Wontok Lab Tests POS Malware LusyPOS

Wontok Lab successfully tested SafeCentral against the POS malware threat LusyPOS.

LusyPOS is a new strain of POS malware putting retailers at risk. LusyPOS uses RAM scraping to collect credit and debit card data, then uses Tor for command and control (C&C) communication to send the data to the attackers. LusyPOS incorporates portions of two other known POS malware families: Dexter and Chewbacca. Once executed, the main file, called lusypos.exe, drops four files. LusyPOS has been advertised for sale in cybercriminal forums since late November.

Wontok Lab Results

We observed that with SafeCentral, the tested malware was not able to capture data from RAM, and there were no active network connections to attacker IPs via Tor.

What is Wontok Lab?

Wontok Lab is Wontok’s product test facility, which consists of a team of security researchers working in a controlled analysis and testing environment. Wontok Lab conducts rigorous tests specifically designed and tailored for each of Wontok’s security products.

How is Wontok Lab different from Quality Assurance?

Wontok also has a Quality Assurance (QA) team. The QA team performs functionality tests at the release of each product version to ensure quality and usability. The Lab is responsible for day-to-day testing against emerging security threats such as new malware variants.

How does Wontok Lab test SafeCentral for Windows in a Financial Setting?

Wontok SafeCentral for Windows has been uniquely developed to work at the deepest kernel layer to protect institutions from modern financial malware. Wontok Lab must test against the most challenging type of malware: malware that hides itself at the deepest level of the OS and is difficult, if not impossible, for most security products to detect, let alone test for. As such, it requires very specialized testing, beyond what is performed for day-to-day anti-virus or average anti-malware products. To simulate real financial malware threats such as Zeus or SpyEye, Wontok Lab maintains a financial malware “zoo” where it keeps live strains of recent malware variants used for state-of-the-art testing. Because dangerous new malware variants surface continuously, the Lab conducts daily tests against emergent threats, and results are summarized weekly.

What is unique about testing financial malware?

Financial malware such as Zeus or SpyEye and new strains like Backoff and LusyPOS have been designed to evade traditional antivirus software. Once inside the target system, their goal is to steal valuable data such as user names, passwords, or credit card data, then transmit it to a malicious location undetected. Therefore, a test simulator must go beyond traditional testing, which only verifies detection. In this case, the question is not whether the malware is detected, but whether a breach has occurred and whether sensitive information was captured or transmitted.

What criteria are used to show the software “passed” the test?

Wontok Lab first details the malware’s activity on a normal desktop, identifying what the malware captures and what access it gains to local system files, folders, operating system calls, and remote systems. The analysts then switch to the SafeCentral desktop, perform the same tasks, and check the system tools and logs to see whether any information is available to the same local system files, folders, and remote systems.

How do you know when it “failed” the test?

Wontok’s analysts determine from the generated logs and their timestamps whether any credentials or information entered while in SafeDesktop are available to the files, processes, or network activity generated by the malware. A test fails if any information, even a single keystroke, is available to the malware.
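The pass/fail decision above hinges on whether card data entered during the test shows up in anything the malware produced. As an added illustration (not Wontok Lab’s own tooling), the script below scans a captured artifact, such as a RAM-scraper’s staging file or a process memory dump, for Track 1/Track 2 magnetic-stripe records, keeps only PANs that pass the Luhn check to suppress false positives, and returns a PASS/FAIL verdict; the sample blobs and the 4111111111111111 test PAN are constructed.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb'%B(\d{13,19})\^[^\^]{2,26}\^(\d{4})[0-9]*\?')
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb';(\d{13,19})=(\d{4})\d{3}[0-9]*\?')


def luhn_ok(pan: str) -> bool:
    """Mod-10 check: a digit run that is not Luhn-valid is not a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 8 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only first 6 / last 4 so findings can be logged without exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes):
    """Return (format, masked PAN, expiry) for every Luhn-valid track record in blob."""
    hits = []
    for rx, fmt in ((TRACK1_RE, "track1"), (TRACK2_RE, "track2")):
        for m in rx.finditer(blob):
            pan = m.group(1).decode()
            if luhn_ok(pan):
                hits.append((fmt, mask(pan), m.group(2).decode()))
    return hits


def verdict(blob: bytes) -> str:
    """FAIL if the malware artifact contains any card data, otherwise PASS."""
    return "FAIL" if find_track_data(blob) else "PASS"


# Constructed artifacts: what a scraper might have written on the normal desktop
# (two real records plus one Luhn-invalid digit run) and on the protected desktop.
NORMAL_DESKTOP_DUMP = (b"log\x00%B4111111111111111^TEST/CARD^2512101123456?\x00"
                       b";4111111111111111=25121011234567890?\x00"
                       b";4111111111111112=2512101?\x00")
SAFECENTRAL_DUMP = b"log\x00no swipe data reached this process\x00"

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL_DESKTOP_DUMP), ("safecentral", SAFECENTRAL_DUMP)):
        print(name, verdict(blob), find_track_data(blob))
```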

Is SafeCentral tested by any independent testing services?

Wontok utilizes one of the world’s largest independent testing services, CSC ITS (formerly AppLabs). CSC ITS uses a mix of conventional and next-generation solutions to perform functional testing of SafeCentral prior to deployment. This includes full regression testing, compatibility testing, leak testing, remote monitoring testing, and more.

What other tests have been conducted on the efficacy of Wontok SafeCentral?

Wontok SafeCentral’s effectiveness has been documented through testing and endorsements by a number of organizations:

Wontok SafeCentral is one of only a handful of products to receive several consecutive Level 2 MRG Effitas certifications. In the latest certification for their Online Banking Browser Security Assessment Project, MRG Effitas partnered with IBM SoftLayer to establish the most rigorous and realistic testing scenarios available. Through such independent testing, Wontok SafeCentral continues to stand out in its ability to prevent the likes of Zeus, Citadel, SpyEye, Carberp and their variants from stealing data from bank and merchant transactions. To find a copy of the Q3 2014 report, please visit the MRG Effitas site.
