US-CERT Backoff Malware Announcement

According to the U.S. Department of Homeland Security, the Point of Sale (PoS) malware attack that hit Target in the recent breach is more prevalent than previously thought. Over 1000 U.S. businesses are estimated to have been victims of malware named “Backoff”, a PoS malware that steals customer credit card numbers and other confidential information.

US-CERT, the United States Computer Emergency Response Team, released an alert on July 31st telling companies to check their systems for the Backoff malware. Until that point, the malware had gone virtually undetected. After this announcement, UPS disclosed that some of its stores had been affected by the same PoS malware. According to The New York Times, 7 retailers running PoS systems have so far detected Backoff infections, of which only The UPS Store and Supervalu have come forward with the information.

How does Backoff work?

The hackers first attempt to log in to the companies’ private systems using publicly available remote desktop tools such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2, Pulseway, and LogMeIn. These tools let a user connect to a remote system and control it from a different location.

Once the hackers located these remote desktop applications on the victims’ computers, they used brute-force techniques, in which a computer guesses username/password combinations at high speed until one of them succeeds. Once the hackers gained access to an administrator’s account, they were able to install the PoS malware on the company’s systems, which then sent customer data to the hackers in an encrypted POST request (a web request that carries data from one system to another).
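As an added example (not from the article or from US-CERT), the following Python flags the pattern described above, a burst of failed remote-desktop logins from one source followed by a successful login, over a few constructed log lines. The simplified log format, the IP addresses and the usernames are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified "timestamp user source-ip result"
# format for remote-desktop logins; not real data.
SAMPLE_LOG = """\
2014-07-30T02:14:01 admin 203.0.113.45 FAIL
2014-07-30T02:14:02 admin 203.0.113.45 FAIL
2014-07-30T02:14:02 administrator 203.0.113.45 FAIL
2014-07-30T02:14:03 pos 203.0.113.45 FAIL
2014-07-30T02:14:03 admin 203.0.113.45 FAIL
2014-07-30T02:14:04 admin 203.0.113.45 FAIL
2014-07-30T02:14:05 admin 203.0.113.45 SUCCESS
2014-07-30T09:00:10 clerk 192.0.2.10 FAIL
2014-07-30T09:00:25 clerk 192.0.2.10 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Yield (time, user, src, ok) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, result = m.groups()
            yield datetime.fromisoformat(ts), user, src, result == "SUCCESS"


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: user} for sources with at least `threshold` failed logins
    inside `window` immediately before a successful login."""
    failures = defaultdict(list)  # src -> timestamps of recent failures
    hits = {}
    for ts, user, src, ok in parse_log(text):
        recent = [t for t in failures[src] if ts - t <= window]
        if ok:
            if len(recent) >= threshold:
                hits[src] = user  # account the attacker finally got into
            failures[src] = []    # a success resets the counter for that source
        else:
            recent.append(ts)
            failures[src] = recent
    return hits


if __name__ == "__main__":
    for src, user in detect_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute-force login from {src} as {user}")
```

The clerk who mistyped a password once is not reported; only the source that failed six times in a few seconds and then logged in as admin is.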

The Backoff malware gathered information in the following ways:

Memory Scraping

The malware analyzed memory on the PoS systems, and once it found data, it sent the data to the hackers in an encrypted format.

Keylogging

Keylogging is a method in which keystrokes (button presses on a keyboard) are recorded. The Backoff malware recorded keystrokes and stored them in a log file that, at first glance, looked like the log file of a normal Java installation.

Explorer.exe Injection

Explorer.exe is a core process that runs on Windows computers. The malware attempted to inject its own malicious code into this process. If it detects that the malware is for some reason no longer running, the injected code decrypts and reinstalls it, making the infection persistent.

Command and Control (C&C), aka the “Botnet Master”

Malware installations generally communicate with a master server, known as the Command & Control server. The Backoff malware sent customer data at regular intervals to the server that controlled it. Because the investigation is still ongoing, investigators are not releasing the locations of these servers.

How does this affect you?

Variations of the Backoff PoS malware have been seen since as early as October 2013. This means that your data may have been compromised as early as that date, and specifics won’t be known until companies scan their systems for the Backoff malware as suggested by US-CERT.

Until then, it is suggested that you request new credit/debit cards in case your information was compromised.
