The December breach of U.S. retailer Target brought memory-only malware back into the spotlight. The infection that compromised Target’s systems was a member of a Trojan family that loads itself into RAM without any installation on the main drive.
Some security researchers have fretted about the impact of such threats, pointing out that they’re resilient against many types of antivirus software. Since they have no real footprint, they’re particularly elusive and may persist in the background.
However, the risk from memory-only Trojans such as BlackPOS is likely overstated. For starters, most of them can be removed by rebooting the system, which clears them out of RAM.
More sophisticated threats may require powerful tools such as restore software. This solution gives administrators many more options for managing endpoints, so that they can automate reboots, freeze desired configurations and safely move data between devices and network drives so that it’s intact even after a restore operation.
Analyzing the risks associated with memory-only malware
The cause of the Target breach was apparently a point-of-sale infection that compromised the memory in thousands of store payment systems. This was likely the most prominent incident involving memory-only malware, but it’s not the first – in fact the threat has been around for a while.
As far back as 2003, the memory-scraping SQL Slammer worm slowed down a considerable portion of Internet traffic. It took advantage of a buffer overflow vulnerability and infected thousands of Microsoft SQL Servers in a matter of minutes, making it the fastest spreading worm of all time.
More recently, the Trackr/Alina bug caused headaches for universities and hoteliers. These infections compromised fewer records than the Target breach, but were notable for how the malware could be controlled by a botnet.
“Although retailers can be affected by these kinds of things, there have been food service companies, healthcare, hotels and tourism companies being targeted by RAM scraping in the past,” security researcher Graham Cluley told InformationWeek. “Because of the scale of the Target breach, this is probably one of the biggest incidents, if not the biggest incident, that has occurred.”
Understandably, the scope of the Target breach has rekindled some of the fears about memory-scraping malware. It’s easy to hide since it doesn’t install itself, and it takes advantage of the fact that everything has to be decrypted in memory, meaning that it has the opportunity to seize plaintext credentials.
Still, malware that hides in RAM isn’t always an exceptional risk. Even SQL Slammer was addressable by simply patching the server and then rebooting it. Plus, scanning a computer’s memory is a much faster and more efficient process than combing through its hard drive for threats – unusual processes that are causing a performance drop are usually easy to single out and remove.
None of this means that administrators should be complacent about memory-scraping malware. A reboot to restore solution offers the perfect remedy because it clears the malware out of memory and enables the PC to be reverted to a safe disk state. If users are fearful of reinfection, then custom configurations and reboot schedules can be set up to ensure that endpoints are restored and hardened against threats.
For retailers in particular, using restore solutions is a key part of securing increasingly complex infrastructure that is now a prime target for attackers. Keeping software up-to-date and protecting POS systems with complex passwords are both important parts of retail IT security, and system restore can help out by shielding the management console with one-time codes and making it easier to roll out Windows updates to endpoints.