alexkus | 11 years ago

> How RAM Scrapers Work

> Once on a targeted system, RAM scrapers work by examining the list of processes that are running on the system and inspecting the memory for data that matches the structure of credit card data, such as the account number, expiration date, and other information stored on a card’s magnetic stripe.

No hooking; sounds exactly like they're looking through the memory assigned to each process, looking for the right-looking data.

ultramancool | 11 years ago

Okay, so, how do they harvest live data? Scan constantly? That would have a risk of missing something or of slowing down the system.

I suspect that is just an oversimplification; of course, unless they post the malware in question I can't really say for sure.

tkmcc | 11 years ago

That's exactly what they do. They'll call ReadProcessMemory() on every process and then use a regex + Luhn algorithm to check for credit card data. I'm sure some of the more advanced and targeted ones do use hooking, and some filter the processes to scrape by name, but a lot of malware authors are surprisingly amateur.

Further reading: http://www.trendmicro.com/cloud-content/us/pdfs/security-int...
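
The "regex + Luhn" filter tkmcc describes is the same check an incident responder or DLP scanner runs over a process memory dump to confirm whether card data was resident in cleartext. Added example, not code from this thread or from any of the malware discussed; the memory buffer is constructed, the PANs are the public Visa/Mastercard test numbers, and the scan assumes ASCII-encoded digits.

```python
import re
from typing import NamedTuple, Optional

# Run of 13-19 ASCII digits not adjacent to other digits (the PAN length range).
# A longer digit run (e.g. a 20-digit session id) is rejected as a whole.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")
# Track-2 style field separator followed by a YYMM expiry date.
EXPIRY_AFTER_RE = re.compile(rb"=(\d{4})")

class Hit(NamedTuple):
    offset: int            # byte offset of the candidate PAN in the buffer
    pan: bytes
    expiry: Optional[bytes]  # YYMM when a track-2 layout follows the PAN

def luhn_ok(digits: bytes) -> bool:
    """Mod-10 (Luhn) check over an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30                  # bytes iterate as ints; 0x30 is '0'
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_buffer(buf: bytes) -> list:
    """Return Luhn-valid PAN candidates found in a raw memory buffer.

    Assumption: digits are ASCII. UTF-16 strings, common in Windows
    processes, would need a second pattern and are not covered here.
    """
    hits = []
    for m in PAN_RE.finditer(buf):
        pan = m.group()
        if not luhn_ok(pan):           # most digit runs (timestamps, ids) fail here
            continue
        exp = EXPIRY_AFTER_RE.match(buf, m.end())
        hits.append(Hit(m.start(), pan, exp.group(1) if exp else None))
    return hits

# Constructed sample resembling a fragment of a payment process's heap.
SAMPLE = (
    b"\x00\x00POST /pay HTTP/1.1\x00ts=1412345678901\x00"  # 13-digit timestamp: fails Luhn
    b"card=4111111111111111&exp=12/25\x00"                 # bare Luhn-valid test PAN
    b";5555555555554444=25121011234?\x00"                  # track-2 layout, expiry YYMM=2512
    b"ref=4111111111111112\x00"                            # last digit altered: fails Luhn
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE):
        print(f"offset {hit.offset}: PAN {hit.pan.decode()} expiry {hit.expiry}")
```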

doug11235 | 11 years ago

My guess is that 100% robustness wasn't a big concern. Getting 80% of a lot is good enough.