SlideShare a Scribd company logo

A Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses

Download as PPTX, PDF
Lastline, Inc., profile picture
Lastline, Inc.

The Backoff malware has affected over 1,000 U.S. retailers by targeting point-of-sale (POS) systems and evading detection through various techniques such as timing evasion and code obfuscation. Attackers deploy Backoff by scanning for remote desktop applications and using brute force to infiltrate POS systems. Current security solutions struggle to protect against these sophisticated and evasive threats, necessitating more robust strategies like EMV payments and full system emulation.

Technology
Related topics:
Network Security
1 of 14
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
Backoff My Point-of-Sale Data! Profiling the Backoff PoS Malware Affecting Retailers Engin Kirda Ph.D., Co-Founder & Chief Architect, Lastline www.lastline.com
What is Backoff? • Malware used in numerous breaches in the last year • Secret Service currently estimates 1,000+ U.S. businesses affected • Targeted to PoS systems • Evades analysis Copyright ©2014 Lastline, Inc. All rights reserved. 2
Recent and Notable Retail/Payments Breaches • The last year has seen a dramatic escalation in the number of breached PoS systems • Many of these PoS payloads, like Backoff, evaded installed defenses and alarms Copyright ©2014 Lastline, Inc. All rights reserved. 3
What is Backoff? [1 Slide Summary from Kyle] • Product screenshot? • Mention evasive behaviors exhibited Copyright ©2014 Lastline, Inc. All rights reserved. 4
What is Backoff? • Timing evasion (an anti-VM technique) • Utilizes code obfuscation • Also uses rare and poorly emulated instructions to defeat simple emulators • Attempts to encrypt parts of the command and control traffic Copyright ©2014 Lastline, Inc. All rights reserved. 5
How are the attackers deploying it? • Scan for Internet facing Remote Desktop applications • Brute force login credentials • Often successfully find administrative credentials • Use admin credentials to deploy Backoff to remote PoS systems Copyright ©2014 Lastline, Inc. All rights reserved. 6
Understanding Evasive Malware Malware authors are not stupid • they got the news that sandboxes are all the rage now • since the code is executed, malware authors have options Evasion defined • Develop code that exhibits no malicious behavior in a traditional sandbox, but still infects the intended target • Can be achieved in a variety of ways… Copyright ©2014 Lastline, Inc. All rights reserved. 7
8 The Evasive Malware Problem Current solutions fail to protect organizations from sophisticated, targeted attacks. Copyright ©2014 Lastline, Inc. All rights reserved.
Lastline Labs AV Vendor Review Antivirus systems take months to catch up to highly evasive threats. Copyright ©2014 Lastline, Inc. All rights reserved. 9
3 Ways to Build a Sandbox Not all sandbox solutions can detect highly evasive malware. Copyright ©2014 Lastline, Inc. All rights reserved. 10
Virtualized Sandboxing vs. Full System Emulation Even APT Solutions with virtualized sandboxing fail to detect highly evasive malware. Copyright ©2014 Lastline, Inc. All rights reserved. 11
Securing Your Organization • At PoS: Accept EMV payments to limit exposure in case of a breach • At PoS: E2E encryption of transaction (POI never has cleartext) • Detect and protect against malware and C&C • Full system emulation approach with Lastline Copyright ©2014 Lastline, Inc. All rights reserved. 12
Detect Evasive Malware in Your Network Start your 30-day Lastline trial: http://landing.lastline.com/request-lastline-trial “I would highly recommend Lastline to any company that is entrusted with customer data. Retailers, restaurants, or any organization that is interested in elevating their handling and protection of data could benefit from working with Lastline.” Tom Lindblom CTO, CKE Restaurants Copyright ©2014 Lastline, Inc. All rights reserved. 13
Thank You! For more information visit www.lastline.com or contact us at info@lastline.com.

More Related Content

PPTX
Introducing Savvius Vigil
Savvius, Inc
 
PPTX
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Digital Bond
 
PPTX
T3 conference talk nov 2014
Sid Yenamandra
 
PPTX
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...
Digital Bond
 
PPTX
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
centralohioissa
 
PDF
AWS Summit Singapore 2019 | Pragmatic Container Security
AWS Summits
 
PPT
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Digital Bond
 
PPTX
Risks vs real life
Mona Arkhipova
 
Introducing Savvius Vigil
Savvius, Inc
 
Tiptoe Through The Network: Practical Vulnerability Assessments in Control Sy...
Digital Bond
 
T3 conference talk nov 2014
Sid Yenamandra
 
Time Traveling: Adapting Techniques from the Future to Improve Reliability, J...
Digital Bond
 
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
centralohioissa
 
AWS Summit Singapore 2019 | Pragmatic Container Security
AWS Summits
 
Detecting Problems in Industrial Networks Through Continuous Monitoring, Leve...
Digital Bond
 
Risks vs real life
Mona Arkhipova
 

What's hot (20)

PPTX
Endpoint Security Evasion
Invincea, Inc.
 
