
Backoff Malware Report

by Josef Weiss
August 28, 2014

This report provides the analyst with information to assist in determining whether any Backoff-related vulnerabilities exist in the environment.

A dynamic asset is available for devices running pp.exe, PosW32.exe, pos.exe and epsenginesrv.exe, and it can be loaded and used for reporting in this section of the report. The asset can be found in the Tenable.sc Feed by searching for ‘Point-of-sale’ or the tag ‘pos’. Nessus plugin 70329 is used in conjunction with the plugin text patterns for the software referenced above.

Backoff is one of a new breed of POS-targeting malware and has been observed dating back to October 2013. Backoff exploits Remote Desktop Applications (RDA). If one of the targeted RDAs is installed on a targeted host, Backoff performs a brute force attack against the administrator account password.

If the attack is successful, Backoff can then install the POS malware using the administrator-privileged account. User payment details are then exfiltrated via an encrypted POST command. Four variants have been identified in the Backoff family; all four have at least three, if not all four, of the following functions: scraping memory for track data, keystroke logging, Command & Control communications, and injecting a malicious stub into explorer.exe (the last of these is not seen in version 1.4 of Backoff). While not as sophisticated as some POS-targeting malware, Backoff is effective and reflects the continued increase in targeting of POS systems.

The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the Tenable.sc Feed under the category Threat Detection & Vulnerability Assessments. The report requirements are:

  • Tenable.sc 4.8.1
  • Nessus 8.5.2
  • LCE 6.0.0

The report contains the following chapters:

  • Known Software Summary (All) - All known software is enumerated in the following table. The applications are sorted by count. It is a simple table utilizing the List Software Tool. This list can be refined to only POS devices using the associated Point-of-Sale asset list.
  • Known Services Summary (All) - All known services are enumerated in the following table. The services are sorted by count. It is a simple table utilizing the List Services Tool. This list can be refined to only POS devices using the associated Point-of-Sale asset list.
  • Point of Sale Devices - Nessus plugin 70329 is used in conjunction with the plugin text patterns for the following applications: pp.exe, PosW32.exe, pos.exe and epsenginesrv.exe. Should the vulnerability text from plugin 70329 match this filter, the devices will be listed here.
  • Possible Backoff Created Files and File Hashes - Backoff is known to create files that look like Windows System, Adobe or Java files. This table was created using the Vulnerability Summary tool and the vulnerability text from the table above. In the test environment, none of these items exist. Backoff Found Hashes utilizes plugin ID 59275, Malicious Process Detection. The plugin output from this check contains the hash. By adding a filter on the vulnerability text for the indicator, an alert will trigger if a scan utilizing this plugin matches one of the hashes listed above.
  • Possible Rogue Applications - This chapter contains information that may provide details on possible rogue applications. Information presented includes: Microsoft Windows Known Bad Autoruns/Scheduled Tasks, Microsoft Windows Autoruns Unique Entries, Unknown Service Detection, and Reputation of Windows Executables.
  • Additional Information That May Be Helpful - This chapter contains additional data that may be useful. Details are included such as trending of events, which may show abnormal spikes, and detected changes over the last 30 days, such as installed software or new users.
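The Point of Sale Devices and Possible Backoff Created Files chapters above both reduce to matching plugin output: process names from plugin 70329 classify a host as a POS device, and hashes from plugin 59275 are compared against a watchlist. The following Python is an added illustration of that triage logic, not Tenable's code or the report's own filters; the record format, host addresses and the watchlist hash are constructed placeholders, and the page lists no real Backoff hashes.

```python
import re
from collections import defaultdict

# Process names the report's Point-of-Sale asset keys on in plugin 70329 output (from the page).
POS_PROCESSES = {"pp.exe", "posw32.exe", "pos.exe", "epsenginesrv.exe"}

# Matches MD5, SHA-1 and SHA-256 hex digests as they might appear in plugin 59275 output.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)

# Constructed watchlist: the page lists no hashes, so this value is a placeholder, not a Backoff IoC.
WATCHLIST = {"0123456789abcdef0123456789abcdef"}

def is_pos_device(process_output):
    """True if any process name from the Point-of-Sale asset appears in the plugin output."""
    names = re.findall(r"[\w.-]+\.exe", process_output, re.IGNORECASE)
    return any(name.lower() in POS_PROCESSES for name in names)

def extract_hashes(output):
    """Return the lowercase hex digests found in a plugin output block."""
    return {h.lower() for h in HASH_RE.findall(output)}

def triage(records, watchlist=WATCHLIST):
    """Group findings per host: POS classification from 70329, watchlist hits from 59275."""
    wanted = {h.lower() for h in watchlist}
    result = defaultdict(lambda: {"pos": False, "hash_hits": set()})
    for rec in records:
        entry = result[rec["host"]]
        if rec["plugin_id"] == 70329:
            entry["pos"] = entry["pos"] or is_pos_device(rec["plugin_output"])
        elif rec["plugin_id"] == 59275:
            entry["hash_hits"] |= extract_hashes(rec["plugin_output"]) & wanted
    return dict(result)

# Constructed sample records modelled loosely on Nessus plugin output; the formats are illustrative.
SAMPLE_RECORDS = [
    {"host": "10.0.0.5", "plugin_id": 70329,
     "plugin_output": "Process Overview :\n  0 : PosW32.exe (1840)\n  0 : explorer.exe (912)"},
    {"host": "10.0.0.5", "plugin_id": 59275,
     "plugin_output": "C:\\Windows\\javaw.exe (MD5: 0123456789ABCDEF0123456789abcdef)"},
    {"host": "10.0.0.9", "plugin_id": 70329,
     "plugin_output": "Process Overview :\n  0 : explorer.exe (1200)\n  0 : svchost.exe (700)"},
    {"host": "10.0.0.9", "plugin_id": 59275,
     "plugin_output": "C:\\Windows\\System32\\svchost.exe (MD5: fedcba9876543210fedcba9876543210)"},
]

if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_RECORDS).items()):
        print(host, "POS" if finding["pos"] else "non-POS", sorted(finding["hash_hits"]))
```

Only 10.0.0.5 is classified as a POS device and carries a watchlist hit; a real deployment would populate the watchlist from vetted indicators and feed the hits into the alerting the chapter describes.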
