{"id":872,"date":"2014-01-31T12:17:10","date_gmt":"2014-01-31T17:17:10","guid":{"rendered":"http:\/\/www.kaspersky.com.tr\/blog\/?p=872"},"modified":"2020-02-26T18:35:36","modified_gmt":"2020-02-26T15:35:36","slug":"ram-kaziyicilar-ve-diger-satis-noktasi-zararli-yazilimlari","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/ram-kaziyicilar-ve-diger-satis-noktasi-zararli-yazilimlari\/872\/","title":{"rendered":"RAM Kaz\u0131y\u0131c\u0131lar ve Di\u011fer POS Zararl\u0131 Yaz\u0131l\u0131mlar\u0131"},"content":{"rendered":"<p>Ya\u015fanan veri h\u0131rs\u0131zl\u0131\u011f\u0131 sadece ABD\u2019dekileri etkilemi\u015f olmas\u0131na ra\u011fmen, ge\u00e7en y\u0131l Amerikal\u0131 perakende devi <a href=\"https:\/\/threatpost.com\/target-attackers-took-11-gb-of-data-researchers-say\/103691\" target=\"_blank\" rel=\"noopener nofollow\">Target\u2019\u0131n ba\u015f\u0131na gelen dev veri h\u0131rs\u0131zl\u0131\u011f\u0131n\u0131 <\/a>belki duymu\u015fsunuzdur. 40 milyon m\u00fc\u015fterinin kredi kart\u0131 bilgilerinin yan\u0131nda 70 milyona yak\u0131n\u0131n\u0131n da ki\u015fisel verileri bu h\u0131rs\u0131zl\u0131\u011fa maruz kald\u0131. Bu olay \u00f6zellikle yeni y\u0131l tatili d\u00f6neminde olmak \u00fczere yakla\u015f\u0131k bir ayl\u0131k bir s\u00fcre\u00e7te ya\u015fand\u0131. ABD\u2019de bulunan hemen hemen t\u00fcm Target ma\u011faza ve noktalar\u0131 bu durumdan etkilendi.<\/p>\n<p>Sald\u0131rganlar\u0131n y\u00fcz milyonlarca Target m\u00fc\u015fterisinin verilerini \u00e7almak i\u00e7in baz\u0131 \u00f6deme sistemlerini ve Target\u2019\u0131n kurumsal sunucular\u0131n\u0131 ele ge\u00e7irdi\u011fini ve t\u00fcm verileri merkezi bir sistemden \u00e7ald\u0131\u011f\u0131n\u0131 d\u00fc\u015f\u00fcnebilirsiniz. Elbette bir perakende devinden \u00e7ok b\u00fcy\u00fck miktarda veri \u00e7almak i\u00e7in bu iyi bir y\u00f6ntem olarak g\u00f6z\u00fckebilir ancak g\u00f6r\u00fcnen o ki Target olay\u0131nda farkl\u0131 bir y\u00f6ntem kullan\u0131lm\u0131\u015f.<\/p>\n<p>Asl\u0131na bakarsan\u0131z, Target\u2019\u0131n \u00f6deme cihazlar\u0131 veya \u00f6deme sistemleri bu h\u0131rs\u0131zl\u0131\u011f\u0131 yapmak i\u00e7in \u00e7ok k\u00fc\u00e7\u00fck kal\u0131r. Bu sald\u0131r\u0131y\u0131 d\u00fczeleyenler kredi kart\u0131 okuyuculara \u2013 pos cihaz\u0131 olarak da bilinir \u2013 ve yazar kasalara \u00f6zel tasarlanm\u0131\u015f bir zararl\u0131 yaz\u0131l\u0131m yerle\u015ftirmi\u015f.<\/p>\n<div class=\"pullquote\">\u201cPOS (Point of Sale) zararl\u0131 yaz\u0131l\u0131m\u0131 RAM verilerinin kriptosunu a\u00e7arak i\u00e7indeki kredi kart\u0131 numaralar\u0131, kullan\u0131c\u0131 adlar\u0131, adresler, g\u00fcvenlik kodlar\u0131n\u0131n yan\u0131 s\u0131ra \u00f6deme kart\u0131n\u0131n di\u011fer bir ve ikinci iz verilerini s\u00f6k\u00fcyor.\u201d<\/div>\n<p>Daha net a\u00e7\u0131klamak gerekirse, sald\u0131rganlar Target\u2019\u0131n kurumsal \u00f6deme sunucular\u0131na bir yolla ba\u011flant\u0131 kurmu\u015f. Buradaki konu, kart verisi bu sunuculara hali haz\u0131rda kriptolanm\u0131\u015f olarak geliyor. Sadece \u00f6deme do\u011frulamas\u0131 amac\u0131yla bilgilerin kriptosunun a\u00e7\u0131ld\u0131\u011f\u0131 \u00e7ok k\u0131sa bir zaman aral\u0131\u011f\u0131 var. \u0130\u015fte bu anda yazar kasa \u2013 veya sisteme ba\u011fl\u0131 olarak yak\u0131ndaki bir sunucu \u2013 bu kriptolanmam\u0131\u015f verileri RAM\u2019i \u00fczerinde tutuyor.<\/p>\n<p>Bu a\u015famada da PoS zararl\u0131 yaz\u0131l\u0131m\u0131 devreye giriyor. POS (Point of Sale) zararl\u0131 yaz\u0131l\u0131m\u0131 RAM verilerinin kriptosunu a\u00e7arak i\u00e7indeki kredi kart\u0131 numaralar\u0131, kullan\u0131c\u0131 adlar\u0131, adresler, g\u00fcvenlik kodlar\u0131n\u0131n yan\u0131 s\u0131ra \u00f6deme kart\u0131n\u0131n di\u011fer bir ve ikinci iz verilerini kaz\u0131yor. Bu s\u0131n\u0131f zararl\u0131 yaz\u0131l\u0131mlar <a href=\"https:\/\/threatpost.com\/ram-scraper-malware-a-threat-to-point-of-sale-systems\/103623\" target=\"_blank\" rel=\"noopener nofollow\">RAM kaz\u0131y\u0131c\u0131<\/a> olarak biliniyor ve en az alt\u0131 y\u0131ld\u0131r ortal\u0131kta dola\u015f\u0131yor.<\/p>\n<p>Target vakas\u0131nda, sald\u0131rganlar PoS zararl\u0131 yaz\u0131l\u0131mlar\u0131n\u0131 merkezi olarak konumland\u0131r\u0131lm\u0131\u015f a\u011fa ba\u011fl\u0131 sunucular veya makinalar \u00fczerinden sat\u0131\u015f terminallerine veya do\u011frulama prosesinin yap\u0131ldu\u011fu sunuculara aktarm\u0131\u015f olmal\u0131lar. Aksi takdirde RAM kaz\u0131y\u0131c\u0131lar\u0131n\u0131 her bir Target noktas\u0131ndaki her bir PoS terminaline tek tek kurmalar\u0131 gerekirdi ki bu da pek m\u00fcmk\u00fcn g\u00f6z\u00fckm\u00fcyor.<\/p>\n<p>Vakay\u0131 inceleyen <a href=\"http:\/\/www.seculert.com\/blog\/2014\/01\/pos-malware-targeted-target.html\" target=\"_blank\" rel=\"noopener nofollow\">bir Seculert ara\u015ft\u0131rmac\u0131s\u0131<\/a> sald\u0131rganlar\u0131n a\u011fdaki vir\u00fcsl\u00fc bir makina \u00fczerinden eri\u015ferek Target\u2019\u0131n \u00f6deme noktas\u0131 altyap\u0131s\u0131na girdi\u011fini ortaya \u00e7\u0131kard\u0131. Sald\u0131rganlar bu eri\u015fimi sa\u011flad\u0131ktan sonra pop\u00fcler BlackPOS zararl\u0131 yaz\u0131l\u0131m\u0131n\u0131n bir varyasyonunu kurmu\u015flar. (E\u011fer nereye bakaca\u011f\u0131n\u0131z\u0131 biliyorsan\u0131z bu yaz\u0131l\u0131m\u0131 kolayca online yasad\u0131\u015f\u0131 hack forumlar\u0131ndan sat\u0131n alabiliyorsunuz.)<\/p>\n<p>Department of Homeland Security, United States Secret Service, National Cybersecurity and Communications Integration Center, Financial Sector Information Sharing and Analysis Center, ve iSIGHT Partners taraf\u0131ndan olu\u015fturulan dan\u0131\u015fma koalisyonuna g\u00f6re BlackPOS\u2019un kodu yak\u0131n zamanda halka a\u00e7\u0131k hale geldi\u011fi i\u00e7in herkes taraf\u0131ndan kolayca eri\u015filebilir.<b><\/b><\/p>\n<p>Nas\u0131l BlackPOS bu t\u00fcrdeki tek PoS zararl\u0131 yaz\u0131l\u0131m\u0131 de\u011filse Target da bu tehditle kar\u015f\u0131 kar\u015f\u0131ya kalan tek perakende zinciri de\u011fil. Asl\u0131nda Nieman Marcus al\u0131\u015fveri\u015f ma\u011fazalar\u0131 ve Michael\u2019s sanat ma\u011fazas\u0131 da benzer sald\u0131r\u0131lar\u0131n kurban\u0131 olduklar\u0131n\u0131 a\u00e7\u0131klad\u0131. Baz\u0131lar\u0131 bu \u00fc\u00e7 sald\u0131r\u0131n\u0131n da birbiri ile ba\u011flant\u0131l\u0131 oldu\u011funu s\u00f6ylese de bu t\u00fcr a\u00e7\u0131klamalar spek\u00fclatif olman\u0131n \u00f6tesine ge\u00e7emiyor.<\/p>\n<p><a href=\"http:\/\/artemonsecurity.com\/20140116_POS_Malware_Technical_Analysis.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Koalisyonun a\u00e7\u0131klamas\u0131<\/a>\u2018na g\u00f6re PoS zararl\u0131 yaz\u0131l\u0131m\u0131 bir patlaman\u0131n e\u015fik noktas\u0131. \u0130ddialar\u0131na g\u00f6re <a href=\"https:\/\/www.kaspersky.com\/blog\/the-big-four-banking-trojans\/\" target=\"_blank\" rel=\"noopener nofollow\">Zeus<\/a> gibi bankac\u0131l\u0131k Truva atlar\u0131 basit modifikasyonlarla pek \u00e7ok yeni \u00f6rnek ortaya \u00e7\u0131kacak. PoS zararl\u0131 yaz\u0131l\u0131m\u0131 siber su\u00e7lulara giderek artan miktarda kullan\u0131labilir hale geldik\u00e7e ve g\u00fcvenlik g\u00fc\u00e7lerince g\u00f6r\u00fclebilir olduk\u00e7a RAM kaz\u0131y\u0131c\u0131lar (bunlardan \u00f6nceki bankac\u0131l\u0131k Truva at\u0131 yazanlar gibi) kendileri i\u00e7in daha zor tespit edilebilir \u00f6zel Truva atlar\u0131 tasarlamaya ba\u015flayacaklar.<\/p>\n<p>DHS ve \u015firketler freelance forumlar\u0131nda PoS zararl\u0131 yaz\u0131l\u0131m\u0131 reklamlar\u0131nda (\u00e7e\u015fitli dillerde) bir art\u0131\u015f g\u00f6zlemlediler. Di\u011fer bir deyi\u015fle, su\u00e7lular RAM kaz\u0131y\u0131c\u0131 \u00fcretecek freelance geli\u015ftiriciler arad\u0131klar\u0131na dair \u00e7ok say\u0131da ilanlar veriyor. PoS zararl\u0131 yaz\u0131l\u0131mlar\u0131 ile ilgili benzer bir art\u0131\u015f 2010 y\u0131l\u0131nda da ger\u00e7ekle\u015fmi\u015f. Y\u0131l\u0131n ba\u015flang\u0131c\u0131nda outsource edilen POS zararl\u0131 yaz\u0131l\u0131m\u0131 projeleri 425$ ile 2500$ aras\u0131ndayken y\u0131l\u0131n sonuna do\u011fru bu rakam talebin artmas\u0131 \u00fczerine 6500$ seviyelerine kadar \u00e7\u0131kt\u0131.<\/p>\n<p>Bu nedenle PoS zararl\u0131 yaz\u0131l\u0131mlar\u0131ndaki yay\u0131lman\u0131n sebebinin a\u00e7\u0131k kaynakl\u0131 mevcut kimlik h\u0131rs\u0131zl\u0131\u011f\u0131 Truva atlar\u0131n\u0131n kolayca de\u011fi\u015ftirilerek RAM kaz\u0131ma operasyonlar\u0131 i\u00e7in kullan\u0131labilmesi.<\/p>\n<p>Raporda, \u201cS\u0131zan kimlik h\u0131rs\u0131zl\u0131\u011f\u0131 zararl\u0131 yaz\u0131l\u0131mlar\u0131na ait kaynak kodlar\u0131 yeni bir t\u00fcr zararl\u0131 yaz\u0131l\u0131m\u0131 s\u0131f\u0131rdan \u00fcretecek yetene\u011fe sahip olmayan ki\u015filer i\u00e7in bir ba\u015flang\u0131\u00e7 noktas\u0131 olurken kendi \u00e7al\u0131\u015fmalar\u0131n\u0131n etkinli\u011fini art\u0131rmak isteyenler i\u00e7in ise iyi bir basamak g\u00f6revi g\u00f6r\u00fcyor. Bu nedenlerle d\u00fc\u015fen bariyerler sebebiyle piyasaya \u00e7ok miktarda POS zararl\u0131 yaz\u0131l\u0131m\u0131 ortaya \u00e7\u0131kabilir. Dolay\u0131s\u0131yla daha ucuz fiyatlar ve daha geni\u015f bir kullan\u0131c\u0131 kitlesi bu yaz\u0131l\u0131mlar\u0131 kullanmaya ba\u015flayabilir\u201d diye belirtilmi\u015f.<\/p>\n<p>Anahtar bu. Hemen her t\u00fcrl\u00fc siber su\u00e7 i\u00e7in bu paradigma mevcuttur. \u0130lk olarak sald\u0131r\u0131lar basit olarak ba\u015flar, ger\u00e7ekle\u015ftirmesi ve tekrarlamas\u0131 zordur.