Backoff My Point-of-Sale Data!
Profiling the Backoff PoS Malware Affecting Retailers
Engin Kirda, Ph.D., Co-Founder & Chief Architect, Lastline
www.lastline.com
What is Backoff?
• Malware used in numerous breaches in the last year
• Secret Service currently estimates 1,000+ U.S. businesses affected
• Targeted to PoS systems
• Evades analysis
Copyright ©2014 Lastline, Inc. All rights reserved.
Recent and Notable Retail/Payments Breaches
• The last year has seen a dramatic escalation in the number of breached PoS systems
• Many of these PoS payloads, like Backoff, evaded installed defenses and alarms
What is Backoff?
• Timing evasion (an anti-VM technique)
• Utilizes code obfuscation
• Also uses rare and poorly emulated instructions to defeat simple emulators
• Attempts to encrypt parts of the command and control traffic
How are the attackers deploying it?
• Scan for Internet facing Remote Desktop applications
• Brute force login credentials
• Often successfully find administrative credentials
• Use admin credentials to deploy Backoff to remote PoS systems
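The deployment chain on this slide (Internet-facing RDP, credential brute force, then a successful administrative logon) leaves a recognisable trace in Windows Security logs. The following detector is an added example, not code from the deck or from Lastline: it runs over constructed sample records (event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP) and alerts when one source address fails many RDP logons inside a time window and then succeeds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security log records (not real logs), one per tuple:
# (timestamp, event_id, logon_type, source_ip, account).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2014-08-01 02:10:01", 4625, 10, "203.0.113.7", "Administrator"),
    ("2014-08-01 02:10:02", 4625, 10, "203.0.113.7", "Administrator"),
    ("2014-08-01 02:10:03", 4625, 10, "203.0.113.7", "admin"),
    ("2014-08-01 02:10:04", 4625, 10, "203.0.113.7", "Administrator"),
    ("2014-08-01 02:10:05", 4625, 10, "203.0.113.7", "pos"),
    ("2014-08-01 02:10:06", 4625, 10, "203.0.113.7", "Administrator"),
    ("2014-08-01 02:10:09", 4624, 10, "203.0.113.7", "Administrator"),  # guessing succeeded
    ("2014-08-01 02:11:00", 4625, 10, "198.51.100.5", "jdoe"),          # one typo, then success
    ("2014-08-01 02:11:20", 4624, 10, "198.51.100.5", "jdoe"),
    ("2014-08-01 02:12:00", 4625, 3, "203.0.113.9", "Administrator"),   # network logon, not RDP
    ("2014-08-01 02:12:01", 4625, 3, "203.0.113.9", "Administrator"),
]

def parse_events(records):
    """Turn raw tuples into (datetime, event_id, logon_type, src, account), oldest first."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), *rest) for ts, *rest in records]
    return sorted(parsed, key=lambda e: e[0])

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on a source that accumulates `threshold` failed RDP logons within `window`
    and then logs on successfully over RDP: the brute-force-then-deploy pattern."""
    failures = defaultdict(list)   # source_ip -> timestamps of recent failed RDP logons
    alerts = []
    for ts, event_id, logon_type, src, account in events:
        if logon_type != 10:       # only RemoteInteractive (RDP) logons matter here
            continue
        if event_id == 4625:
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
        elif event_id == 4624:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"source": src, "account": account,
                               "failures": len(recent), "success_at": ts})
            failures[src] = []     # a success resets the counter for that source
    return alerts

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{a['source']}: {a['failures']} failed RDP logons, then success as "
              f"{a['account']} at {a['success_at']:%H:%M:%S}")
```

Only the first source trips the rule; the single mistyped password and the non-RDP failures are ignored, which keeps the alert tied to the specific sequence the attackers rely on.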
Understanding Evasive Malware
Malware authors are not stupid
• They got the news that sandboxes are all the rage now
• Since the code is executed, malware authors have options
Evasion defined
• Develop code that exhibits no malicious behavior in a traditional sandbox, but still infects the intended target
• Can be achieved in a variety of ways…
The Evasive Malware Problem
Current solutions fail to protect organizations from sophisticated, targeted attacks.
Lastline Labs AV Vendor Review
Antivirus systems take months to catch up to highly evasive threats.
3 Ways to Build a Sandbox
Not all sandbox solutions can detect highly evasive malware.
Virtualized Sandboxing vs. Full System Emulation
Even APT solutions with virtualized sandboxing fail to detect highly evasive malware.
Securing Your Organization
• At PoS: Accept EMV payments to limit exposure in case of a breach
• At PoS: End-to-end encryption of the transaction (POI never has cleartext)
• Detect and protect against malware and C&C
• Full system emulation approach with Lastline
Detect Evasive Malware in Your Network
Start your 30-day Lastline trial: http://landing.lastline.com/request-lastline-trial
“I would highly recommend Lastline to any company that is entrusted with customer data. Retailers, restaurants, or any organization that is interested in elevating their handling and protection of data could benefit from working with Lastline.”
Tom Lindblom, CTO, CKE Restaurants
For more information visit www.lastline.com or contact us at [email protected].
Thank You!