“BackOff is not a particularly sophisticated Windows Trojan. It was simply re-purposed to run on Windows-based POS systems and capture credit card data from memory,” wrote Pat Belcher of Invincea. “In other words, BackOff should have been detected by standard Windows antivirus software. In fact, most large antivirus vendors had detection signatures in place for most variants within days of initial discovery in the wild.”
Merchants, he said, are either not running antivirus on the servers that manage point-of-sale devices, or are not keeping it updated. The end result in Home Depot's case could be the largest retail data breach in U.S. history, dwarfing even Target. The Target breach took place over a three-week period during the 2013 holiday shopping season and affected 1,800 Target locations. Experts believe the Home Depot breach could date back to April and affect 2,200 retail locations in the U.S. and others abroad.
Invincea's Belcher says Backoff doesn't behave much differently from other point-of-sale malware: it scrapes payment card data from memory, where the data sits in plaintext before the device encrypts it. He said Backoff installs itself as a service that runs at startup, so it survives a reboot that would otherwise clear it from memory.
“It’s a very small, simple, backdoor Trojan that is memory-resident, and listens on port 80 for command and control,” Belcher wrote. “It also hides information about itself by posing as an Adobe Flash Player update in the system registry. For once, malware doesn’t take advantage of a Flash vulnerability, but it tries to pin the blame on it anyways.”
As of this morning, Home Depot had yet to confirm a breach, saying only that it has hired FishNet Security to help with the investigation.
See more at: http://threatpost.com/feared-home-depot-breach-sparks-more-interest-in-backoff-pos-malware