February 2nd, 2009 by Jamie Estep
Visa issues security alert
Filed in: Fraud, Industry News | 11 comments
A few days ago, Visa issued a security alert (possibly in reaction to the recent Heartland breach) outlining specific applications and IP addresses to look out for. What is unique about this alert, and something I’ve never seen before, is that Visa gave a very specific list of malicious applications to search for on a network or computer, and a specific list of IPs to block.
This tells me that Visa has explicitly identified threats and where they originate, and that these locations are static enough that blocking them would actually do some good (IP blocking is otherwise a terrible way to prevent or stop malicious behavior).
Table 1, Search for these programs:

Filename | Purpose | MD5/SHA-1 Hash(es) or Registry Key
appsqlio.exe | Reverse shell tool | 387cda6eb91f0b3a054de20c02320338
obsqlio.exe | SQL output redirector | f640e53718bc83cb8bb10b1eafb50edf
blobsqlio.exe | Packed version of gsecdump | 959523fc10584da9bfb31a524ff472aa
sn.exe | Packet sniffer | e07b83abda5b566b3e9a30515a59ecc3
msdtsc.exe | Packet sniffer | 4724103b13e6ce832fbb2c08a419eac6
svclhost.exe | Network communication tool | da4ab50185c7b246d1d2c8fa7bd7a5ed
rexesvr.exe | Command line execution | 003f6cda98a40529cc87fd1387714fd7
svcl.exe | Renamed version of sn.exe | e07b83abda5b566b3e9a30515a59ecc3
eqslquery.exe | Script that automates the installation of rexesvr.exe | bc354dcf5221aea9fae8a3283c09504d
rarx.exe | Compression tool | fd729427144044730c572fd5b9be7dd9
Soft.exe | Backdoor | ea75939da539a3879e5b442b11b51f24
lsasstd.exe | Backdoor | 07536e77ece9e70f5bf3d6f357c77b04
lsasstm.exe | Backdoor | e2736b8e0628a07fc3a6dcccad99245e
smn.exe | Backdoor | b0ff54c190455feda3f67b53c4a4453d
mstsk.exe | Utility to inject code on running processes | ddfd9073a5f222e223f5f2156c71629d
Please note that normal Windows processes may run under the same filename. Do not assume that a process is suspect unless its MD5 hash matches the one in the table. If you need an MD5 hash generator, free ones are easy to find.
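As an added example for this post (it is not code from the original article or from Visa), the following Python script does exactly what the note above asks: it walks a directory tree, picks out files whose names match Table 1, and only reports a file as a hit when its MD5 also matches. The indicator list is copied from Table 1; the function names, the sample files written by `selfcheck`, and the constructed hash it uses are assumptions made for illustration. It also shows why the hash matters more than the name: `sn.exe` and `svcl.exe` in the table share one hash, so a renamed copy is still caught.

```python
"""Check a directory tree against the filenames and MD5 hashes in Table 1.

Added example for this post; it is not code from the original article or from
Visa. The indicator list is copied from Table 1 above. Everything else (function
names, the constructed files used by selfcheck) is made up for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Filename -> MD5, as published in Table 1 of the alert.
TABLE1_INDICATORS = {
    "appsqlio.exe": "387cda6eb91f0b3a054de20c02320338",
    "obsqlio.exe": "f640e53718bc83cb8bb10b1eafb50edf",
    "blobsqlio.exe": "959523fc10584da9bfb31a524ff472aa",
    "sn.exe": "e07b83abda5b566b3e9a30515a59ecc3",
    "msdtsc.exe": "4724103b13e6ce832fbb2c08a419eac6",
    "svclhost.exe": "da4ab50185c7b246d1d2c8fa7bd7a5ed",
    "rexesvr.exe": "003f6cda98a40529cc87fd1387714fd7",
    "svcl.exe": "e07b83abda5b566b3e9a30515a59ecc3",
    "eqslquery.exe": "bc354dcf5221aea9fae8a3283c09504d",
    "rarx.exe": "fd729427144044730c572fd5b9be7dd9",
    "Soft.exe": "ea75939da539a3879e5b442b11b51f24",
    "lsasstd.exe": "07536e77ece9e70f5bf3d6f357c77b04",
    "lsasstm.exe": "e2736b8e0628a07fc3a6dcccad99245e",
    "smn.exe": "b0ff54c190455feda3f67b53c4a4453d",
    "mstsk.exe": "ddfd9073a5f222e223f5f2156c71629d",
}


def md5_of_file(path, chunk_size=1 << 16):
    """MD5 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shared_hashes(indicators=TABLE1_INDICATORS):
    """Hash -> filenames for table entries that share one hash (renamed copies)."""
    by_hash = {}
    for name, digest in indicators.items():
        by_hash.setdefault(digest.lower(), []).append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


def scan_tree(root, indicators=TABLE1_INDICATORS):
    """Walk `root` and return (confirmed, name_only).

    confirmed: name AND MD5 match Table 1 (treat as a hit).
    name_only: name matches but the hash differs; per the note in the post these
    are probably legitimate and must not be flagged on the name alone.
    """
    lookup = {name.lower(): digest.lower() for name, digest in indicators.items()}
    confirmed, name_only = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            expected = lookup.get(fname.lower())  # Windows names are case-insensitive
            if expected is None:
                continue
            full = os.path.join(dirpath, fname)
            try:
                actual = md5_of_file(full)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the sweep
            (confirmed if actual == expected else name_only).append((full, actual))
    return confirmed, name_only


def selfcheck():
    """Constructed files exercising both outcomes; returns (confirmed, name_only) counts."""
    payload = b"constructed sample, not real malware"
    indicators = dict(TABLE1_INDICATORS)
    indicators["smn.exe"] = hashlib.md5(payload).hexdigest()  # constructed hash for the demo
    with tempfile.TemporaryDirectory() as tmp:
        hit = Path(tmp) / "sub" / "smn.exe"
        hit.parent.mkdir()
        hit.write_bytes(payload)  # name and hash both match -> confirmed
        (Path(tmp) / "SN.EXE").write_bytes(b"same name, different bytes")  # name only
        (Path(tmp) / "readme.txt").write_bytes(b"ignored")  # not in the table at all
        confirmed, name_only = scan_tree(tmp, indicators)
        return len(confirmed), len(name_only)


if __name__ == "__main__":
    import sys
    for h, names in shared_hashes().items():
        print(f"note: {', '.join(names)} share hash {h}")
    hits, lookalikes = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, digest in hits:
        print(f"HIT       {path} {digest}")
    for path, digest in lookalikes:
        print(f"name-only {path} {digest}")
```

Run it with the root to sweep as the first argument (for example a system directory on a Windows host); name-only matches are printed separately so they can be reviewed rather than treated as infections.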
Table 2, Block these IP addresses:

90.15.59.86 | 85.221.136.196 | 216.55.164.44 | 82.13.14.61
85.221.196.131 | 77.253.115.137 | 200.115.173.25 | 83.99.227.209
85.221.138.252 | 213.84.163.246 | 85.17.239.11 | 89.114.215.182
64.247.58.239 | 83.110.17.228 | 82.13.14.61 | 91.177.6.209
89.37.241.180 | 12.210.14.103 | 193.11.110.32 | 216.55.126.167
83.4.164.214 | 74.138.172.183 | 207.255.204.160 | 216.55.185.9
72.36.215.253 | 85.17.239.11 | 216.244.34.155 | 212.126.1.244
202.71.103.77 | 69.244.206.15 | 24.159.22.70 | 212.126.9.154
194.146.248.7 | 69.141.149.138 | 67.182.137.29 | 212.126.11.27
85.17.105.34 | 88.156.44.152 | 67.85.92.181 | 212.126.12.89
91.193.63.15 | 216.80.124.225 | 68.50.185.130 | 212.126.14.197
89.37.240.118 | 76.100.75.1 | 68.94.212.161 | 212.126.18.171
91.145.136.65 | 216.196.173.93 | 69.110.26.21 | 212.126.20.83
82.232.177.64 | 75.64.114.45 | 69.14.110.49 | 212.126.22.64
89.76.218.105 | 89.32.130.86 | 69.212.211.243 | 212.126.25.247
89.37.241.241 | 58.65.239.58 | 70.162.2.249 | 212.126.31.182
89.76.220.36 | 66.36.229.201 | 71.238.147.129 | 212.126.32.67
83.55.141.204 | 74.54.131.130 | 71.239.155.202 | 212.126.46.199
216.55.169.234 | 74.53.114.16 | 72.242.241.189 | 212.126.47.93
89.43.45.232 | 203.190.175.39 | 74.62.212.143 | 212.126.53.23
62.21.81.104 | 203.190.172.18 | 75.118.180.255 | 212.126.55.166
89.37.242.28 | 69.70.122.98 | 76.204.117.205 | 212.126.57.215
89.43.45.159 | 65.111.171.20 | 76.22.3.137 | 212.126.72.14
77.253.108.16 | 65.111.171.21 | 76.239.29.46 | 212.126.73.220
91.189.139.168 | 174.36.196.207 | 76.242.106.40 | 212.126.78.153
79.9.108.226 | 208.43.74.19 | 79.118.160.231 | 212.126.83.57
88.214.208.44 | 216.55.162.167 | 79.139.245.79 | 212.126.84.117
212.126.94.174 | 212.126.92.167
The IPs above have somehow been identified as related to malicious behavior, but blocking them alone does not make your system inherently secure. Blocking IP addresses is generally not an effective or long-term way of preventing malicious access. There are over 2 billion possible IP addresses, and each one can have a virtually unlimited number of computers and networks behind it; if you block one address, there are a billion others that could be used instead. Wrongly blocking an address could also cut off a huge number of people from your network, and for a website that could mean a significant loss of business. Make sure you understand exactly what you are doing when searching for these applications or blocking IPs, and if in doubt, contact someone more qualified in network security.
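Given the reservations above, a safer first step than a blanket firewall deny is to check whether any of the listed addresses actually show up in your own firewall or web logs, and review those hits before deciding what to block. The following Python script is an added example for this post (not code from the original article or from Visa): it parses Table 2 as pasted above, validates every entry as an IPv4 address, reports addresses the table lists more than once, matches the list against log lines, and renders the corresponding iptables deny rules so you can see what a full block would amount to. The address table is copied from Table 2; the `src=`/`dst=` log format, the sample log lines and the function names are constructed assumptions.

```python
"""Match firewall log entries against the addresses in Table 2.

Added example for this post; not code from the original article or from Visa.
The address table is copied from Table 2 above; the log format (src=/dst=
fields), the sample lines and the function names are constructed.
"""
import ipaddress
import re
from collections import Counter

# Table 2 of the alert, pasted as it appears on the page.
TABLE2_TEXT = """
90.15.59.86 | 85.221.136.196 | 216.55.164.44 | 82.13.14.61
85.221.196.131 | 77.253.115.137 | 200.115.173.25 | 83.99.227.209
85.221.138.252 | 213.84.163.246 | 85.17.239.11 | 89.114.215.182
64.247.58.239 | 83.110.17.228 | 82.13.14.61 | 91.177.6.209
89.37.241.180 | 12.210.14.103 | 193.11.110.32 | 216.55.126.167
83.4.164.214 | 74.138.172.183 | 207.255.204.160 | 216.55.185.9
72.36.215.253 | 85.17.239.11 | 216.244.34.155 | 212.126.1.244
202.71.103.77 | 69.244.206.15 | 24.159.22.70 | 212.126.9.154
194.146.248.7 | 69.141.149.138 | 67.182.137.29 | 212.126.11.27
85.17.105.34 | 88.156.44.152 | 67.85.92.181 | 212.126.12.89
91.193.63.15 | 216.80.124.225 | 68.50.185.130 | 212.126.14.197
89.37.240.118 | 76.100.75.1 | 68.94.212.161 | 212.126.18.171
91.145.136.65 | 216.196.173.93 | 69.110.26.21 | 212.126.20.83
82.232.177.64 | 75.64.114.45 | 69.14.110.49 | 212.126.22.64
89.76.218.105 | 89.32.130.86 | 69.212.211.243 | 212.126.25.247
89.37.241.241 | 58.65.239.58 | 70.162.2.249 | 212.126.31.182
89.76.220.36 | 66.36.229.201 | 71.238.147.129 | 212.126.32.67
83.55.141.204 | 74.54.131.130 | 71.239.155.202 | 212.126.46.199
216.55.169.234 | 74.53.114.16 | 72.242.241.189 | 212.126.47.93
89.43.45.232 | 203.190.175.39 | 74.62.212.143 | 212.126.53.23
62.21.81.104 | 203.190.172.18 | 75.118.180.255 | 212.126.55.166
89.37.242.28 | 69.70.122.98 | 76.204.117.205 | 212.126.57.215
89.43.45.159 | 65.111.171.20 | 76.22.3.137 | 212.126.72.14
77.253.108.16 | 65.111.171.21 | 76.239.29.46 | 212.126.73.220
91.189.139.168 | 174.36.196.207 | 76.242.106.40 | 212.126.78.153
79.9.108.226 | 208.43.74.19 | 79.118.160.231 | 212.126.83.57
88.214.208.44 | 216.55.162.167 | 79.139.245.79 | 212.126.84.117
212.126.94.174 | 212.126.92.167
"""


def parse_blocklist(text):
    """Split the pasted table into validated IPv4 addresses.

    Returns (addresses, duplicates): a frozenset of unique addresses and a dict
    of any address that appears more than once (Table 2 lists a couple twice).
    """
    counts = Counter()
    for token in re.split(r"[|\s]+", text):
        if token:
            counts[str(ipaddress.IPv4Address(token))] += 1  # raises on a bad token
    return frozenset(counts), {ip: n for ip, n in counts.items() if n > 1}


BLOCKED, DUPLICATES = parse_blocklist(TABLE2_TEXT)

# Constructed log format: key=value fields, with src= and dst= carrying addresses.
ADDR_FIELD = re.compile(r"\b(?:src|dst)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def match_log(lines, blocked=BLOCKED):
    """Return (address, line) for every line whose src or dst is on the list."""
    hits = []
    for line in lines:
        for ip in ADDR_FIELD.findall(line):
            if ip in blocked:
                hits.append((ip, line))
    return hits


def drop_rules(blocked=BLOCKED):
    """Render the list as iptables INPUT drop rules, one per address, sorted numerically."""
    return [f"iptables -A INPUT -s {ip} -j DROP"
            for ip in sorted(blocked, key=ipaddress.IPv4Address)]


SAMPLE_LOG = [  # constructed lines; 192.0.2.44 is documentation space, not on the list
    "2009-02-02T10:15:01 ACCEPT src=90.15.59.86 dst=10.0.0.5 dport=3389",
    "2009-02-02T10:15:07 ACCEPT src=10.0.0.5 dst=212.126.92.167 dport=443",
    "2009-02-02T10:15:09 ACCEPT src=192.0.2.44 dst=10.0.0.5 dport=80",
]


def demo():
    """Addresses from the list that appear in the constructed sample log, in order."""
    return [ip for ip, _ in match_log(SAMPLE_LOG)]


if __name__ == "__main__":
    print(f"{len(BLOCKED)} unique addresses; listed twice: {sorted(DUPLICATES)}")
    for ip, line in match_log(SAMPLE_LOG):
        print(f"REVIEW {ip}: {line}")
    print(f"{len(drop_rules())} rules would be needed to block them all")
```

Feed your own log lines to `match_log` (adjusting `ADDR_FIELD` to your log's field names); the script reports matches for review rather than applying the `drop_rules` output, which is the point the post makes about not blocking blindly.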
Where is the original posted? This isn’t listed on Visa’s site http://usa.visa.com/merchants/risk_management/cisp_alerts.html#anchor_2
Thanks
They haven’t posted it up there yet. We usually receive their alerts in an email before they post them publicly. This one seems fairly important, so I’m not sure what’s taking them so long to get it up there.
Yes, this seems fairly important … but this really isn’t the way to handle it.
Table 1 … This is what we have malware scanners for, how does Visa suggest that we scan for this stuff, if not with our existing tools?
Table 2 … Is Visa serious regarding the fact that they think that we should create a Black List of IP addresses in our Firewalls? The bad guys change IPs and domains more often than we change our underwear.
This Visa Data Security Alert seems to me to be very ill advised and poorly presented/executed.
What is their thought process behind this?
“This is what we have malware scanners for”
Eh.. no. I am sure all of this is custom stuff, which is not picked by AV.
“Eh.. no. I am sure all of this is custom stuff, which is not picked by AV.”
Yeap, not one of these hashes are in the ThreatExpert.com database…
That’s my point … Visa’s proper response was to notify the Malware scanning folks … which they stated they did.
If not the Malware scanner … how do you recommend scanning for these across your systems?
I think one of the major problems that I’ve read about is that malicious software can be installed in unpartitioned spaces on a hard drive. It’s even possible to make the partition invisible to the current operating system. As far as this goes, make sure you don’t ever leave unpartitioned space on a drive.
The only way to scan for these would be to use a process monitor and then calculate the hash of a running process that matches the listed filename. You can also search for the filename but I have a suspicion that some of these may be generated on the fly, in which case you could only look for a running process. You would need to manually do this on every computer on a network. Ideally, you don’t ever let an intruder in to install these in the first place, because it’s going to be difficult to detect them.
If you need a good process monitor, here’s one from Microsoft. This will show you everything that is currently running through the operating system.
Big companies have dedicated technical teams who work hard to make the system totally secure. But still these types of incidents occur. I don’t know when these types of incidents will stop happening.
How are we going to check if the blockers of these IP addresses were doing the right thing in blacklisting? It’s not rare that errors occur. I pity those addresses that were included even if they were not in any way doing illegal stuff.
Visa posted this on their website finally. 3 months after they issued the alert to their partners.