I work with POS software and want to verify that current Norton antivirus definitions include certain hash values. If they are not included, I would like to know how to manually add such definitions to the software myself.
PDF files from Visa describing the vulnerabilities:
List of the files, descriptions, sizes and hashes from the first link (the second one wouldn't allow copying):
File | Description | Size | MD5
rtcli.dll | Information stealer / downloader | 118272 | 4bd819d9e75e4e8ecf1a9599f44af12a
mstdc.exe | Backdoor | 64512 | 57703973ff74503376a650224aa43dfa
mstdc.bak | Backdoor | 106496 | 67ed156e118b9aa65ed414a79633a3d4
msaudit.dll | Memory-parsing malware | 97792 | 27bfffa7d034a94b79d3e6ffdda50084
mn32.exe | Prefetch file indicating execution of the malicious code | 179200 | 89a8844c1214e7fc977f026be675a92a
si.vbs | Visual Basic script used by hacker to deploy malware onto POS systems | 2772 | 0efe7632b01116eefaba438c9bcee34
sd32.exe | Anti-forensic utility to remove malware from POS systems | 134000 | 9c3a1d3829c7a46d42d5a19fe05197f3
TcpAdaptorService.exe | Memory-parsing malware | 73728 / 118784 | cfee737692e65e0b2a358748a39e3bee / 85f94d85cfeff32fa18d55491e355d2b
Osql.exe, svchosts.exe | Tool used with TcpAdaptorService.exe to send track data to bad IP | 122880 | 4b9b36800db395d8a95f331c4608e947
oposwin.exe | Memory-parsing malware | 245760 | 3446cd1f4bee2890afc2e8b9e9eb76a2
svcmon.exe | Memory-parsing malware | 253952 | 0fff972080248406103f2093b6892134
nYmTxGSJhLLFfagQ.bat | Batch file used to whitelist malware executables on FIM | 74 | eae4718ea5a860cc372b5728e96af656
tbcsvc.exe | Performs cryptographic operations | 293583 | 1aa662d329cc7c51d2e9176024fedee8
mssec.exe | Attempts outbound communication via port 443 | 135242 | d7e5e85ccb6c71a39b99a9228313cc33
msproc.exe | Malicious, unknown purpose | 184128 | 2e567707730ed2c76b162a97dcf28c05
I'm looking for more technical information to provide for you from people far smarter than me. This is an excellent question, and I'll get back to you soon. Thanks.
Perhaps someone from the Norton AV team should look into the files listed and comment. Norton, like any other AV, is updated with the latest virus signatures as they are detected. Since POS involves a lot of risk, you should keep its firewall and antivirus tight and updated, as well as your systems.
You can use VirusTotal’s Search facility to perform a search for detections based on the MD5 Hash value. Keep in mind that the results are ‘as at’ the Analysis Date and therefore should be treated as a guide only. Please read the following VirusTotal Statistics FAQ to get a better understanding of the results you are seeing:
As an example, here are the MD5 search results for the first five files in your list above:
File | Size | MD5 Hash Value | VirusTotal Analysis Date | Symantec Detection
rtcli.dll | 118272 | 4bd819d9e75e4e8ecf1a9599f44af12a | File not found | N/A
mstdc.exe | 64512 | 57703973ff74503376a650224aa43dfa | 2014-01-02 06:05:34 UTC (1 week, 6 days ago) | Suspicious.Cloud.5
mstdc.bak | 106496 | 67ed156e118b9aa65ed414a79633a3d4 | File not found | N/A
msaudit.dll | 97792 | 27bfffa7d034a94b79d3e6ffdda50084 | 2014-01-03 10:22:25 UTC (1 week, 5 days ago) | Infostealer.Somabix
mn32.exe | 179200 | 89a8844c1214e7fc977f026be675a92a | 2014-01-02 06:22:11 UTC (1 week, 6 days ago) | Infostealer.Somabix
Signature detection is just one component of the overall mitigation strategy. It would still be prudent to work through Visa’s Recommended Mitigation Strategy lists outlined in those documents above and cover off as many of those items as you can.
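One way to act on the hash list from the question and the per-hash VirusTotal lookup described in this answer, as an added example that is not code from the original thread or from Norton/Symantec: a Python script that validates the posted MD5 values, sweeps a directory for files whose MD5 matches one of them, flags hits whose on-disk size disagrees with the posted size, and builds a manual VirusTotal link for each hit. It assumes the posted sizes are in bytes, that the VirusTotal web UI accepts a search URL of the form https://www.virustotal.com/gui/search/<hash>, and it uses two constructed, harmless sample files in a temporary directory for its self-check.

```python
"""Offline hash sweep against the POS malware indicators listed in the question.

Added example, not code from the original thread. Assumes the posted sizes are
in bytes and that the VirusTotal web UI accepts a search URL of the form
https://www.virustotal.com/gui/search/<hash>.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Indicators transcribed from the question: md5 -> (filename as posted, size as posted).
IOC_MD5: Dict[str, Tuple[str, int]] = {
    "4bd819d9e75e4e8ecf1a9599f44af12a": ("rtcli.dll", 118272),
    "57703973ff74503376a650224aa43dfa": ("mstdc.exe", 64512),
    "67ed156e118b9aa65ed414a79633a3d4": ("mstdc.bak", 106496),
    "27bfffa7d034a94b79d3e6ffdda50084": ("msaudit.dll", 97792),
    "89a8844c1214e7fc977f026be675a92a": ("mn32.exe", 179200),
    "0efe7632b01116eefaba438c9bcee34": ("si.vbs", 2772),  # 31 hex chars as posted
    "9c3a1d3829c7a46d42d5a19fe05197f3": ("sd32.exe", 134000),
    "cfee737692e65e0b2a358748a39e3bee": ("TcpAdaptorService.exe", 73728),
    "85f94d85cfeff32fa18d55491e355d2b": ("TcpAdaptorService.exe", 118784),
    "4b9b36800db395d8a95f331c4608e947": ("Osql.exe / svchosts.exe", 122880),
    "3446cd1f4bee2890afc2e8b9e9eb76a2": ("oposwin.exe", 245760),
    "0fff972080248406103f2093b6892134": ("svcmon.exe", 253952),
    "eae4718ea5a860cc372b5728e96af656": ("nYmTxGSJhLLFfagQ.bat", 74),
    "1aa662d329cc7c51d2e9176024fedee8": ("tbcsvc.exe", 293583),
    "d7e5e85ccb6c71a39b99a9228313cc33": ("mssec.exe", 135242),
    "2e567707730ed2c76b162a97dcf28c05": ("msproc.exe", 184128),
}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def malformed_iocs(iocs: Dict[str, Tuple[str, int]]) -> List[str]:
    """Return indicator strings that are not well-formed lowercase 32-hex MD5s.

    A malformed hash (a dropped character during copy/paste, for instance) can
    never match a real file, so it must be re-checked against the source PDF.
    """
    return [h for h in iocs if not MD5_RE.match(h)]


def file_md5(path: str, chunk: int = 1 << 16) -> str:
    """Stream a file through MD5 so large binaries are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def virustotal_url(md5: str) -> str:
    """Build a manual lookup link (assumed URL form of the VirusTotal web UI)."""
    return "https://www.virustotal.com/gui/search/" + md5


def sweep(root: str, iocs: Dict[str, Tuple[str, int]] = IOC_MD5) -> List[dict]:
    """Walk `root`, hash every file and report those whose MD5 is in `iocs`.

    Each hit records whether the on-disk size agrees with the posted size; a
    mismatch points to a transcription error in the indicator, since an MD5
    match with a different length does not happen by accident.
    """
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                digest = file_md5(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            if digest in iocs:
                ioc_name, ioc_size = iocs[digest]
                hits.append({
                    "path": path,
                    "md5": digest,
                    "ioc_name": ioc_name,
                    "size_matches": size == ioc_size,
                    "virustotal": virustotal_url(digest),
                })
    return sorted(hits, key=lambda h: h["path"])


def self_check() -> List[dict]:
    """Exercise sweep() on two constructed, harmless files in a temporary directory.

    a.bin is registered with its true size; b.bin is registered with a size that
    is one byte off, to show the size_matches flag. Returns the hit list.
    """
    samples = {
        "a.bin": (b"constructed sample A, not malware\n", 0),
        "b.bin": (b"constructed sample B, not malware\n", 1),  # +1 byte: wrong size
    }
    iocs = dict(IOC_MD5)
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, size_error) in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(content)
            iocs[hashlib.md5(content).hexdigest()] = (name, len(content) + size_error)
        return sweep(tmp, iocs)


if __name__ == "__main__":
    print("Malformed indicators (re-check against the Visa PDF):", malformed_iocs(IOC_MD5))
    for hit in self_check():
        print(hit)
```

Run it against a POS host's program directories (sweep("C:\\path\\to\\check")) and treat every hit as a lead to confirm with the vendor's detection name on VirusTotal, not as a verdict; a clean sweep only says none of these exact files are present, which is why the answer above stresses working through Visa's mitigation list as well.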