A new type of malware designed to capture data from volatile random access memory (RAM) within a system is on the rise. RAM scrapers, which were recently brought to light in a Verizon Data Breach report,
However, RAM scraping isn't entirely new. A different form of RAM scraping was used in the cold-boot attacks of 2008. For those who don't remember, researchers demonstrated how to subvert disk encryption by abruptly cutting a computer's power, which causes its RAM to preserve a near-perfect copy of its most recent memory image. Simply by cooling and removing its RAM chip, dropping it into another computer and examining the RAM chip, an attacker can obtain the original computer's disk encryption key in a matter of moments. The attack could even be effective without taking the memory out if the computer was power cycled and immediately loaded with a specialized operating system designed to dump the contents of memory.
Special coverage: Inside the 2014 Target breach
Major retail breaches highlight point-of-sale security weaknesses
Massive Target data breach: Retailer says 40 million cards compromised
Does retail security take a back seat during the 'holiday IT lockdown'?
Target breach update: Information on up to 70 million customers stolen
The cold-boot vulnerability clearly pointed out that data stored in RAM was there for the taking. This same method could be used to access credit card data stored in RAM, but the RAM scrapers in the report didn't require physical access.
Today's RAM scrapers are able to bypass most security protections and access sensitive credit card data by either injecting themselves into running processes to hide or directly executing on machines. Once in a system, the RAM scraper can read passwords, encryption keys, credit cards, Social Security numbers, or any other type of data that is easy to monetize. The RAM scraper then can either save this sensitive data to a local system or send it directly to the criminals via a number of different methods. Even if the stolen credit card data is encrypted, damage can still be done if the attacker is able to also grab the private key used for encryption in a method similar to that described earlier.
RAM scrapers in the enterprise
So then it's no surprise that RAM scrapers can compromise enterprise information security in many different ways. This form of malware can gather data by reading directly from memory, or even from a swap file (virtual memory on a hard disk) if it's being read offline. Regardless of how it obtains the data, in order to be successful, a RAM scraping attack must either exploit a configuration weakness to be able to read all of the memory, or have the executable run with enough privileges to read the memory. Reading from all the memory is slow, inefficient and easier to detect, but it is still a potentially effective attack.
Attacking software is another possible target for RAM scrapers. More specifically, such malware attacks the memory management aspect of software and sensitive data. This would be more efficient than reading all the memory, because it would have to monitor where the program wrote to memory, rather than read gigabytes of memory. In addition, this RAM-scraper method is more difficult to detect, but there are also drawbacks for the attacker.
These types of attacks represent a realistic threat to enterprises, but only for high-value targets. Crafting RAM-scraping malware requires a higher level of sophistication than most commonly seen malware because it must be tailored for the specific software or environment.
To defend against RAM scraping, it's a good idea for enterprise IT security managers to make sure preventive and detective measures are in place for the organization's high-value targets, typically devices where sensitive data resides or that may represent a way to easily obtain access to it. Obviously those targets need to first be identified, and then evaluated to determine if existing defensive measures are adequate, or if new technology or processes are needed.
Putting a process in place to follow up on potential RAM-scraping attacks (or any attacks, for that matter) is as important. If network-monitoring systems identify when a high-value target, such as a stationary point-of-sale terminal, starts communicating with new systems on an internal network in the enterprise or on the Internet, this alert should not only draw the attention of the security staff, but also be investigated quickly. Investigating potentially illegitimate communications quickly could help to identify serious incidents early on and limit or prevent damage or data loss.
Also to protect against RAM-scraping attacks, systems should not be run at an administrative level, or with generally high levels of system access. The easiest way for an attacker to get access to the sensitive data from RAM is by exploiting software already running with administrator-level privileges. Secondly, the location of sensitive data should be kept up to date in a detailed systems inventory. IT infrastructures grow and change over time, so it's important to make sure security measures are in the right place.
RAM scrapers aren't new, but recent developments represent an evolution in prior attacks that will continue to advance in the future. Enterprises must continually improve their defenses by implementing some of the aforementioned best practices to make sure sensitive data is protected effectively as possible.
About the author
Nick Lewis (CISSP, GCWN) is an information security analyst for a large Public Midwest University responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.
This was first published in February 2010