PDF
Web Intrusion Detection
Abhishek Singh
 
PPTX
Advanced Persistent Threats
ESET
 
PPTX
Firewall, Router and Switch Configuration Review
Christine MacDonald
 
PPT
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
Imperva Incapsula
 
PPTX
Security Ops for large and small companies
Mona Arkhipova
 
PDF
On the impact of security vulnerabilities in the npm package dependency network
Tom Mens
 
PPTX
ESET: Delivering Benefits to Enterprises
ESET
 
PDF
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Security Weekly
 
PPTX
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
Imperva Incapsula
 
PDF
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
Security Weekly
 
PDF
The Internet of Insecure Things: 10 Most Wanted List
Security Weekly
 
PDF
Newsletter Connect - Sep 2015
Arish Roy
 
PDF
Build and deploy bulletproof software
Fabrice Derepas
 
PPTX
Network Forensics for Splunk, an Emulex presentation
Emulex Corporation
 
PDF
Virtual Security
F-Secure Corporation
 
PDF
Positive Hack Days 7 - Ransomware forensiсs
Mona Arkhipova
 
PPTX
Multi domain security-management_technical_presentation
davebrosnan
 
PDF
Protection Service for Business
F-Secure Corporation
 
PPTX
Application Security within Agile
Netlight Consulting
 
Endpoint Security Evasion
Invincea, Inc.
 
Web Intrusion Detection
Abhishek Singh
 
Advanced Persistent Threats
ESET
 
Firewall, Router and Switch Configuration Review
Christine MacDonald
 
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
Imperva Incapsula
 
Security Ops for large and small companies
Mona Arkhipova
 
On the impact of security vulnerabilities in the npm package dependency network
Tom Mens
 
ESET: Delivering Benefits to Enterprises
ESET
 
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Security Weekly
 
An Inside Look at a Sophisticated Multi-Vector DDoS Attack
Imperva Incapsula
 
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
Security Weekly
 
The Internet of Insecure Things: 10 Most Wanted List
Security Weekly
 
Newsletter Connect - Sep 2015
Arish Roy
 
Build and deploy bulletproof software
Fabrice Derepas
 
Network Forensics for Splunk, an Emulex presentation
Emulex Corporation
 
Virtual Security
F-Secure Corporation
 
Positive Hack Days 7 - Ransomware forensiсs
Mona Arkhipova
 
Multi domain security-management_technical_presentation
davebrosnan
 
Protection Service for Business
F-Secure Corporation
 
Application Security within Agile
Netlight Consulting
 
Ad

Viewers also liked (20)

PPTX
4 ltr powerpoint2010_ch21_pr1a_briannaspinney_2
Brianna Spinney
 
PDF
Realmadrid-Atleticodemadrid
Ropa Deportiva Online
 
PDF
KCB101 Not Your Mothers' Storyboard
francesliam
 
PDF
Vaccination Schedules for Dogs and Puppies
canadapetcare
 
PPTX
Siklus anggaran forum skpd
Indra Djatie
 
PDF
FC Barcelona, trayectoria de sus estadios
Ropa Deportiva Online
 
PPTX
Three things for wildcard ssl certs
tas-hiro
 
PDF
Liptonvscold final
Oleg Idolov
 
PDF
White stone meandr
Данил Сахненко
 
PPTX
PERBANDINGAN EVALUASI KEKUATAN PERLEKATAN MICRO-TENSILE PADA SISTEM ADHESIF O...
Universitas Sumatera Utara
 
PPTX
Tech slide show
Levi Lynch
 
PPT
(Lovern tamra historyingraphicdesign)powerpoint
Tamra Lovern
 
PPTX
Sophia grant 3100849 lang6099 power point presentationl
turbs1995
 
PDF
Snoring
gaonooe
 
PPTX
Ashley
Tamra Lovern
 
PPT
JLF
Susan Weldy
 
PPTX
Blenderman by panda_apps_presentation
mrjonesbrgs
 
PPTX
Prezentacja1
justynakokocinska
 
PDF
Real Madrid, trayectoria de su estadio
Ropa Deportiva Online
 
PDF
Alvaro
Alvaro Apileo Reyes
 
4 ltr powerpoint2010_ch21_pr1a_briannaspinney_2
Brianna Spinney
 
Realmadrid-Atleticodemadrid
Ropa Deportiva Online
 
KCB101 Not Your Mothers' Storyboard
francesliam
 
Vaccination Schedules for Dogs and Puppies
canadapetcare
 
Siklus anggaran forum skpd
Indra Djatie
 
FC Barcelona, trayectoria de sus estadios
Ropa Deportiva Online
 
Three things for wildcard ssl certs
tas-hiro
 
Liptonvscold final
Oleg Idolov
 
White stone meandr
Данил Сахненко
 
PERBANDINGAN EVALUASI KEKUATAN PERLEKATAN MICRO-TENSILE PADA SISTEM ADHESIF O...
Universitas Sumatera Utara
 
