Identifying BlackPOS Infected Hosts by Matt Robertson


Over the last month there has been a significant amount of press and industry coverage of the Target data breach, in which malicious software was installed on point-of-sale (POS) terminals and personal and financial information was stolen from Target's customers. Brian Krebs posted two articles ([1] and [2]) about specific malware samples used in the breach, identifying a malware package known as BlackPOS as one of the tools used in the breach.

Additional analysis of BlackPOS by CrowdStrike [3] identified the components of BlackPOS used in the Target data breach to steal information, and more specifically the use of FTP to move the stolen data to three different IP addresses:

199.188.204.182

50.87.167.144

63.111.113.99

Now that these IP addresses have been published it is unlikely that they will continue to be used by BlackPOS, but the historical flow data retained by the Lancope StealthWatch System still allows this information to be used to identify hosts that communicated with them in the past (and are therefore likely still infected).

The first step in StealthWatch is to create a Host Group containing these suspicious addresses and a Host Lock Violation rule for that group, so that an alarm fires if any host communicates with these known-bad IP addresses in the future.

Figure 1 - Create a Host Group

Figure 2 - Create a Host Lock Violation Rule

Now we can check whether any hosts in the environment have communicated with these known-bad BlackPOS IP addresses in the last three months by running a Flow Query:

The above query returns every flow in the last three months between a host inside your environment (for example a POS terminal) and the identified BlackPOS IP addresses, regardless of which side initiated the connection. Any internal host that appears in the results should be treated as compromised until proven otherwise; this information can then be used to identify all infected hosts and assist in the quick mitigation of the breach.
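The same check can be reproduced against exported flow records outside StealthWatch. The following script is an added example, not StealthWatch code or anything from the original post: it treats the three published addresses as the "host group", applies a Host Lock style match to each flow (either endpoint in the group), and reports the internal hosts that talked to those addresses within a 90-day look-back, noting whether the peer port was FTP (20/21). The CSV record layout, the internal address ranges and the sample flow records are all constructed for the example; real NetFlow/IPFIX exports carry the same fields under other names.

```python
"""Historical flow search for the published BlackPOS exfiltration IPs (illustrative).

Added example: not the StealthWatch Flow Query, but the same logic applied to
flow records exported as CSV. Record layout (an assumption for this example):
    start_time,src_ip,src_port,dst_ip,dst_port,proto,bytes
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# The three addresses published by CrowdStrike [3]; this set plays the role of
# the StealthWatch Host Group in the article.
BLACKPOS_IPS = frozenset({"199.188.204.182", "50.87.167.144", "63.111.113.99"})

# Assumed internal address space for the POS environment (example values).
INSIDE_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))

# FTP control (21) and active-mode data (20) ports.
FTP_PORTS = frozenset({20, 21})

# Constructed sample flow records (not real data). The 2013-09-30 record is
# deliberately older than 90 days so it falls outside the look-back window.
SAMPLE_FLOWS = """\
2014-01-14T02:13:07,10.20.5.17,49211,199.188.204.182,21,tcp,1843
2014-01-14T02:13:09,10.20.5.17,49212,199.188.204.182,20,tcp,2104377
2014-01-15T03:02:44,10.20.7.101,50004,50.87.167.144,21,tcp,1722
2014-01-16T11:45:01,10.20.5.17,49800,93.184.216.34,443,tcp,5521
2013-09-30T00:10:00,10.20.9.4,44100,63.111.113.99,21,tcp,1900
2014-01-20T08:00:00,192.168.3.9,53122,8.8.8.8,53,udp,120
"""


def is_inside(addr):
    """True when addr belongs to one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INSIDE_NETS)


def parse_flow(line):
    """Parse one CSV flow record into a dict with typed fields."""
    ts, src, sport, dst, dport, proto, nbytes = line.strip().split(",")
    return {"start": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def host_lock_violation(flow, bad_ips=BLACKPOS_IPS):
    """Host Lock style condition: either endpoint of the flow is a known-bad IP.

    Checking both directions matters: the infected host normally connects out,
    but a flow exporter may also record the return direction as its own record.
    """
    return flow["src"] in bad_ips or flow["dst"] in bad_ips


def find_infected_hosts(flows_text, bad_ips=BLACKPOS_IPS, now=None, lookback_days=90):
    """Return {internal_host: [matching flow summaries]} for the look-back window.

    `now` is an ISO 8601 timestamp string (defaults to the current time); flows
    that started before now - lookback_days are ignored.
    """
    now_dt = datetime.fromisoformat(now) if now else datetime.now()
    cutoff = now_dt - timedelta(days=lookback_days)
    hits = {}
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["start"] < cutoff or not host_lock_violation(flow, bad_ips):
            continue
        # The internal side is the suspect host; the other side is the exfil peer.
        if flow["src"] in bad_ips:
            peer, host, port = flow["src"], flow["dst"], flow["sport"]
        else:
            peer, host, port = flow["dst"], flow["src"], flow["dport"]
        if not is_inside(host):
            continue
        hits.setdefault(host, []).append({
            "when": flow["start"].isoformat(), "peer": peer, "port": port,
            "ftp": port in FTP_PORTS, "bytes": flow["bytes"]})
    return hits


if __name__ == "__main__":
    # Pretend the query is run on 2014-01-21, shortly after the indicators were published.
    for host, flows in find_infected_hosts(SAMPLE_FLOWS, now="2014-01-21T00:00:00").items():
        total = sum(f["bytes"] for f in flows)
        print(f"{host}: {len(flows)} flow(s) to BlackPOS IPs, {total} bytes")
        for f in flows:
            print(f"    {f['when']} -> {f['peer']}:{f['port']} ftp={f['ftp']} bytes={f['bytes']}")
```

Running the script against the constructed records lists 10.20.5.17 (an FTP control connection followed by a ~2 MB data transfer) and 10.20.7.101, while the 10.20.9.4 record is dropped because it is older than the 90-day window. On real exports, widen the window as far as your flow retention allows: the indicators were in use well before they were published, and an infected host that was quiet during the look-back period is still infected.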

For more information about using the StealthWatch System to help secure POS environments see:

http://www.lancope.com/blog/monitoring-protected-data-with-netflow/ 

http://blogs.cisco.com/security/detecting-payment-card-data-breaches-today-to-avoid-becoming-tomorrows-headline 

References:

[1] http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/

[2] http://krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/ 

[3] http://www.crowdstrike.com/blog/actionable-indicators-detection-signs-compromise-target-related-breaches/index.html