Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Community Blog

Trojan.Backoff: Support Perspective

Created: 01 Aug 2014 • Updated: 28 Aug 2014
Brandon Noble's picture
+1 1 Vote
Login to vote

Security Response is aware of an alert from US-CERT regarding a threat they are calling Backoff. This threat family is reported to target Point of Sale machines with the purpose of logging key strokes and scraping memory for data (like credit card info) and then exfiltrating the data to the attacker.

Symantec Security Response is currently investigating this threat family and is working to obtain samples that were mentioned in the IOC section of the CERT alert. All detections for threat files have been, or will, be mapped to: Trojan.Backoff

Detection information:
AV:      Trojan.Backoff – available in RR def 20140731.025 (156267)
IPS:     System Infected: Trojan.Backoff Activity
XPE:    W32/Trojan3.JRS

Information on US-CERT alert:
The impact of a compromised PoS system can affect both the businesses and consumer by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.
 
SEP for XP Embedded:
SSEP 5.1 for XPE is reaching its End of Support Life on 10/15/2014 but is still in use on a significant number of PoS devices around the world.  This legacy product only updates its definitions once per week- and uses a def set and naming convention different from SEP 12.1
We recommend that customers still using SSEP 5.1 for XPE should migrate to SEP 12.1 for more complete coverage.

Additional reading:

•    US-CERT Alert:
http://www.us-cert.gov/ncas/alerts/TA14-212A

•    Windows XP Embedded Support in Symantec Endpoint Protection (SEP) 11 vs. Sygate Symantec Endpoint Protection (SSEP) 5.1
http://www.symantec.com/docs/TECH91152

•    Symantec Endpoint Protection support for embedded operating systems
http://www.symantec.com/docs/TECH106027

•    Trojan Backoff: A new point-of-sale threat emerges
https://www-secure.symantec.com/connect/blogs/trojan-backoff-new-point-s...

Change Log:

8-28 - Updated to include Response Blog and IPS defs