Insights

Backoff Point-of-Sale Malware: Here We Go Again

Backoff Point-of-Sale Malware: Here We Go Again

The Secret Service, the National Cybersecurity and Communications Integration Center, and others announced yesterday in a US-CERT Alert (available at www.us-cert.gov/ncas/alerts/TA14-212A) that recent investigations have revealed the use by malicious actors of malware—dubbed Backoff Point-of-Sale Malware ("Backoff")—to pilfer consumer payment information from point-of-sale terminals. Backoff is another in a seemingly endless array of new tools used by such actors to gain unauthorized access to consumer credit/debit card account information from point-of-sale terminals, and it requires an immediate response. 

According to the Alert, malicious actors have attacked what are known as remote desktop applications ("RDAs"), common software tools that allow access to a computer from another location. Such applications are necessary for companies that maintain IT support in a centralized location but that have numerous point-of-sale terminals in disparate locations such as malls, retail stores, etc. The malicious actors use brute force techniques, including entering at login all combinations of usernames and passwords until finally guessing the correct set, to access administrative and other accounts. The actors then deploy Backoff to acquire a variety of payment- and consumer-related data, including customer names, mailing addresses, credit/debit card numbers, phone numbers, and email addresses. 

Backoff includes several variants that have been in use from October 2013 to today. The variants are generally capable of (i) scraping memory from the infected computer, (ii) recording keystrokes typed by users of the infected computer, and (iii) uploading data to a central malware controller, updating the malware itself, and uninstalling the malware in an effort to avoid detection. 

There are certain obvious implications inherent to the loss of data targeted by Backoff, most notably the obligation companies have to report the loss of data to affected consumers and the impact to company brand and reputation. However, companies can take certain technical steps to mitigate any related harm and potential liabilities. First, as disclosed in the Alert, certain Backoff indicators, provided in Tables 1–5 below, can be used by a company's network security team to search for the existence of Backoff on company systems. Kroll, a premier provider of end-to-end cybersecurity services, additionally advises a defense-in-depth mediation strategy that includes the following initial and subsequent steps (described for IT personnel in a technical manner):

Initial Steps

  • Change the communication ports at which the RDA listens to accept connections.
  • Limit the number of failed login attempts and trigger a lockdown of the RDA upon the requisite number of failures.
  • Allow the point-of-sale terminal to accept communications from known IP addresses only (the so-called whitelist approach).
  • Require multi-factor authentication to start all RDA sessions.
  • Require RDA connections to be made using secure communication methods.
  • Use an RDA gateway to control access.

Subsequent Steps

  • Implement monitoring on the point-of-sale terminals that track all changes made to file structure, etc.
  • Review all point-of-sale software updates from vendors before they are installed.
  • Maintain centralized reporting for all changes to point-of-sale terminals.
  • Track and limit outbound traffic from point-of-sale terminals, and have your IT response team check such traffic regularly!

We anticipate that affected companies will learn of their status from the Secret Service in the coming weeks, and a company's response will necessarily need to be thorough and swift in order to satisfy all applicable legal requirements. In addition to the recommendations outlined above, companies should reassess enterprise-wide privacy and data security policies and procedures to ensure that data are adequately protected and that privacy and data security compliance obligations are met.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.

Mauricio F. Paez
New York
+1.212.326.7889
[email protected]

Richard J. Johnson
Dallas
+1.214.969.3788
[email protected]

Jonathan Fairtlough, Managing Director and Deputy Practice Leader for Kroll Cyber Security, contributed to this Alert. Jonathan can be reached at 213.598.4181 or at [email protected].

 

The following tables include certain Backoff indicators that can be used by a company's network security team to search for the existence of Backoff on company systems.

TABLE 1 – Indicators for Backoff Variant 1.4

Indicators Variant: 1.4
Packed MD5 ·   927AE15DBF549BD60EDCDEAFB49B829E
Unpacked MD5 ·   6A0E49C5E332DF3AF78823CA4A655AE8
Install Path ·   %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
Mutexes ·   uhYtntr56uisGst
·   uyhnJmkuTgD
Files Written ·   %APPDATA%\mskrnl
·   %APPDATA%\winserv.exe
·   %APPDATA%\AdobeFlashPlayer\mswinsvc.exe
Static String(POST Request) ·   zXqW9JdWLM4urgjRkX
Registry Keys ·  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
·  HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent ·   Mozilla/4.0
URI(s) ·   /aircanada/dark.php

 

TABLE 2 – Indicators for Backoff Variant 1.55 "backoff"

