system booting up so while it's booting up really talk a little more about the vouchers so in my hand I have the $20 voucher this is a legitimate voucher that we're going to use we have one of the user vouchers this one will actually trigger the single function and then we have a voucher that I actually will trigger on the multifunction card so we're going to go through and actually swipe those in so here goes the $20 voucher into the system there you go so we got the $20 voucher going in see there's 20 credits on the screen so now we're going to go ahead and play you know max bet it see the bets go $20 there of course what happens happens to everybody here as you go through and then you lose so now we're going to swipe the single use voucher so through the system and show it to see what happens there single use voucher is intercepted it actually pops up the display stats here so you can see information about the voucher about the system that we're 
looking at IP address tells you the name of the malware that's running on there sort of the odd shift sort of concept of actually changing the odds on the system and of course then you just sort of move on and you clear it out and it goes back to a regular screen next piece we're going to actually demo the multi use voucher here so now a couple different functions here so now this pops up a menu like I showed you earlier the menu of doing various things the first thing we're going to do is actually option 3 and it tells us it shifted the odds plus 1 so basically put it in our favor you can sit down and do that and you clear the screen and now you start playing in various aspects here that they actually be able to rent someone a voucher that actually only lets them do that so they can only shift the odds they can't do anything else and so you can put a price on that now we're going to run another multi use so we're going to pick option 4 clear through it and we're actually going to be able to go through and actually modify the credits and we only have five keys to play with here so really the combinations of 5, 4, 3, 2, 1 so we're going to actually modify and add 54,321 credits to the system and of course you see in the bottom left hand corner we've added those credits in a normal scenario you maybe want to bet those credits or maybe you want to cash out so now we've cashed out and our system's cleared no one has any knowledge that we've actually done this I'm sitting in front of it in a casino so now we're going to jump in we only have about 8 minutes left so we're going to quickly go through the last one and see if we can actually show you that demo alright so this last sample we have is a restaurant in Michigan basically the similar problems as the first two malware these little merchants don't have a full time IT staff so they have a third party ID integrator supporting them so they like to come into the systems with ease they don't like to travel any time 
there's a broken printer so they have VNC open from outside so they could just control all the machines from outside similar thing no egress filtering no outbound filtering on the back of house server and the point of sale terminals with full internet access allowed so the problems in here on the outside which is big no no the systems had weak password actually for 18 of those restaurants in Michigan the integrator was using the same password and the passwords were basically the credentials were admin and support pretty simple the point of sale terminals were not running antivirus server there was unrestricted internet access and basically same passwords for all the systems in the region this is basically the malware list from that system and what I want to show here is that this malware is kind of special because what it does is it has an IRC bot and when you install the malware it looks for a POS application version and then it tells it creates the malware on site and it tells the malware to monitor the ports of that specific point of sale system so this IRC bot does that and then there's a custom packet sniffer and then all the data is being placed in and then uploaded to FTP server so basically for this malware even the attackers had to install microsoft.net framework thought it was pretty funny it was only sniffing the TCP traffic on four ports and then basically the files were ipaddress.sen.cap and ipaddress.read.cap and the data was being uploaded to a server in Munich, Germany I don't think we're going to have time to show the malware so we're going to go to the conclusion slide and we're going to yeah so I just want to show you the additional comments here we actually told FBI about it and the server was rated and we found out that 18 of the locations were sending data to that particular FTP server and we are basically investigating about six of them right now so we're going to hit the conclusions so as you can see malware is dominating computer memory is 
the target to extract sensitive data one thing that I forgot to mention on the memory dumper malware was that I've basically seen I have a pretty funny relationship with these malware writers, basically I've seen them grow I've seen the malware grow so before malware used to take the full kernel dumps and put it in the hard disk and as you can imagine when it creates too many dumps the system is going to run out of this so do you want to guess what the solution of the merchants was when they were seeing low disk space on their servers add more disk, you got it so they basically purchased western digital drives they were putting data in and they were deleting actually their legit files so they were deleting their accounting files to accommodate the attacker's memory dumps so that was kind of funny and as I said they've grown and it's going to keep growing and you can see this memory dumper malware and you heard it here first you're going to see this memory dumper malware grow a lot and take a lot of your personal data so watch out sure, in the other aspects here, we're finding the companies are really not learning so many of the investigations like you saw from the initial way that the attackers are getting the environment these are simple tactics guessing passwords using RDP or VNC very very simple what they were doing before was basically smashing grab is done they're not popping into the environments and actually just moving the files off the system they're actually sticking around for a very long time we didn't mention in some of the examples some of these attackers run these environments for up to two years sitting around and doing the things before we actually were brought in to do the investigation and then really we're finding once the malware proved successful, once they're learning in one environment that this stuff is working in rubber stamping this stuff all over the place and we often see one environment turn into five, then turn into 10 and then turn 
into 80 or 90 they're all infected with the same malware doing the exact same thing so here's something you can actually download once you actually download the presentation these are some of the tools we like to use and of course our contact information you can email us or visit our website and we're going to actually have a copy of the presentation posted there as well alright, thank you so much thank you so much for being here we enjoyed it
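Editor's note, added after the transcript and not part of the talk: the memory dumper demo above describes a scraper that dumps a point-of-sale process, finds track 1 and track 2 data in the dump, deduplicates it and writes a report. The same parsing logic is what a defender runs against a process dump or a suspect output file to confirm card data is exposed. The script below is an added example, not SpiderLabs' code and not the malware shown on stage. It assumes the standard ISO 7813 track layouts (`%B<PAN>^<NAME>^<YYMM><service code>...?` for track 1, `;<PAN>=<YYMM><service code>...?` for track 2), validates each PAN with the Luhn check to drop false positives, deduplicates per track, and masks PANs in the output so the report itself is not a second leak. The sample dump bytes and the PANs in them are constructed test values, not data from any investigation.

```python
"""Scan a memory dump (or any byte blob) for magnetic-stripe track data.

Added example for the memory dumper discussion; assumptions are noted inline.
Usage: python track_scan.py <dumpfile>   (with no argument, scans SAMPLE_DUMP)
"""
import re
import sys
from dataclasses import dataclass

# ISO 7813 track layouts (assumed as the format the scraper looks for).
# Track 1: %B + PAN (13-19 digits) + ^ + name (2-26 chars) + ^ + YYMM + service code + discretionary + ?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z0-9 /.\-]{2,26})\^(\d{4})(\d{3})[^?]{0,80}\?")
# Track 2: ; + PAN + = + YYMM + service code + discretionary + ?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,80}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN (first 6) and last 4 so the report is useful without repeating the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class Hit:
    track: int        # 1 or 2
    pan_masked: str   # e.g. 411111******1111
    expiry: str       # YYMM as encoded on the stripe
    offset: int       # byte offset of the match inside the blob


def scan_memory(blob: bytes) -> list[Hit]:
    """Return Luhn-valid, de-duplicated track hits in the order they occur in the blob."""
    hits: list[Hit] = []
    seen: set[tuple[int, str]] = set()
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(blob):
            pan = m.group(1).decode()
            expiry = (m.group(3) if track == 1 else m.group(2)).decode()
            if not luhn_ok(pan):
                continue                      # looks like a PAN, fails mod-10: treat as noise
            key = (track, pan)
            if key in seen:
                continue                      # the scraper in the talk also drops duplicates
            seen.add(key)
            hits.append(Hit(track, mask(pan), expiry, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def format_report(hits: list[Hit]) -> str:
    """Plain-text summary, one line per hit, suitable for an incident report."""
    lines = [f"{len(hits)} track hit(s)"]
    for h in hits:
        lines.append(f"offset 0x{h.offset:08x}: track {h.track} pan={h.pan_masked} exp={h.expiry}")
    return "\n".join(lines)


# Constructed sample dump: two well-known test PANs, one Luhn-invalid decoy, one duplicate.
SAMPLE_DUMP = (
    b"\x00\x00cdi.exe\x00session=42\x00"
    b"%B4111111111111111^DOE/JOHN^25121011000000000?"    # track 1
    b"\x00\x00garbage\xff\xfe"
    b";4111111111111111=25121011000000000?"               # track 2, same card as above
    b"\x00junk;4111111111111112=2512101?"                 # fails Luhn: must be ignored
    b";5555555555554444=26011011234?\x00"
    b";5555555555554444=26011011234?\x00"                 # exact duplicate: reported once
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(format_report(scan_memory(data)))
```

Run it against a ProcDump or memory-image file of a payment process to confirm whether track data is actually resident, or against a suspect output file like the dirmon.chm above to see what the attacker collected without copying cleartext PANs into your own notes. The Luhn check matters in practice: raw regexes over a few hundred megabytes of process memory produce plenty of digit runs framed by `;` and `=` that are not card numbers.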