Significant number of major businesses (POS systems) hit by Backoff malware - Page 2


Re: Zscaler spam

FromTheRafters wrote:

Your post is appreciated, FTR.

Something else I've learnt today!  
http://en.wikipedia.org/wiki/News.admin.net-abuse.email

Now then, PLEASE answer this query!

*HOW* have you gained such comprehensive knowledge of malware, and how  
do you keep up to date?

--  
First they ignore you, then they laugh at you, then they fight you, then  
you win.


Re: Zscaler spam

~BD~ explained on 8/30/2014 :

My knowledge is nowhere near comprehensive nor up-to-date. I'm learning  
new things all of the time.



Re: Zscaler spam

FromTheRafters wrote:

<*SIGH*>  :-(

--  
First they ignore you, then they laugh at you, then they fight you, then  
you win.


Re: Zscaler spam (was: Significant number of major businesses...)



That is possible, as the system could have become infected, and thus
part of a botnet, but the people running it are still responsible for
any abuse of the net, coming from that system.


Yes, based on what was posted here.

The only header that can be guaranteed not to be forged is the topmost
Received header, as it is generated by the mail transfer agent that
received the message. Following Received headers that show the sender
is within the same ISP can also be trusted. The first Received header
that comes from outside of the ISP is the last one that can be trusted.
Everything after that can be forged.

Regards, Dave Hodgins

--  
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
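The rule Dave describes above, walking the Received chain from the top and stopping trust at the first hop that arrived from outside the receiving ISP, is easy to mechanise. The following is an added example, not code from anyone in the thread: the headers are constructed (the `example-isp.net` hosts and the bank sender are invented; only the Zscaler relay host and its address are taken from the thread), and the receiving ISP's domain is passed in as an assumption.

```python
import re
from email import message_from_string

# Constructed sample header block (not a real message). Continuation lines are
# folded with leading whitespace as RFC 5322 allows; the relay host and IP on
# the third hop are the ones quoted in the thread, everything else is made up.
RAW_HEADERS = """\
Received: from mx2.example-isp.net (mx2.example-isp.net [192.0.2.20])
    by mailstore.example-isp.net with ESMTP; Fri, 29 Aug 2014 09:59:01 -0400
Received: from mx1.example-isp.net (mx1.example-isp.net [192.0.2.10])
    by mx2.example-isp.net with ESMTP; Fri, 29 Aug 2014 09:58:59 -0400
Received: from qtn1a-out-s6.mail.zscaler.net ([216.218.133.250])
    by mx1.example-isp.net with ESMTP; Fri, 29 Aug 2014 09:58:58 -0400
Received: from friendly-bank.example (unknown [198.51.100.7])
    by qtn1a-out-s6.mail.zscaler.net with SMTP; Fri, 29 Aug 2014 09:58:40 -0400
Received: from localhost (localhost [127.0.0.1])
    by friendly-bank.example; Fri, 29 Aug 2014 09:58:30 -0400
From: "Friendly Bank" <alerts@friendly-bank.example>
Subject: constructed sample
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _in_domain(host, own_domain):
    host = (host or "").lower().rstrip(".")
    return host == own_domain or host.endswith("." + own_domain)


def classify_received_chain(raw_headers, own_domain):
    """Return one dict per Received hop, top (newest) first, flagged trusted
    until and including the first hop whose 'from' host is outside own_domain."""
    msg = message_from_string(raw_headers)
    hops, boundary_seen = [], False
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m_from = re.match(r"from\s+(\S+)", value, re.I)
        m_by = re.search(r"\bby\s+(\S+)", value, re.I)
        frm = m_from.group(1) if m_from else None
        ip = IPV4.search(value)
        trusted = not boundary_seen              # hops after the boundary are forgeable
        if trusted and not _in_domain(frm, own_domain):
            boundary_seen = True                 # written by our MTA, but peer is external
        hops.append({"from": frm, "by": m_by.group(1) if m_by else None,
                     "ip": ip.group(1) if ip else None, "trusted": trusted})
    return hops


def last_trusted_hop(raw_headers, own_domain):
    """The external peer our ISP actually received from: the host and IP whose
    owner (found via whois/rwhois, as in the thread) should get the abuse report."""
    trusted = [h for h in classify_received_chain(raw_headers, own_domain) if h["trusted"]]
    return trusted[-1] if trusted else None
```

Run against the sample, the three `example-isp.net` hops are trusted and the hand-off point is `qtn1a-out-s6.mail.zscaler.net [216.218.133.250]`; the two hops beneath it could have been written by anyone.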

Re: Zscaler spam (was: Significant number of major businesses...)

David W. Hodgins formulated the question :

So, would that be Hurricane Electric's responsibility or Zscaler's? I'm  
assuming that HE is the physical custodian of the equipment being  
connected to and Z is merely their client.

[...]



Re: Zscaler spam (was: Significant number of major businesses...)



Both. Zscaler is responsible, but as the owner of the IP address HE is
also responsible for traffic coming from their systems. A responsible
ISP is supposed to either contact their customer, to get the traffic
to stop, or block the traffic from that customer until the system is
cleaned up, or, if it is intentional spamming, drop the customer as a
client.

Regards, Dave Hodgins

--  
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Zscaler spam

David W. Hodgins wrote:


OFF TOPIC!

Someone is asking for your help, David!

Here: Message-ID:  


--  
First they ignore you, then they laugh at you, then they fight you, then  
you win.


Re: Zscaler spam (was: Significant number of major businesses...)


On Friday, 29 August 2014 09:59 -0400,  



Feel free to guess again.

$ dig +short -x 216.218.133.250
250.192-26.133.218.216.in-addr.arpa.
qtn1a-out-s6.mail.zscaler.net.

$ dig +short qtn1a-out-s6.mail.zscaler.net
216.218.133.250

$ rwhois -s rwhois.he.net 216.218.133.250
Results:

ID                            NET-216.218.133.192/26
Auth-Area                     nets
Class-Name                    network
Network-Name                  NET-216.218.133.192/26
Parent                        NET-216.218.128.0/17
IP-Network                    216.218.133.192/26
Org-Contact                   POC-CE-2921
Tech-Contact                  POC-HE-NOC
Abuse-Contact                 POC-HE-ABUSE
NOC-Contact                   POC-HE-NOC
Created                       20111220181845000
Updated                       20111220181845000

ID                            POC-CE-2921
Auth-Area                     contacts
Class-Name                    contact
Name                          Jay Chaudhry
Company                       ZScaler
Street-Address                110 Baytech Dr, Ste 100
City                          San Jose
Province                      CA
Postal-Code                   95134
Country-Code                  US
Phone                         +1-510-580-4100
E-mail                        hostmaster@he.net
Created                       20111207203002000
Updated                       20130228163002000

ID                            POC-HE-NOC
Auth-Area                     contacts
Class-Name                    contact
Name                          Network Operations Center
Company                       Hurricane Electric
Street-Address                760 Mission Ct
City                          Fremont
Province                      CA
Postal-Code                   94539
Country-Code                  US
Phone                         +1-510-580-4100
E-Mail                        noc@he.net
Created                       20100901200738000
Updated                       20100901200738000

ID                            POC-HE-ABUSE
Auth-Area                     contacts
Class-Name                    contact
Name                          Abuse Department
Company                       Hurricane Electric
Street-Address                760 Mission Ct
City                          Fremont
Province                      CA
Postal-Code                   94539
Country-Code                  US
Phone                         +1-510-580-4100
E-Mail                        abuse@he.net
Created                       20100901200738000
Updated                       20100901200738000
Comment                       For email abuse (spam) only

--  
 Be kind to animals; kiss a shark.


Re: Significant number of major businesses (POS systems) hit by Backoff malware



No, they wouldn't. They could use all that additional code to instead  
carry more complicated payloads and/or outright modules to extend their  
capacity beyond what the author originally intended.

The complicated malware would still remain a mystery to the script  
kiddies. They aren't willing to put the time in and want a quick fix,  
so complicated malware is not ever going to be an issue from the script  
kiddies.

Even if it's semi automated for them, they'll fuck that up too. :)
  


--  
I know you tried to show me the light, I feed on the darkness
I've lost control, I'm down in a hole, I'm broken and helpless
The noose is getting tight, so tight, will I make it through the night  
It's time to surrender to myself and crawl out of this hell, the battle  
is in my head, there is nobody else

Re: Significant number of major businesses (POS systems) hit by Backoff malware



I'm bored and can't sleep yet... so what the hell. Figured I'd give  
this newsgroup a new post. [g]
  

AV/AM protection isn't a myth. Without those tools, known malware  
would have free rein on any machines that weren't properly secured  
with other means. And even then, some malware is still going to make  
that box its home. AV/AM protection is generally retroactive in  
nature; it can primarily detect what it knows about. So, based on the  
very logic of a computer, it's entirely possible to write something  
they won't detect.  

This does *not* mean the products are useless; it means you have  
something new and unknown and really shouldn't expect most programs  
to do anything with it. It's new code. No machine, other than yours  
has seen this new code yet. You can't expect it to be 'detected' and  
prevented in those cases.

That's just unrealistic and shows a lack of understanding of how  
computers work and what they're really meant to do. They are designed  
to be programmable. They follow instructions. There's lots of ways of  
giving the computer instructions that look different, but accomplish  
the same end result.  

This flexibility is by design and as a direct result of it, can be  
abused by writing new code that tells the computer to do something  
you *don't* want it doing.

Without this ability, many legitimate programs cannot exist either!


That may not be the fault of the AV/AM software itself. If it has  
older definitions that are not aware of the new malware, but newer ones have  
been released, it's an administration issue, not the fault of the  
computer or the AV/AM software. In other words, it's a user error.

And this is all too common. People install the AV/AM software and  
just think that's all that needs to be done. Some will do the initial  
scan, some order the software to skip it.  

Software that begs for an update upon installation has a higher  
chance of the user letting it than a program that waits for a live  
internet connection and updates later. AV/AM software doesn't always  
get the updates on its own. It's up to the user/system administrator  
to be vigilant about the security and AV/AM updates on their  
workstations and servers.

To do otherwise is irresponsible and, again, shows a lack of  
understanding of the principles and concepts that allow these  
machines to exist. Computer science is a real field, you know.
  

Trickle down effect. The vendors were already compromised and made  
things much worse.
  
  

That's pretty much a summary of what I explained above.
  

I suspect there's more to this... These details are vague.

  


--  
I know you tried to show me the light, I feed on the darkness
I've lost control, I'm down in a hole, I'm broken and helpless
The noose is getting tight, so tight, will I make it through the  
night It's time to surrender to myself and crawl out of this hell,  
the battle is in my head, there is nobody else

Re: Significant number of major businesses (POS systems) hit by Backoff malware

On 8/28/2014 11:29 PM, Dustin wrote:
Everybody,

The malware quips don't help anyone. Please, let's have some solid  
evidence as to the better antimalware programs that work against the new  
stuff coming out every day, or so it seems.

riserman

