3 Replies Latest reply on Jul 24, 2013 2:41 PM by exbrit

    BlackPOS

      There has been a malware package named BlackPOS in the wild since March 2013. The active agent file is MMON.EXE.

      Does the McAfee agent with the current signature file clean this virus?

        • 1. Re: BlackPOS
          exbrit

          I moved this to Top Threats. From online searches I gather this is a point-of-sale infection similar to VSkimmer which is already in the McAfee Database. I can't find reference to BlackPOS per se.

          You mention McAfee Agent yet you posted in Home Products - I assume you mean that in ePO?

           

          How to Submit Samples for Analysis

          • 2. Re: BlackPOS
            Hayton

            Just beat me to it. Although general Security Awareness Discussions is a better place, not Top Threats. Still ... <shrug>

            Yes, this is similar to vSkimmer, which was first reported by Chintan Shah, a McAfee researcher. So similar that I bet McAfee has given them both some unfathomable code name with a differentiating suffix. Could be anywhere in the vil.nai database. BlackPOS is known otherwise as a dump-memory-grabber and is known to Microsoft as "Win32/Pocardler.A".

            BlackPOS is reported in many places, but this is one of the more informative articles:

            http://pciguru.wordpress.com/2013/05/28/blackpos/

            And here is the analysis of what it does. It's pretty primitive stuff, so there's probably cover for it.

            http://www.xylibox.com/2013/05/dump-memory-grabber-blackpos.html

            Message was edited by: Hayton on 24/07/13 20:29:23 IST

            Message was edited by: Hayton - added direct link to BlackPOS article on 25/07/13 00:21:54 IST
            • 3. Re: BlackPOS
              exbrit

              Moved ;-)