Saturday, October 25, 2014

Backoff Malware and Variants are Spreading through POS Systems Quickly

We have had several retailers notify us that they are having problems keeping the Backoff variant off their point of sales systems. We have given them the quick run down on what they can do to protect themselves and then a few weeks go by and they call again. We have offered to assist them in locking down their systems correctly. In fact this week we provided a lock down script in our Auditing Toolkit specifically for retailers to apply to their point of sales system.

The Backoff malware is being modified to avoid detection and since it runs differently than previous malware variants each system must be checked as it can run in memory without any indication of any issue. We have even seen some variants that actually seek out other traffic and send it out using protocols that typically would not be a problem (including DNS traffic request with payloads).

The best bet is to hire a security firm that specializes in this type of protection. Symantec has stated that known threats are safe in recent testing and it's really starting to annoy us. In fact we have been doing submissions by request all week and the latest signatures still do not detect known variants. We are starting to feel as though these companies don't care to protect against this or see some sort of liability if they miss something. Well Symantec you are missing a lot of the viruses and malware that is causing head aches to the financial industry.

In our testing of 22 malware and virus samples on Friday Symantec only detected 7 of the samples. The other variants went undetected although Virus Total detected 21 of the 22 samples as malicious. As of today Virus Total detected 22 of 22 samples so it's a little concerning that AV vendors are lagging so far behind.

We have continually updated our MD5 hash feed with the latest threats but it's impossible to keep up with the variants. We have turned to our cloud infrastructure for help and will be allowing binary submissions soon. Clients already submit samples to our cloud for analysis and scoring and we are noting an uptick in Backoff this week.

There will be more to come on this topic but Antivirus is not the answer even though corporations keep telling us we have a firewall and we have antivirus. How does this stuff keep getting in? It's getting in because your teams are not adequately trained to identify unconventional threats. This is why this malware goes months without being detected even though external indicators are alerting people to problems.

We will continue to notify entities until they start to take notice. We are getting tired of the "if I don't know about it, it's not a problem" attitude. Ignoring the problem is NOT the way to proceed. We have 56 entities that we are set to list on vulnerable disclosures. We have notified all 56 of problems and have not seen responses. This will probably get interesting very, very quickly when the full list is put out there.


No comments:

Post a Comment