Fresh Backoff Point-of-Sale Malware Strain ‘ROM’ Detected, Says Fortinet

Fortinet the security company recently intercepted ROM a malicious program, which is one fresh and increasingly advanced edition of the POS (point-of-sale) malicious software 'Backoff.'

The Company notes that ROM though appears like its earlier edition yet its special tweaks aid it to better bypass security software as also create obstacles for its analysis.

Moreover, ROM technically identified as W32/Backoff.B!tr.spy does not have an edition number within its payload.

ROM doesn't also use a camouflage of Java to hide its real nature unlike the earlier Backoff editions. Instead it poses like one media-player labeled mplaterc.exe. When it replicates itself onto a system it infects the malware summons one API viz. WinExec. This particular API modifies file-names by using hashed values so the analysis process gets thwarted.

According to Junior Antivirus Analyst Hong Kei Chan with Fortinet, ROM, like before, filches credit card information in much a similar manner with an added capability for parsing Track 1 as well as Track 2 details. Within the new edition, though, the malware exhibits 2 more functionalities: saving the filched payment card data somewhere inside the infected computer and hashing blacklist processes' names, he adds. Securityweek.com published this, November 3, 2014.

Besides, Backoff's latest version changes the elements of its command-and-control structure for even more bypassing detection by establishing its communication with the command-and-control system via port 443 as well as encrypting the data exchanged during the communication.

The new variant, it requires noting, has abandoned the keyogger element of the malware. But Chan is sure that this will merely remain tentative before the keylogger would again appear within yet another sample of Backoff. Tripwire.com reported this, November 4, 2014.

In an advisory that Department of Homeland Security released during August 2014, it's reported that almost 1,000 enterprises became victims of Backoff, including UPS Stores, Dairy Queen, Target and Supervalu.

Furthermore, albeit Backoff and its strains were lately found during July 2014, the main payload, as per forensic investigations, may've remained active since far back October 2013.

To remain safeguarded from malware assaults, users are advised towards imbibing the solutions that US-CERT highlights, as well as keeping their anti-viruses up-to-date.

» SPAMfighter News - 11/15/2014