Detecting The Trojan.POSRAM Malware
Note: Passive Vulnerability Scanner (PVS) is now Nessus Network Monitor. To learn more about this application and its latest capabilities, visit the Nessus Network Monitor web page.
Malware is created for a number of different purposes and often targeted at a specific industry or type of software. Such is the case for Point-Of-Sale systems, those systems that process transactions in a retail environment are highly sought after by attackers as they can be a gold mine for credit card data. Tenable's products can be used to detect if such malware, for example the recently discovered Trojan.POSRAM (aka "The BlackPOS malware" as references by the Kreb's on Security Blog) in the following ways:
- Creating an Asset List of POS Systems - Using process detection inside Nessus, you can find all systems running POS related processes
- Using the Passive Vulnerability Scanner you can detect DLL files being transferred over SMB
- ICMP anomalies can be detected using both PVS and the Tenable Network Monitor (Netflow data analysis) as ICMP is used by the malware
- PVS plugin 7 logs all ports that have any type of highly random network session which could indicate encryption used by the backdoor shell code
Tenable's products can also be used to discover Unauthorized FTP access, "Rogue" applications, activity from "hacking tools" and search for malware with custom MD5 hashes. For a more detailed overview you can check out Ron Gula's recent post to the discussions forum.
Related Articles
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Cybersecurity Snapshot: New Guide Details How To Use AI Securely, as CERT Honcho Tells CISOs To Sharpen AI Security Skills Pronto
January 26, 2024Cyber agencies from multiple countries published a joint guide on using artificial intelligence safely. Meanwhile, CERT’s director says AI is the top skill for CISOs to have in 2024. Plus, the UK’s NCSC forecasts how AI will supercharge cyberattacks. And a global survey shows cyber pros weighing pros and cons of AI. And much more!
Cybersecurity Snapshot: Are SBOMs on Your Supply Chain Security Radar Screen? Check Out New Recommendations from CISA and NSA
November 17, 2023The SBOM concept is still half-baked, but CISA and NSA want to help change that with new best practices for software vendors, developers and buyers. Plus, there’s new guidance about the Royal ransomware gang – as ransomware attacks grow. In addition, Google highlights a new typosquatting trend impacting cloud storage. And much more!
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
- Malware
- Nessus Network Monitor