{"id":641,"date":"2009-02-02T14:03:18","date_gmt":"2009-02-02T19:03:18","guid":{"rendered":"http:\/\/www.merchantaccountblog.com\/?p=641"},"modified":"2009-02-03T12:26:24","modified_gmt":"2009-02-03T17:26:24","slug":"visa-issues-security-alert","status":"publish","type":"post","link":"https:\/\/www.merchantequip.com\/merchant-account-blog\/641\/visa-issues-security-alert","title":{"rendered":"Visa issues security alert"},"content":{"rendered":"

A few days ago, Visa issued a security alert (possibly in reaction to the recent Heartland breach) outlining some specific applications and IP addresses to look out for. What is unique about this alert that I’ve never seen before is that Visa gave a very specific list of malicious applications to search for on a network\/computer, and a specific list of IP’s to block.<\/p>\n

This tells me that Visa has explicitly identified threats, where they are originating from, and these locations are static enough that blocking them would actually do some good (IP blocking is a terrible way to prevent\/stop malicious behavior)<\/em>.<\/p>\n

Download the security alert »<\/a><\/p>\n

<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Table 1, Search for these programs:<\/b><\/td>\n<\/tr>\n
Filename<\/b>\u00a0<\/td>\nPurpose\u00a0<\/b><\/td>\nMD5\/SHA-1 Hash(s) or Registry Key<\/b><\/td>\n<\/tr>\n
appsqlio.exe\u00a0<\/td>\nReverse shell tool\u00a0<\/td>\n387cda6eb91f0b3a054de20c02320338\u00a0<\/td>\n<\/tr>\n
obsqlio.exe\u00a0<\/td>\nSQL output redirector\u00a0<\/td>\nf640e53718bc83cb8bb10b1eafb50edf<\/td>\n<\/tr>\n
blobsqlio.exe\u00a0<\/td>\nPacked version of gsecdump\u00a0<\/td>\n959523fc10584da9bfb31a524ff472aa<\/td>\n<\/tr>\n
sn.exe\u00a0<\/td>\nPacket sniffer\u00a0<\/td>\ne07b83abda5b566b3e9a30515a59ecc3<\/td>\n<\/tr>\n
msdtsc.exe\u00a0<\/td>\nPacket sniffer\u00a0<\/td>\n4724103b13e6ce832fbb2c08a419eac6<\/td>\n<\/tr>\n
svclhost.exe\u00a0<\/td>\nNetwork communication tool\u00a0<\/td>\nda4ab50185c7b246d1d2c8fa7bd7a5ed\u00a0<\/td>\n<\/tr>\n
rexesvr.exe\u00a0<\/td>\nCommand line execution\u00a0<\/td>\n003f6cda98a40529cc87fd1387714fd7<\/td>\n<\/tr>\n
svcl.exe\u00a0<\/td>\nRenamed version of sn.exe\u00a0<\/td>\ne07b83abda5b566b3e9a30515a59ecc3\u00a0<\/td>\n<\/tr>\n
eqslquery.exe\u00a0<\/td>\nScript that automates the installation of rexesvr.exe\u00a0<\/td>\nbc354dcf5221aea9fae8a3283c09504d\u00a0<\/td>\n<\/tr>\n
rarx.exe\u00a0<\/td>\nCompression tool\u00a0<\/td>\nfd729427144044730c572fd5b9be7dd9<\/td>\n<\/tr>\n
Soft.exe\u00a0<\/td>\nBackdoor\u00a0<\/td>\nea75939da539a3879e5b442b11b51f24\u00a0<\/td>\n<\/tr>\n
lsasstd.exe\u00a0<\/td>\nBackdoor\u00a0<\/td>\n07536e77ece9e70f5bf3d6f357c77b04<\/td>\n<\/tr>\n
lsasstm.exe\u00a0<\/td>\nBackdoor\u00a0<\/td>\ne2736b8e0628a07fc3a6dcccad99245e<\/td>\n<\/tr>\n
smn.exe\u00a0<\/td>\nBackdoor\u00a0<\/td>\nb0ff54c190455feda3f67b53c4a4453d<\/td>\n<\/tr>\n
mstsk.exe\u00a0<\/td>\nUtility to inject code on running processes\u00a0<\/td>\nddfd9073a5f222e223f5f2156c71629d\u00a0<\/td>\n<\/tr>\n
Download original…<\/a><\/td>\n<\/tr>\n<\/table>\n

