Monday, 3 November 2014

'ROM' New Variant of Backoff Malware


Researchers at Fortinet have discovered another version of the Backoff PoS malware. This one does not carry a version number; instead it carries the name ROM.

The new version of Backoff is similar to the previous versions, but this time the keylogging feature is absent. Fortinet believes the Backoff developer will add the feature back in the near future.

According to US-CERT, Backoff is one of the malware families responsible for at least 1000 data breaches across the country. Among the most prominent breaches attributed to it are Dairy Queen, Target and Supervalu. Backoff attacks grew to the point that the Payment Card Industry Security Standards Council (PCI SSC) was forced to release an advisory telling merchants to contact their antivirus provider and confirm whether their software detects the malware.

The new version of Backoff has changed parts of its command-and-control communication to avoid detection. It connects over port 443 and encrypts the traffic, which makes detection more difficult. The field names of the query string have also changed, and the contents of some fields carry an additional layer of Base64 encoding.

According to Fortinet, the latest variant of Backoff, dubbed "ROM" (and detected as W32/Backoff.B!tr.spy), disguises itself as a media player file during installation.

Fortinet's Hong Kei Chan said,

During the installation phase Backoff drops a copy of itself on the infected machine and creates a number of autorun registry entries to ensure persistence. The latest version is no different, but instead of disguising itself as a Java component as with previous versions, it pretends to be a media player with the file name "mplayerc.exe".

Chan also added,

In addition, unlike previous versions where the CopyFileA API is called to drop a copy of itself, ROM calls the WinExec API. To hinder the analysis process, the malware author utilizes a very common technique by replacing API names with the hashed values, and a custom hashing function is called to look up the API name with the equivalent hash value.

Like the previous versions, it is able to parse Track 1 and Track 2 data and to store the stolen credit card data on the local system. The stolen data is encrypted with RC4 and Base64-encoded, though the algorithm that generates the RC4 key has been slightly modified.


The stolen credit card data is still encoded with RC4 and Base64, but the algorithm for generating the RC4 key has been slightly modified. Previously, the RC4 key was produced from three components: (1) a randomly generated seven-character string, (2) a hardcoded string, and (3) the user logon name and computer name (e.g. "bot @ FTNT"). These were concatenated and then hashed with MD5. In the new version, there is a slight modification in the concatenated strings. (Figure)
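To make the key derivation concrete for an analyst who needs to decode a recovered stash file, here is an added Python illustration of the three-component scheme described above; it is not code from Fortinet's analysis. The concatenation order, the use of the raw 16-byte MD5 digest as the RC4 key, and the placeholder for the unpublished hardcoded string are all assumptions.

```python
import base64
import hashlib

# Placeholder: the hardcoded component is not published in the write-up.
HARDCODED_COMPONENT = b"HARDCODED_STRING_PLACEHOLDER"


def derive_key(seed, hardcoded, logon_name, computer_name):
    """Concatenate the three described components and MD5 them.
    Order of concatenation and use of the raw digest are assumptions."""
    material = seed + hardcoded + f"{logon_name} @ {computer_name}".encode()
    return hashlib.md5(material).digest()


def rc4(key, data):
    """Plain RC4 (KSA then PRGA). RC4 is symmetric: one routine both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_stash(b64_blob, key):
    """Undo the two layers the write-up describes: Base64 first, then RC4."""
    return rc4(key, base64.b64decode(b64_blob))


def encode_stash(plaintext, key):
    """Inverse of decode_stash; used here only to construct the sample blob."""
    return base64.b64encode(rc4(key, plaintext)).decode()


# Constructed sample: a Track 2-style record built from a test PAN, not real card data.
SAMPLE_TRACK2 = b";4111111111111111=2512101123456789?"
SAMPLE_SEED = b"aBcDeFg"   # stands in for the random seven-character string
SAMPLE_KEY = derive_key(SAMPLE_SEED, HARDCODED_COMPONENT, "bot", "FTNT")
SAMPLE_BLOB = encode_stash(SAMPLE_TRACK2, SAMPLE_KEY)

if __name__ == "__main__":
    print("stash blob :", SAMPLE_BLOB)
    print("decoded    :", decode_stash(SAMPLE_BLOB, SAMPLE_KEY))
```

Without the seed, the hardcoded string and the victim's logon/computer names, the key cannot be rebuilt, which is why the seven-character seed is worth recovering from memory or the sample during analysis.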

Back in August, security firm Trustwave also discovered another variant of Backoff, named 'Web', with version number 1.5. That version worked much like its predecessor, LAST. LAST injected a stub into explorer.exe to maintain persistence in case the application crashed or was forcefully stopped.
