Wontok Lab Tests POS Trojan Backoff

Wontok Lab successfully tested SafeCentral against POS malware threat, Trojan Backoff

Backoff is a strain of POS malware that targets point-of-sale (POS) systems running Windows, and once in place, is capable of stealing credit and debit card information. Backoff malware attacks have been undetectable by updated AV systems on fully patched systems. To date, Backoff has impacted more than 1,000 businesses in the US alone with breaches also appearing in Canada, UK and Poland. Backoff variants have been identified as the source of recent breaches at large retailers including Home Depot and SuperValu, and restaurant chains Dairy Queen and P.F. Changs.

What is Wontok Lab?

Wontok Lab is Wontok’s product test facility which consists of a team of security researchers in a controlled analysis and testing environment.  Wontok Lab conducts rigorous tests specifically designed and tailored for each of Wontok’s security products.

How is Wontok Lab different from Quality Assurance?

Wontok also has a Quality Assurance or QA team.  The QA team performs functionality tests at the release of each product version to ensure quality and usability.  The Lab is responsible to day to day testing against emerging security threats such as new malware variants.

How does Wontok Lab test SafeCentral for Windows in a Financial Setting?

Wontok SafeCentral for Windows has been uniquely developed to work at the deepest kernel layer to protect institutions from modern financial malware. Wontok Lab must test against the most challenging type of malware that hides itself at the deepest level of the OS and is difficult if not impossible for most security products to detect, let alone test for.  As such, it requires very specialized testing, beyond what is performed for day to day anti-virus or average anti-malware products.  To simulate real financial malware threats such as Zeus or SpyeEye, Wontok Lab has a financial malware “zoo” where it keeps the live strains of recent malware variants used for state of the art testing. Because dangerous new malware variants surface continuously, the Lab conducts daily tests against emergent threats and results are summarized weekly.

What is unique about testing financial malware?

Financial malware such as Zeus or SpyEye and Trojans like Backoff have been designed to evade traditional antivirus software, and once inside the target system, its goal is to steal valuable data such as user name and/or passwords or credit card data, then transmit it to a malicious location undetected. Therefore, a test simulator must go beyond traditional testing for verification of detection.  In this case, it is not that malware is detected, but rather if a breach has occurred and whether sensitive information was captured or transmitted.

What criteria are used to show the software “passed” the test?

Wontok Lab first must detail the malware activity on the normal desktop and identify what the malware is capturing and what access to local system files, folders, calls to the operating system, and remote systems. They then switch to the SafeCentral desktop and perform the same tasks and check the system tools and logs if any information is available to the same local system files, folders, and remote systems.

How do you know when it “failed” the test?

Wontok’s analysts are able to determine by logs generated and timestamps if any credentials or information entered while in SafeDesktop is available to the files, processes, or network activity generated by malware. A test fails if any information, even a keystroke is available to the malware.

Is SafeCentral tested by any independent testing services?

Wontok utilizes the world’s largest independent testing services, CSC ITS (formerly Applabs). CSC ITS uses a mix of conventional and next-gen solutions to perform functional testing of SafeCentral prior to deployment. This includes full regression testing, compatibility, leak, remote monitoring testing, and more.

What other tests have been conducted on the efficacy of Wontok SafeCentral?

Wontok SafeCentral’s effectiveness has been documented through testing and endorsements by a number of organizations:

Wontok SafeCentral is one of only 5 vendors to receive Level 2 MRG Effitas Q2 2014 Certification. The certification is for their fourth annual Online Banking Browser Security Assessment Project conducted over three quarters. In Q2 quarter MRG Effitas partnered with IBM SoftLayer to establish the most rigorous and realistic testing scenarios to available. Through such independent testing, Wontok SafeCentral continues to stand out in its ability to prevent the likes of Zeus, Citadel, SpyEye, Carberp and their variants from stealing data from bank and merchant transactions. To find a copy of the report, please visit the MRG Effitas site.