1 Reply. Latest reply: Jan 20, 2014 4:15 AM by rongula

Searching for Trojan.POSRAM Indicators

rongula

I've had a variety of Tenable customers ping me about how to go about searching for the indicators associated with the iSight and US-CERT January 16th report titled "POS Malware Technical Analysis: Indicators for Network Defenders". The report and its contents are not for public consumption, so I will speak about it indirectly. I've gone through the document and have written a bunch of notes that would be very useful for our SecurityCenter users who need to look and see if any of these indicators are on their network.

Creating An Asset of POS Systems

The document mentions that the RAM scraping malware is looking for the systems running pp.exe, PosW32.exe, pos.exe and epsenginesrv.exe. With Nessus plugin 70329, a dynamic asset list can be created which leverages multiple text searches for these process strings.

This will create a list of IP addresses of systems which have those processes running. An asset list of POS systems is useful for conducting further reporting and analysis of network traffic, such as isolating FTP traffic to or from these devices.

Passively Looking for DLL Files moved over SMB

The trojan moves a text file across the network via the SMB Windows file sharing protocol. All files observed moving across SMB are logged by Tenable's Passive Vulnerability Scanner and these logs are normalized with an event name of "PVS-SMB_Client_DLL_File_Download" as shown below.

[Screen shot omitted: Screen Shot 2014-01-17 at 10.50.11 AM.png]

Organizations who have been logging this sort of network traffic over time can search for the names of the DLL files that have been transferred. If there are many to search through, consider looking for any anomalies (of event type stats) for this event with this search string:

type=stats text=PVS-SMB_Client_DLL_File_Download

Also consider using the "Date Summary" tool to see how this traffic visually compares to other days and to also look for spikes or transfers between the times of day identified in the report.

ICMP Listener

Both Nessus and the PVS can detect if systems are pingable. For example, the PVS includes a plugin 7043 which enumerates all observed IP protocols that the host has communicated on.

If you are running the Tenable Network Monitor on your network and configured it to log ICMP traffic, consider auditing this also for anomalies and to look for odd communication patterns. Below is a screen shot of ICMP logs from the TNM next to some PVS logs:

[Screen shot omitted: Screen Shot 2014-01-17 at 11.06.00 AM.png]

Detecting the ShellCode Loader On the Network

The report indicated that a new form of malware delivery was in use which sends the actual shell code across the network. No other details were given other than that the file was highly random. Consider looking for several different items:

  • PVS plugins 15 and 3 report all of the clients and servers per port for any given host. This
    list should be audited to see if there are any common servers used by the POS systems
    which could be an internal control point and the source of the shell code.
  • PVS plugin 7 logs all ports that have any type of highly random network session which
    could indicate encryption. These are also logged in real-time and can be searched within
    the LCE as shown below:

[Screen shot omitted: Screen Shot 2014-01-17 at 11.12.29 AM.png]

Detecting the Hacking Tools

It is very likely, but was not specifically stated, that the PSEXEC utility was used by this malware. Both Nessus and the PVS detect PSEXEC presence and we've blogged about detecting and auditing this in your enterprise in the past. Many other Windows hacking tools are detected as malware by Nessus as well as the Windows LCE Client.
Auditing for the Rogue POSWDS Service

Nessus records all running services in many different plugins. The main one is plugin 10456 which enumerates all services. Searching this report for the string "POSWDS" will find any system with that service running.

If a Windows LCE Client is running on your POS systems and you have a group policy logging all process execution and service events, you can search your normalized logs with the following string:

type=system normalizedEvent=Windows-Service* text=POSWDS timeframe="Within 30 Days"
Searching for Rogue Applications

The document also recommends searching for any type of rogue applications which may be some sort of data manager. Keep in mind that:

  • Nessus plugin 70330 identifies any processes running on a given host that are unique
    compared to the other scanned hosts.
  • Nessus plugin 70628 identifies any AutoRun settings which are unique compared to
    any other scanned hosts.
  • Nessus plugin 11154 identifies any network services which are not identifiable. We use this
    for our customers to send us information about new services, but it is also an excellent
    way to find malware running its own proprietary protocols.
  • Nessus plugin 70768 identifies all running processes which have an unknown reputation.
Searching for Unauthorized FTP

The PVS logs all FTP connections and transactions it sees. These logs are sent to the LCE for normalization and reporting. Below is an example screen shot showing passive file detection over SMTP, SMB and FTP:

[Screen shot omitted: Screen Shot 2014-01-17 at 11.32.30 AM.png]

If you have created an asset list of your POS systems, you can leverage it to filter all of your FTP traffic to just FTP traffic from the POS systems.
Custom File Hash Searches

The CERT report identifies six pages of malicious file indicators, including file hash signatures. Nessus can be used to search for these custom hashes as part of your audits.
Additional Suggestions

  • Although the report didn't mention the creation of new user accounts specifically, I would
    find it very surprising if part of the malware expansion did not steal an account or try to crack
    passwords. As such, you should audit any New_User_Source events from the LCE, which
    track where a user account normally logs into and alert if they see a new trust pair.
  • Look for any log anomalies from your POS systems. Any anomalies in network traffic,
    detected changes or errors could be your fingerprint of the malware.
  • Audit the list of commands that have run on your POS systems. The LCE summarizes this
    for each device and each user on a daily basis.
Ron Gula

  • Re: Searching for Trojan.POSRAM Indicators
    rongula

    CrowdStrike released a blog with YARA signatures as well as Snort signatures for the Trojan.POSRAM sample. Their post referenced these IP addresses as destinations for the exfiltration of FTP data:

    199.188.204.182
    50.87.167.144 21
    63.111.113.99

    If you wish to search for these in your normalized logs, these addresses should be added to a Watchlist and then used as a search of your netflow, PVS realtime and other types of logs.

    Ron
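As an added example (not code from Ron's posts or from Tenable's products), the script below ties together three of the checks described above: building the POS asset list from the targeted process names, finding the rogue POSWDS service, and filtering FTP and SMB DLL-download events from those assets against the watchlist addresses in the reply. The host inventory, the "PVS-FTP_Connection" event name, the "sample.dll" file name and the key=value log layout are all constructed for the example and are not LCE's or Nessus's real formats.

```python
# Added example, not code from the post or from Tenable. The inventory and
# key=value log lines below are constructed stand-ins for plugin output and
# LCE normalized logs (not their real formats).

# Process names the post says the RAM scraper targets (basis of the plugin 70329 asset list).
POS_PROCESSES = {"pp.exe", "posw32.exe", "pos.exe", "epsenginesrv.exe"}
# Rogue service name from the post.
ROGUE_SERVICE = "POSWDS"
# Exfiltration destinations quoted in the reply (the watchlist).
WATCHLIST = {"199.188.204.182", "50.87.167.144", "63.111.113.99"}

# Constructed inventory: host -> (running processes, running services).
INVENTORY = {
    "10.1.1.10": ({"pos.exe", "explorer.exe"}, {"Spooler"}),
    "10.1.1.11": ({"PosW32.exe", "svchost.exe"}, {"POSWDS", "Spooler"}),
    "10.1.2.50": ({"outlook.exe"}, {"Spooler"}),
}

# Constructed log lines; "PVS-FTP_Connection" and "sample.dll" are made up here,
# while the SMB event name is the one the post quotes.
LOGS = [
    "normalizedEvent=PVS-FTP_Connection src=10.1.1.10 dst=50.87.167.144 dport=21",
    "normalizedEvent=PVS-FTP_Connection src=10.1.2.50 dst=10.1.9.9 dport=21",
    "normalizedEvent=PVS-SMB_Client_DLL_File_Download src=10.1.1.11 dst=10.1.1.10 file=sample.dll",
    "normalizedEvent=PVS-FTP_Connection src=10.1.1.11 dst=199.188.204.182 dport=21",
]


def pos_asset_list(inventory):
    """Dynamic asset list: hosts running any targeted POS process (case-insensitive)."""
    return {ip for ip, (procs, _) in inventory.items()
            if {p.lower() for p in procs} & POS_PROCESSES}


def rogue_service_hosts(inventory):
    """Hosts where the POSWDS service is present (the plugin 10456 text search)."""
    return {ip for ip, (_, svcs) in inventory.items() if ROGUE_SERVICE in svcs}


def findings(logs, pos_assets):
    """Flag FTP to a watchlist address and SMB DLL downloads, only from POS assets."""
    out = []
    for line in logs:
        ev = dict(field.split("=", 1) for field in line.split())  # key=value -> dict
        if ev.get("src") not in pos_assets:
            continue  # filter to the POS asset list, as the post suggests for FTP traffic
        if ev["normalizedEvent"].startswith("PVS-FTP") and ev.get("dst") in WATCHLIST:
            out.append(("ftp-to-watchlist", ev["src"], ev["dst"]))
        elif ev["normalizedEvent"] == "PVS-SMB_Client_DLL_File_Download":
            out.append(("smb-dll-download", ev["src"], ev.get("file")))
    return out
```

Feeding real plugin output and exported LCE search results into the same three functions would require only replacing the constructed parsers with ones for the actual formats.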