The network security company Damballa has just released data showing that the number of North American computers infected with the "Backoff" malware behind the wave of retail payment-card breaches has been rising sharply.
Between August and September, the internet security company recorded a 57 percent increase in Backoff-infected devices. The malware scrapes the infected point-of-sale computer's RAM for card data left in memory after a payment card has been swiped, Brian Foster, Damballa's CTO, said.
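To make the memory-scraping behaviour concrete, here is an added example of what an incident responder does after the fact: scan a captured memory image for Track 2 card records and keep only those that pass the Luhn check, so random digit runs are not reported as card data. This is illustrative code written for this article, not Backoff's own code or a Damballa tool; the Track 2 regular expression is a simplified assumption, and the memory image and card numbers are constructed from published test numbers.

```python
import re

# Track 2 data as it sits in POS memory right after a swipe (ISO 7813 layout):
#   ;<PAN>=<YYMM><service code><discretionary data>?
# Simplified pattern assumed for illustration; a real scraper or forensic
# carver would use a tighter one and also look for Track 1 (%B...^...^...?).
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")

# Constructed memory image: surrounding junk, two Luhn-valid test PANs
# (Visa 4111..., Amex 3782...) and one digit run that fails Luhn.
SAMPLE_DUMP = (
    b"\x00\x00POS v2.1 swipe buffer\x00"
    b";4111111111111111=24121011234567890?\x00"
    b"garbage bytes \xff\xfe ;4111111111111112=2512101?\x00"
    b";378282246310005=2501101?\x00"
)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum over the PAN; cuts false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> list:
    """Return every Luhn-valid Track 2 record found in a memory image."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # digit run that only looks like a card number
        hits.append({
            "offset": m.start(),
            "pan": pan,
            "expiry": m.group(2).decode(),
            "service_code": m.group(3).decode(),
        })
    return hits


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; never log a full PAN from a dump."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_DUMP):
        print(hex(hit["offset"]), mask_pan(hit["pan"]), hit["expiry"], hit["service_code"])
```

The same scan, run over a process dump of the POS application, is how an analyst confirms that card data was actually resident in memory at the time of compromise; the masking function exists because a forensic report must not itself become a second card-data leak.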
The data comes, Damballa says, from ISP and enterprise customers that use the company's traffic analysis products to detect malicious activity. The company also has visibility into around 55 percent of North American internet traffic, DNS requests included. Foster noted, however, that for privacy reasons the company does not know the IP addresses of most of the infected computers.
"We actually attribute the behaviors we see, as well as the domain names and IP addresses that malware is looking up, to threat actors and threat groups," Foster said.
Damballa uses a Hadoop cluster at its headquarters in Atlanta to analyze the DNS requests in question. It then classifies these requests as either good or potentially malicious, depending on the servers being contacted.
"We track a set of domain characteristics and domain names that are related to Backoff, and it's looking at the volume of those lookups that shows us the increase," Foster added.
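The approach Foster describes, matching DNS lookups against a tracked set of Backoff-related domains and watching the lookup volume over time, is easy to show in miniature. The following is an added example written for this article, not Damballa's code: the indicator domains are hypothetical names on reserved test TLDs, and the DNS query log is constructed. It classifies each lookup as good or malicious, then reports per-month lookup counts and distinct querying clients so the month-over-month change can be computed.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical indicator set standing in for the Backoff-related domains an
# analyst would track. Reserved TLDs are used so these never resolve.
BACKOFF_DOMAINS = {"example-c2.test", "panel-update.invalid"}

# Constructed DNS query log: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2014-08-03T10:02:11 10.1.4.22 www.example.com
2014-08-03T10:02:40 10.1.4.22 srv1.example-c2.test
2014-08-15T08:11:05 10.1.9.7 cdn.example.net
2014-08-21T23:59:01 10.1.9.7 checkin.example-c2.test
2014-09-02T00:10:13 10.1.4.22 srv1.example-c2.test
2014-09-07T13:45:00 10.2.0.5 panel-update.invalid
2014-09-09T19:30:22 10.2.0.5 panel-update.invalid
2014-09-11T07:05:49 10.3.8.1 login.panel-update.invalid
2014-09-20T16:20:00 10.1.4.22 mail.example.org
"""


def is_backoff_lookup(qname: str, indicators=BACKOFF_DOMAINS) -> bool:
    """True if the queried name or any of its parent domains is an indicator.

    A bare TLD is never checked, so 'invalid' alone does not match.
    """
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels) - 1))


def classify_log(text: str):
    """Yield (month, client, qname, verdict) for each log line."""
    for line in text.splitlines():
        ts, client, qname = line.split()
        month = datetime.fromisoformat(ts).strftime("%Y-%m")
        verdict = "malicious" if is_backoff_lookup(qname) else "good"
        yield month, client, qname, verdict


def monthly_stats(text: str) -> dict:
    """Per month: Backoff-related lookups and distinct clients that made them.

    Distinct clients is the better proxy for infected devices, since one
    infected host beacons repeatedly.
    """
    lookups = defaultdict(int)
    clients = defaultdict(set)
    for month, client, _qname, verdict in classify_log(text):
        if verdict == "malicious":
            lookups[month] += 1
            clients[month].add(client)
    return {m: {"lookups": lookups[m], "clients": len(clients[m])} for m in lookups}


def percent_change(stats: dict, before: str, after: str, key: str = "clients") -> float:
    """Month-over-month change, in percent, of the chosen counter."""
    a, b = stats[before][key], stats[after][key]
    return (b - a) / a * 100.0


if __name__ == "__main__":
    stats = monthly_stats(SAMPLE_LOG)
    for month, s in sorted(stats.items()):
        print(month, s)
    print("client change: %.1f%%" % percent_change(stats, "2014-08", "2014-09"))
```

Counting distinct clients rather than raw lookups matters for the kind of figure Damballa reports: a single infected register that beacons every hour would otherwise dominate the trend.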
Backoff has already left several retailers struggling to contain attacks that targeted payment card data. Big-name companies such as Home Depot, Target and Dairy Queen have all been named as Backoff victims. Moreover, the Department of Homeland Security issued a warning in August saying that as many as 1,000 enterprise and small-business networks could already be infected with the malware without being aware of it.
Damballa has visibility into the networks of the companies using its services, which lets it warn those that may be infected. For ISPs using its services, Damballa can issue alerts so that the ISP can notify its own customers that they have been infected.
Foster explained that ISPs have already begun alerting their customers, partly out of a desire to avoid government regulation. They also want to make sure their networks perform well, since they offer high-bandwidth entertainment services, Foster said.
"They see security as an enabler for a lot of their other business practices," Foster added.