Backoff Malware Report

by Josef Weiss
August 28, 2014

This report provides the analyst with information to help determine whether any indicators of Backoff exist in the environment.

A dynamic asset is available for devices running pp.exe, PosW32.exe, pos.exe and epsenginesrv.exe; it can be loaded and used for reporting in this section of the report. The asset can be found in the SecurityCenter Feed by searching for 'Point-of-sale' or the tag 'pos'. Nessus plugin 70329 is used in conjunction with the plugin text patterns for the above referenced software.

Backoff is one of a new breed of POS-targeting malware, with activity observed dating back to October 2013. Backoff exploits Remote Desktop Applications (RDA). If one of the targeted RDAs is installed on a host, Backoff performs a brute force attack against the administrator account password.

If the attack is successful, Backoff can then install the POS malware under an administrator-privileged account. User payment details are then exfiltrated via an encrypted POST command. Four variants of Backoff have been identified; all four have at least three, if not all four, of the following functions: scraping memory for track data, keystroke logging, Command & Control communications, and injecting a malicious stub into explorer.exe (the last is not seen in version 1.4 of Backoff). While not as sophisticated as some POS-targeting malware, Backoff is effective and reflects the continued increase in the targeting of POS systems.

The report is available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. It can be located in the SecurityCenter Feed by selecting the category Threat Detection & Vulnerability Assessments and then the tags 'pos' and 'windows'. The report requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.7
  • LCE 4.2.2

The report contains the following chapters:

  • Known Software Summary (All) - All known software is enumerated in a table sorted by count, built with the List Software Tool. The list can be refined to POS devices only by applying the associated Point-of-Sale asset list.
  • Known Services Summary (All) - All known services are enumerated in a table sorted by count, built with the List Services Tool. The list can be refined to POS devices only by applying the associated Point-of-Sale asset list.
  • Point of Sale Devices - Nessus plugin 70329 is used in conjunction with the plugin text patterns for the following applications: pp.exe, PosW32.exe, pos.exe and epsenginesrv.exe. Devices whose plugin 70329 output matches this filter are listed here.
  • Possible Backoff Created Files and File Hashes - Backoff is known to create files that look like Windows system, Adobe or Java files. This table was created using the Vulnerability Summary tool and the vulnerability text from the table above. In the test environment, none of these items exist. Backoff Found Hashes uses plugin ID 59275 (Malicious Process Detection), whose plugin output contains the hash. By adding a filter on the vulnerability text for each indicator, an alert would trigger if a scan using this plugin matched one of the hashes listed above.
  • Possible Rogue Applications - This chapter contains information that may provide details on possible rogue applications. Information presented includes: Microsoft Windows Known Bad Autoruns/Scheduled Tasks, Microsoft Windows Autoruns Unique Entries, Unknown Service Detection, and Reputation of Windows Executables.
  • Additional Information That May Be Helpful - This chapter contains additional data that may be useful. Details include trending of events, which may show abnormal spikes, and changes detected over the last 30 days, such as newly installed software or new users.
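The Point of Sale Devices and Backoff Found Hashes chapters both work by filtering plugin output text. The following is an added example, not part of the report or of Tenable's own code, that reproduces that filtering logic offline: it matches the four POS process names as whole basenames (so a full path matches but a look-alike name does not) and compares hashes found in plugin 59275-style output against a watchlist. The plugin output layout and the indicator hash are constructed placeholders, since the page prints neither.

```python
import re

# Process names the report's Point-of-Sale filter looks for (from the page).
POS_PROCESSES = {"pp.exe", "posw32.exe", "pos.exe", "epsenginesrv.exe"}

# Placeholder indicator: the page does not print the Backoff hashes, so this
# obviously fake value stands in for a real watchlist entry.
PLACEHOLDER_HASH = "0" * 56 + "deadbeef"
BACKOFF_HASHES = {PLACEHOLDER_HASH}

# MD5 / SHA-1 / SHA-256 sized hex tokens, longest alternative first.
HEX_HASH = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")

# Constructed sample output loosely modelled on a process listing; the real
# plugin 70329 layout is not reproduced here.
SAMPLE_70329 = """Process list:
  svchost.exe (pid 812)
  C:\\POS\\PosW32.exe (pid 2044)
  xpos.exe (pid 2100)
"""
# Constructed sample standing in for plugin 59275 output; one line carries
# the placeholder hash in upper case to exercise case-insensitive matching.
SAMPLE_59275 = "Process: C:\\Windows\\javaw.exe\n  SHA-256: " + PLACEHOLDER_HASH.upper() + "\n"


def match_pos_processes(plugin_text):
    """Return the POS process names present in plugin 70329-style output.

    Each token is reduced to its lowercase basename, so C:\\POS\\PosW32.exe
    matches while xpos.exe or pos.exe.bak do not (whole-name, not substring).
    """
    found = set()
    for token in re.split(r"[\s,;\"']+", plugin_text):
        basename = re.split(r"[\\/]", token)[-1].lower()
        if basename in POS_PROCESSES:
            found.add(basename)
    return found


def match_hashes(plugin_text, watchlist=BACKOFF_HASHES):
    """Return watchlist hashes that appear in plugin 59275-style output."""
    seen = {h.lower() for h in HEX_HASH.findall(plugin_text)}
    return seen & {h.lower() for h in watchlist}


def assess_host(proc_output, hash_output):
    """Combine both checks into one per-host verdict, as the report chapters do."""
    procs = match_pos_processes(proc_output)
    hashes = match_hashes(hash_output)
    return {
        "pos_device": bool(procs),          # would land in the Point-of-Sale asset
        "matched_processes": sorted(procs),
        "matched_hashes": sorted(hashes),
        "backoff_suspected": bool(hashes),  # hash hit from plugin 59275 output
    }
```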