Wednesday, October 15, 2014

RESEARCH: How are these data breaches beating antivirus and malware protections?

During the past few days our researchers have had a chance to examine some of the latest malware variants affecting the point-of-sale (POS) systems involved in several of the more recent breaches. In each case none of the variants was detected by the antivirus products installed to protect those systems. In one case the malware suppressed the antivirus warnings; the information was still written to the logs, but the logs were not reviewed until months later, after the affected entity had discovered the breach.

Attackers are getting smarter and are writing their own software to circumvent the protections in place at these retailers. We have recommended that POS systems be protected with whitelisting software that only allows authorized programs to run, but to date we have seen only a handful of retailers implement the technology that is available today and that would have stopped the malware from infecting their systems in the cases we reviewed. In one case the administrator accounts on the POS system were compromised and the systems continued to function, but with card data being stored on the local system (itself an indicator of a problem) without anybody detecting it.

What companies and retailers are failing to realize is that organized attackers will not use common, off-the-shelf tools to infiltrate a network or POS system. Even the recent ATM attackers are using modified malware precisely so that it is not detected. This should be a red flag to corporations and retailers: antivirus and malware protection software is NOT the solution to prevent these types of attacks.

Of the three malware variants we inspected this week, only two antivirus products even recognized the behavior as suspicious when the files were executed. Some of the ATM attacks used little-known zero-day exploits to install the code; in other cases poor network controls allowed the attackers to circumvent the systems that would normally have prevented the compromised machines from communicating back to the thieves, and those controls did nothing to stop the localized ATM attacks that followed.

Several banking and healthcare security groups had warned their subscribers and partners that this malware existed and had distributed some indicators for it, yet those entities were not the targets of the attacks. It is clear to us that antivirus and malware detection is pretty much useless as protection from organized attacks: these criminals have the resources, intelligence and opportunity to write custom software and change it nearly daily as signatures are released to detect it. In fact, that is exactly what is occurring this week, as we have seen new variants that are completely different from the earlier malware that was detected and stopped.

There is a solution. The SLC Shim Service is being released to our clients for use on their POS systems and will only allow authorized code to execute. Regardless of patch level or operating system, the Shim prevents code that is not recognized from running. Files are hashed as they are executed, and only known-good operating system files and known-good POS system files whose hashes match are allowed to load. We have successfully tested the Shim Service on several systems here and are making it available to our existing client base tomorrow morning via download.
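To make the whitelisting recommendation above and the hash-at-execution mechanism just described concrete, here is an added example of a hash-based execution allowlist in Python. It is constructed for this post and is not the SLC Shim Service or any vendor's code; the function names (build_allowlist, check_allowed, run_if_allowed), the decision strings, and the sample "POS" script and "malware" files are assumptions made for the example. The point it demonstrates is the one the post makes: a never-seen dropper, a known file overwritten in place, and a freshly repacked variant all fail for the same reason, without any signature for them existing.

```python
"""Hash-based execution allowlist (constructed example, not the SLC Shim).

Every executable must match both an authorised location and a known-good
SHA-256 before it is allowed to run. Nothing about the attacker's code needs
to be known in advance; only the defender's own binaries are enumerated.
"""
import hashlib
import logging
import subprocess
import tempfile
from pathlib import Path

log = logging.getLogger("exec-allowlist")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")


def sha256_file(path):
    """Hash the file's bytes in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(known_good_paths):
    """Map each known-good executable's absolute path to its SHA-256.

    In production this is generated from a clean build image and must be
    regenerated after every OS or POS patch: patched files hash differently,
    so an allowlist that is not maintained will start blocking legitimate code.
    """
    return {str(Path(p).resolve()): sha256_file(p) for p in known_good_paths}


def check_allowed(path, allowlist):
    """Decide whether `path` may execute. Returns (allowed, reason).

    Both location and content must match: a binary dropped into a new
    location is refused, and so is a known path overwritten with a variant.
    """
    resolved = str(Path(path).resolve())
    expected = allowlist.get(resolved)
    if expected is None:
        return False, "path not in allowlist"
    if sha256_file(resolved) != expected:
        return False, "hash mismatch (file modified or replaced)"
    return True, "known-good hash"


def run_if_allowed(argv, allowlist):
    """Execution gate: run argv[0] only if it passes the allowlist check.

    Denials are always logged, so the record exists for later review even
    if nobody is watching the console at the time.
    """
    allowed, reason = check_allowed(argv[0], allowlist)
    if not allowed:
        log.warning("DENIED %s: %s", argv[0], reason)
        raise PermissionError(f"execution denied for {argv[0]}: {reason}")
    log.info("ALLOWED %s: %s", argv[0], reason)
    return subprocess.run(argv, check=False)


def demo():
    """Constructed scenario: one authorised POS script, then three attacker moves.

    Returns the (allowed, reason) decision for each case.
    """
    with tempfile.TemporaryDirectory() as d:
        pos = Path(d) / "pos_terminal.py"
        pos.write_text("print('pos terminal ok')\n")
        allowlist = build_allowlist([pos])

        results = {"unmodified": check_allowed(pos, allowlist)}

        # 1. A new, never-seen binary: no AV signature exists, but no allowlist entry either.
        dropper = Path(d) / "svchost_update.py"
        dropper.write_text("print('scraping track data')\n")
        results["new_file"] = check_allowed(dropper, allowlist)

        # 2. The authorised file is overwritten in place with a trojaned copy of the same name.
        pos.write_text("print('pos terminal ok')\nprint('exfiltrating')\n")
        results["modified_in_place"] = check_allowed(pos, allowlist)

        # 3. The next day's repacked variant: different bytes again, same name.
        pos.write_text("print('pos terminal ok')  # v2\n")
        results["repacked_variant"] = check_allowed(pos, allowlist)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:20s} allowed={allowed} ({reason})")
```

Note the trade-off the allowlist makes: it does not need to know anything about the attacker's code, but it does need to know everything about the defender's, so the hash set has to be regenerated whenever the OS or POS software is patched. The denial log is the other half of the control; as the first paragraph of this post shows, a warning that is written but never read does not stop a breach.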

The days of antivirus and malware detection are numbered; the technology has not kept pace with the skills of hackers determined to get at your information. Now, if we could only get some of the hardware vendors to build similar protections, and network administrators to use ACLs and other protections, then we may actually arrive at a point in time where the POS nightmares are only a memory.