Please note that normal windows processes may run under the same filename. Do not assume that a process is suspect unless the MD5 hash matches the one in the table. If you need a MD5 hash generator, try this one for free<\/a>.<\/em><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Table 2, Block these IP addresses:<\/b><\/td>\n<\/tr>\n
90.15.59.86\u00a0<\/td>\n85.221.136.196<\/td>\n216.55.164.44\u00a0<\/td>\n82.13.14.61\u00a0<\/td>\n<\/tr>\n
85.221.196.131<\/td>\n77.253.115.137<\/td>\n200.115.173.25\u00a0<\/td>\n83.99.227.209\u00a0<\/td>\n<\/tr>\n
85.221.138.252<\/td>\n213.84.163.246<\/td>\n85.17.239.11\u00a0<\/td>\n89.114.215.182\u00a0<\/td>\n<\/tr>\n
64.247.58.239\u00a0<\/td>\n83.110.17.228\u00a0<\/td>\n82.13.14.61\u00a0<\/td>\n91.177.6.209\u00a0<\/td>\n<\/tr>\n
89.37.241.180\u00a0<\/td>\n12.210.14.103\u00a0<\/td>\n193.11.110.32\u00a0<\/td>\n216.55.126.167\u00a0<\/td>\n<\/tr>\n
83.4.164.214\u00a0<\/td>\n74.138.172.183<\/td>\n207.255.204.160<\/td>\n216.55.185.9\u00a0<\/td>\n<\/tr>\n
72.36.215.253\u00a0<\/td>\n85.17.239.11\u00a0<\/td>\n216.244.34.155\u00a0<\/td>\n212.126.1.244\u00a0<\/td>\n<\/tr>\n
202.71.103.77\u00a0<\/td>\n69.244.206.15\u00a0<\/td>\n24.159.22.70\u00a0<\/td>\n212.126.9.154\u00a0<\/td>\n<\/tr>\n
194.146.248.7\u00a0<\/td>\n69.141.149.138<\/td>\n67.182.137.29\u00a0<\/td>\n212.126.11.27\u00a0<\/td>\n<\/tr>\n
85.17.105.34\u00a0<\/td>\n88.156.44.152\u00a0<\/td>\n67.85.92.181\u00a0<\/td>\n212.126.12.89\u00a0<\/td>\n<\/tr>\n
91.193.63.15\u00a0<\/td>\n216.80.124.225<\/td>\n68.50.185.130\u00a0<\/td>\n212.126.14.197<\/td>\n<\/tr>\n
89.37.240.118\u00a0<\/td>\n76.100.75.1\u00a0<\/td>\n68.94.212.161\u00a0<\/td>\n212.126.18.171<\/td>\n<\/tr>\n
91.145.136.65\u00a0<\/td>\n216.196.173.93<\/td>\n69.110.26.21\u00a0<\/td>\n212.126.20.83\u00a0<\/td>\n<\/tr>\n
82.232.177.64\u00a0<\/td>\n75.64.114.45\u00a0<\/td>\n69.14.110.49\u00a0<\/td>\n212.126.22.64\u00a0<\/td>\n<\/tr>\n
89.76.218.105\u00a0<\/td>\n89.32.130.86\u00a0<\/td>\n69.212.211.243\u00a0<\/td>\n212.126.25.247<\/td>\n<\/tr>\n
89.37.241.241\u00a0<\/td>\n58.65.239.58\u00a0<\/td>\n70.162.2.249\u00a0<\/td>\n212.126.31.182<\/td>\n<\/tr>\n
89.76.220.36\u00a0<\/td>\n66.36.229.201\u00a0<\/td>\n71.238.147.129\u00a0<\/td>\n212.126.32.67\u00a0<\/td>\n<\/tr>\n
83.55.141.204\u00a0<\/td>\n74.54.131.130\u00a0<\/td>\n71.239.155.202\u00a0<\/td>\n212.126.46.199<\/td>\n<\/tr>\n
216.55.169.234<\/td>\n74.53.114.16\u00a0<\/td>\n72.242.241.189\u00a0<\/td>\n212.126.47.93\u00a0<\/td>\n<\/tr>\n
89.43.45.232\u00a0<\/td>\n203.190.175.39\u00a0<\/td>\n74.62.212.143\u00a0<\/td>\n212.126.53.23\u00a0<\/td>\n<\/tr>\n
62.21.81.104\u00a0<\/td>\n203.190.172.18\u00a0<\/td>\n75.118.180.255\u00a0<\/td>\n212.126.55.166<\/td>\n<\/tr>\n
89.37.242.28\u00a0<\/td>\n69.70.122.98\u00a0<\/td>\n76.204.117.205\u00a0<\/td>\n212.126.57.215<\/td>\n<\/tr>\n
89.43.45.159\u00a0<\/td>\n65.111.171.20\u00a0<\/td>\n76.22.3.137\u00a0<\/td>\n212.126.72.14\u00a0<\/td>\n<\/tr>\n
77.253.108.16\u00a0<\/td>\n65.111.171.21\u00a0<\/td>\n76.239.29.46\u00a0<\/td>\n212.126.73.220<\/td>\n<\/tr>\n
91.189.139.168<\/td>\n174.36.196.207\u00a0<\/td>\n76.242.106.40\u00a0<\/td>\n212.126.78.153<\/td>\n<\/tr>\n
79.9.108.226\u00a0<\/td>\n208.43.74.19\u00a0<\/td>\n79.118.160.231\u00a0<\/td>\n212.126.83.57\u00a0<\/td>\n<\/tr>\n
88.214.208.44\u00a0<\/td>\n216.55.162.167\u00a0<\/td>\n79.139.245.79\u00a0<\/td>\n212.126.84.117<\/td>\n<\/tr>\n
212.126.94.174<\/td>\n212.126.92.167<\/td>\n <\/td>\n <\/td>\n<\/tr>\n
Download original…<\/a><\/td>\n<\/tr>\n<\/table>\n

