Backoff Malware: “Unsophisticated” But Effective

Look, I’m not trying to scare you, although I don’t think it’s a bad idea to be a little scared about the current threat level from data breaches. The Backoff malware that’s suspected to be behind most of the big headline breaches over the past year is generally described as not very sophisticated—yet criminals have managed to use versions of this code to steal hundreds of millions of credit card numbers and associated personal information.

Last month, security experts at Damballa released a report that showed a spike in infections of the Backoff point-of-sale malware during the third quarter of 2014. Last week, they added another blog post indicating that infections continue to rise as we head into the all-important holiday shopping season. To make matters worse, researchers at Fortinet announced the discovery of two new versions of Backoff active in the wild that have been modified specifically to make detection more difficult.

Although Backoff is described as unsophisticated, it is nonetheless quite insidious. In brief, here’s how it operates:

  • When the executable runs, it copies itself to disk under a name that makes it look like a Java component (javaw.exe). (The newly discovered ROM and 211G1 versions masquerade as a media player instead.)
  • The copy is marked with the READONLY, SYSTEM, and HIDDEN attributes, so it does not show up in a default directory listing.
  • The malware sets several registry keys so that it starts again after every reboot.
  • It scans the memory of running processes with a custom routine that picks out payment card numbers and the related track data a POS application handles in the clear.
  • The malware logs keystrokes to a file on disk. (The ROM and 211G1 versions apparently do not include keylogging.)
  • It injects code into the explorer.exe process that watches the malware and reinstalls it if it is removed.
  • It checks in with the attacker's command-and-control server at regular intervals to upload stolen data, and the server can return commands, including an updated copy of the malware.

You can read a more detailed explanation of this process in SpiderLabs’ “Backoff – Technical Analysis.”
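Here is what a memory scraper is actually looking for, as an added example that is not Backoff's code and not taken from the SpiderLabs analysis: a scan of a constructed byte buffer for Track 1 and Track 2 magnetic-stripe records, with a Luhn check to discard number-like noise. The same scan, run over a memory dump of your own POS process, tells you whether cleartext track data is sitting there for a scraper to take. The buffer contents and cardholder names are made up, and the card numbers are the well-known test PANs that pass Luhn but belong to no issued card.

```python
import re

# Constructed sample of process memory: a few card records in Track 1 / Track 2
# format surrounded by unrelated bytes. The PANs are well-known test numbers
# (they pass Luhn but are not issued cards); the names are made up.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00\x00"
    b"%B4111111111111111^DOE/JANE^2512101000000000000?"
    b"\x00\x00some other heap data\x00\x00"
    b";5500000000000004=25121010000000000000?"
    b"\x00junk 1234567890123456 not a track\x00"
    b";1234567890123456=2512?"  # track-like but fails the Luhn check
)

# Track 1: start sentinel '%', format code 'B', PAN, '^', name, '^', YYMM..., end sentinel '?'
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
# Track 2: start sentinel ';', PAN, '=', YYMM, service code..., end sentinel '?'
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_tracks(buf: bytes) -> list:
    """Find Track 1/Track 2 records in a memory buffer, keeping only Luhn-valid PANs."""
    found = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append({"track": 1, "pan": pan,
                          "name": m.group(2).decode(), "exp": m.group(3).decode()})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            found.append({"track": 2, "pan": pan, "exp": m.group(2).decode()})
    return found


def masked(pan: str) -> str:
    """First six and last four digits only, which is all a report should ever show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for rec in scrape_tracks(SAMPLE_MEMORY):
        print("track", rec["track"], masked(rec["pan"]), "exp", rec["exp"])
```

Note that the plain 16-digit run in the middle of the buffer is ignored because it has no sentinels, and the last Track 2 record is dropped by the Luhn check; both filters are what keep a scraper, or a defensive scan, from drowning in false hits.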

Another interesting piece of news that came out this week relates to the Home Depot data breach, which is believed to have involved a version of Backoff and resulted in the loss of 56 million payment card numbers. Home Depot disclosed that the attackers entered its systems using a third-party vendor's legitimate credentials. In other words, the initial compromise happened on someone else's network, and the criminals then walked into Home Depot with what looked like authorized access.

The important lesson to take from this news is that sometimes it doesn’t matter how good your perimeter security is. Unless you’re living in an underground bunker with absolutely no connections to anything or anyone else, there’s always a way in. And there aren’t many practical businesses you can run from a disconnected bunker.

Although Backoff is primarily designed as a point-of-sale malware that targets retailers, other businesses should be on the lookout as well. American Banker published “How ‘Backoff’ Malware Works and Why Banks Should Care,” aimed primarily at financial institutions but with valuable information for any business. The article points out how the malware’s keylogging ability can be used to steal passwords, which could be a problem for banks, medical institutions, or any business that deals with secured data.

As almost any malware will, Backoff is always trying to hide what it's doing: removing copies of itself, renaming itself, and so forth. At the same time, it is making a lot of changes to the infected host as it goes about its business: a new executable in an unusual place, new registry entries, code injected into another process. And it is opening a communication channel to the attacker in order to exfiltrate stolen data. As a result, Backoff's activity should show up in a change auditing log and in outbound connection records. Yes, it's important to have up-to-date anti-virus and malware protection, but it's also important to keep a close watch on your hosts and your network for unauthorized or unusual changes or communications.
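What that change-audit watch could look like in practice, as an added example (my own code, not from the original post or any product): a few constructed audit-log lines from a hypothetical POS register are run through three rules that match the behaviours listed earlier, a hidden executable dropped outside the program directories, a new autorun registry entry, and a process beaconing to an external address on a fixed interval. The log format, host name, paths and addresses are all made up; a legitimate Java install and an irregular connection to an internal server are included to show that the rules leave them alone.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed audit-log excerpt from one POS register. The line format
# (timestamp|host|event|key=value ...) is hypothetical, not any product's
# real log format; the host, paths and addresses are made up.
AUDIT_LOG = r"""
2014-11-20T09:01:03|POS-07|FILE_CREATE|path=C:\Users\pos\AppData\Roaming\OracleJava\javaw.exe attrs=HIDDEN,SYSTEM,READONLY
2014-11-20T09:01:04|POS-07|REG_SET|key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=javaw data=C:\Users\pos\AppData\Roaming\OracleJava\javaw.exe
2014-11-20T09:05:10|POS-07|FILE_CREATE|path=C:\Program Files\Java\jre7\bin\javaw.exe attrs=
2014-11-20T09:10:00|POS-07|NET_CONNECT|proc=javaw.exe dst=203.0.113.45:443
2014-11-20T09:12:33|POS-07|NET_CONNECT|proc=posapp.exe dst=10.0.5.20:8443
2014-11-20T09:15:00|POS-07|NET_CONNECT|proc=javaw.exe dst=203.0.113.45:443
2014-11-20T09:20:01|POS-07|NET_CONNECT|proc=javaw.exe dst=203.0.113.45:443
2014-11-20T09:25:00|POS-07|NET_CONNECT|proc=javaw.exe dst=203.0.113.45:443
2014-11-20T09:31:17|POS-07|NET_CONNECT|proc=posapp.exe dst=10.0.5.20:8443
"""

# Directories where new executables are expected; anything else is suspect.
TRUSTED_EXE_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Address ranges we treat as our own network (assumed for the example).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # key=value pairs, values may contain spaces


def parse(log_text: str) -> list:
    """Turn the pipe-delimited log into a list of event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, kind, details = line.split("|", 3)
        ev = {"ts": datetime.fromisoformat(ts), "host": host, "event": kind}
        ev.update(KV.findall(details))
        events.append(ev)
    return events


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events: list, min_beacons: int = 4, max_jitter: float = 0.1) -> list:
    """Return (host, rule, detail) alerts for the three Backoff-style behaviours."""
    alerts = []
    conns = defaultdict(list)   # (host, process, destination) -> connection times
    for ev in events:
        if ev["event"] == "FILE_CREATE":
            path = ev["path"].lower()
            attrs = set(ev.get("attrs", "").upper().split(",")) - {""}
            if path.endswith(".exe") and not path.startswith(TRUSTED_EXE_DIRS) \
                    and {"HIDDEN", "SYSTEM"} <= attrs:
                alerts.append((ev["host"], "hidden executable dropped outside program dirs", ev["path"]))
        elif ev["event"] == "REG_SET":
            if ev["key"].lower().endswith(AUTORUN_KEYS):
                alerts.append((ev["host"], "autorun entry added", f'{ev["value"]} -> {ev["data"]}'))
        elif ev["event"] == "NET_CONNECT":
            ip, _, _port = ev["dst"].rpartition(":")
            if not is_internal(ip):
                conns[(ev["host"], ev["proc"], ev["dst"])].append(ev["ts"])
    # Beaconing: enough connections to one external host with near-constant spacing.
    for (host, proc, dst), times in conns.items():
        if len(times) < min_beacons:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) < max_jitter:
            alerts.append((host, "regular beacon to external host",
                           f"{proc} -> {dst} every ~{mean(gaps):.0f}s"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(parse(AUDIT_LOG)):
        print(f"{host}: {rule}: {detail}")
```

The beacon rule keys on regularity rather than on a known bad address, which is the point: the command-and-control server changes from campaign to campaign, but a process that phones out every five minutes to the second is worth a look whatever it is talking to. In production the same three rules would read from your real file-integrity, registry and firewall logs instead of this constructed excerpt.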

In the case of the Home Depot breach, malware was active on their systems for at least four months and regularly sending credit card and other personal information outside the network. That’s a really long time for that much activity to be going on within the network and no red flags raised. I hope other IT pros are more vigilant about network auditing, and are on the lookout for problems such as Backoff. You don’t want your holiday season ruined with a breach—or to ruin someone else’s.