Indicators Variant: 1.55 "backoff"
Packed MD5 ·    F5B4786C28CCF43E569CB21A6122A97E
Unpacked MD5 ·    CA4D58C61D463F35576C58F25916F258
Install Path ·    %APPDATA%\AdobeFlashPlayer\mswinhost.exe
Mutexes ·    Undsa8301nskal
·    uyhnJmkuTgD
Files Written ·    %APPDATA%\mskrnl
·    %APPDATA%\winserv.exe
·    %APPDATA%\AdobeFlashPlayer\mswinhost.exe
·    %APPDATA%\AdobeFlashPlayer\Local.dat
·    %APPDATA%\AdobeFlashPlayer\Log.txt
Static String(POST Request) ·    ihasd3jasdhkas
Registry Keys ·   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
·    HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent ·    Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
URI(s) ·    /aero2/fly.php

 

TABLE 3 – Indicators for Backoff Variant 1.55 "goo"

Indicators Variant: 1.55 "goo"
Packed MD5 ·    17E1173F6FC7E920405F8DBDE8C9ECAC
Unpacked MD5 ·    D397D2CC9DE41FB5B5D897D1E665C549
Install Path ·    %APPDATA%\OracleJava\javaw.exe
Mutexes ·    nUndsa8301nskal·    nuyhnJmkuTgD
Files Written ·    %APPDATA%\nsskrnl
·    %APPDATA%\winserv.exe
·    %APPDATA%\OracleJava\javaw.exe
·    %APPDATA%\OracleJava\Local.dat
·    %APPDATA%\OracleJava\Log.txt
Static String(POST Request) ·    jhgtsd7fjmytkr
Registry Keys ·   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
·   HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
·    HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent

 

URI(s) ·    /windows/updcheck.php

 

TABLE 4 – Indicators for Backoff Variant 1.55 "MAY"

Indicators Variant: 1.55 "MAY"
Packed MD5 ·    21E61EB9F5C1E1226F9D69CBFD1BF61B
Unpacked MD5 ·    CA608E7996DED0E5009DB6CC54E08749
Install Path ·    %APPDATA%\OracleJava\javaw.exe
Mutexes ·    nUndsa8301nskal·    nuyhnJmkuTgD
Files Written ·    %APPDATA%\nsskrnl
·    %APPDATA%\winserv.exe
·    %APPDATA%\OracleJava\javaw.exe
·    %APPDATA%\OracleJava\Local.dat
·    %APPDATA%\OracleJava\Log.txt
Static String(POST Request) ·    jhgtsd7fjmytkr
Registry Keys ·    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
·    HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent

 

URI(s) ·    /windowsxp/updcheck.php

 

TABLE 5 – Indicators for Backoff Variant 1.55 "net"

Indicators Variant: 1.55 "net"
Packed MD5 ·    0607CE9793EEA0A42819957528D92B02
Unpacked MD5 ·    5C1474EA275A05A2668B823D055858D9
Install Path ·    %APPDATA%\AdobeFlashPlayer\mswinhost.exe
Mutexes ·    nUndsa8301nskal
Files Written ·    %APPDATA%\AdobeFlashPlayer\mswinhost.exe
·    %APPDATA%\AdobeFlashPlayer\Local.dat
·    %APPDATA%\AdobeFlashPlayer\Log.txt
Static String(POST Request) ·    ihasd3jasdhkas9
Registry Keys ·    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
·    HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service
User-Agent

 

URI(s) ·    /windowsxp/updcheck.php

 

TABLE 6 – Indicators for Backoff Variant 1.56 "LAST"

Indicators Variant: 1.56 "LAST"
Packed MD5 ·    12C9C0BC18FDF98189457A9D112EEBFC
Unpacked MD5 ·    205947B57D41145B857DE18E43EFB794
Install Path ·    %APPDATA%\OracleJava\javaw.exe
Mutexes ·    nUndsa8301nskal
·    nuyhnJmkuTgD
Files Written ·    %APPDATA%\nsskrnl
·    %APPDATA%\winserv.exe
·    %APPDATA%\OracleJava\javaw.exe
·    %APPDATA%\OracleJava\Local.dat
·    %APPDATA%\OracleJava\Log.txt
Static String(POST Request) ·    jhgtsd7fjmytkr
Registry Keys ·    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier
·    HKCU\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service
·    HKLM\ SOFTWARE \Microsoft\Windows\CurrentVersion\Run\Windows NT Service
·    HKCU\SOFTWARE\\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath
·    HKLM\SOFTWARE\\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath
User-Agent ·    Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
URI(s) ·    /windebug/updcheck.php

 

 

 

We use cookies to deliver our online services. Details of the cookies and other tracking technologies we use and instructions on how to disable them are set out in our Cookies Policy. By using this website you consent to our use of cookies.