The IP’s above have somehow been identified as being related to malicious behavior, but by just blocking them you are not making your system inherently secure. Blocking IP addresses is generally not an effective or long-term method of preventing malicious access. There are over 2 Billion possible IP addresses, and each IP can have a virtually unlimited number of computers and networks behind it. If you block an IP address, there are a billion others that could be used for malicious behavior. Also, wrongfully blocking an IP address could potentially restrict a huge number of people from your network. In the case of a website, this could result in significant loss of business. Please make sure you understand exactly what you are doing when searching for applications, or blocking IP’s. If in doubt, contact someone more qualified in network security.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

A few days ago, Visa issued a security alert (possibly in reaction to the recent Heartland breach) outlining some specific applications and IP addresses to look out for. What is unique about this alert that I’ve never seen before is that Visa gave a very specific list of malicious applications to search for on a […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,5],"tags":[],"class_list":["post-641","post","type-post","status-publish","format-standard","hentry","category-fraud","category-news"],"_links":{"self":[{"href":"https:\/\/www.merchantequip.com\/merchant-account-blog\/wp-json\/wp\/v2\/posts\/641","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.merchantequip.com\/merchant-account-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.merchantequip.com\/merchant-account-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.merchantequip.com\/merchant-account-blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.merchantequip.com\/merchant-account-blog\/wp-json\/wp\/v2\/comments?post=641"}],"version-history":[{"count":21,"href":"https:\/\/www.merchantequip.com\/merchant-account-blog\/wp-json\/wp\/v2\/posts\/641\/revisions"}],"predecessor-version":[{"id":666,"href":"https:\/\/www.merchantequip.com\/merchant-account-blog\/wp-json\/wp\/v2\/posts\/641\/revisions\/666"}],"wp:attachment":[{"href":"https:\/\/www.merchantequip.com\/merchant-account-blog\/wp-json\/wp\/v2\/media?parent=641"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.merchantequip.com\/merchant-account-blog\/wp-json\/wp\/v2\/categories?post=641"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.merchantequip.com\/merchant-account-blog\/wp-json\/wp\/v2\/tags?post=641"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}