"Backoff" malware variants: Unskal, Saluchtra, Dexter and IeEnablerCby

This month we look at four new malware families: Win32/Saluchtra, Win32/Dexter, Win32/Unskal and Win32/IeEnablerCby.

IeEnablerCby is an unwanted software family that installs browser add-ons or extensions without asking for your permission. The other three families are information stealers with similar capabilities once a system is compromised. This article focuses on Unskal, a point-of-sale (POS) malware family.

POS malware targets retail companies in an attempt to steal customer payment details, such as credit card data. The stolen data can then be sold in underground markets. These threats can be deployed to a system by brute-forcing login credentials on machines with weak passwords. They can also be installed by other malware, or by exploiting software vulnerabilities.

Unskal is also known as Backoff, and was initially detailed in a US-CERT alert. Because its infections are targeted, we observed very low numbers in our telemetry for the past month. However, each infection can have a high impact due to the exposure of sensitive information. Infections with this family are most common in the United States.

Once on a system, the malware can drop a copy of itself under any of the following names:

Stealing user data

Unskal gathers information such as credit card details, computer names and user names using two techniques: keylogging, and memory scraping (searching the memory of running processes for card track data).

Sending stolen data

Once it has verified that the captured data is valid, the malware sends it to a remote attacker over port 443. We have seen it use the following command and control (C&C) servers:

The stolen data is base64-encoded and sent in URLs similar to the following:
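The two steps described above (scraping memory for track data, validating it, and sending it base64-encoded over port 443) can be illustrated from the defender's side. The following Python is an added example, not code from the original post or from Microsoft: it scans a constructed memory image for ISO 7813 track-2 records, keeps only PANs that pass the Luhn check (the validation step the text refers to), and then flags constructed proxy log lines whose base64 query parameter decodes to such data. The parameter name `data`, the path `/upload.php`, the address 198.51.100.7 and the log line layout are assumptions; the actual Backoff C&C URLs and payload format are not given on this page.

```python
import base64
import binascii
import re

# ISO 7813 track-2 layout: optional ';' start sentinel, PAN (13-19 digits),
# '=' field separator, expiry YYMM, 3-digit service code, discretionary data,
# optional '?' end sentinel. This is what a POS memory scraper hunts for.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})(\d{0,20})\??")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrape_track2(buf: bytes):
    """Find track-2 records in a memory buffer; keep only Luhn-valid PANs."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):     # drop decoys and corrupt reads
            hits.append({"pan": pan, "expiry": m.group(2).decode(),
                         "service": m.group(3).decode()})
    return hits


# Constructed memory image of a fictitious POS process: two valid records and
# one whose PAN fails Luhn (the scraper's validation step should reject it).
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP.EXE\x00\x00"
    b";4111111111111111=25121011234567890?\x00\x00"
    b"garbage;4111111111111112=2512101?\x00"
    b";5500000000000004=2606201?\x00\x00"
)

# Exfil detection: the parameter name 'data' is an assumption for this example.
B64_PARAM_RE = re.compile(r"[?&]data=([A-Za-z0-9+/=%]+)")


def decode_b64_lenient(s: str):
    """Decode base64 from a query string, tolerating URL encoding and missing padding."""
    s = s.replace("%3D", "=").replace("%2B", "+").replace("%2F", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_exfil(lines):
    """Return (line number, PANs) for log lines whose base64 parameter carries card data."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        m = B64_PARAM_RE.search(line)
        if not m:
            continue
        payload = decode_b64_lenient(m.group(1))
        if payload is None:
            continue
        hits = scrape_track2(payload)
        if hits:
            alerts.append((lineno, [h["pan"] for h in hits]))
    return alerts


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


# Constructed proxy log: host names, IP, path and layout are all assumptions.
SAMPLE_PROXY_LOG = [
    "2014-10-02T10:14:58 10.0.0.12 GET http://updates.example/ping?data="
    + _b64(b"hb=1&ver=2"),                                   # benign base64
    "2014-10-02T10:15:01 10.0.0.12 POST https://198.51.100.7:443/upload.php?data="
    + _b64(b"id=POS1&ui=Admin&track=;4111111111111111=25121011234567890?"),
    "2014-10-02T10:15:03 10.0.0.12 GET http://intranet.example/index.html",
]


if __name__ == "__main__":
    for h in scrape_track2(SAMPLE_MEMORY):
        print("track-2 record in memory:", h)
    for lineno, pans in find_exfil(SAMPLE_PROXY_LOG):
        print(f"possible card exfil on log line {lineno}: {pans}")
```

Run it as a script to see the scraper's view of the memory image and the single log line that is flagged. The Luhn filter matters on both sides: it is how the malware avoids sending junk, and it is how a detection rule avoids firing on every 16-digit number that happens to be base64-encoded in a URL.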

To help prevent intrusions by threats such as Unskal, Dexter and Saluchtra, we recommend that users and network administrators have strong firewall policies in place, enforce complex passwords and require regular password changes. To help prevent the installation of unwanted software such as IeEnablerCby, exercise caution when clicking on links to webpages.

We also recommend updating your software regularly and running up-to-date security software, such as Microsoft Security Essentials or another trusted security software product. 


From: blogs.technet.com/b/mmpc/
