
Tripwire’s support team has quickly developed rules for Tripwire Enterprise customers that will check for known markers of compromise of the point-of-sale malware (Trojan.POSRAM and Infostealer.Reedum.B) that has hit Target and other retailers. Customers can log into the customer portal and open a ticket for the appropriate downloads.

The Tripwire Enterprise content is based on what is known about the malware from various reports. The rules check for touched files, registry keys and service names, and also check running processes, local user logons and NetBIOS share information.
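The check categories listed above can be modelled as a baseline-and-compare: the following is an added illustration, not Tripwire's rule content, and every path, key, service, account and share name in it is constructed sample data.

```python
import hashlib
# Categories mirroring the checks listed above (constructed model, not Tripwire's rules).
CATEGORIES = ("files", "registry", "services", "processes", "users", "shares")

def snapshot(files, registry, services, processes, users, shares):
    """Normalise host state for comparison. files: path -> raw bytes (hashed here);
    registry/services: key -> value; processes/users/shares: iterables of names."""
    return {
        "files": {p: hashlib.sha256(c).hexdigest() for p, c in files.items()},
        "registry": dict(registry),
        "services": dict(services),
        "processes": set(processes),
        "users": set(users),
        "shares": set(shares),
    }

def diff_snapshots(baseline, current):
    """Return {category: {added, removed, modified}} for every category that changed."""
    report = {}
    for cat in CATEGORIES:
        b, c = baseline[cat], current[cat]
        added = sorted(set(c) - set(b))
        removed = sorted(set(b) - set(c))
        # Only keyed categories can change in place (e.g. a file whose hash no longer matches).
        modified = sorted(k for k in set(b) & set(c) if b[k] != c[k]) if isinstance(b, dict) else []
        if added or removed or modified:
            report[cat] = {"added": added, "removed": removed, "modified": modified}
    return report

# Constructed sample data: a clean baseline, then a snapshot with a dropped service binary, a new local account and a new share.
SVC_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
BASELINE = snapshot(
    files={r"C:\POS\app\pos.exe": b"pos-binary-v1"},
    registry={SVC_KEY + r"\POSApp\ImagePath": r"C:\POS\app\pos.exe"},
    services={"POSApp": "running"},
    processes=["pos.exe", "svchost.exe"],
    users=["posadmin"],
    shares=["C$", "ADMIN$"],
)
CURRENT = snapshot(
    files={r"C:\POS\app\pos.exe": b"pos-binary-v1-patched",
           r"C:\Windows\System32\unknown_dropped.exe": b"dropped-binary"},
    registry={SVC_KEY + r"\POSApp\ImagePath": r"C:\POS\app\pos.exe",
              SVC_KEY + r"\NewSvc\ImagePath": r"C:\Windows\System32\unknown_dropped.exe"},
    services={"POSApp": "running", "NewSvc": "running"},
    processes=["pos.exe", "svchost.exe", "unknown_dropped.exe"],
    users=["posadmin", "newlocaluser"],
    shares=["C$", "ADMIN$", "staging$"],
)
```

Calling `diff_snapshots(BASELINE, CURRENT)` reports the new file, the modified POS binary, the new service and registry key, the new process, the new local user and the new share in one pass.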

[Figure: POSWDS malware dump before it sends data]

Antivirus products (40+ tested) had a 0% detection rate for the PoS malware. However, Tripwire Enterprise with its basic out-of-the-box rule set would have detected changes immediately, leading to the intrusion being detected much earlier, before data was compromised.

Tripwire’s real-time capability adds the ability to detect the intrusion before it is able to send any data. In addition, Tripwire Enterprise automatically adds audit information, enabling monitoring of what the login was doing so the account can be quickly shut down before it can be used for further compromise.

[Figure: Tripwire Enterprise real-time detection before data can be sent]

Using Tripwire Enterprise’s Critical Change Audit and default Windows rule sets, we were able to identify markers of the malware with very little customization.