<a href=\"https:\/\/business.kaspersky.com\/addressing-the-global-trafficking-of-financial-data\/\" target=\"_blank\" rel=\"noopener nofollow\"> Zaman i\u00e7inde bu sald\u0131r\u0131lar kolayla\u015f\u0131r<\/a> ve daha az yetenekli sald\u0131rganlara da bunu ger\u00e7ekle\u015ftirme imkan\u0131 do\u011far. Bunun \u00f6tesinde, yetenekli sald\u0131rganlar kolayl\u0131kla kullan\u0131labilecek sald\u0131r\u0131 kitleri olu\u015fturabilirler. B\u00f6ylece siber su\u00e7lar klavyesi ve k\u00f6t\u00fc niyeti olan herkese a\u00e7\u0131lm\u0131\u015f olur.<\/p>\n<p>Di\u011fer yandan, bu durum i\u00e7in sizin elinizden gelen fazla bir \u015fey yok. Al\u0131\u015fveri\u015f yapt\u0131\u011f\u0131n\u0131z markete gidip PoS altyap\u0131s\u0131n\u0131 kontrol eden ve g\u00fcvenlik a\u00e7\u0131\u011f\u0131 olan t\u00fcm Windows XP makinalar\u0131 de\u011fi\u015ftiremezsiniz. Yapabilece\u011finiz en iyi \u015fey kulland\u0131\u011f\u0131n\u0131z ma\u011fazalar\u0131n ba\u015far\u0131l\u0131 y\u00f6ntemleri kulland\u0131klar\u0131ndan ve a\u011flar\u0131ndaki makinalar\u0131n g\u00fcvenli oldu\u011fundan emin olabilmektir.<\/p>\n<p>Bir di\u011fer konu ise, sald\u0131r\u0131ya u\u011frayan \u015firketlerin itibars\u0131zla\u015fmaya maruz kalmamak i\u00e7in muhtemelen dile getirmedi\u011fi pek \u00e7ok veri \u00e7al\u0131nma olay\u0131 daha ya\u015fanmas\u0131. Target vakas\u0131nda oldu\u011fu gibi \u00e7ok h\u0131zl\u0131 bir \u015fekilde gelip istediklerini al\u0131p \u00e7\u0131k\u0131yorlar. Pek \u00e7ok banka m\u00fc\u015fterilerini riskler konusunda uyar\u0131yor. Bu sayede hesaplar\u0131m\u0131z\u0131 kontrol etme ve problem potansiyeli olan kartlar\u0131m\u0131z\u0131 de\u011fi\u015ftirme imkan\u0131m\u0131z oluyor. Asl\u0131nda yapabilece\u011finiz en temel \u015fey: haberleri okumak, hesab\u0131n\u0131z\u0131 kontrol etmek ve gerekti\u011finde kartlar\u0131n\u0131z\u0131 de\u011fi\u015ftirmek.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ya\u015fanan veri h\u0131rs\u0131zl\u0131\u011f\u0131 sadece ABD\u2019dekileri etkilemi\u015f olmas\u0131na ra\u011fmen, ge\u00e7en y\u0131l Amerikal\u0131 perakende devi Target\u2019\u0131n ba\u015f\u0131na gelen dev veri h\u0131rs\u0131zl\u0131\u011f\u0131n\u0131 belki duymu\u015fsunuzdur. 40 milyon m\u00fc\u015fterinin kredi kart\u0131 bilgilerinin yan\u0131nda 70 milyona<\/p>\n","protected":false},"author":350,"featured_media":873,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1351],"tags":[515,517,516],"class_list":{"0":"post-872","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"tag-pos","9":"tag-ram-kaziyici","10":"tag-veri-hirsizligi"},"hreflang":[{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/ram-kaziyicilar-ve-diger-satis-noktasi-zararli-yazilimlari\/872\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.tr\/blog\/tag\/pos\/","name":"POS"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/users\/350"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/comments?post=872"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/872\/revisions"}],"predecessor-version":[{"id":7732,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/posts\/872\/revisions\/7732"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media\/873"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/media?parent=872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/categories?post=872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.tr\/blog\/wp-json\/wp\/v2\/tags?post=872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}