
CERT issues alert about new Backoff PoS malware

Over in the US, CERT (the Computer Emergency Readiness Team) has issued a warning over a nasty strain of malware which targets PoS (point of sale) terminals.

CERT, in association with the National Cybersecurity and Communications Integration Center, US Secret Service and Trustwave Spiderlabs, has named the fresh malware Backoff, and noted that it has been involved in at least three PoS data breach incidents to date.

Unsurprisingly, upon first discovery the team found that antivirus engines had a very low (or zero) detection rate for the malware, which has three primary variants dating back to last autumn (1.4, 1.55 and 1.56).

The malware has four main capabilities: keylogging, scraping memory from running processes in search of track data, command and control server communication, and injecting a stub of malicious code into explorer.exe (although the earliest incarnation lacked any keylogging).

The injected stub ensures that the malware persists should it crash or be forcefully halted, while the command and control module uploads stolen data back to the malware author and allows the malicious software to be patched.

In short, Backoff can strip customer data such as names, addresses and emails from PoS systems, along with critical financial information such as card details.

CERT notes that now these details have been published, security firms will doubtless be updating their antivirus definitions, so Backoff should be picked up by AV programs (in its current form, anyway). Be sure to update your definitions regularly, as ever, and you can find a full list of recommended mitigations against a possible Backoff breach in CERT's report.
