Thursday, January 29, 2009

Heartland Sniffer Hid In Unallocated Portion Of Disk

Via StoreFrontBackTalk -

The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.

“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said.

Payment security experts pretty much agreed that hiding files in unallocated disk space is a fairly well-known tactic. But it requires such a high level of access—as well as the skill to manipulate the operating system—that it also indicates a very sophisticated attack. One of those security experts—who works for a very large U.S. retail chain and asked to have her name withheld—speculated that the complex nature of the hiding place, coupled with the relatively careless leaving of temp files, could suggest a less-skilled cyberthief who simply obtained some very powerful tools.

But she cautioned against reading too much into whatever clues the culprits left behind, given that some might be deliberately misleading. “Anyone who has access to that level of the machine can make it look like anything they want,” said the retail security manager. “There is virtually no way to tell in a case like that what really happened. If they have a chance to lay down false trails, it’s pretty hard to find out what really happened.”

Consultants agreed that this type of attack would require extensive access and the ability to trick the machine into believing the thief has very significant user privileges. But it wouldn’t necessarily require modification of the OS directly. “They could have done it two ways. You can modify the OS or you can install a modified device driver.”

Another consultant—who also wanted his name left out—said the ability to write directly to specific disk sectors is frightening. “Somehow, these guys went directly to the base level of the machine (to an area) that was not part of the file table for the disk,” he said. “Somehow, they got around the operating system. That’s a scary mother in and of itself.”
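Scanning the unallocated regions of a disk image for executable headers and high-entropy sectors is the forensic counterpart to the hiding tactic described above: it looks exactly where the file table says nothing should be. This is an added Python example, not code from the article or from Heartland's investigators; the disk image and the allocated-extent list are constructed, and in a real case the extents would come from the file system's allocation metadata.

```python
import math
from collections import Counter

SECTOR = 512
MAGICS = {b"MZ": "pe", b"\x7fELF": "elf"}   # executable headers worth flagging

def unallocated_ranges(image_len, allocated):
    """Byte ranges not covered by any (start, end) allocated extent; in a real
    case the extents come from the file system's allocation bitmap."""
    ranges, pos = [], 0
    for start, end in sorted(allocated):
        if start > pos:
            ranges.append((pos, start))
        pos = max(pos, end)
    if pos < image_len:
        ranges.append((pos, image_len))
    return ranges

def entropy(buf):
    """Shannon entropy in bits per byte; 8.0 means uniformly random."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def scan_unallocated(image, allocated, entropy_threshold=7.0):
    """Walk every unallocated sector; report executable magic at a sector start
    and sectors whose entropy suggests a packed or encrypted payload."""
    findings = []
    for start, end in unallocated_ranges(len(image), allocated):
        for off in range(start, end, SECTOR):
            sector = image[off:min(off + SECTOR, end)]
            if not any(sector):                 # zero-filled: nothing hidden here
                continue
            for magic, kind in MAGICS.items():
                if sector.startswith(magic):
                    findings.append({"offset": off, "kind": kind})
            ent = entropy(sector)
            if ent >= entropy_threshold:
                findings.append({"offset": off, "kind": "high_entropy", "entropy": round(ent, 2)})
    return findings

def build_sample_image():
    """Constructed 16-sector image: sectors 0-7 are one allocated file (it starts
    with MZ, which must NOT be reported), unallocated sector 10 holds a planted
    PE header and unallocated sector 12 holds high-entropy bytes."""
    image = bytearray(16 * SECTOR)
    image[0:2] = b"MZ"                                              # legitimate, allocated
    image[10 * SECTOR:11 * SECTOR] = b"MZ" + b"\x90" * (SECTOR - 2)
    image[12 * SECTOR:13 * SECTOR] = bytes((i * 131 + 17) % 256 for i in range(SECTOR))
    return bytes(image), [(0, 8 * SECTOR)]
```

Running `scan_unallocated(*build_sample_image())` reports only the two unallocated sectors (offsets 5120 and 6144); the MZ header inside the allocated file is ignored, which is why triage of this kind has to be paired with the allocation metadata rather than a raw signature sweep.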
