Dear Antivirus Vendors,
On more and more incident response investigations, my clients (victims) have been asking the question “Why didn’t our Antivirus software detect the malware when we always keep it up to date?” I respond by telling them that they had targeted malware on their system. Their follow up question usually is whether antivirus software is relevant in this era of targeted threats and Modern Malware.
The intent of this letter is to appeal to you, Antivirus Manufacturers, to stay relevant to consumers, who put their faith and trust in your software, by flagging memory dumping and other emerging techniques of data extraction as suspicious activity. It is one thing for us to tell the victims that antivirus software is an important layer of defense in their network but it would be a much better thing to say that the next variant of this targeted threat can be protected by their antivirus software.
As you already know, memory dumping is emerging as one of the most effective techniques to steal sensitive data. The computer memory (RAM) stores unencrypted data. And while RAM is temporary storage, it provides enough of a time-window for attackers to gain sensitive information. In recent times, we have seen how “Dexter Malware” was capable of stealing credit card data using memory dumping techniques on Point of Sale (POS) systems in more than 40 countries. We have also seen “Dump Memory Grabber” malware targeting memory to attack Automated Teller Machines (ATMs). This technique was also used in hospitality breaches all over the world. The attackers were able to dump memory on hospitality payment systems to steal the magnetic stripe data of the credit card, which can be used to make counterfeit credit cards later sold on the Black Market. Due to the high impact of hospitality and retail breaches, Visa Inc. issued a Data Security Alert on attacks via memory dumping, but these memory dumping attacks are becoming more widespread.
As you can see, the attackers are taking advantage of the fundamentals of computing. Even popular file encryption tools like TrueCrypt write disclaimers about the possible recovery of passwords and encryptions keys from these memory dumps. A simple Google search for “memory dump password extraction” can tell you many different ways of dumping passwords from operating systems, internet browsers and email clients, via the memory dumping technique.
It is time for your end point security software to flag memory dumping as malicious or at least suspicious. Perhaps one of the reasons why this has not been done before is that few legitimate software also dumps memory for debugging purposes e.g. Sysinternals’ “procdump” tool and even Microsoft Windows itself, as it dumps the memory upon system crashes i.e. when you get the “Blue Screen of Death”. The cautious approach is understandable but when we know that it’s causing damage without setting off any alarms, it results in the loss of confidence for the antivirus software industry. Besides the mentioned data breaches, there are many other ways this technique could cause damage. For example, a memory dump for “lsass.exe”, which is the Local Security Authority Subsystem Service process, can expose operating system credentials, which can help attackers with propagation to organizations’ critical assets. An antivirus software is trusted as a crucial layer of defense and it is mostly the only security software deployed on user workstations. When we know the potential damage of memory dumping activities on end user workstations, why not flag this activity as at least questionable?
It is a foregone conclusion that antivirus software will never be able to keep up with the signatures for every new malware binary, therefore in order to stay relevant, it is pertinent for you to identify and flag malicious behavior of applications on the systems, especially the ones that have proved to cause significant monetary damage. To quarantine or delete memory dumping activity may be risky. Therefore a potential solution should be a notification to the administrators by flagging memory dumping activities as suspicious. After that, organizations can take action according to their escalation procedures and Incident Response Plan.
Incident Response Professional and Malware Defense Enthusiast