Information on Merchant Accounts,
Ecommerce and Credit Card Processing

February 2nd, 2009 by Jamie Estep

Visa issues security alert

Filed in: Fraud, Industry News | 11 comments

A few days ago, Visa issued a security alert (possibly in reaction to the recent Heartland breach) outlining some specific applications and IP addresses to look out for. What is unique about this alert that I’ve never seen before is that Visa gave a very specific list of malicious applications to search for on a network/computer, and a specific list of IP’s to block.

This tells me that Visa has explicitly identified threats, where they are originating from, and these locations are static enough that blocking them would actually do some good (IP blocking is a terrible way to prevent/stop malicious behavior).

Download the security alert »

Table 1, Search for these programs:
Filename  Purpose  MD5/SHA-1 Hash(s) or Registry Key
appsqlio.exe  Reverse shell tool  387cda6eb91f0b3a054de20c02320338 
obsqlio.exe  SQL output redirector  f640e53718bc83cb8bb10b1eafb50edf
blobsqlio.exe  Packed version of gsecdump  959523fc10584da9bfb31a524ff472aa
sn.exe  Packet sniffer  e07b83abda5b566b3e9a30515a59ecc3
msdtsc.exe  Packet sniffer  4724103b13e6ce832fbb2c08a419eac6
svclhost.exe  Network communication tool  da4ab50185c7b246d1d2c8fa7bd7a5ed 
rexesvr.exe  Command line execution  003f6cda98a40529cc87fd1387714fd7
svcl.exe  Renamed version of sn.exe  e07b83abda5b566b3e9a30515a59ecc3 
eqslquery.exe  Script that automates the installation of rexesvr.exe  bc354dcf5221aea9fae8a3283c09504d 
rarx.exe  Compression tool  fd729427144044730c572fd5b9be7dd9
Soft.exe  Backdoor  ea75939da539a3879e5b442b11b51f24 
lsasstd.exe  Backdoor  07536e77ece9e70f5bf3d6f357c77b04
lsasstm.exe  Backdoor  e2736b8e0628a07fc3a6dcccad99245e
smn.exe  Backdoor  b0ff54c190455feda3f67b53c4a4453d
mstsk.exe  Utility to inject code on running processes  ddfd9073a5f222e223f5f2156c71629d 
Download original…

Please note that normal windows processes may run under the same filename. Do not assume that a process is suspect unless the MD5 hash matches the one in the table. If you need a MD5 hash generator, try this one for free.

Table 2, Block these IP addresses:    
Download original…

The IP’s above have somehow been identified as being related to malicious behavior, but by just blocking them you are not making your system inherently secure. Blocking IP addresses is generally not an effective or long-term method of preventing malicious access. There are over 2 Billion possible IP addresses, and each IP can have a virtually unlimited number of computers and networks behind it. If you block an IP address, there are a billion others that could be used for malicious behavior. Also, wrongfully blocking an IP address could potentially restrict a huge number of people from your network. In the case of a website, this could result in significant loss of business. Please make sure you understand exactly what you are doing when searching for applications, or blocking IP’s. If in doubt, contact someone more qualified in network security.

11 Responses to “Visa issues security alert”

  1. Andrew Barratt February 3, 2009 at 8:27 am

    Where is the orignal posted? This isn’t listed on visas site

  2. jestep February 3, 2009 at 8:32 am

    They haven’t posted it up there yet. We usually receive their alerts in an email before they post them publicly. This one seems fairly important, so I’m not sure what’s taking them so long to get it up there.

  3. Tod February 3, 2009 at 10:36 am

    Yes, this seems fairly important … but this really isn’t the way to handle it.

    Table 1 … This is what we have malware scanners for, how does Visa suggest that we scan for this stuff, if not with our existing tools?

    Table 2 … Is Visa serious regarding the fact that they think that we should create a Black List of IP addresses in our Firewalls? The bad guys change IPs and domains more often than we change our underwear.

    This Visa Data Security Alert seems to me to be very ill advised and poorly presented/executed.

    What is their thought process behind this?

  4. Anton Chuvakin February 3, 2009 at 5:33 pm

    “This is what we have malware scanners for”

    Eh.. no. I am sure all of this is custom stuff, which is not picked by AV.

  5. […] it out here. No TweetBacks yet. (Be the first to Tweet this post) Possibly Related Posts (automatically […]

  6. David Bergert February 4, 2009 at 4:29 pm

    “Eh.. no. I am sure all of this is custom stuff, which is not picked by AV.”

    Yeap, not one of these hashes are in the database…

  7. Tod February 4, 2009 at 5:55 pm

    That’s my point … Visa’s proper response was to notify the Malware scanning folks … which they stated they did.

    If not the Malware scanner … how do you recommend scanning for these across your systems?

  8. jestep February 4, 2009 at 6:01 pm

    I think one of the major problems that I’ve read about is that malicious software can be installed in unpartitioned spaces on a hard drive. It’s even possible to make the partition invisible to the current operating system. As far as this goes, make sure you don’t ever leave unpartitioned space on a drive.

    The only way to scan for these would be to use a process monitor and then calculate the hash of a running process that matches the listed filename. You can also search for the filename but I have a suspicion that some of these may be generated on the fly, in which case you could only look for a running process. You would need to manually do this on every computer on a network. Ideally, you don’t ever let an intruder in to install these in the first place, because it’s going to be difficult to detect them.

    If you need a good process monitor, here’s one from Microsoft. This will show you everything that is currently running through the operating system.

  9. Mark February 20, 2009 at 12:40 am

    Big companies has dedicated technical teams who work hard to make the system totally secure. But still these type of instances occure. I don’t know when these type of incidents will stop happenning.

  10. Wenningstedt auf Sylt February 23, 2009 at 9:34 pm

    How are we going to check if the blockers of this IP addresses were doing the right thing in blacklisting? Its not rare that errors occur. I pity those addresses that were included even if they were not in any way doing illegal stuff.

  11. jestep May 20, 2009 at 10:00 am

    Visa posted this on their website finally. 3 months after they issued the alert to their partners.