- The Department of Homeland Security’s US-CERT issued an alert on July 31, 2014 about the widespread prevalence of a single malware variant found on Point of Sale (POS) machines, BackOff. An investigation by DHS and the US Secret Service determined that over 1,000 retail firms had been breached by the BackOff malware.
Invincea’s analysis of BackOff shows that, in spite of its widespread prevalence in retail networks, it is not a particularly sophisticated Windows Trojan.(1) BackOff is re-purposed malware built to run on Windows-based POS systems and capture credit card data from memory. In other words, BackOff should have been detected by standard Windows anti-virus software. Most anti-virus vendors already have detection signatures in place for most variants within days of their initial discovery “in the wild”. (2)
BackOff breaches can be prevented by merchants running anti-virus on their Windows-based POS systems, updating that anti-virus regularly, or by rebooting an infected POS system to remove the malware from active memory. Some cleanup mechanisms also require a reboot to complete installation of anti-virus detection.
BackOff POS malware has caused much damage in the retail industry and to consumers’ credit. The dismaying aspect is that this really should not have been more than something traditional anti-virus systems alert against. These widespread infections point to systemic weaknesses in securing retail networks, including failure to segment corporate networks from POS networks, failure to lock down port services on POS machines, and failure to keep endpoint security software up to date on endpoints. These practices are considered standard security hygiene. Advanced threat protection would analyze patterns of network connections, e.g. in-bound connections to POS machines, out-bound connections from POS networks, and anomalous processes running on POS machines.
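As an added illustration of the connection-pattern review described above (example code written for this note, not Invincea’s or US-CERT’s tooling), the script below walks a small set of constructed POS socket records and flags the three patterns the text names: in-bound connections to POS hosts, out-bound connections from the POS segment to anything other than the payment processor, and processes outside an assumed POS baseline. The subnets, addresses, process names and log format are all assumptions for the example.

```python
"""Constructed POS connection review: flags inbound-to-POS, unexpected
POS egress, and unexpected processes. All values below are assumed."""
import ipaddress
from collections import Counter, namedtuple

POS_NET = ipaddress.ip_network("10.20.0.0/24")          # assumed POS segment
ALLOWED_EGRESS = {"203.0.113.10"}                        # assumed payment processor (TEST-NET-3)
EXPECTED_PROCS = {"pos.exe", "svchost.exe", "lsass.exe"}  # assumed POS process baseline

Finding = namedtuple("Finding", "kind line")

def review_connection(line):
    """One record from a POS host: '<src_ip> <dst_ip> <dst_port> <proc>',
    where proc is the process owning the socket on the POS host."""
    src, dst, _port, proc = line.split()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    # Connection into the POS segment from anywhere else (e.g. an unsegmented corporate LAN).
    if dst_ip in POS_NET and src_ip not in POS_NET:
        findings.append(Finding("inbound_to_pos", line))
    # POS host talking out to something other than the approved processor.
    if src_ip in POS_NET and dst_ip not in POS_NET and dst not in ALLOWED_EGRESS:
        findings.append(Finding("unexpected_pos_egress", line))
    # Socket owned by a process that is not part of the POS baseline.
    if proc not in EXPECTED_PROCS:
        findings.append(Finding("unexpected_process", line))
    return findings

def review_log(lines):
    return [f for line in lines if line.strip() for f in review_connection(line)]

def summarize(findings):
    """Count of findings per kind, for a quick triage view."""
    return dict(Counter(f.kind for f in findings))

# Constructed sample records (src dst dst_port proc).
SAMPLE_LOG = """\
10.20.0.15 203.0.113.10 443 pos.exe
10.10.5.7 10.20.0.15 3389 svchost.exe
10.20.0.15 198.51.100.23 80 winsvc.exe
10.20.0.16 10.20.0.1 53 svchost.exe
"""

if __name__ == "__main__":
    results = review_log(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.kind:22} {f.line}")
    print(summarize(results))
```

Only the RDP session from the corporate LAN and the POS host reaching an unapproved address with an unknown process are flagged; the processor traffic and intra-segment DNS are not.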
(2) For a virus to be considered in the wild, “it must be spreading as a result of normal day-to-day operations on and between the computers of unsuspecting users” without prior interception.