Tech slide show
Levi Lynch
 
(Lovern tamra historyingraphicdesign)powerpoint
Tamra Lovern
 
Sophia grant 3100849 lang6099 power point presentationl
turbs1995
 
Snoring
gaonooe
 
Ashley
Tamra Lovern
 
JLF
Susan Weldy
 
Blenderman by panda_apps_presentation
mrjonesbrgs
 
Prezentacja1
justynakokocinska
 
Real Madrid, trayectoria de su estadio
Ropa Deportiva Online
 
Alvaro
Alvaro Apileo Reyes
 
Ad

Similar to A Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses (20)

PPTX
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Lastline, Inc.
 
PPTX
Malware in the Wild: Evolving to Evade Detection
Lastline, Inc.
 
PPTX
PoS Malware and Other Threats to the Retail Industry
Invincea, Inc.
 
PDF
Lastline Case Study
Lastline, Inc.
 
PPT
Next Generation Advanced Malware Detection and Defense
Luca Simonelli
 
PPTX
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Adrian Sanabria
 
PDF
Paolo Passeri - A Multi Layered Approach to Threat Intelligence
Codemotion
 
PDF
Understanding Advanced Threats and How to Prevent Them
MarketingArrowECS_CZ
 
PDF
SunbeltLabs Quarterly Briefing Malware Unmasked
nicholaskeuning
 
PDF
Staying One Step Ahead with Zero-Day Protection
MarketingArrowECS_CZ
 
PDF
Sandboxing
NSConclave
 
PPTX
Modern Malware by Nir Zuk Palo Alto Networks
dtimal
 
PPTX
451 and Cylance - The Roadmap To Better Endpoint Security
Adrian Sanabria
 
PPTX
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Lastline, Inc.
 
PPTX
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
SecureDocs
 
PDF
Next Generation Endpoint Prtection Buyers Guide
Jeremiah Grossman
 
PDF
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
IBM Security
 
PDF
Oh... that's ransomware and... look behind you a three-headed Monkey
Stefano Maccaglia
 
PPTX
How Malware Works - Understanding Software Vulnerabilities
Bunmi Sowande
 
PDF
Check Point SandBlast and SandBlast Agent
MarketingArrowECS_CZ
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Lastline, Inc.
 
Malware in the Wild: Evolving to Evade Detection
Lastline, Inc.
 
PoS Malware and Other Threats to the Retail Industry
Invincea, Inc.
 
Lastline Case Study
Lastline, Inc.
 
Next Generation Advanced Malware Detection and Defense
Luca Simonelli
 
Stranded on Infosec Island: Defending the Enterprise with Nothing but Windows...
Adrian Sanabria
 
Paolo Passeri - A Multi Layered Approach to Threat Intelligence
Codemotion
 
Understanding Advanced Threats and How to Prevent Them
MarketingArrowECS_CZ
 
SunbeltLabs Quarterly Briefing Malware Unmasked
nicholaskeuning
 
Staying One Step Ahead with Zero-Day Protection
MarketingArrowECS_CZ
 
Sandboxing
NSConclave
 
Modern Malware by Nir Zuk Palo Alto Networks
dtimal
 
451 and Cylance - The Roadmap To Better Endpoint Security
Adrian Sanabria
 
Now you see me, now you don't: chasing evasive malware - Giovanni Vigna
Lastline, Inc.
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
SecureDocs
 
Next Generation Endpoint Prtection Buyers Guide
Jeremiah Grossman
 
The Business Case for Enterprise Endpoint Protection: Can You Afford Not To?
IBM Security
 
Oh... that's ransomware and... look behind you a three-headed Monkey
Stefano Maccaglia
 
How Malware Works - Understanding Software Vulnerabilities
Bunmi Sowande
 
Check Point SandBlast and SandBlast Agent
MarketingArrowECS_CZ
 

More from Lastline, Inc. (6)

PPTX
Lastline RSAC 2018 Highlights
Lastline, Inc.
 
PPTX
Infosec Europe 2017 Highlights | Lastline, Inc.
Lastline, Inc.
 
PPTX
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Lastline, Inc.
 
PPTX
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Lastline, Inc.
 
PPT
Introduction to Malware - Part 1
Lastline, Inc.
 
PDF
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Lastline, Inc.
 
Lastline RSAC 2018 Highlights
Lastline, Inc.
 
