ModPOS is far more sophisticated than a POS attack requires

Miller explained that one of the key things that set ModPOS apart was the level of complexity around the software. He said: “POS malware doesn’t have to be complicated. All it has to do is match a pattern in memory and then exfiltrate the data. Lots of POS malware has been very simple. When we look at ModPOS it is extremely sophisticated. It is far more complex and better at evading detection than we would expect and it even allows the operator to customise it to the POS environment they are attacking.

“In the copies of the malware we’ve looked at it maintains unique hashes for different installations of the malware and even uses hashes unique to victim systems. The data it is exfiltrating is protected by strong encryption, AES-256, both in the network traffic and the code on the victims’ machines.”

Using encryption to protect data as it is exfiltrated is nothing new, and it is one of the problems security teams face when they try to spot data leaving the organisation. What is less common is for both the exfiltrated data and the malware’s own code to be protected by encryption of this strength, which means locating it will be a significant challenge.

The sophistication of ModPOS goes far deeper than just its use of encryption and unique hashes for each system and version. Miller told us:

“A lot of malware leverages shell code. The average number of functions we would expect to see for POS malware is around five. Looking at the shell code in ModPOS that is called out and injected in the services process there are 600 functions. Another piece of shell code has 50 functions. This is many orders of magnitude more than you would expect not just for POS malware but any malware.

“As well as the complex shell code we also see a kernel mode loader that bypasses the way Anti-Virus (AV) software would identify when something new occurred and check for new information. A lot of AV software would not detect something such as ModPOS.”

Perhaps the biggest thing ModPOS does is turn itself into a rootkit. By doing so it is able to evade the vast majority of endpoint security products, even those designed to find rootkits. We were interested to find out whether next-generation security software vendor Cylance had been given access to ModPOS to see if they could detect it. Ward suggested we should speak to Cylance, but despite reaching out to them we had had no response at the time of going to press.

How to detect ModPOS

iSight Partners gave us access to their report on the understanding that we would be careful about what information we took from it. As such, we will leave the comprehensive work identifying which files are affected, the infection mechanism and the details of the ModPOS plugins iSight has identified so far for readers to see for themselves when they get the report.

What we can say is that, at the moment, ModPOS appears to use only three Command and Control (C&C) servers, and their IP addresses are hardcoded. Given the sophistication of the software, hardcoded C&C addresses seem a little surreal, although it could be that they are there as a distraction. The addresses that companies can begin to monitor for are:

  1. 109.72.149.42
  2. 130.0.237.22
  3. 91.218.39.217

The first address comes back to a company in Toronto. The second comes back to a company registered in London. The third comes back to an address in the EU, but it appears to be part of a free pool of addresses with no further information available.
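The three addresses above are the only indicators the article can publish, so the natural first step for a defender is to sweep existing egress logs for them and, where an unpacked sample or memory dump is available, check whether they are embedded in the code. The following is an added example written for this page, not code from the article or from iSight’s report. The log lines and the byte blob are constructed for illustration, and the IOC set is simply the three addresses listed above. Two caveats follow from the article itself: the addresses may be a distraction, and because the code on disk is described as AES-encrypted, the byte-level search is only useful against memory or a decrypted payload.

```python
import ipaddress
import re

# C&C addresses reported for ModPOS, as listed in the article above.
MODPOS_C2 = frozenset({
    "109.72.149.42",
    "130.0.237.22",
    "91.218.39.217",
})

# Dotted-quad IPv4 matcher. The lookarounds stop "1130.0.237.220" from
# yielding a false "130.0.237.22" match inside a longer run of digits.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_c2_hits(log_lines, iocs=MODPOS_C2):
    """Return [(line_no, ip)] for every log line that mentions an IOC address.

    Extracts addresses with a regex rather than assuming a field layout, so
    the same function works on firewall, proxy and flow-export text logs.
    """
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs:
                hits.append((n, ip))
    return hits


def find_hardcoded_ips(blob, iocs=MODPOS_C2):
    """Search a memory dump or decrypted code blob for IOC addresses.

    Checks the ASCII dotted-quad form and both byte orders of the packed
    4-byte form (the layout inet_addr / in_addr would produce). Returns a
    sorted list of (offset, ip, encoding).
    """
    found = []
    for ip in iocs:
        packed = ipaddress.IPv4Address(ip).packed
        for encoding, needle in (("ascii", ip.encode()),
                                 ("be32", packed),
                                 ("le32", packed[::-1])):
            off = blob.find(needle)
            while off != -1:
                found.append((off, ip, encoding))
                off = blob.find(needle, off + 1)
    return sorted(found)


# Constructed sample egress log (not real traffic): one firewall hit on the
# second address and one proxy CONNECT to the third.
SAMPLE_LOG = [
    "2015-11-25T03:14:07Z fw01 allow tcp 10.20.1.15:49211 -> 130.0.237.22:443",
    "2015-11-25T03:14:09Z fw01 allow tcp 10.20.1.15:49212 -> 93.184.216.34:443",
    "2015-11-25T03:15:41Z proxy01 CONNECT 91.218.39.217:443 from 10.20.1.15",
    "2015-11-25T03:16:02Z fw01 allow udp 10.20.1.1:53 -> 8.8.8.8:53",
]

# Constructed byte blob standing in for a decrypted payload: the first
# address as an ASCII string at offset 16, the third as a little-endian
# packed address at offset 38.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"109.72.149.42\x00"
    + b"\x90" * 8
    + ipaddress.IPv4Address("91.218.39.217").packed[::-1]
    + b"\xff" * 4
)


if __name__ == "__main__":
    for line_no, ip in find_c2_hits(SAMPLE_LOG):
        print(f"log line {line_no}: contact with ModPOS C&C {ip}")
    for off, ip, enc in find_hardcoded_ips(SAMPLE_BLOB):
        print(f"blob offset {off}: {ip} ({enc})")
```

In practice the IOC set would be loaded from a file so it can be extended as iSight or others publish more, and hits from `find_c2_hits` should be checked against the hardcoded-address caveat above before being treated as confirmed infections: an address in a free pool or a reassigned hosting range will eventually generate unrelated traffic.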

There are other technical indicators of compromise in the report and it is likely that there is a lot more data only available to those customers who work with iSight to identify and track infections.

Conclusion

The emergence of malware as sophisticated as ModPOS targeted at the POS market would appear at first glance to be overkill. However, it is one of the clearest indications yet that cybercriminals are raising their game far faster than security companies can react.

It will be interesting to see, as we move through the holiday spending period, just how many companies eventually admit to falling victim to ModPOS and whether, now that it is being widely talked about, it continues to be so tightly controlled. The end game for most malware revolves around the ability to monetise it effectively.

While keeping it tightly controlled made sense when there was little information available to detect it, now that iSight is actively pursuing it the creators may decide it is time to release a wider framework based on the software. This would let them reap the rewards of their work quickly over the holiday sales period and use that money for whatever they have planned next.
