Backoff POS Malware Evolves

Attackers Encrypting Latest 'ROM' Version Communications
Backoff POS Malware Evolves

The developers behind the pernicious Backoff point-of-sale malware that's infected more than 1,000 U.S. businesses have continued to refine their attack code, according to research released this week by network security vendor Fortinet.

See Also: Faster Payments, Faster Fraud?

The latest version of Backoff, dubbed "ROM," includes upgrades that encrypt connections between infected - or zombie - systems, and attackers' command-and-control servers, Fortinet says. The changes are designed to make the malware, which is designed to steal payment card data, tougher to find or eradiate.

"They've added a bunch of new features, which is kind of expected for this type of malware," Karl Sigler, the threat intelligence manager for information security firm Trustwave, tells Information Security Media Group. "As they progress, they learn things and add features in, like you would with any software."

The continuing evolution of Backoff is bad news for businesses that run POS systems (see New Breaches Tied to Evasive Malware). A U.S. Department of Homeland Security July 31 advisory warned that more than 1,000 businesses had been hit by Backoff. Security experts say the Backoff attackers typically exploit remote-access or third-party vulnerabilities to simultaneously infect numerous merchants with their malware.

With Backoff ROM, perhaps the biggest change is that while Backoff-infected zombie PCs used to communicate with servers using plaintext HTTP, communications are now being encrypted - using SSL - which will make related infections more difficult to spot, Sigler says. "If you were sniffing the wire and knew what to look for, you could easily spot Backoff on your network. Now with communications being encrypted, it's a lot more difficult," he says. "If you're using something like an intrusion detection system or something that is monitoring for the malware on the network, it's not going to be able to see it - it'll be encrypted or just be gibberish."

Many other recent changes to Backoff, however, are relatively minor. "Modifications have been made by the malware author for evading detection and hindering the analysis process," Hong Kei Chan of Fortinet says in a blog post. "During the installation phase, Backoff drops a copy of itself on the infected machine and creates a number of autorun registry entries to ensure persistence." While that hasn't changed, he says the latest version disguises itself as a media player application, named "mplayerc.exe," rather than as a Java component, as it did previously. The malware then stores stolen data in encrypted form in a data file related to the fake media player.

Missing: Keystroke Logging

The latest version of Backoff removes the ability to obtain, store and exfiltrate keystrokes from an infected device. "This new version of the Backoff malware no longer supports keylogging. As this was an essential feature of the Backoff malware, we suspect that it may be reintroduced in a later version," Chan says.

Trustwave's Sigler says the move may have been designed to reduce the size of the Backoff file. "But it's sort of an odd feature removal," he says, predicting the functionality will reappear in future versions.

Another change in Backoff ROM concerns how it monitors memory on infected devices, including changes that are designed to focus on finding credit card data. "It has a blacklist of processes that it doesn't want to monitor, like your Web browsers," Sigler says. "It saves on resources by preventing itself from looking at processes that it's not interested in."

Previously, attackers built their blacklist by using filenames, but more recently, they've been using hashes of files, which lets them zero in more closely on exactly which applications they do, or do not, want to monitor, Sigler says.

Backoff Defense Recommendations

Sigler says one takeaway from the ongoing research into new versions of Backoff is that businesses can't rely on spotting related infections simply by sniffing network traffic. "They should realize the signatures to monitor for Backoff on the network may not work with ROM, since it's encrypted," he says.

Instead, he recommends that organizations continue to apply current Backoff defense recommendations. "Really, the security protections we see organizations putting in place now - two-factor authentication, setting up firewall access control lists correctly and making sure their POS systems aren't sourcing traffic out to unexplained systems or computers on the Internet - those protections are still going to protect businesses with this new version as well."

While DHS warns that there have been mass infections of retailers and merchants with Backoff, relatively few of those businesses have come forward. Backoff infections have been confirmed by fast-food chain Dairy Queen and New Orleans eatery Mizado Cocina. Other suspected Backoff victims, meanwhile, include UPS Stores as well as numerous restaurants that work with Information Systems & Supplies Inc.

Fortinet says that on Oct. 28, it found an even newer version of Backoff ROM, compiled about a month after ROM. The latest version, with the version name "211G1," contains only minor changes compared to the ROM version, Chan says. "The malware authors are continuing to modify their malware binaries in their efforts to bypass detection, and to hinder the analysis process."

(News writer Jeffrey Roman also contributed to this story.)

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network