Significant number of major businesses (POS systems) hit by Backoff malware


    --------
    DHS first warned of Backoff in late July, when it noted the
    malware was not detectable by most antivirus software.
    --------

And yet in spite of that and countless other similar examples, the myth
continues that AV/AM software actually accomplishes anything useful and
is worth the millions of dollars that is spent each year on that market
segment.

====================================================================

US warns 'significant number' of major businesses hit by Backoff malware

Backoff malware is stealing credit card details, according to a
cybersecurity alert
August 22, 2014 05:48 PM ET

IDG News Service - More than 1,000 major enterprise networks and small
and medium businesses in the U.S. have been compromised by a recently
discovered malware package called Backoff and are probably unaware of
it, the U.S. Department of Homeland Security (DHS) said in a
cybersecurity alert on Friday.

Backoff first appeared in October 2013 and is capable of scraping the
memory contents of point of sale systems -- industry speak for cash
registers and other terminals used at store checkouts -- for data swiped
from credit cards, of monitoring the keyboard and logging keystrokes,
and of communicating with a remote server.

"Over the past year, the Secret Service has responded to network
intrusions at numerous businesses throughout the United States that have
been impacted by the "Backoff" malware," the alert said. "Seven PoS
system providers/vendors have confirmed that they have had multiple
clients affected."

The malware is thought to be responsible for the recent data breaches at
Target, SuperValu supermarkets and UPS stores, and the Secret Service is
still learning of new infections.

DHS first warned of Backoff in late July, when it noted the malware was
not detectable by most antivirus software. That made it particularly
difficult to stop, because much of the fight against computer viruses
and malware rests on antivirus applications.

Most antivirus packages now detect Backoff, but DHS is advising network
operators take immediate action to ensure they haven't been affected.

"DHS strongly recommends actively contacting your IT team, antivirus
vendor, managed service provider, and/or point of sale system vendor to
assess whether your assets may be vulnerable and/or compromised," it
said. "The Secret Service is active in contacting impacted businesses,
as they are identified, and continues to work with and support those
businesses that have been impacted by this PoS malware."

In many cases, hackers gained access to machines through brute-force
attacks on remote log-in systems offered through companies like
Microsoft, Apple and Google and other third-party vendors. Once inside,
they were able to copy the malware to the machine and set it capturing
credit card data.

The DHS asked that instances of it are reported to a local Secret
Service field office.

The Target data breach was one of the largest in recent memory,
resulting in tens of millions of credit and debit cards being
compromised. In the last couple of weeks, SuperValu said that at least
180 of its stores had been hit by a data breach and earlier this week
UPS said 51 of its UPS Store locations had been hit.

http://www.computerworld.com/s/article/9250607/US_warns_39_significant_number_39_of_major_businesses_hit_by_Backoff_malware
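The article above says Backoff scrapes POS process memory for swiped card data. The following is an added example, not code from the article, the DHS alert or the malware: it shows what that data looks like in memory (magstripe Track 1 and Track 2 records) and how a responder would scan a memory dump for it, using a Luhn check to discard digit runs that merely resemble a card number. The buffer `SAMPLE_DUMP` is constructed here with the well-known Visa test number; the regexes, function names and the dictionary layout of the hits are my own choices.

```python
import re

# Added example: scan a memory buffer for magstripe track data the way a
# responder would triage a dump from a suspect POS host. Not the malware's
# code; the patterns below follow the ISO 7813 track layouts.

# Track 2: ;PAN=YYMMSSS<discretionary>?   (PAN is 13-19 digits)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1 format B: %BPAN^SURNAME/GIVEN^YYMMSSS<discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^\^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four only, so a report never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes) -> list:
    """Return every track-data hit in buf, ordered by offset.

    Each hit records track type, offset, masked PAN, expiry (MM/YY),
    cardholder name (Track 1 only) and whether the PAN passed Luhn.
    A responder triages on the luhn=True hits."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                     "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",
                     "name": None, "luhn": luhn_ok(pan)})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                     "expiry": f"{m.group(4).decode()}/{m.group(3).decode()}",
                     "name": m.group(2).decode(errors="replace"),
                     "luhn": luhn_ok(pan)})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed process-memory fragment (not a real dump): a Luhn-valid test
# PAN on both tracks, plus a Track 2 record whose check digit is wrong,
# which the Luhn test rejects as a false positive.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"%B4111111111111111^DOE/JOHN^2512101000000000?"
    + b"\x00" * 8
    + b";4111111111111111=2512101000000000?"
    + b"\x00log: 12345 items sold\x00"
    + b";4111111111111112=2512101000000000?"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_DUMP):
        print(hit)
```

Run against a real acquisition you would feed `scan_memory` the process image (or a full RAM capture) in chunks and overlap the chunk boundaries by a track length, so a record straddling two chunks is not missed; the Luhn filter is what keeps the hit list short enough to act on.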

Re: Significant number of major businesses (POS systems) hit by Backoff malware

Virus Guy expressed precisely :

Sure, it's not perfect, but just try detecting this and other malware  
types without it.



Re: Significant number of major businesses (POS systems) hit by Backoff malware

On Sat, 23 Aug 2014 11:38:49 -0400, FromTheRafters wrote:



Looks like he's off his meds again and looking for an argument.

Thane

Re: Significant number of major businesses (POS systems) hit by Backoff malware



I wouldn't mind a good discussion. If only he'd take the time to  
provide one. He seeks perfection when the device itself is incapable of  
it. [g]



--  
I know you tried to show me the light, I feed on the darkness
I've lost control, I'm down in a hole, I'm broken and helpless
The noose is getting tight, so tight, will I make it through the night  
It's time to surrender to myself and crawl out of this hell, the battle  
is in my head, there is nobody else

Re: Significant number of major businesses (POS systems) hit by Backoff malware

Dustin wrote:
  

And all of you continue to ignore, or just plain don't get, my main point.

The price/performance ratio of AV/AM software is a joke.

There were some observers who speculated 6 to 8 years ago (when
polymorphism emerged) that the industry would collapse when IT people
and the organizations they work for would realize the poor performance
of AM software did not justify the expense, after years of being
ingrained into people's heads that AM software was as indispensable to
any PC as the OS itself.

The industry worked hard to silence those people and continue to foster
the belief that their products are a truly critical (and effective!)
part of anyone's PC, from the low-importance home PC to the back-office
enterprise workstation.

And yet time after time, new malware has been able to run on infected
PCs and disable firewalls and any AM/AV software running on those
PCs.  And even more embarrassing, some malware, when up and running and
in control of a machine, downloads and installs free versions of certain
AM/AV software as a third line of defence to retain control of the PC by
preventing other botnets from controlling it.

Since the early 90's, Macro$haft has been able to ingrain and foster the
idea that each new version of Windoze is a "must have" purchase, because
newer is always better - the emperor's new clothes are always woven from
the finest, most expensive threads.  The AM/AV industry has similarly
ingrained themselves into the consciousness of PC owners and IT
administrators, and IT budgets grow accordingly, and we are collectively
no closer to computing security than we were back in late 2001 when
XP-SP0 was unleashed on us.

With the institutionalized use of malware by the "security" agencies of
many countries, with back doors intentionally built into Windoze (and
certain vulnerabilities left unpatched for months if not years) it's
clear that the insecurity of Windoze (at least the NT line) and its
inbred ecosystem (Flash, Acrobat reader, etc) is "by design" and will
continue to be that way, despite all the money spent and the best
efforts (genuine or fake) by the AV/AM software industry.

Re: Significant number of major businesses (POS systems) hit by Backoff malware

It happens that Virus Guy formulated :

LOL.

[...]



Re: Significant number of major businesses (POS systems) hit by Backoff malware



He's at least a decade or more off with his timeframe for poly engines.
[g]




Re: Significant number of major businesses (POS systems) hit by Backoff malware



I didn't ignore anything. You have no valid point.
  

You're a decade or so off on your polymorphic time frame, genius.
  

You have something resembling proof of any of that?
  

Go back and re-read my previous reply to you. AV/AM is retroactive.  
It's unrealistic to think you can detect unknown bad code in all  
cases.
  

Complete bullshit.
  




Re: Significant number of major businesses (POS systems) hit by Backoff malware



Malware authors would have a much easier life if AV/AM products were  
discontinued. Sadly, most viruses of yesteryear could resume activity  
in the wild in that scenario; without any way to detect them...or  
remove them.  

Older malware that's non self replicating that poses no threat to a  
system these days because those products have signatures for it could  
all have new fresh lives too.  

People think malware is a problem now? :) Just imagine a world  
without AV/AM programs, rootkit scanners, etc. The malware wouldn't  
go away with them. More systems/networks would be compromised. Bad  
guys would have a field day.

As you know, a virus is usually much worse than the typical garbage  
people are dealing with these days. Primarily due to the differences  
in cleanup. Viruses don't usually go away if you just delete a file  
and a registry key. heh.




Re: Significant number of major businesses (POS systems) hit by Backoff malware

Dustin wrote on 8/28/2014 :

They wouldn't even need to morph like they need to now. Even the  
self-polymorphic old-style viruses wouldn't need to do that - no more  
polymorphic engines - making malware piss-easy to write and distribute.


Even automatically distributed malware using server side polymorphism
will get more attention (and as a result, detection) by AV/AM than
malware used in more targeted attacks like the one mentioned. Why
someone as clueless as he is continues to use the nym "Virus Guy" is
beyond comprehension - as is "Spam Guy" who can't read headers.



Re: Significant number of major businesses (POS systems) hit by Backoff malware

FromTheRafters used improper usenet message composition style by
unnecessarily full-quoting:


Which headers would those be?

Re: Significant number of major businesses (POS systems) hit by Backoff malware

Virus Guy brought next idea :

The one where he (you) flat out accused zscaler of spamming.



Zscaler spam (was: Significant number of major businesses...)

FromTheRafters wrote:


==============
Subject: Is zscaler known to be a spammer or spam-relay? (because it is)
Date: Sun, 02 Jun 2013 19:26:09 -0400
Newsgroups: news.admin.net-abuse.email


Received:
from qtn1a-out-s6.mail.zscaler.net ([216.218.133.250]) by
my_server.my_domain.tld with ESMTP id AAA183 for
Sat, 1 Jun 2013 16:40:05 -0400
================



216.218.133.250 = qtn1a-out-s6.mail.zscaler.net

How can you not see zscaler in that?

======================

As far as I can tell, you never did reply to that.

That mail was received directly from 216.218.133.250, which is (as I've
already pointed out) operated by zscaler.

I've been looking at 10's of thousands of spam headers for the past 15
years, so don't god-damn tell me I don't know how to read them.

Instead of being an apologist for zscaler, why don't you go get a clue
and tell me why my server received that spam from them.

Re: Zscaler spam (was: Significant number of major businesses...)

Virus Guy presented the following explanation :

http://216.218.133.250.ipaddress.com/

*Not* zscaler. Not then, and not now.



Re: Zscaler spam (was: Significant number of major businesses...)




That info is from a whois lookup, which only tells you which ISP owns
the IP address, not who is using it.

[dave@x3 ~]$ host 216.218.133.250
250.133.218.216.in-addr.arpa is an alias for 250.192-26.133.218.216.in-addr.arpa.
250.192-26.133.218.216.in-addr.arpa domain name pointer qtn1a-out-s6.mail.zscaler.net.
[dave@x3 ~]$ host qtn1a-out-s6.mail.zscaler.net
qtn1a-out-s6.mail.zscaler.net has address 216.218.133.250

For a change, I have to actually agree with Virus Guy.

Regards, Dave Hodgins

--  
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Zscaler spam (was: Significant number of major businesses...)

It happens that David W. Hodgins formulated :

Or abusing it?


So, you're saying that the entire "Received: " header is legitimate and  
zscaler was indeed spamming?

I'm saying that the IP# in the square brackets is legitimate - and one  
has to work back from there to see where it goes afoul - if it does  
indeed go afoul.

In your opinion, just how much of an e-mail header can be trusted to  
have no bogus information?



Re: Zscaler spam (was: Significant number of major businesses...)

FromTheRafters wrote:
  

What kind of bone-head are you, exactly?

While some of the Received: lines in a header can be forged, you always
have the very last Received line that is generated by your own server
telling you the IP of the machine that handed it the mail.

Which in this case was 216.218.133.250.


If the machine that connected to your server to deliver mail to your
account is a "legit" server, then you can always trust the next received
line (if there is one) and possibly all other received lines (if there
are any).


In the original thread, zscaler was accused of being either a spammer or
being used as a spam-relay:

===========
Subject: Is zscaler known to be a spammer or spam-relay? (because it is)
===========

That accusation was based on examination of the header.

The deduction that the mail originated from (or was relayed by) Zscaler
was correct.  The subject line was correctly phrased.  Your
understanding and interpretation of the situation was (and apparently,
still is) flawed.
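The rule argued in the posts above (the Received: line your own MTA stamped is the one you can trust, and each line below it is only as credible as the server that claims to have written it) is mechanical enough to code. The following is an added example, not from any poster: it parses a constructed message whose topmost Received: line is the one quoted in the thread, with a relay hop, an origin hop, the "for <...>" recipient and the remaining headers made up (RFC 5737 and private address space), and labels each hop according to that rule. The function names and the hop dictionary layout are my own.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message. Only the first Received: line comes from the thread;
# the hops below it, the recipient and the other headers are invented here.
RAW_MESSAGE = (
    "Received: from qtn1a-out-s6.mail.zscaler.net ([216.218.133.250])\n"
    "    by my_server.my_domain.tld with ESMTP id AAA183\n"
    "    for <user@my_domain.tld>; Sat, 1 Jun 2013 16:40:05 -0400\n"
    "Received: from mail.example.net (unknown [10.0.0.5])\n"
    "    by qtn1a-out-s6.mail.zscaler.net with SMTP;\n"
    "    Sat, 1 Jun 2013 16:39:58 -0400\n"
    "Received: from [192.0.2.77] (helo=desktop)\n"
    "    by mail.example.net with ESMTP; Sat, 1 Jun 2013 16:39:50 -0400\n"
    "From: sender@example.net\n"
    "To: user@my_domain.tld\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)


def parse_received(raw: str) -> list:
    """Return the Received: hops topmost first.

    Hop 0 is the line added last, by the MTA that finally accepted the
    mail; the bracketed IP in it is the TCP peer that MTA actually saw.
    The 'from' name is whatever the peer said in HELO or what the MTA
    resolved, so it is the IP, not the name, that is the hard fact."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        clause, sep, date_part = text.rpartition(";")
        if not sep:
            clause, date_part = text, ""
        by_m = BY_RE.search(clause)
        from_part = clause[:by_m.start()] if by_m else clause
        from_m = FROM_RE.search(from_part)
        ip_m = IP_RE.search(from_part)
        try:
            when = parsedate_to_datetime(date_part.strip())
        except (ValueError, TypeError):
            when = None
        hops.append({
            "from_host": from_m.group(1) if from_m else None,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by_m.group(1) if by_m else None,
            "date": when,
        })
    return hops


def peer_ip(hops: list) -> str:
    """The address that handed the mail to our server: the only IP in the
    whole chain that our own logs can vouch for."""
    return hops[0]["ip"] if hops else None


def trust_chain(hops: list, my_mta: str, trusted_relays=frozenset()) -> list:
    """Label each hop 'trusted' or 'unverified'.

    Hop 0 is trusted when our own MTA wrote it. Hop k>0 is accepted only
    when the chain is still intact, the host that handed us hop k-1 is one
    we are willing to believe, and that same host claims to have written
    hop k. Once a hop fails, everything below it is unverified, since a
    dishonest relay can forge any number of plausible lines beneath its own."""
    relays = {r.lower() for r in trusted_relays}
    labels = []
    chain_intact = False
    for k, hop in enumerate(hops):
        if k == 0:
            ok = hop["by"] is not None and hop["by"].lower() == my_mta.lower()
        else:
            prev_sender = hops[k - 1]["from_host"]
            ok = (chain_intact
                  and prev_sender is not None
                  and prev_sender.lower() in relays
                  and hop["by"] is not None
                  and hop["by"].lower() == prev_sender.lower())
        chain_intact = ok
        labels.append("trusted" if ok else "unverified")
    return labels


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    print("peer that delivered to us:", peer_ip(hops))
    for hop, label in zip(hops, trust_chain(hops, "my_server.my_domain.tld")):
        print(label, hop)
```

With no relays in the trusted set, only hop 0 comes out trusted, which is exactly Virus Guy's point that the delivering IP (216.218.133.250) is certain. Adding the zscaler host to `trusted_relays` extends trust one hop down, which is FromTheRafters's question in practice: you can only believe where zscaler got the mail from if you are prepared to believe zscaler's own stamp.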

Re: Zscaler spam (was: Significant number of major businesses...)

Virus Guy has brought this to us :

Okay, so Hurricane Electric is legit, I see that. But does that mean  
everything it tells you can be trusted?

http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html

Short of contacting them personally and providing complete headers can  
you really be sure where *they* got that e-mail spam from?


Okay, I'll buy that. I'm wrong about you not being able to read  
headers, and I apologize. Does it bother you when someone who doesn't  
know what he is talking about continually argues with you when you *do*  
know what you're talking about - like you've been doing for years  
regarding viruses, malware, and AV/AM programs?



Re: Zscaler spam

FromTheRafters wrote:

That was magnanimous of you FTR. Good to read! Bravo Zulu! :-)


Now then, I don't want to interfere ..... BUT

How can anyone posting in these newsgroups be certain that YOU know  
about such matters if you have never explained *HOW* you have gained  
such knowledge, nor how you keep up to date?

Perhaps Virus Guy would be more understanding if folk (in general) were  
more open and honest with him (and BD!)

--  
First they ignore you, then they laugh at you, then they fight you, then  
you win.


Re: Zscaler spam

~BD~ formulated the question :

[...]


There is no certainty about that, but I'm sure if I went to NANAE and  
bloviated such crap for years with everybody telling me I was wrong and  
all I would do in response was tell them that *they* are all wrong - I  
would be as annoying as VG is in the virus related groups.


It started out that way, but he has never given anybody any reason to  
continue trying to help him to understand matters. It's not just a few  
people telling him he's wrong - it's practically everybody, and he  
continues to spew his crap.

Maybe he is more respectable and respectful in other groups, I just  
don't know.