Infosec Europe 2017 Highlights | Lastline, Inc.
Lastline, Inc.
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Lastline, Inc.
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Lastline, Inc.
 
Introduction to Malware - Part 1
Lastline, Inc.
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Lastline, Inc.
 

Recently uploaded (20)

PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
August Patch Tuesday
Ivanti
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Heart disease approach using modified random forest and particle swarm optimi...
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
August Patch Tuesday
Ivanti
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 

A Profile of the Backoff PoS Malware that Hit 1000+ Retail Businesses

  • 1. Backoff My Point-of-Sale Data! Profiling the Backoff PoS Malware Affecting Retailers Engin Kirda Ph.D., Co-Founder & Chief Architect, Lastline www.lastline.com
  • 2. What is Backoff? • Malware used in numerous breaches in the last year • Secret Service currently estimates 1,000+ U.S. businesses affected • Targeted to PoS systems • Evades analysis Copyright ©2014 Lastline, Inc. All rights reserved. 2
  • 3. Recent and Notable Retail/Payments Breaches • The last year has seen a dramatic escalation in the number of breached PoS systems • Many of these PoS payloads, like Backoff, evaded installed defenses and alarms Copyright ©2014 Lastline, Inc. All rights reserved. 3
  • 4. What is Backoff? [1 Slide Summary from Kyle] • Product screenshot? • Mention evasive behaviors exhibited Copyright ©2014 Lastline, Inc. All rights reserved. 4
  • 5. What is Backoff? • Timing evasion (an anti-VM technique) • Utilizes code obfuscation • Also uses rare and poorly emulated instructions to defeat simple emulators • Attempts to encrypt parts of the command and control traffic Copyright ©2014 Lastline, Inc. All rights reserved. 5
  • 6. How are the attackers deploying it? • Scan for Internet facing Remote Desktop applications • Brute force login credentials • Often successfully find administrative credentials • Use admin credentials to deploy Backoff to remote PoS systems Copyright ©2014 Lastline, Inc. All rights reserved. 6
  • 7. Understanding Evasive Malware Malware authors are not stupid • they got the news that sandboxes are all the rage now • since the code is executed, malware authors have options Evasion defined • Develop code that exhibits no malicious behavior in a traditional sandbox, but still infects the intended target • Can be achieved in a variety of ways… Copyright ©2014 Lastline, Inc. All rights reserved. 7
  • 8. 8 The Evasive Malware Problem Current solutions fail to protect organizations from sophisticated, targeted attacks. Copyright ©2014 Lastline, Inc. All rights reserved.
  • 9. Lastline Labs AV Vendor Review Antivirus systems take months to catch up to highly evasive threats. Copyright ©2014 Lastline, Inc. All rights reserved. 9
  • 10. 3 Ways to Build a Sandbox Not all sandbox solutions can detect highly evasive malware. Copyright ©2014 Lastline, Inc. All rights reserved. 10
  • 11. Virtualized Sandboxing vs. Full System Emulation Even APT Solutions with virtualized sandboxing fail to detect highly evasive malware. Copyright ©2014 Lastline, Inc. All rights reserved. 11
  • 12. Securing Your Organization • At PoS: Accept EMV payments to limit exposure in case of a breach • At PoS: E2E encryption of transaction (POI never has cleartext) • Detect and protect against malware and C&C • Full system emulation approach with Lastline Copyright ©2014 Lastline, Inc. All rights reserved. 12
  • 13. Detect Evasive Malware in Your Network Start your 30-day Lastline trial: http://landing.lastline.com/request-lastline-trial “I would highly recommend Lastline to any company that is entrusted with customer data. Retailers, restaurants, or any organization that is interested in elevating their handling and protection of data could benefit from working with Lastline.” Tom Lindblom CTO, CKE Restaurants Copyright ©2014 Lastline, Inc. All rights reserved. 13
  • 14. Thank You! For more information visit www.lastline.com or contact us at [email protected].

Editor's Notes

  • #6: rtdsc looping (timing evasion) obfuscation uses a mildly obfuscated code (oligomorphic decryptor), multistage encrypted shellcode, runpe/hollowing, encryption track/keylogger data sent to c2 is encrypted; networked based detection of the c2 still quite easy -> enterprise could detect it reliably, but DLP mechanisms would fail
  • #7: Using publicly available services and tools for each step
  • #13: emv reduces the value of stolen transaction data, as the transaction data has a limited number of “re-uses” end to end encryption prevents PoS malware from collecting transaction data, reducing the attack surface build verification and detailed behavioral analysis of all software being pushed to PoS systems could absolutely have stopped many these breaches comprehensive analysis of network traffic could have identified them quickly and easily… began providing protection before samples were seen, and alerts for the first c2 events