Defcon talk: Malware freakshow by Nicholas J. Percoco and Jibran Ilyas

The talk gave insight into three actual samples of malware the authors found during their work.

Case 1: Casino club in Las Vegas
The casino club got exploited because of classic mistakes such as a lack of egress filtering and network separation. The network was owned. The malware included keyloggers, PuTTY and SMTP servers. Since it was installed on a PoS terminal it was able to steal credit card data, as most card readers actually plug into the keyboard interface. The keylogger was a customized version of Perfect Keylogger 1.68, a commercially available key/screen logger. It is noteworthy that the keylogger was set up to log key input of only one specific process, to save resources and avoid detection. It also took a screenshot every 15 minutes.

Keyloggers are used more and more on Point of Sale systems to capture credit card data, because the data is increasingly protected (encrypted) from the PoS terminal onwards.

Case 2: Chain of Hotels in New York
Again, classic mistakes like lack of segregation, lack of passwords, lack of patching and no AV or anti-malware helped the compromise. On top of that, the firewall was a consumer-grade firewall which allowed RDP in for their outsourcing provider.

The actual malware was memory-dumping malware and contained regular expressions for track 1 and track 2 credit card data. As a security measure the malware stored the captured data in an encrypted RAR file. By searching memory, the key for this RAR file was recovered. In order to evade anti-malware, parts of the malware were compiled on the box.
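The hotel case turns on one fact: track 1 and track 2 data sits in process memory as plain text in a fixed, easily matched layout. The same property lets a defender check a PoS host for that exposure. The following scanner is an added example, not code from the talk or its authors; it applies the standard ISO/IEC 7813 track layouts (track 1 opens with `%B`, fields split by `^`; track 2 opens with `;`, split by `=`; both end in `?`) to a memory image, filters hits through the Luhn check so random digit runs are not reported, and returns only masked PANs so the report itself does not become cardholder data. `SAMPLE_DUMP` is a constructed buffer with widely published test card numbers, standing in for a real memory dump.

```python
"""Scan a memory dump for cleartext track 1 / track 2 card data (PCI exposure check)."""
import re
import sys

# Track 1 (ISO/IEC 7813): %B<PAN 13-19 digits>^<name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{4})\d{3}[^?]*\?")
# Track 2: ;<PAN 13-19 digits>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3}[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; rejects most digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4 only, so findings are not themselves cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return Luhn-valid track 1/2 records found in buf, ordered by offset."""
    findings = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue
            expiry = m.group(3) if track == 1 else m.group(2)
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry_yymm": expiry.decode("ascii"),
            })
    return sorted(findings, key=lambda f: f["offset"])


def scan_file(path: str, chunk_size: int = 1 << 20, overlap: int = 128) -> list:
    """Stream a large dump through scan_buffer; the overlap catches records split across chunks."""
    findings, seen = [], set()
    carry, base = b"", 0               # base = file offset where the current read started
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            buf = carry + data
            for f in scan_buffer(buf):
                abs_off = base - len(carry) + f["offset"]
                if abs_off not in seen:   # a record in the overlap is seen twice; report once
                    seen.add(abs_off)
                    f["offset"] = abs_off
                    findings.append(f)
            carry = buf[-overlap:]
            base += len(data)
    return findings


# Constructed sample "memory dump": application noise plus three track records, one of which
# (PAN ending ...1112) fails the Luhn check and must not be reported.
SAMPLE_DUMP = (
    b"\x00\x00\x00POS_APP v3.1\x00\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    b"\x00garbage\xff\xfe"
    b";4111111111111112=25121010000000000?"
    b"\x00\x00"
    b";5500000000000004=25121010000000000?"
    b"\x00tail"
)

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_buffer(SAMPLE_DUMP)
    for f in results:
        print(f"track {f['track']} at offset {f['offset']}: "
              f"{f['pan_masked']} exp {f['expiry_yymm']}")
```

Run it against a process or full-memory dump (`python scan.py dump.bin`) of a PoS host to establish whether cleartext track data is resident at all and, from the offsets, which module holds it; that answers the question the talk raises about encrypted disks and databases leaving data unencrypted in RAM.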

Case 3: Video poker Lake Tahoe
The video poker machines at a Lake Tahoe casino got compromised and infected with malware. Video poker machines are just embedded PCs. Unfortunately, embedded PCs are often not updated for fear of breaking the system, they don't have anti-virus and mostly don't have classical defences like unique passwords etc.

Since these machines accept vouchers as a means of payment, this mechanism was used to trigger the malware.

Various vouchers have various functions. Some of these certificates performed a single function, e.g. shifting the odds towards the player. These certificates are meant to be sold to individuals, while other vouchers give multiple functions like setting credits, etc.

Unfortunately the demonstration was not with the actual malware, but with a mockup piece of malware.

Case 4: Restaurant in Michigan
The firewall was configured to allow VNC in, they used common/weak passwords, the PoS was not running anti-virus and had unrestricted internet access.

The software installed a custom IRC bot and contained a custom packet sniffer. In order to load, the malware actually needed the .NET framework.

Conclusion
Malware is dominating and it is getting better at it.
Computer memory is the target for extracting sensitive data: even if you encrypt your disk and your databases, the data is still going to be in memory unencrypted.
Corporate security is still not getting it.
If a specific piece of malware is successful it will be used, and probably sold, over and over again.

August 2nd, 2009 at 11:31

that's a brilliant post. Good work – keep it up!