back caretBlog

Detect and Track HTTP-based C&C Traffic for Backoff Malware

Roughly 1,000 retail companies have been impacted by the Backoff point-of-sale malware with costs related to data breaches totaling more than $150 million, according to a recent eWEEK article. If your organization relies on point-of-sale terminals, the best approach is to assume that your systems are already compromised and to look for malicious activity within your network.

Read the U.S. CERT advisory on Backoff, including capabilities and mechanisms.
To help IT organizations in this effort, I have created a bundle (a simple extension to the ExtraHop platform) that detects and tracks the HTTP-based command-and-control (C&C) traffic for the Backoff malware family. I used the code snippet provided by SpiderLabs to write the Application Inspection Trigger included in the bundle. The trigger parses the [HTTP payload](/resources/protocols/http/) and detects the RC4 and MD5 data fields used to encrypt stolen data and hash the password. This bundle cannot be guaranteed to detect every Backoff variant, but should detect a majority of the variants. The bundle also includes an alert and a custom dashboard for tracking infected systems, IP addresses of C&C servers, and C&C messages.

Why ExtraHop's Solution Is Unique

Backoff malware uses HTTP for command-and-control communications, such as this HTTP POST message with stolen data encrypted.

Backoff malware uses HTTP for command-and-control communications, such as this HTTP POST message with stolen data encrypted.

The ExtraHop solution for detecting Backoff malware can be implemented in minutes, requires no agents, and will not affect production systems apart from the ExtraHop appliance. Moreover, once Backoff activity is identified, the ExtraHop platform provides an excellent source of data for forensic investigation, enabling you to understand the context of the infiltration, including which systems are involved and what data was targeted for exfiltration.

For these reasons, the ExtraHop platform is an excellent complement to traditional methods of detecting malware such as Backoff, namely, antimalware software running on end points and inline intrusion detection systems (IDS) that rely on vendor-provided malware signatures.

Explore ExtraHop's ability to detect the cause and impact of data breaches in our free, interactive online demo.

ExtraHop Reveal(x) Live Activity Map

Stop Breaches 87% Faster

Investigate a live attack in the full product demo of ExtraHop Reveal(x), network detection and response, to see how it accelerates workflows.

Start Demo

Sign Up to Stay Informed