I've had a variety of Tenable customers ping me about how to go about searching for the
indicators associated with the iSight and US-CERT January 16th report titled "POS Malware
Technical Analysis: Indicators for Network Defenders". The report and its contents are not
for public consumption, so I will speak about it indirectly. I've gone through the document
and written a set of notes that should be very useful for our SecurityCenter users
who need to check whether any of these indicators are present on their network.
Creating An Asset of POS Systems
The document mentions that the RAM-scraping malware looks for systems running
pp.exe, PosW32.exe, pos.exe and epsenginesrv.exe. With Nessus plugin 70329, a dynamic
asset list can be created that combines multiple text searches for these process names.
The result is a list of IP addresses of systems that have those processes running. An
asset list of POS systems is useful for further reporting and analysis of network
traffic, such as isolating FTP traffic to or from these devices.
Passively Looking for DLL Files moved over SMB
The trojan moves a text file across the network via SMB, the Windows file sharing protocol.
All files observed moving across SMB are logged by Tenable's Passive Vulnerability Scanner
(PVS), and these logs are normalized with an event name of "PVS-SMB_Client_DLL_File_Download",
as shown below.
Organizations that have been logging this sort of network traffic over time can search for the
names of the DLL files that have been transferred. If there are many to search through, consider
looking for anomalies (using the event type statistics) for this event with this search string:
Also consider using the "Date Summary" tool to see how this traffic compares visually to other
days, and to look for spikes or for transfers during the times of day identified in the report.
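An added example, not part of the original post, of the day-level spike check that the Date Summary tool is used for here: it counts "PVS-SMB_Client_DLL_File_Download" events per day over constructed LCE-style lines (the line layout is invented for the example), flags a day whose count exceeds three times the median, and lists transfers outside a placeholder business-hours window, since the report's actual times of day are not reproduced on this page.

```python
import re
from collections import Counter
from statistics import median

EVENT = "PVS-SMB_Client_DLL_File_Download"
# Constructed line layout (not real LCE output): "<ISO time> <event> <src> -> <dst> file=<name>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}):\d{2}:\d{2} (\S+) (\S+) -> (\S+) file=(\S+)$")

# Placeholder window (08:00-17:59); replace with the times of day the report specifies.
BUSINESS_HOURS = range(8, 18)

def build_sample():
    """Construct six quiet days (two DLL transfers each) followed by one day
    on which eight POS hosts each pull a DLL from a new server late at night."""
    events = []
    for day in range(13, 19):
        events.append(f"2014-01-{day:02d}T10:02:11 {EVENT} 10.1.20.11 -> 10.1.5.9 file=msvcr100.dll")
        events.append(f"2014-01-{day:02d}T14:30:02 {EVENT} 10.1.20.12 -> 10.1.5.9 file=msvcp100.dll")
    for i, host in enumerate(range(11, 19)):
        events.append(f"2014-01-19T23:1{i}:00 {EVENT} 10.1.20.{host} -> 10.1.5.77 file=loader.dll")
    return events

SMB_EVENTS = build_sample()

def daily_counts(events):
    """Count matching events per calendar day, like the Date Summary view."""
    counts = Counter()
    for line in events:
        m = LINE_RE.match(line)
        if m and m.group(3) == EVENT:
            counts[m.group(1)] += 1
    return counts

def spike_days(counts, factor=3):
    """Days whose count exceeds `factor` times the median daily count.
    The median keeps the spike day itself from inflating the baseline."""
    base = median(counts.values())
    return sorted(day for day, c in counts.items() if c > factor * base)

def after_hours(events):
    """Transfers whose hour falls outside the business-hours window."""
    hits = []
    for line in events:
        m = LINE_RE.match(line)
        if m and int(m.group(2)) not in BUSINESS_HOURS:
            hits.append(line)
    return hits

if __name__ == "__main__":
    print("spike days:", spike_days(daily_counts(SMB_EVENTS)))    # ['2014-01-19']
    print("after-hours transfers:", len(after_hours(SMB_EVENTS)))  # 8
```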
Both Nessus and the PVS can detect whether systems are pingable. For example, the PVS includes
plugin 7043, which enumerates all observed IP protocols the host has communicated over.
If you are running the Tenable Network Monitor (TNM) on your network and have configured it to log ICMP
traffic, consider auditing that as well for anomalies and odd communication patterns. Below
is a screenshot of ICMP logs from the TNM next to some PVS logs:
Detecting the Shellcode Loader on the Network
The report indicated that a new form of malware delivery was in use, which sends the actual
shellcode across the network. No other details were given, other than that the file was highly random.
Consider looking for several different items:
- PVS plugins 15 and 3 report all of the clients and servers per port for any given host. This
list should be audited to see whether there are any common servers used by the POS systems
that could be an internal control point and the source of the shellcode.
- PVS plugin 7 logs all ports carrying any type of highly random network session, which
could indicate encryption. These are also logged in real time and can be searched within
the LCE as shown below:
Detecting the Hacking Tools
It is very likely, though not specifically stated, that the PSEXEC utility was used by this malware.
Both Nessus and the PVS detect the presence of PSEXEC, and we've blogged about detecting and auditing
it in your enterprise in the past. Many other Windows hacking tools are detected as malware by
Nessus as well as by the Windows LCE Client.
Auditing for the Rogue POSWDS Service
Nessus records running services in many different plugins. The main one is plugin 10456, which
enumerates all services. Searching this report for the string "POSWDS" will find any system with
that service running.
If a Windows LCE Client is running on your POS systems and you have a group policy logging all
process execution and service events, you can search your normalized logs with the following query:
type=system normalizedEvent=Windows-Service* text=POSWDS timeframe="Within 30 Days"
Searching for Rogue Applications
The document also recommends searching for any type of rogue application that may be
some sort of data manager. Keep in mind that:
- Nessus plugin 70330 identifies processes running on a given host that are unique
compared to the other scanned hosts.
- Nessus plugin 70628 identifies AutoRun settings that are unique to a host compared to
the other scanned hosts.
- Nessus plugin 11154 identifies network services that cannot be identified. We use this
to have our customers send us information about new services, but it is also an excellent
way to find malware running its own proprietary protocol.
- Nessus plugin 70768 identifies all running processes that have an unknown reputation.
Searching for Unauthorized FTP
The PVS logs all FTP connections and transactions it sees. These logs are sent to the LCE for
normalization and reporting. Below is an example screenshot showing passive file detection
over SMTP, SMB and FTP:
If you have created an asset list of your POS systems, you can use it to filter all of your
FTP traffic down to just the FTP traffic from the POS systems.
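As an added example (not Tenable's code), the two steps above and in the "Creating An Asset of POS Systems" section in Python: build the POS asset list from per-host process output, then keep only the FTP events touching those hosts. The plugin 70329 output and the FTP event lines are constructed samples; the assumed layout of one process image path per line, and the FTP event name, are illustrative rather than the real plugin or LCE formats.

```python
import re

# Process names the report ties to POS systems (taken from the page).
POS_PROCESSES = {"pp.exe", "posw32.exe", "pos.exe", "epsenginesrv.exe"}

# Constructed sample of Nessus plugin 70329 output per host. The real plugin's
# layout differs; here each line is assumed to hold one process image path.
PLUGIN_70329_OUTPUT = {
    "10.1.20.11": "Process Overview:\nC:\\Windows\\System32\\svchost.exe\nC:\\POS\\PosW32.exe\n",
    "10.1.20.12": "Process Overview:\nC:\\Windows\\explorer.exe\nC:\\EPS\\epsenginesrv.exe\n",
    "10.1.30.5":  "Process Overview:\nC:\\Windows\\explorer.exe\nC:\\Tools\\xpos.exe\n",
    "10.1.30.6":  "Process Overview:\nC:\\Windows\\System32\\lsass.exe\n",
}

def pos_assets(outputs):
    """Return the hosts whose process list contains one of the POS executables.
    Matching is on the image basename, case-insensitively, so 'PosW32.exe' matches
    but a plain substring hit such as 'xpos.exe' does not."""
    assets = set()
    for host, text in outputs.items():
        for line in text.splitlines():
            basename = re.split(r"[\\/]", line.strip())[-1].lower()
            if basename in POS_PROCESSES:
                assets.add(host)
                break
    return assets

# Constructed LCE-style FTP events (event name invented): "<time> <event> <src> -> <dst> <detail>".
FTP_EVENTS = [
    "2014-01-17T02:15:03 PVS-FTP_Client_File_Upload 10.1.20.11 -> 203.0.113.45 file=data.txt",
    "2014-01-17T09:40:12 PVS-FTP_Client_File_Upload 10.1.50.7 -> 10.1.5.20 file=report.csv",
    "2014-01-17T02:16:44 PVS-FTP_Client_File_Upload 10.1.20.12 -> 203.0.113.45 file=data2.txt",
]

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+) (.*)$")

def ftp_from_assets(events, assets):
    """Keep only the FTP events whose source or destination is a POS asset."""
    kept = []
    for line in events:
        m = EVENT_RE.match(line)
        if m and (m.group(3) in assets or m.group(4) in assets):
            kept.append(line)
    return kept

if __name__ == "__main__":
    pos = pos_assets(PLUGIN_70329_OUTPUT)
    print(sorted(pos))                     # ['10.1.20.11', '10.1.20.12']
    for line in ftp_from_assets(FTP_EVENTS, pos):
        print(line)
```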
Custom File Hash Searches
The CERT report identifies six pages of malicious file indicators, including file hash signatures. Nessus
can be used to search for these custom hashes as part of your audits.
- Although the report didn't mention the creation of new user accounts specifically, I would
find it very surprising if part of the malware's expansion did not steal an account or try to crack
passwords. As such, you should audit any New_User_Source events from the LCE, which
track where a user account normally logs in from and alert when a new trust pair is seen.
- Look for any log anomalies from your POS systems. Any anomaly in network traffic,
detected changes or errors could be the fingerprint of the malware.
- Audit the list of commands that have run on your POS systems. The LCE summarizes this
for each device and each user on a daily basis.