Detecting The Trojan.POSRAM Malware

by Paul Asadoorian
January 21, 2014

Malware is created for a number of different purposes and is often targeted at a specific industry or type of software. Such is the case for Point-Of-Sale (POS) systems: the systems that process transactions in a retail environment are highly sought after by attackers because they can be a gold mine for credit card data. Tenable's products can be used to detect such malware, for example the recently discovered Trojan.POSRAM (aka the "BlackPOS" malware, as referenced by the Krebs on Security blog), in the following ways:

  • Creating an Asset List of POS Systems - Using process detection inside Nessus, you can find all systems running POS-related processes
  • Using the Passive Vulnerability Scanner (PVS) you can detect DLL files being transferred over SMB
  • ICMP anomalies can be detected using both PVS and the Tenable Network Monitor (NetFlow data analysis), as ICMP is used by the malware
  • PVS plugin 7 logs all ports that carry highly random network sessions, which could indicate encryption used by the backdoor shellcode
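To show what three of the checks above look like in practice, here is an added example written for this post; it is not Tenable, Nessus or PVS code. It runs over constructed sample data: an SMB file-transfer log in a made-up format, NetFlow-style records, and session payloads where a chained SHA-256 stream stands in for an encrypted backdoor channel. The thresholds (7.0 bits of entropy, 128 bytes per ICMP packet, 200 ICMP packets) are assumptions chosen for the sample data and would need tuning against a real baseline.

```python
"""Added example: DLL-over-SMB, ICMP-anomaly and random-session checks over
constructed sample data (not Tenable/PVS code)."""
import hashlib
import math
from collections import Counter, defaultdict


# --- 1. DLL files transferred over SMB -------------------------------------
# Constructed log lines in an assumed format: "<ts> smb-file <src> -> <dst> <path>"
SAMPLE_SMB_LOG = [
    "2014-01-20T10:02:11 smb-file 10.1.1.5 -> 10.1.1.21 \\\\pos-srv\\share\\report.txt",
    "2014-01-20T10:03:45 smb-file 10.1.1.5 -> 10.1.1.22 \\\\pos-01\\c$\\windows\\temp\\helper.dll",
    "2014-01-20T10:04:02 smb-file 10.1.1.6 -> 10.1.1.21 \\\\pos-srv\\share\\prices.csv",
]


def flag_dll_over_smb(lines):
    """Return (src, dst, path) for every SMB file transfer whose path ends in .dll."""
    flagged = []
    for line in lines:
        ts, kind, src, arrow, dst, path = line.split(None, 5)
        if kind == "smb-file" and path.lower().endswith(".dll"):
            flagged.append((src, dst, path))
    return flagged


# --- 2. ICMP anomalies from NetFlow-style records ---------------------------
# Constructed flow records, one per (src, dst, protocol).
SAMPLE_FLOWS = [
    {"src": "10.1.1.5", "dst": "10.1.1.1", "proto": "icmp", "packets": 10, "bytes": 640},
    {"src": "10.1.1.7", "dst": "203.0.113.9", "proto": "icmp", "packets": 40, "bytes": 52000},
    {"src": "10.1.1.7", "dst": "10.1.1.20", "proto": "tcp", "packets": 300, "bytes": 210000},
    {"src": "10.1.1.9", "dst": "10.1.1.1", "proto": "icmp", "packets": 2, "bytes": 128},
]


def flag_icmp_anomalies(flows, max_avg_bytes=128, max_packets=200):
    """Summarise ICMP per source host and flag hosts whose ICMP packets are
    unusually large (a normal ping is roughly 64-100 bytes) or unusually
    numerous. Thresholds are assumptions for the sample data."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "dsts": set()})
    for f in flows:
        if f["proto"] != "icmp":
            continue
        s = per_src[f["src"]]
        s["packets"] += f["packets"]
        s["bytes"] += f["bytes"]
        s["dsts"].add(f["dst"])
    flagged = []
    for src, s in per_src.items():
        avg = s["bytes"] / s["packets"]
        if avg > max_avg_bytes or s["packets"] > max_packets:
            flagged.append((src, s["packets"], round(avg, 1), sorted(s["dsts"])))
    return flagged


# --- 3. Highly random (likely encrypted) sessions ---------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for an encrypted payload (constructed, not real
    malware traffic): a chained SHA-256 stream is close to uniformly random."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sessions: (src, dst, dst_port, payload). Only the last one is
# a stand-in for an encrypted channel; the others are plaintext protocols.
SAMPLE_SESSIONS = [
    ("10.1.1.5", "10.1.1.20", 80, b"GET /index.html HTTP/1.1\r\nHost: pos-srv\r\n\r\n" * 8),
    ("10.1.1.5", "10.1.1.21", 445, b"\x00" * 32 + b"\\\\pos-srv\\share\\report.txt" + b"\x00" * 32),
    ("10.1.1.5", "203.0.113.9", 4444, pseudo_random_bytes(b"constructed", 1024)),
]


def flag_random_sessions(sessions, threshold=7.0, min_len=64):
    """Return (src, dst, port, entropy) for sessions whose payload entropy is
    high enough to suggest encryption or compression. Payloads shorter than
    min_len are skipped because entropy is capped by sample length."""
    flagged = []
    for src, dst, port, payload in sessions:
        if len(payload) < min_len:
            continue
        h = shannon_entropy(payload)
        if h >= threshold:
            flagged.append((src, dst, port, round(h, 2)))
    return flagged


if __name__ == "__main__":
    print("DLL over SMB:", flag_dll_over_smb(SAMPLE_SMB_LOG))
    print("ICMP anomalies:", flag_icmp_anomalies(SAMPLE_FLOWS))
    print("Random sessions:", flag_random_sessions(SAMPLE_SESSIONS))
```

Each check returns the offending records rather than printing them, so the same functions can feed an asset list or an alerting pipeline. The entropy check is the weakest of the three on its own: legitimate TLS and compressed transfers also score above 7 bits, so in practice it is most useful when joined with the port, the destination, and the other indicators above.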

Tenable's products can also be used to discover unauthorized FTP access, "rogue" applications, and activity from "hacking tools", and to search for malware using custom MD5 hashes. For a more detailed overview, see Ron Gula's recent post on the discussions forum.