ModPOS Malware: iSight’s Pathetic Effort to Increase Revenues

iSIGHT-Partners-ModPOS-timeline-20nov2015-1024x533

A few days before the 2015 Black Friday frenzy, a number of security web sites and security bloggers have published and re-published a very well-timed and very scary report issued by iSight Partners, a security firm based out of Dallas, Texas.

The report in question was published on the iSight Partners’ website behind a data collection wall, where one has to enter name, e-mail address, title and corporate information in order to obtain the document. In essence, the release of this report appears to be little more than a marketing effort to obtain potential sales leads for this organization.

Many other organizations have regurgitated the press releases coming from iSight Partners without checking or challenging any of the statements made by their representatives.  Steve Ward, a marketing director with iSight Partners made a statement to Russia Today and The Register, “This is POS malware on steroids. We have been examining POS malware…for at least the last eight years, and we have never seen this level of sophistication in terms of development… [Engineers say] it is the most sophisticated framework they have ever put their hands on.”

Gizmodo also made the spectacular claim that this malware is so sophisticated and scare that it employs highly advanced features like ‘key-logging’, ‘network monitoring’ and ‘RAM scraping,’ all methods used by viruses and malware for decades. These claims made by various iSight employees to the media were never questioned or challenged by editors or journalists.

Maria Noboa, a technical analyst with iSight also told Fortune Magazine, “This is by far most the most sophisticated point of sale malware we’ve seen to date.”  Yet one paragraph later, Noboa claims that ModPOS has probably been around since 2012, with attacks being observed in 2013 “and likely ongoing.”  In other words, iSight has no evidence and no idea about the scope of the ModPOS infection, attack surface and the risk it currently poses to current retailers. Instead, the iSight marketing team apparently decided to throw in some key-words meant to scare an uneducated audience and wrapped it all up with “Eastern Europe” knowing that it is the epicenter of “very bad hacking things happen here.”

hyperbole

The iSight report is in essence a rehash of a 3 year old piece of malware, which is well-known in the security industry; the report is purposefully vague to apparently create panic and using trigger words to scare an audience into action.

The very qualified folks from Verizon Cyber Intelligence Center also did not fall for iSight’s fear mongering press release. In a very short blog post they updated their customers after they also analyzed ModPOS and determined that it is nothing other than the Backdoor.Straxbot malware; Symantec released signatures for Straxbot in December 2014. It is unclear why iSight decided to re-name this piece of malware as Symantec had existing functioning signatures in production one year ago.

The Verizon blog entry stated, “Our initial assessment of the iSight report does not support observations such as, “Most complex ever,” or “silent assassin.” These characterizations of ModPOS are hyperbole.”

Verizon is kindly calling iSight’s report “hyperbole.”  I call it fear mongering and a pathetic marketing and sales effort to scare customers into writing checks.

While iSight claimed that this report was released to help retailers maintain security awareness, I see no evidence of this. It is unfortunate that security firms like iSight use fear to sell their services and scare retailers into wasting valuable efforts on very low risk items which could be mitigated with minimum effort, and this is why such firms cannot be trusted with security contracts. If they exaggerate threats and risks in order to sell services, what else do they lie about?

The footprint and behavior of “ModPOS” has been very well documented for almost three years. The trojan creates a file %System%Drivers[RANDOM CHARACTERS FILE NAME].sys and an encrypted directory %Windir%Installer[GUID][HEXADECIMAL VALUE]. Furthermore this malware connects to a static set of IP addresses (listed below). These ModPOS c&c destination address should be blocked in an enterprise firewall in order to mitigate risk of further infection and limit the command and control functions of the package:

  • 109.72.149.135
  • 109.72.149.42
  • 130.0.237.22
  • 178.162.163.194
  • 188.72.218.230
  • 212.224.112.155
  • 213.155.8.44
  • 213.229.116.165
  • 216.246.23.8
  • 5.187.1.198
  • 67.228.137.30
  • 75.127.113.184
  • 87.118.92.44
  • 88.198.119.118
  • 89.149.235.55
  • 89.149.247.139
  • 91.207.61.208
  • 91.218.39.217
  • 91.226.31.43
  • 91.228.152.134
  • 92.60.177.225
  • 93.174.3.146

Retailers using non-MS Windows point of sales systems should rest assured that they are not at risk of infection. They are however at risk of wasting money on likely expensive and unnecessary services sold to them by iSight Partners.