Attacks/Breaches
11/11/2014
05:02 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

POS Malware Continues To Evolve

New report out today details three prevalent families.

With a little over two weeks until the holiday shopping season kicks off in earnest, a picture of the evolution of point of sale (POS) malware has come into focus with a number of recent pieces of research of late. A common theme recurring throughout is that POS malware is increasingly maturing with different packages and families refined for specific attack scenarios.

Just today, researchers with Cyphort Labs released a report that dissected three families of POS malware associated with three distinct breach incidents at Target, Home Depot, and UPS over the past year--BlackPOS, FrameworkPOS, and Backoff respectively.

"Looking at the modes of operation of the three families one can clearly identify two directions: one from the targeted attacks on Target and Home Depot, and the other from the more generalized approach of Backoff," they wrote. "Targeted attacks are identified by the fact that the attacker chooses the target and specifically designs the attack, while in a general approach, the nature and identity of the victim are unknown to the attacker."

Tailored for attacks against dedicated targets, both FrameworkPOS and BlackPOS have got multi-functional components for persistence, memory scraping, process enumeration, and data exfiltration.

"They are most likely not from the same authors but FrameworkPOS leave the strong impression of a copycat attack after former POS malware incidents," the report says. "Basic principles and ideas are identical, as of creating a service, scanning chunks of memory, pushing data to a local SMB server and hiding the data in a fake binary file in system root."

The establishment of the multi-step approach all-in-one package comes from years of refinement of these malware packages in the underground. As Josh Grunzweig of Nuix explained in a recent talk at SecTor on POS malware, malicious software targeting payment systems is hardly a new thing.

"This past year alone you can't go more than a week without hearing some story in the news of some company with tens of millions of cards stolen. And it's this chaotic vibe," Grunzweig says. "In truth this stuff has been around for a long time."

For example, first found in the wild last year, BlackPOS is "actually not that sophisticated" and depends on code from mmon, a memory scraping piece of malware first discovered in 2010, he says. In truth, he'd say the first real advancement in POS malware came with the introduction of the Dexter family of malware in late 2012.

"Dexter was kind of a game changer," he said. "All of a sudden its pulling in a lot of interesting stuff, its memory scraping, its key logging, it's doing this cool thing where it injects into Internet Explorer so you can't kill it. Its exfiltrating data and one of the real stand outs was the fact that it had a command-and-control server."

This approach paved the way for something like a Backoff, first found and named by Grunzweig himself last year. According to an advisory from the Department of Homeland Security, Backoff had already infected more than 1,000 U.S. business at that point.

"Maybe the biggest takeaway from Backoff is that it is super, super prevalent," Grunzweig says.

And, according to new research from Fortinet, it's still evolving. Last week, Fortinet's researchers showed that several new versions of Backoff have surfaced that include new tweaks, notably around obfuscation. Now instead of disguising itself as a Java component, it is appearing as a media player and it uses hash functions for APIs and the names of blacklist processes. Modifications have been made to its C&C communication component to evade detection. Additionally, the latest version of the malware is now packed with a custom packer.  

"Like the API hashing function and the blacklist process name hashing function, using a custom packer is yet another attempt to hinder the analysis process," explains Hong Kei Chan. 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
11/17/2014 | 11:36:50 AM
Re: Alarming
The two processes critical to the POS operation are: card data capture and communications with the transaction processor, and communications with internal back office applications.  So really, the best way to go is to ensure the security of the local machines and infrastructures. Encryption helps, no doubt, but at some point in time, the data needs to be decrypted so that processing can continue with the actual data, and this takes place within memory, the RAM scraper playground. So really, strict controls on the card transaction computing machine, stripping down services and applications to the bare minimum, file integrity protection, and anti-malware software serve to provide much needed protection to help prevent data leakage. Isolation and continuous monitoring of the card processing network help at the transaction perimeter, and strict controls on the back end internal server and external perimeter infrastructure help to prevent data exfiltration. None of these techniques are new; in fact, they are well established practices that have been preached for a very long time. It all boils down to strict controls and proper enforcement; breaches occur when those controls are violated. Upper management should make sure that there are sufficient resources to properly address and enforce those controls, and that appropriate separation of duties exist to address conflicts of interest.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/17/2014 | 10:08:36 AM
Retail hacking Radio Show THIS Wednesday @ Noon ET
@Dr.T -- and others. Just a reminder about our DR Radio show this week, which is totally focused on retail industry breaches:  Retail Hacking: What To Expect This Holiday Season (Wednesday at 1:00 p.m. ET (10:00 a.m. PT).  It promises to be a great show, with Kelly Jackson-Higgins interviewing  Nick Pelletier, senior consultant with Mandiant and Arthur Tisi, co-founder and CEO at The Praescripto Group LLC, and former CIO for Natural Markets Food Group. To register and save the date, click here.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/17/2014 | 9:39:45 AM
Re: Alarming
There can always be end to end encryption to reduce the risk of data being compromised. There is no real need to keep data on the POS unencrypted, easy to solve but it will cost more of course.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/17/2014 | 9:37:03 AM
Re: Cyber Security World Conference 2014
I will most likely miss this but hope be able to follow it online. We now know bad guys are winning based on the recent trends, good guys need to come together and address the issues for sure.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
11/17/2014 | 9:34:17 AM
POS terminals
It looks like we need to increase intelligence and security on POS terminals, they seem to be proven the weakest link on Target and Home Depot attacks. Maybe in the light of Internet of Things we will have better controlled and managed POS devices.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
11/12/2014 | 7:43:13 AM
Alarming
What a scary notion to ponder before the holiday season where credit cards will be swiped an incredible amount of times. It seems that with the evolution of malware in regards to POS that encryption of the POS points is no longer a strong means of securing customer data since much of the malware is sitting on the boxes themselves according to this article. This means that to perform their job, the machines will eventually have to decrypt the data from the cards and I would believe this would be done on the same system. With this being the case, what are some means of ensuring customer data security, other than persistent scans to detect malware on  daily basis?
KennethW444
50%
50%
KennethW444,
User Rank: Apprentice
11/12/2014 | 1:57:47 AM
Cyber Security World Conference 2014

Along these lines, cyber security experts will be in attendance at Golden Networking's Cyber Security World Conference 2014, November 21, where renowned information security authorities will bring their latest thinking to hundreds of senior executives focused on protecting today's enterprises and government data assets. This conference is organized by Golden Networking.

Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.