Educause Security Discussion mailing list archives

Re: Hallmark trojan


From: "Sabo, Eric" <Eric.Sabo () CUP EDU>
Date: Tue, 18 Nov 2008 14:32:21 -0500

Only a couple here and it seems TrendMicro ScanMail is detecting/cleaning them.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe St Sauver
Sent: Tuesday, November 18, 2008 2:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Hallmark trojan

Hi Dick!

You mentioned:

#We are getting hammered by a Hallmark trojan.  This appears to be what 
#McAfee calls Spam.Mailbot.i.  However, McAfee does not pick it up so it 
#could be a variant of that one.

Are you running with McAfee's heuristic blocking rules enabled? Is it 
catching the C&C traffic and/or the email output, or is spam actually 
being emitted from the compromised hosts? Either way, I would encourage 
you to submit the malware to VirusTotal (see http://www.virustotal.com/ ) 
if you haven't already done so. 

Many of the greeting card trojans are mirc-based, and transmitted as
rar'd or zip'd files. As such, they are particularly approachable for 
analysis, just unrar 'em (or in your case unzip 'em) and then you'll 
commonly see a set of scripts and config files that can be the target 
of further analysis activity or operational use if you're so inclined.

#I am wondering if anyone else is seeing this ?  

Postcard-ware malware spam is a staple, and I suspect that you may be
seeing more of it than normal right now as the miscreants attempt to 
rebuild their inventory following some, uh, recent events.

#And if you have a sure-fire way to detect and clean it ?

For detection, one easy way to spot spambotted hosts is to check listings
on http://www.senderbase.org for your domain or netblock. If you see
a dynamic host that's RBL'd on one or more lists, well, there you go. I'd
probably start with the hottest hosts (sort descending by daily magnitude)
and work your way down. Depending on how short your DHCP leases may be,
that may be something else to keep in mind. 

Alternatively, if you have netflow data available, check for flows to/from
the Spamhaus DROP ranges (see the link on the left hand side of
http://www.spamhaus.org/drop/index.lasso for the current list of netblocks),
or just look for inbound flows to your compromised hosts. The problematic
sources tend to stand out like sore thumbs.

When it comes to cleaning...

Nuke-and-pave is really the only sure-fire approach to cleaning the infested
hosts, but I know I'm preaching to the choir there, although sometimes that 
can be difficult or impossible. 

#The result is that none of these appear to completely clean the machine. 
#Any thoughts ?

I'm a huge fan of Lawrence Baldwin's MyNetwatchman SecCheck, see
http://www.mynetwatchman.com/tools/sc/

If it doesn't catch it, I'd suggest trying additional free antivirus 
products (Kaspersky, for example, often seems to find quite a bit) or 
try looking at some of the anti-root kit tools (let me know if you're
interested in suggestions there).

One more suggestion, if you're not already doing so -- consider running
a server side antivirus product (ClamAV, for example) to complement your
desktop antivirus product, and also consider Procmail Email Sanitizer
to handle some "inherently unsafe" email constructs that might otherwise 
slip past (see http://www.impsec.org/email-tools/procmail-security.html ).
Again, probably stuff folks are already doing, but if not, worth 
considering, I think.

Regards to y'all in the crisp and level upper midwest, :-)

Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/
Disclaimer: all opinions strictly my own
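The netflow checks Joe describes above (flows to or from a DROP-style blocklist, and inbound flows to campus hosts) are easy to script once you have a text export of flow records. The following is an added illustration, not code from the thread or from any of the tools mentioned. The blocklist ranges and the flow records are constructed from RFC 5737 documentation address space and RFC 1918 space; they are not the real Spamhaus DROP list, and the four-column flow format is a simplified stand-in for whatever your collector exports. It also adds one check the post only implies: counting outbound flows to TCP/25 per internal host, which is what a spambot looks like on the wire.

```python
"""Flag NetFlow-style records against a DROP-style blocklist and summarise
per-host inbound and outbound-SMTP activity.

Added example for the mailing-list discussion; the blocklist, campus range
and flow records below are all constructed (RFC 5737 / RFC 1918 space).
"""
import ipaddress
from collections import Counter

# Constructed placeholder for a DROP-style blocklist (RFC 5737 TEST-NET ranges).
# In practice, load the current published list instead of hard-coding.
BLOCKLIST = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]

# Campus address space for this example (constructed, RFC 1918).
CAMPUS = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: src_ip dst_ip dst_port packets (one flow per line).
SAMPLE_FLOWS = """\
10.1.2.3 203.0.113.10 25 12
10.1.2.3 192.0.2.44 6667 40
198.51.100.9 10.1.2.3 4444 3
10.1.9.9 203.0.113.20 80 5
203.0.113.30 10.1.2.3 1337 2
10.1.2.3 203.0.113.31 25 9
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, port, packets) tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort on a bad export
        src, dst, port, pkts = parts
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      int(port), int(pkts)))
    return flows


def in_blocklist(addr):
    """True if the address falls inside any blocklisted range."""
    return any(addr in net for net in BLOCKLIST)


def flag_flows(flows):
    """Return flows that touch a blocklisted range in either direction."""
    return [f for f in flows if in_blocklist(f[0]) or in_blocklist(f[1])]


def inbound_by_host(flows):
    """Map each campus host to the number of distinct external sources
    connecting inbound to it (bots being steered from outside stand out)."""
    sources = {}
    for src, dst, _port, _pkts in flows:
        if dst in CAMPUS and src not in CAMPUS:
            sources.setdefault(dst, set()).add(src)
    return {str(host): len(srcs) for host, srcs in sources.items()}


def outbound_smtp_by_host(flows):
    """Count outbound flows to TCP/25 per campus host, a direct spambot indicator."""
    counts = Counter()
    for src, dst, port, _pkts in flows:
        if src in CAMPUS and dst not in CAMPUS and port == 25:
            counts[str(src)] += 1
    return dict(counts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, port, pkts in flag_flows(flows):
        print(f"blocklist hit: {src} -> {dst}:{port} ({pkts} pkts)")
    print("inbound external sources per host:", inbound_by_host(flows))
    print("outbound SMTP flows per host:", outbound_smtp_by_host(flows))
```

Run it against a real export by replacing SAMPLE_FLOWS with your collector's output (adjust parse_flows to its column layout) and BLOCKLIST with the current published ranges; the host that appears in all three summaries is the one to pull off the network first.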
