In a blog post from Monday, 3 November 2014, researchers at Fortinet announced that they had recently come across a new version of the notorious Backoff PoS malware, called ROM. The new version is noticeably more refined than the previous ones.
While the older versions were much alike, ROM is designed to better evade analysis of an infected machine. The latest Backoff version, whose technical name is W32/Backoff.B!tr.spy, no longer writes a version number to its log file; this has been replaced by the word “ROM”.
To make sure it is constantly running, the malware creates a series of registry entries during installation so that it starts automatically with the system. The newest version is no different from the others in this respect, but instead of being disguised as a Java component, this time it poses as part of the Windows Media Player program under the name mplayerc.exe. In addition, unlike the previous versions, which copied themselves with the CopyFileA API, this one launches itself through the WinExec API.
ROM’s functionality for extracting credit card information remains much the same, but two further steps have been added: Track 1, parsing the information, and Track 2, storing the data on the infected machine. In Track 1 the process names are disguised as hash values, and in Track 2 the data is stored on the local machine.
Like its previous version, ROM skips parsing certain processes, but instead of comparing process names against a plain-text blacklist in its code, it now uses a table of hash values. Once the comparison is made, it saves the credit card information to an encrypted file at the Windows path %AppData%\Media Player Classic\locale.dat.
Before sending the file to the command and control server, the malware first checks whether the saved file exists on the infected machine. If it does, it encrypts the file and places it in a POST request.
The way the newest version communicates with its command and control server has changed as well. It talks to the server over port 443, with all traffic encrypted, which makes it very hard to detect. The names in the data requests have also changed, some of them additionally being Base64 encoded. These are the main components the malware now concatenates:
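The hashed blacklist described above is what makes a strings-based triage of the sample come up empty: the process names never appear in the binary, only their hash values do. The following Python is an added example (not Fortinet's code or anything taken from the sample) that models such a check and, more usefully for an analyst, shows how the names are recovered by hashing a dictionary of candidate process names against the table pulled from the binary. The article does not say which hash function ROM uses, so 32-bit FNV-1a and the skipped names are assumptions chosen for illustration.

```python
"""Hashed process-name blacklist and analyst-side name recovery.

Added example. ROM's real hash function is not given in the article;
FNV-1a (32-bit) over the lowercased name is an ASSUMPTION used here.
"""


def fnv1a32(name: str) -> int:
    """32-bit FNV-1a over the lowercased process name (assumed algorithm)."""
    h = 0x811C9DC5
    for b in name.lower().encode("ascii", errors="replace"):
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h


# Constructed list of names the sample would skip. Only their hashes are
# kept in SKIP_TABLE, which is all a disassembly would show.
SKIPPED_NAMES = ["explorer.exe", "svchost.exe", "csrss.exe"]
SKIP_TABLE = frozenset(fnv1a32(n) for n in SKIPPED_NAMES)


def should_scrape(process_name: str) -> bool:
    """Model of the check: a process is scraped unless its name hash is listed.
    Comparison is case-insensitive because the hash is taken over the
    lowercased name."""
    return fnv1a32(process_name) not in SKIP_TABLE


def recover_names(table, candidates):
    """Analyst side: hash every candidate name and keep those whose hash
    appears in the table. Returns {hash: name}."""
    return {fnv1a32(c): c for c in candidates if fnv1a32(c) in table}


def unknown_hashes(table, candidates):
    """Hashes in the table that no candidate name explains; these need a
    larger dictionary or a different hash guess."""
    return set(table) - set(recover_names(table, candidates))


if __name__ == "__main__":
    # Constructed candidate dictionary; a real one would list hundreds of
    # common Windows and PoS process names.
    candidates = ["explorer.exe", "svchost.exe", "csrss.exe",
                  "lsass.exe", "pos.exe"]
    for h, name in sorted(recover_names(SKIP_TABLE, candidates).items()):
        print(f"0x{h:08x} -> {name}")
    print("unexplained:", unknown_hashes(SKIP_TABLE, candidates))
```

If `unknown_hashes` is non-empty after a large dictionary has been tried, the hash guess is usually wrong rather than the dictionary, so the next step is to lift the actual routine from the binary and re-run the same candidate list through it.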
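The two host indicators the article gives, a process named mplayerc.exe and an encrypted store at %AppData%\Media Player Classic\locale.dat, are cheap to check across an estate from endpoint telemetry. The Python below is an added example, not Fortinet's tooling, that scans constructed process-creation and file-creation events for both and reports users on which the two indicators coincide. The `kind|field=value` event format and the sample lines are constructed for the example; %AppData% is taken to expand to the user's Roaming folder.

```python
"""Host-side check for the ROM indicators named in the article.

Added example with constructed input. The event line format is an
ASSUMPTION, not any real telemetry format.
"""
import re
from dataclasses import dataclass

# Constructed telemetry: one event per line, "kind|field=value|...".
SAMPLE_EVENTS = [
    "proc|image=C:\\Program Files\\MPC-HC\\mpc-hc.exe|user=alice",
    "proc|image=C:\\Users\\bob\\AppData\\Roaming\\mplayerc.exe|user=bob",
    "file|path=C:\\Users\\bob\\AppData\\Roaming\\Media Player Classic\\locale.dat|user=bob",
    "file|path=C:\\Users\\alice\\Documents\\notes.txt|user=alice",
]

# %AppData% normally expands to ...\AppData\Roaming; match case-insensitively.
LOCALE_DAT_RE = re.compile(
    r"\\AppData\\Roaming\\Media Player Classic\\locale\.dat$", re.IGNORECASE
)


@dataclass
class Finding:
    user: str
    kind: str       # "proc" or "file"
    reason: str
    evidence: str


def parse_event(line: str) -> dict:
    """Split 'kind|k=v|k=v' into a dict; the kind is stored under 'kind'."""
    kind, *fields = line.rstrip("\n").split("|")
    event = {"kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def check_events(lines):
    """Return one Finding per event that matches a ROM host indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["kind"] == "proc":
            basename = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if basename == "mplayerc.exe":
                findings.append(Finding(ev.get("user", "?"), "proc",
                                        "process named mplayerc.exe (ROM persistence name)",
                                        ev["image"]))
        elif ev["kind"] == "file":
            if LOCALE_DAT_RE.search(ev.get("path", "")):
                findings.append(Finding(ev.get("user", "?"), "file",
                                        "ROM card-data store path",
                                        ev["path"]))
    return findings


def correlate(findings):
    """Users for whom both the process and the file indicator were seen."""
    kinds_by_user = {}
    for f in findings:
        kinds_by_user.setdefault(f.user, set()).add(f.kind)
    return {u for u, kinds in kinds_by_user.items() if kinds == {"proc", "file"}}


if __name__ == "__main__":
    found = check_events(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.user}] {f.reason}: {f.evidence}")
    print("both indicators:", correlate(found))
```

The process-name match on its own is only a lead, since the legitimate Media Player Classic binary carries that name too; the file path is the stronger of the two, and a user showing both warrants pulling locale.dat and the running image for analysis.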
- Hard-coded string
- Randomly generated seven-character code
- One more hard-coded string
- The username and the computer name
The server’s responses have changed as well. Where previous versions used simple, readable commands, these are now replaced by single bytes: for example, the previous version’s “Update” is now “0x01”, and so on. The full list of new responses can be found in Fortinet’s blog post.
Keylogging, one of Backoff’s key features in older versions, is not present in ROM, but it may reappear in a future version of the malware.
We advise all our readers to keep their anti-virus software up to date and to follow security update articles for news.