Educause Security Discussion mailing list archives
Re: Hallmark trojan
From: "Sabo, Eric" <Eric.Sabo () CUP EDU>
Date: Tue, 18 Nov 2008 14:32:21 -0500
Only a couple here and it seems TrendMicro ScanMail is detecting/cleaning them.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe St Sauver
Sent: Tuesday, November 18, 2008 2:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Hallmark trojan

Hi Dick!

You mentioned:

#We are getting hammered by a Hallmark trojan. This appears to be what
#McAfee calls Spam.Mailbot.i. However, McAfee does not pick it up so it
#could be a variant of that one.

Are you running with McAfee's heuristic blocking rules enabled? Is it catching the C&C traffic and/or the email output, or is spam actually being emitted from the compromised hosts?

Either way, I would encourage you to submit the malware to VirusTotal (see http://www.virustotal.com/ ) if you haven't already done so.

Many of the greeting card trojans are mirc-based, and transmitted as rar'd or zip'd files. As such, they are particularly approachable for analysis, just unrar 'em (or in your case unzip 'em) and then you'll commonly see a set of scripts and config files that can be the target of further analysis activity or operational use if you're so inclined.

#I am wondering if anyone else is seeing this ?

Postcard-ware malware spam is a staple, and I suspect that you may be seeing more of it than normal right now as the miscreants attempt to rebuild their inventory following some, uh, recent events.

#And if you have a sure-fire way to detect and clean it ?

For detection, one easy way to spot spambotted hosts is to check listings on http://www.senderbase.org for your domain or netblock. If you see a dynamic host that's RBL'd on one or more lists, well, there you go. I'd probably start with the hottest hosts (sort descending by daily magnitude) and work your way down. Depending on how short your DHCP leases may be, that may be something else to keep in mind.

Alternatively, if you have netflow data available, check for flows to/from the Spamhaus DROP ranges (see the link on the left hand side of http://www.spamhaus.org/drop/index.lasso for the current list of netblocks), or just look for inbound flows to your compromised hosts. The problematic sources tend to stand out like sore thumbs.

When it comes to cleaning... Nuke-and-pave is really the only sure-fire approach to cleaning the infested hosts, but I know I'm preaching to the choir there, although sometimes that can be difficult or impossible.

#The result is that none of these appear to completely clean the machine.
#Any thoughts ?

I'm a huge fan of Lawrence Baldwin's MyNetwatchman SecCheck, see http://www.mynetwatchman.com/tools/sc/

If it doesn't catch it, I'd suggest trying additional free antivirus products (Kaspersky, for example, often seems to find quite a bit) or try looking at some of the anti-rootkit tools (let me know if you're interested in suggestions there).

One more suggestion, if you're not already doing so -- consider running a server side antivirus product (ClamAV, for example) to complement your desktop antivirus product, and also consider Procmail Email Sanitizer to handle some "inherently unsafe" email constructs that might otherwise slip past (see http://www.impsec.org/email-tools/procmail-security.html ). Again, probably stuff folks are already doing, but if not, worth considering, I think.

Regards to y'all in the crisp and level upper midwest, :-)

Joe St Sauver (joe () oregon uoregon edu)
http://www.uoregon.edu/~joe/

Disclaimer: all opinions strictly my own
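The netflow check Joe describes, written out as an added example (not part of the thread): it parses a DROP-style list and counts, per local host, the flows whose remote end falls in a listed netblock. The DROP entries, the flow records and the 192.0.2.0/24 "campus" range are all constructed sample values.

```python
import ipaddress
from collections import Counter

# Constructed sample in the Spamhaus DROP text layout ("CIDR ; SBL id").
# These netblocks are made up for the example, not taken from the real list.
DROP_TEXT = """; DROP list (constructed sample)
203.0.113.0/24 ; SBL0001
198.51.100.128/25 ; SBL0002
"""

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
# 192.0.2.0/24 stands in for the local campus netblock.
FLOWS = [
    ("192.0.2.10", "203.0.113.5", 6667, 4200),   # local host -> DROP range (IRC port)
    ("192.0.2.10", "203.0.113.5", 6667, 900),
    ("192.0.2.11", "198.51.100.200", 80, 15000), # local host -> DROP range
    ("192.0.2.12", "93.184.216.34", 443, 3000),  # ordinary web traffic, not flagged
    ("198.51.100.130", "192.0.2.13", 445, 700),  # inbound from DROP range
]

def parse_drop(text):
    """Return the CIDR networks from DROP-style text, skipping ';' comments."""
    nets = []
    for line in text.splitlines():
        cidr = line.split(";", 1)[0].strip()
        if cidr:
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets

def in_drop(ip, nets):
    """True if the address lies inside any listed netblock."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)

def flag_flows(flows, nets, local_net):
    """Return {local_host: count} of flows whose remote side is DROP-listed.
    Whichever end sits inside local_net is treated as the local host."""
    local = ipaddress.ip_network(local_net)
    hits = Counter()
    for src, dst, _port, _nbytes in flows:
        src_local = ipaddress.ip_address(src) in local
        local_ip, remote_ip = (src, dst) if src_local else (dst, src)
        if ipaddress.ip_address(local_ip) in local and in_drop(remote_ip, nets):
            hits[local_ip] += 1
    return hits

if __name__ == "__main__":
    for host, n in flag_flows(FLOWS, parse_drop(DROP_TEXT), "192.0.2.0/24").most_common():
        print(f"{host}: {n} flow(s) to/from DROP-listed space")
```

Sorting by hit count mirrors the "start with the hottest hosts and work down" approach from the message; a real run would feed exported flow records and the current DROP text file in place of the constructed samples.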
Current thread:
- Hallmark trojan Dick Jacobson (Nov 18)
- <Possible follow-ups>
- Re: Hallmark trojan Ken Connelly (Nov 18)
- Re: Hallmark trojan Woodle, I Wesley (Wes) (Nov 18)
- Re: Hallmark trojan Daniel Bennett (Nov 18)
- Re: Hallmark trojan Joe St Sauver (Nov 18)
- Re: Hallmark trojan Sabo, Eric (Nov 18)