Identifying BlackPOS Infected Hosts
Over the last month there has been a significant amount of press and industry coverage of the Target data breach, in which malicious software was installed on point-of-sale (POS) terminals and personal and financial information was stolen from Target's customers. Brian Krebs posted two articles ( & ) about specific malware samples used in the breach, identifying a malware package known as BlackPOS as one of the tools used.
Additional analysis of BlackPOS by CrowdStrike identified the components of BlackPOS that were used in the Target breach to steal information, and more specifically the use of FTP to three different IP addresses:
With these IP addresses now published, it is unlikely that they will continue to be used by BlackPOS, but it is still possible to leverage the Lancope StealthWatch System and use this information to identify hosts that were infected by BlackPOS in the past (and are likely still infected).
The first step in StealthWatch is to create a Host Group for the suspicious addresses and configure a Host Lock Violation alarm to fire in case there is any future communication with these known-bad IP addresses.
Figure 1- Create a Host Group
Figure 2- Create a Host Lock Violation Rule
Now we can check whether any hosts in the environment have communicated with these known-bad BlackPOS IP addresses in the last 3 months by running a Flow Query:
The above query will return all flows in the last 3 months between any host inside your environment (for example POS terminals) and the identified BlackPOS IP addresses. This information can then be used to identify all infected hosts and assist in the quick mitigation of the breach.
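The same two checks (the per-flow Host Lock Violation rule and the 3-month Flow Query) expressed over exported flow records, as an added example that is not Lancope or StealthWatch code and is not from the original post. The three BlackPOS addresses are not reproduced here: `KNOWN_BAD_IPS` holds placeholders from the RFC 5737 documentation ranges, `INTERNAL_NETS` assumes the POS network uses RFC 1918 space, and `FLOW_LOG` is a constructed CSV sample (start,src,dst,dst_port,proto,bytes). Substituting the real addresses and an actual flow export is all that changes for a real run.

```python
"""Flag internal hosts that have exchanged flows with known-bad addresses.

Added example, not Lancope or StealthWatch code. KNOWN_BAD_IPS holds
placeholders (RFC 5737 ranges) standing in for the published BlackPOS IPs;
FLOW_LOG is a constructed sample in a simple CSV layout.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Placeholders standing in for the published BlackPOS IP addresses.
KNOWN_BAD_IPS = {"192.0.2.10", "198.51.100.20", "203.0.113.30"}

# Address space treated as "inside" (e.g. the POS network); assumed RFC 1918.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records: two POS hosts talk FTP to placeholder bad IPs
# inside the window, one did so outside the window, one talks HTTPS elsewhere.
FLOW_LOG = """\
2014-01-10T02:15:00,10.20.30.41,192.0.2.10,21,tcp,1400
2014-01-10T02:15:04,10.20.30.41,192.0.2.10,20,tcp,528000
2014-01-11T03:00:00,10.20.30.42,198.51.100.20,21,tcp,900
2013-09-01T12:00:00,10.20.30.99,203.0.113.30,21,tcp,700
2014-01-12T10:00:00,10.20.30.43,198.51.100.99,443,tcp,30000
"""

# Constructed "current time" for the 3-month (90-day) lookback.
NOW = datetime(2014, 1, 20, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    dst: str
    dst_port: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one CSV record; timestamps are taken as UTC."""
    start, src, dst, port, proto, nbytes = line.strip().split(",")
    return Flow(datetime.fromisoformat(start).replace(tzinfo=timezone.utc),
                src, dst, int(port), proto, int(nbytes))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def inside_peer(flow: Flow, bad_ips: set[str]) -> str | None:
    """Return the internal endpoint if the other endpoint is a known-bad IP."""
    if flow.dst in bad_ips and is_internal(flow.src):
        return flow.src
    if flow.src in bad_ips and is_internal(flow.dst):
        return flow.dst
    return None


def host_lock_violation(flow: Flow, bad_ips: set[str]) -> bool:
    """Per-flow check in the spirit of the Host Lock rule: alarm on any contact."""
    return inside_peer(flow, bad_ips) is not None


def analyse(flow_log: str, bad_ips: set[str], now: datetime,
            lookback_days: int = 90) -> dict:
    """Batch equivalent of the Flow Query: summarise contact per internal host."""
    cutoff = now - timedelta(days=lookback_days)
    report = {}
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.start < cutoff:
            continue
        host = inside_peer(flow, bad_ips)
        if host is None:
            continue
        rec = report.setdefault(host, {"peers": set(), "flows": 0, "bytes": 0, "ftp": False})
        rec["peers"].add(flow.dst if host == flow.src else flow.src)
        rec["flows"] += 1
        rec["bytes"] += flow.nbytes
        # FTP control (21) or active-mode data (20): the exfiltration method named above.
        if flow.proto == "tcp" and flow.dst_port in (20, 21):
            rec["ftp"] = True
    return report


if __name__ == "__main__":
    for host, rec in sorted(analyse(FLOW_LOG, KNOWN_BAD_IPS, NOW).items()):
        print(f"{host}: {rec['flows']} flow(s), {rec['bytes']} bytes, "
              f"ftp={rec['ftp']}, peers={sorted(rec['peers'])}")
```

With the constructed sample, `analyse` reports 10.20.30.41 and 10.20.30.42 as having contacted the placeholder addresses over FTP within the window, while 10.20.30.99 is dropped because its contact predates the 90-day cutoff. The byte count per host is kept because an FTP session that moved hundreds of kilobytes out of a POS segment is a stronger indication of exfiltration than a single control-channel connection.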
For more information about using the StealthWatch System to help secure POS environments see: