Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

BrutPOS Detection

by Cody Dumont
July 31, 2014

Attention all organizations with Point of Sale (POS) systems: BrutPOS malware is running rampant.  By incorporating continuous network monitoring, SecurityCenter Continuous View (CV) can help identify systems at risk.  Tenable’s Kenneth Bechtel https://discussions.nessus.org/thread/7629 blogged about how BrutPOS malware is spreading and targeting POS machines.  This dashboard provides several of the indicators of compromised systems.  Using the continuous network monitoring approach, this dashboard detects vulnerabilities using regex pattern matching in the plugin output text, and monitoring the events related to the known Command and Control addresses.

The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Security Industry Trends.

The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.7
  • LCE 4.2.2

SecurityCenter CV has the ability to monitor the network continuously, and to quickly identify vulnerabilities related to a BrutPOS compromise.  By implementing SecurityCenter CV, an organization can reduce risk by staying in compliance and proactively discovering systems at risk.  By using Nessus to detect and assess risk within the network, PVS to perform deep packet analysis, and LCE to correlate logs and related event data, SecurityCenter CV provides the most comprehensive and integrated view of network health.

BrutePOS - Indicators of Compromise: The search for rogue applications can be difficult. This component provides a series of saved queries to focus on the most relevant plugins related to the BrutPOS malware.   The first row of indicators report on AutoRun entries targeted by BrutPOS.  The second row looks for services and processes.  The last row is split between enumerated services and new user sources.  The indicators will turn purple when a match is found.

BrutePOS - Potential Targeted Systems: The plugin 70329 (Microsoft Windows Process Information) reports details about the running processes on a Windows system. This plugin is informational, and could be used for forensic investigation, malware detection, and to confirm your system processes conform to your system policies.  The first step in assessing the risk of BrutPOS is to identify the systems that are targeted by the malware.  This component uses a regex and plugin 70329 (Microsoft Windows Process Information) to identify systems targeted by BrutPOS. 

BrutePOS - Systems with Known Bad Autoruns / Scheduled Tasks: This table provides a list of hosts with bad or unknown AutoRuns detected.  The plugin 74442 (Microsoft Windows Known Bad AutoRuns / Scheduled Tasks) discovers Windows systems with one or more registry entries that are known to be associated to malware. This indicates the system may have been compromised by malware.

BrutePOS - Potential BrutPOS Infected Systems: The plugin 70329 (Microsoft Windows Process Information) reports details about the running processes on machine Windows system. This plugin is informational and could be used for forensic investigation, malware detection, and to confirm your system processes conform to your system policies.  The component is separate from the “BrutePOS - Potential Targeted Systems” table due a different regex.  The regex used in this component adds the string “llasc.exe” as part of the search pattern.  The “llasc.exe” executable is known to be created by the BrutPOS malware.

BrutePOS - Systems with Suspected BrutPOS Traffic: This component reports on communication traffic with the IP addresses known to be command and control servers for the BrutPOS malware. 

Try for Free Buy Now

Try Tenable.io

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,190.00

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 60 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578.00

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 60 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.