Wednesday, November 5, 2014

Over 1000 Backoff Malware Infected Machines in the US, 2500 in Europe

Researchers at SLC Security Services LLC have been able to identify over 3500 positive infections utilizing 3 variants of the Backoff malware over the past 30 days. By capturing data over networks and comparing against known MD5 hashes we can first detect the infection. Then the infected host will start making DNS request to Google DNS servers (8.8.8.8) and then the encrypted data stream we feel as though our detection methods are accurate.

One of the interesting things to note is that of the affected hosts we published earlier this month nearly half of their networks are still sending data through 8 hub locations in which we were able to analyze traffic through one of our business partners that is a major Internet Service Provider in North America. We created and were able to get our partners to run a set of 10 snort signatures that we provided as well as a customized program to capture binary streams off the wire to analyze them for known MD5 matches without storing the data.

It seems that the vendors and corporations affected either do not have adequate detection in place or have failed to lock down their networks sufficiently to protect the infrastructure. In one case we even found a misconfigured POS system sending dns request to 1.1.1.1 in encapsulated P2P traffic which was very unusual.

If you are a vendor or operate a POS system and require an audit call us. We have more experience dealing with malware than some of the largest antivirus firms. To protect your point of sales equipment from allowing this type of activity we recommend hardware based firewall network interface cards from Intel and our OS level shim to protect the POS hardware and our X-Gateway Hardware Firewall to detect and alert you to any activity and manage your Intel cards, Switches, Firewalls and IDS/IPS systems. The X-Gateway will provide customized rule sets, ACL's and Firewall Rules for all of your network devices and allow management from a single web based interface. Our Compliance Framework ensures that you will pass your audit, the first time!

Trust the leaders in this space and find out why 98% of our clients pass their audits after initiating our security model.

SLC Security Services LLC can be reached at (919)441-7353 or www.slcsecurity.com.

No comments:

Post a Comment