Backoff Malware: The Reason Why You See So Many Data Breach Headlines


Target, Neiman Marcus, Michaels, Sally Beauty, Hilton, Sheraton, Marriott, and Westin. P.F. Chang’s, Goodwill, and just yesterday, Jimmy John’s.

Names that have appeared on your monthly statement? Let’s hope not. These are all restaurants and retailers that have fallen victim to point-of-sale data breaches in just the last 8 months, and the list is not exhaustive.

A report from the United States Computer Emergency Readiness Team (US-CERT) has now shed light on how many of these breaches, and apparently more than 1,000 like them affecting smaller businesses across the U.S., were carried out. The culprit has a name: Backoff malware.

According to US-CERT, the attackers’ strategy has been to use publicly available (and legal) scanning software to locate point-of-sale systems that expose remote desktop applications from Microsoft, Apple, Google, and others to the internet. Once such systems are located, their logins are brute forced* until administrative access is achieved. Once logged on with admin rights, it’s then only a matter of installing Backoff and letting the malware do what it was designed to do: scraping RAM for unencrypted credit card data, logging keystrokes, connecting to a command and control server, and injecting a malicious stub into explorer.exe to ensure the malware’s persistence.
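The entry vector US-CERT describes, a burst of failed remote desktop logons followed by a successful one, is visible in the Windows Security log of the POS host itself. The detector below is an added example, not code from the original post, from Emsisoft, or from the US-CERT alert. It walks a handful of constructed event records (the field names, the sample IP addresses and the usernames are all assumptions for the example) and flags any source address that produced a threshold of failed logons (Event ID 4625) inside a sliding window, noting when a successful RDP logon (Event ID 4624, logon type 10) from the same source followed the burst. One caveat worth building in: with Network Level Authentication enabled, failed RDP attempts are recorded with logon type 3 rather than 10, so the failure filter accepts both.

```python
"""Flag RDP brute-force bursts in Windows Security log events.

Added example for illustration; not the original post's code and not a
US-CERT or Emsisoft tool. Event records are constructed, not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Windows Security: an account failed to log on
SUCCESSFUL_LOGON = 4624   # Windows Security: an account was successfully logged on
RDP_INTERACTIVE = 10      # logon_type 10 = RemoteInteractive (an RDP session)
# Failed RDP attempts appear as type 10, or as type 3 (Network) when NLA is on.
RDP_FAILURE_TYPES = {3, 10}

# Constructed sample records (assumed field layout, as a SIEM might extract it).
SAMPLE_EVENTS = [
    # attacker at 203.0.113.7 walks a short username/password list, then gets in
    {"time": "2014-09-25 02:14:01", "id": 4625, "user": "admin",         "src": "203.0.113.7", "logon_type": 3},
    {"time": "2014-09-25 02:14:03", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 3},
    {"time": "2014-09-25 02:14:05", "id": 4625, "user": "pos",           "src": "203.0.113.7", "logon_type": 3},
    {"time": "2014-09-25 02:14:08", "id": 4625, "user": "posuser",       "src": "203.0.113.7", "logon_type": 3},
    {"time": "2014-09-25 02:14:10", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 3},
    {"time": "2014-09-25 02:14:12", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 3},
    {"time": "2014-09-25 02:14:15", "id": 4624, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    # store manager mistypes a password twice from the back office, then logs in
    {"time": "2014-09-25 08:01:40", "id": 4625, "user": "manager", "src": "192.0.2.10", "logon_type": 3},
    {"time": "2014-09-25 08:01:55", "id": 4625, "user": "manager", "src": "192.0.2.10", "logon_type": 3},
    {"time": "2014-09-25 08:02:10", "id": 4624, "user": "manager", "src": "192.0.2.10", "logon_type": 10},
    # slow drip: six failures spread over an hour, never five inside one window
    {"time": "2014-09-25 09:00:00", "id": 4625, "user": "root", "src": "198.51.100.5", "logon_type": 3},
    {"time": "2014-09-25 09:12:00", "id": 4625, "user": "root", "src": "198.51.100.5", "logon_type": 3},
    {"time": "2014-09-25 09:24:00", "id": 4625, "user": "root", "src": "198.51.100.5", "logon_type": 3},
    {"time": "2014-09-25 09:36:00", "id": 4625, "user": "root", "src": "198.51.100.5", "logon_type": 3},
    {"time": "2014-09-25 09:48:00", "id": 4625, "user": "root", "src": "198.51.100.5", "logon_type": 3},
    {"time": "2014-09-25 10:00:00", "id": 4625, "user": "root", "src": "198.51.100.5", "logon_type": 3},
]


def _ts(rec):
    return datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: finding} for each source with >= threshold failed
    logons inside a sliding window. A finding records the peak failure count,
    the usernames tried in that window, and the account a subsequent
    successful RDP logon used (None if the burst never succeeded)."""
    recent = defaultdict(list)   # src -> [(timestamp, username)] still inside the window
    findings = {}
    for rec in sorted(events, key=_ts):
        src, when = rec["src"], _ts(rec)
        if rec["id"] == FAILED_LOGON and rec["logon_type"] in RDP_FAILURE_TYPES:
            bucket = recent[src]
            bucket.append((when, rec["user"]))
            # slide the window: drop failures older than `window` relative to this one
            while when - bucket[0][0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold:
                f = findings.setdefault(src, {"failures": 0, "usernames": [], "success_as": None})
                f["failures"] = max(f["failures"], len(bucket))
                f["usernames"] = sorted({u for _, u in bucket})
        elif (rec["id"] == SUCCESSFUL_LOGON and rec["logon_type"] == RDP_INTERACTIVE
              and src in findings):
            # a successful RDP session right after a tripped burst is the case
            # that matters most: the attacker is now logged on interactively
            last_failure = recent[src][-1][0]
            if when - last_failure <= window:
                findings[src]["success_as"] = rec["user"]
    return findings


if __name__ == "__main__":
    for src, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        status = f"SUCCEEDED as {f['success_as']}" if f["success_as"] else "no success seen"
        print(f"{src}: {f['failures']} failures, users {f['usernames']}, {status}")
```

On a real log the same logic runs over 4625/4624 records exported from the Security channel; the threshold and window are tuning knobs, and the slow-drip case above shows why a burst detector alone is not enough, since an attacker pacing attempts to stay under the lockout policy will also stay under the window.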

US-CERT’s analysis was the product of a coordinated effort with a number of U.S. entities, including the Secret Service. Hopefully, all their hard work will help to stem the ridiculous slew of POS data breach headlines we’ve all (unfortunately) gotten used to.

Have a great (data-breach-free) day!

Additional Resources

  • US-CERT alert – technical overview and defense measures for businesses/retailers
  • New York Times – less computer lingo and more big picture understanding
  • Emsisoft Knowledgebase – more on POS intrusions, RAM scraping, and BlackPOS
  • Curious how Emsisoft interacts with Backoff? Our signature database currently detects two of the malware’s most prevalent variants: 1.55 backoff and 1.55 goo.

* Brute forcing is when an attacker uses an automated program to guess login credentials. Brute force programs work through dictionaries of weak and common usernames and passwords.