Vulnerabilities / Threats
1/27/2014
03:03 PM
Dark Reading
Dark Reading
Products and Releases
Connect Directly
RSS
E-Mail
50%
50%

SecureState Releases Black POS Malware Scanning Tool

Black POS is the reported culprit behind recent retail data breaches

CLEVELAND, Jan. 27, 2014 /PRNewswire/ -- SecureState, a management consulting firm specializing in information security, has developed a custom scanning tool that retailers can use to detect Black POS malware, and other similar strains.

Black POS is the reported culprit behind recent retail data breaches, and is also known as KAPTOXA, a more advanced version of the original malware.

(Logo: http://photos.prnewswire.com/prnh/20130521/CL17240LOGO)

Krebs on Security recently reported that, "this type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card's magnetic stripe in the instant after it has been swiped at the terminal and is still in the system's memory."

It has also been reported that there are currently no known antivirus programs that detect the malicious files used in these attacks.

"We don't currently know if installed antivirus software on POS systems has been updated to detect this malware," Spencer McIntyre, SecureState's lead researcher said. "But, we do know that this tool will allow retailers to manually, or remotely, scan their systems for these specific strains, whether or not they have antivirus software installed."

The tool will scan for service, file, registry and autorun artifacts to determine if any KAPTOXA footprints are present on the POS system. A confidence output is generated giving the user an indication of a likely compromise.

"If the tool has detected any artifacts related to KAPTOXA immediately enact your incident response plan and contract the appropriate management and security teams," John Melvin, SecureState Lead Forensic Investigator said. "Even if the tool outputs no detection, organizations should still consider performing regular system response testing and checkups."

The tool has been tested on all MS Windows versions up to Windows 7 and is freely available for download from SecureState's website: Black POS Malware Scan

About SecureState

With the goal of making the world more secure, SecureState provides premier management consulting services for companies internationally. The SecureState team is comprised of several specialties to solve complex business problems

including: Advisory Services, Audit & Compliance, Profiling & Penetration, Privacy, Risk Management, and Incident Response.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.