Verify virus definition hashes

I work with POS software and want to verify that current Norton antivirus definitions include certain hash values. If they are not included, I would like to know how to manually add such definitions to the software myself.

 

PDF Files from visa describing the vulnerabilities:

 

http://usa.visa.com/download/merchants/alert-prevent-grocer-malware-attacks-04112013.pdf

http://usa.visa.com/download/merchants/Bulletin__Memory_Parser_Update_082013.pdf

 

List of the files, descriptions, sizes and hashes from the first link (the second one wouldn't allow copying):

 

File | Description | Size | MD5
rtcli.dll | Information stealer / downloader | 118272 | 4bd819d9e75e4e8ecf1a9599f44af12a
mstdc.exe | Backdoor | 64512 | 57703973ff74503376a650224aa43dfa
mstdc.bak | Backdoor | 106496 | 67ed156e118b9aa65ed414a79633a3d4
msaudit.dll | Memory-parsing malware | 97792 | 27bfffa7d034a94b79d3e6ffdda50084
mn32.exe | Prefetch file indicating execution of the malicious code | 179200 | 89a8844c1214e7fc977f026be675a92a
si.vbs | Visual Basic script used by hacker to deploy malware onto POS systems | 2772 | 0efe7632b01116eefaba438c9bcee34
sd32.exe | Anti-forensic utility to remove malware from POS systems | 134000 | 9c3a1d3829c7a46d42d5a19fe05197f3
TcpAdaptorService.exe | Memory-parsing malware | 73728 | cfee737692e65e0b2a358748a39e3bee
TcpAdaptorService.exe (second size/hash listed under the same entry) | Memory-parsing malware | 118784 | 85f94d85cfeff32fa18d55491e355d2b
Osql.exe, svchosts.exe | Tool used with TcpAdaptorService.exe to send track data to bad IP | 122880 | 4b9b36800db395d8a95f331c4608e947
oposwin.exe | Memory-parsing malware | 245760 | 3446cd1f4bee2890afc2e8b9e9eb76a2
svcmon.exe | Memory-parsing malware | 253952 | 0fff972080248406103f2093b6892134
nYmTxGSJhLLFfagQ.bat | Batch file used to whitelist malware executables on FIM | 74 | eae4718ea5a860cc372b5728e96af656
tbcsvc.exe | Performs cryptographic operations | 293583 | 1aa662d329cc7c51d2e9176024fedee8
mssec.exe | Attempts outbound communication via port 443 | 135242 | d7e5e85ccb6c71a39b99a9228313cc33
msproc.exe | Malicious, unknown purpose | 184128 | 2e567707730ed2c76b162a97dcf28c05
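
As an added example (not from the original post, Visa or Norton), a small Python checker that loads rows like the list above as a watchlist keyed by MD5 and by file name, and classifies files on disk against it. The function names are my own; note that the si.vbs hash as printed is only 31 hex characters, so the loader has to reject it rather than index a value that can never match.

```python
import hashlib
import os
import re

# Watchlist transcribed from the Visa bulletin rows quoted in the post above, as
# (file name, size in bytes, MD5). The si.vbs row is kept exactly as printed there: its
# hash has only 31 hex characters, so the loader must reject it rather than index it.
VISA_IOCS = [
    ("rtcli.dll",   118272, "4bd819d9e75e4e8ecf1a9599f44af12a"),
    ("mstdc.exe",    64512, "57703973ff74503376a650224aa43dfa"),
    ("msaudit.dll",  97792, "27bfffa7d034a94b79d3e6ffdda50084"),
    ("si.vbs",        2772, "0efe7632b01116eefaba438c9bcee34"),
]
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def load_watchlist(entries):
    """Index IoCs by MD5 and by lower-cased file name; malformed hashes are returned, not dropped."""
    by_hash, by_name, malformed = {}, {}, []
    for name, size, md5 in entries:
        md5 = md5.strip().lower()
        if not MD5_RE.match(md5):
            malformed.append((name, md5))
            continue
        by_hash[md5] = name
        by_name[name.lower()] = (md5, size)
    return by_hash, by_name, malformed

def classify(file_name, digest, by_hash, by_name):
    """Hash match = the IoC itself, even if renamed. Known name with a different hash is only
    a lead (possible variant; the bulletin lists two hashes for TcpAdaptorService.exe)."""
    if digest in by_hash:
        return "ioc-renamed" if file_name.lower() != by_hash[digest].lower() else "ioc"
    if file_name.lower() in by_name:
        return "name-only-possible-variant"
    return None

def scan_tree(root, by_hash, by_name):
    """Walk root and return (path, verdict, md5) for every file classify() flags."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:          # files here are small; no chunking needed
                digest = hashlib.md5(f.read()).hexdigest()
            verdict = classify(fn, digest, by_hash, by_name)
            if verdict:
                hits.append((path, verdict, digest))
    return hits
```

Run `scan_tree(r"C:\POS", *load_watchlist(VISA_IOCS)[:2])` on the POS install directory and review the malformed list returned by `load_watchlist` before trusting a clean result.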

 

Hi QRSSupport,

 

I'm looking for more technical information to provide for you from people far smarter than me. This is an excellent question, and I'll get back to you soon. Thanks.

Most of the samples of the files around, known as POS RAM Scrapers, are detected by Symantec (Norton), including samples you did not list in message 1.

But not under a common family name: from Trojan Bancos to Hacktool to WS.Reputation.1.

 

 

Quads

Two more Symantec detection names for these files are:

 

Infostealer.Dexter
Infostealer.Vskim

 

 

Quads

Perhaps someone from the Norton AV team should look into the files listed and comment.
Norton, like any other AV, is updated with the latest versions of virus signatures as they are detected. Since POS involves a lot of risk, you should keep its firewall and antivirus tight and updated, as well as your systems.

I have many samples of this family (POS RAM Scrap), so it is easy to see if Norton detects them, including the ones the thread creator listed.

 

Quads


QRSsupport wrote:

 

I work with POS software and want to verify that current norton antivirus definitions include certain hash values.  If they are not included I would like to know how to manually add such definitions to the software myself.

 

PDF Files from visa describing the vulnerabilities:

 

http://usa.visa.com/download/merchants/alert-prevent-grocer-malware-attacks-04112013.pdf

http://usa.visa.com/download/merchants/Bulletin__Memory_Parser_Update_082013.pdf

 

List of the files, descriptions, sizes and hashes from the first link (the second one wouldn't allow copying):

 

File | Description | Size | MD5
rtcli.dll | Information stealer / downloader | 118272 | 4bd819d9e75e4e8ecf1a9599f44af12a
mstdc.exe | Backdoor | 64512 | 57703973ff74503376a650224aa43dfa
mstdc.bak | Backdoor | 106496 | 67ed156e118b9aa65ed414a79633a3d4
msaudit.dll | Memory-parsing malware | 97792 | 27bfffa7d034a94b79d3e6ffdda50084
mn32.exe | Prefetch file indicating execution of the malicious code | 179200 | 89a8844c1214e7fc977f026be675a92a
[...]

 


You can use VirusTotal's Search facility to search for detections by MD5 hash value. Keep in mind that the results are "as at" the Analysis Date and should therefore be treated as a guide only. Please read the following VirusTotal Statistics FAQ to get a better understanding of the results you are seeing:

 

Why do not you include statistics comparing antivirus performance?

 

As an example, here are the MD5 search results for the first five files in your list above:

 

 

File | Size | MD5 Hash Value | VirusTotal Analysis Date | Symantec Detection
rtcli.dll | 118272 | 4bd819d9e75e4e8ecf1a9599f44af12a | File not found | N/A
mstdc.exe | 64512 | 57703973ff74503376a650224aa43dfa | 2014-01-02 06:05:34 UTC (1 week, 6 days ago) | Suspicious.Cloud.5
mstdc.bak | 106496 | 67ed156e118b9aa65ed414a79633a3d4 | File not found | N/A
msaudit.dll | 97792 | 27bfffa7d034a94b79d3e6ffdda50084 | 2014-01-03 10:22:25 UTC (1 week, 5 days ago) | Infostealer.Somabix
mn32.exe | 179200 | 89a8844c1214e7fc977f026be675a92a | 2014-01-02 06:22:11 UTC (1 week, 6 days ago) | Infostealer.Somabix

 

 

Signature detection is just one component of the overall mitigation strategy. It would still be prudent to work through Visa's Recommended Mitigation Strategy lists outlined in the documents above and cover off as many of those items as you can.
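
An added example, not from the answer above or from VirusTotal's own tooling, of doing the same hash lookup programmatically with the VirusTotal v3 files endpoint and pulling out one engine's verdict together with the age of the analysis, so an "as at" date that is weeks old gets flagged for re-scan instead of being read as current. The function names, the API key placeholder and the sample report are assumptions; the sample is filled in from the msaudit.dll row above.

```python
import json
import time
from datetime import datetime, timezone
from urllib import error, request

VT_FILES = "https://www.virustotal.com/api/v3/files/"   # accepts an MD5, SHA-1 or SHA-256

def fetch_report(file_hash, api_key):
    """Live lookup (needs a key; not run offline). Returns the parsed JSON report, or None
    when VirusTotal has never seen the hash, which is what the 'File not found' rows mean."""
    req = request.Request(VT_FILES + file_hash, headers={"x-apikey": api_key})
    try:
        with request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except error.HTTPError as e:
        if e.code == 404:
            return None
        raise

def engine_verdict(report, engine="Symantec", now=None, stale_after_days=30):
    """Pull one engine's result and the analysis date out of a v3 report, and flag results
    older than stale_after_days: the date is when VT last scanned, not when defs changed."""
    if report is None:
        return {"found": False}
    attrs = report["data"]["attributes"]
    analysed = attrs["last_analysis_date"]                 # unix seconds, UTC
    now = int(time.time()) if now is None else now
    age_days = (now - analysed) // 86400
    res = attrs.get("last_analysis_results", {}).get(engine)
    return {
        "found": True,
        "analysis_date": datetime.fromtimestamp(analysed, tz=timezone.utc)
                                 .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "age_days": age_days,
        "stale": age_days > stale_after_days,
        "engine_ran": res is not None,
        "detection": (res or {}).get("result"),            # None: engine ran and found nothing
    }

# Constructed report in the shape of a v3 response, filled in from the msaudit.dll row above
# (hash, analysis date and Symantec name); the second engine entry is made up for contrast.
SAMPLE_REPORT = {"data": {"type": "file", "attributes": {
    "md5": "27bfffa7d034a94b79d3e6ffdda50084",
    "last_analysis_date": 1388744545,                      # 2014-01-03 10:22:25 UTC
    "last_analysis_results": {
        "Symantec": {"category": "malicious", "result": "Infostealer.Somabix"},
        "ExampleEngine": {"category": "undetected", "result": None},
    },
}}}
```

For a real check, call `engine_verdict(fetch_report(md5, "YOUR-API-KEY"))` per hash; a stale result means "request a re-analysis on VirusTotal or scan the sample locally with current definitions", not "undetected".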

 

 

 

OK, if I do it that way and use VirusTotal on a sample I think is from my latest POS family:

 

 

https://www.virustotal.com/en/file/7453db8231fdcfb29cc3024e4dd60558d75b95efcf791146c64e8f4cba9771eb/analysis/

 

 

Quads

Got some more samples around 20 mins ago, and Norton detects these also.

 

Quads