
Backoff Malware Report

by Josef Weiss
August 28, 2014

This report provides the analyst with information to assist in determining whether any Backoff indicators exist in the environment.

A dynamic asset is available for devices running pp.exe, PosW32.exe, pos.exe and epsenginesrv.exe, and could be loaded and used for reporting in this section of the report. The asset can be found in the Tenable.sc Feed by searching for ‘Point-of-sale’ or the tag ‘pos’. Nessus plugin 70329 is used in conjunction with the plugin text patterns for the above referenced software.

Backoff belongs to a newer breed of POS-targeting malware, with activity observed dating back to October 2013. Backoff exploits Remote Desktop Applications (RDA): if one of the targeted RDAs is installed on a targeted host, Backoff performs a brute force attack against the administrator account password.

If the attack is successful, Backoff can then install the POS malware using the administrator-privileged account. User payment details are then exfiltrated via an encrypted POST command. Four variants of the Backoff family have been identified; each has at least three of the following four functions: scraping memory for track data, keystroke logging, Command & Control communications, and injecting a malicious stub into explorer.exe (the last of these is not seen in version 1.4 of Backoff). While not as sophisticated as some POS-targeting malware, Backoff is effective and reflects the continued growth in targeting of POS systems.

The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the Tenable.sc Feed under the category Threat Detection & Vulnerability Assessments. The report requirements are:

  • Tenable.sc 4.8.1
  • Nessus 8.5.2
  • LCE 6.0.0

The report contains the following chapters:

  • Known Software Summary (All) - All known software is enumerated in the following table. The applications are sorted by count. It is a simple table utilizing the List Software Tool. This list can be refined to only POS devices using the associated Point-of-Sale asset list.
  • Known Services Summary (All) - All known services are enumerated in the following table. The services are sorted by count. It is a simple table utilizing the List Services Tool. This list can be refined to only POS devices using the associated Point-of-Sale asset list.
  • Point of Sale Devices - Nessus plugin 70329 is used in conjunction with the plugin text patterns for the following applications: pp.exe, PosW32.exe, pos.exe and epsenginesrv.exe. Should the vulnerability text from plugin 70329 match this filter, the devices will be listed here.
  • Possible Backoff Created Files and File Hashes - Backoff is known to create files that look like Windows System, Adobe or Java files. This table was created using the Vulnerability Summary tool and the vulnerability text from the table above. In the test environment, none of these items exist. The Backoff Found Hashes table uses plugin ID 59275 (Malicious Process Detection); the plugin output from this check contains the file hash. By adding a filter on the vulnerability text for the indicator, an alert would trigger if a scan using this plugin matched one of the hashes listed above.
  • Possible Rogue Applications - This chapter contains information that may provide details on possible rogue applications. Information presented includes: Microsoft Windows Known Bad Autoruns/Scheduled Tasks, Microsoft Windows Autoruns Unique Entries, Unknown Service Detection, and Reputation of Windows Executables.
  • Additional Information That May Be Helpful - This chapter contains additional data that may be useful. Details are included such as trending of events, which may show abnormal spikes, and detected changes over the last 30 days, such as installed software or new users.
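As an added example (not Tenable's code and not part of the report), the two text-matching rules the chapters above describe, run over constructed plugin output: the POS asset built from plugin 70329 process-list text, the hash match on plugin 59275 text, and the refinement of hash hits to POS devices only. The scan records and the indicator hash below are made-up placeholders.

```python
"""Reproduce the report's two matching rules over constructed Nessus plugin output.
Constructed for this example: the SAMPLE scan records and PLACEHOLDER_HASH
(it is NOT a real Backoff hash; substitute the indicators from the report)."""
import re
from dataclasses import dataclass

# Process names the report's Point-of-Sale asset keys on (from the report text).
POS_PROCESSES = ("pp.exe", "PosW32.exe", "pos.exe", "epsenginesrv.exe")
# Placeholder indicator hash, constructed so the example runs offline.
PLACEHOLDER_HASH = "0" * 63 + "1"
BACKOFF_HASHES = {PLACEHOLDER_HASH}

@dataclass
class ScanResult:
    host: str
    plugin_id: int
    output: str  # the plugin's "vulnerability text" that Tenable.sc filters on

def pos_asset(results):
    """Hosts whose plugin 70329 (process list) output names a POS executable.
    Matches whole file names case-insensitively, so 'repos.exe' is not 'pos.exe'."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, POS_PROCESSES)) + r")\b", re.I)
    return {r.host for r in results if r.plugin_id == 70329 and pattern.search(r.output)}

def backoff_hash_hits(results, hashes=BACKOFF_HASHES):
    """Hosts whose plugin 59275 (Malicious Process Detection) output contains an
    indicator hash; returns {host: {matched hashes}}."""
    hits = {}
    for r in results:
        if r.plugin_id != 59275:
            continue
        found = {h.lower() for h in re.findall(r"\b[0-9a-fA-F]{32,64}\b", r.output)
                 if h.lower() in hashes}
        if found:
            hits.setdefault(r.host, set()).update(found)
    return hits

def backoff_on_pos(results):
    """Refine hash hits to POS devices only, as the report's asset-list filter does."""
    pos = pos_asset(results)
    return {h: v for h, v in backoff_hash_hits(results).items() if h in pos}

# Constructed sample records: one POS host with a hash hit, one non-POS host with a
# hash hit (kept out of the refined view), and a host whose 'repos.exe' must not match.
SAMPLE = [
    ScanResult("10.0.0.11", 70329, "Process list:\n  C:\\Windows\\explorer.exe\n  C:\\POS\\posw32.exe"),
    ScanResult("10.0.0.11", 59275, "Malicious process:\n  C:\\Users\\Public\\javaw.exe\n  sha256: " + PLACEHOLDER_HASH),
    ScanResult("10.0.0.12", 70329, "Process list:\n  C:\\Windows\\explorer.exe\n  C:\\Office\\winword.exe"),
    ScanResult("10.0.0.12", 59275, "Malicious process:\n  C:\\Temp\\svchost.exe\n  sha256: " + PLACEHOLDER_HASH),
    ScanResult("10.0.0.13", 70329, "Process list:\n  C:\\Tools\\repos.exe"),
]
```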