
Monday, November 10, 2014

(I) Malware Management takes care of variants like Backoff.C!tr.spy

We all knew variants of BackOff would occur and that infections would spread to other retailers and PoS machines.

By practicing the process of Malware Management you can keep up with variants of malware as they are discovered and as reports or blogs are written about them. Then you can tweak your scripts and tools to detect the variants.

As we expected, the malware has moved from mimicking Adobe and Java to using random-named directories and random-named files. Remember, Malware Management is about the known and the unknown, so the locations used are key: look for new things of any name in those locations and filter out the knowns.

The new variant of BackOff uses the Run key to gain persistence and launch, and uses port 443 to talk to various domains. Those domains are guaranteed to change, but notice they are .ru, for you network NetFlow geeks.

If you are practicing Malware Management, using "sha1deep64 -r", a script, a tool, file auditing in logs, or my favorite defensive tool BigFix, you can look for any new directories and files being dropped in this location, which is common to all the PoS malware discovered thus far, and detect the new variant fast!
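The "known versus unknown" audit described above, as an added example that is not the author's script or a sha1deep feature: it recursively SHA-1 hashes a directory tree the way "sha1deep -r" does, compares the result against a saved baseline, and reports only the paths whose hashes are not already known. The directory names and file contents in the demo are constructed in a temporary folder, not taken from any real sample.

```python
"""Baseline-and-diff file auditing: hash a tree, compare to a baseline,
report only the unknowns (new or changed files whose hash is not known-good)."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha1_tree(root):
    """Walk root recursively and return {relative_posix_path: sha1hex},
    equivalent to what 'sha1deep -r <root>' would list."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            h = hashlib.sha1()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[p.relative_to(root).as_posix()] = h.hexdigest()
    return result


def diff_against_baseline(baseline, current, known_good_hashes=frozenset()):
    """Return the unknowns: paths that are new or changed since the baseline,
    filtering out anything whose hash is on the known-good list, plus paths
    that vanished (a possible sign of cleanup or tampering)."""
    new = sorted(p for p, h in current.items()
                 if p not in baseline and h not in known_good_hashes)
    changed = sorted(p for p, h in current.items()
                     if p in baseline and baseline[p] != h
                     and h not in known_good_hashes)
    removed = sorted(p for p in baseline if p not in current)
    return {"new": new, "changed": changed, "removed": removed}


def demo():
    """Constructed scenario (hypothetical names and contents): baseline a tree
    that holds vendor-looking folders, then drop a random-named directory and
    file and tamper with an existing binary, and re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Adobe").mkdir()
        (root / "Adobe" / "updater.exe").write_bytes(b"legit updater bytes")
        (root / "Java").mkdir()
        (root / "Java" / "jusched.exe").write_bytes(b"legit java scheduler")
        baseline = sha1_tree(root)

        # Simulated drop: random-named directory and file (constructed, not a real IoC)
        (root / "qx7f2k").mkdir()
        (root / "qx7f2k" / "a9bd.exe").write_bytes(b"unknown payload bytes")
        # Simulated tampering with a previously baselined binary
        (root / "Adobe" / "updater.exe").write_bytes(b"tampered updater")

        current = sha1_tree(root)
        return diff_against_baseline(baseline, current)


if __name__ == "__main__":
    print(demo())
```

Save the output of sha1_tree() for a clean build as the baseline, feed vendor-published hashes into known_good_hashes so legitimate updates do not page you, and run the diff on a schedule; anything left in "new" or "changed" under the watched location is exactly the unknown this post says to chase.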

Fortinet Blog on BackOff variant

Fortinet details on BackOff variant

#InfoSec #HackerHurricane