Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: "postcard" spams.
From: "Perry, Jeff" <perry () KU EDU>
Date: Tue, 3 Jul 2007 12:40:56 -0500

Matt,

I would concur with your findings.  We are seeing more varients than the
Sans Handler Diary suggests. 

------------------------------------------------------------------------
----
Jeff Perry, CISSP
Manager, Security Services and Operations
Information Security Office - A Division of Information Services
The University of Kansas
Office +1 785-864-9003
Direct +1 785-864-0489
Fax    +1 785-864-0485
Email perry () ku edu
------------------------------------------------------------------------
----
http://www.security.ku.edu

-----Original Message-----
From: Matthew Gracie [mailto:graciem () CANISIUS EDU] 
Sent: Tuesday, July 03, 2007 12:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "postcard" spams.

We've been receiving a whole host of "You have received a postcard!"
spam, with malware website links embedded in it.

For details, see: http://isc.sans.org/diary.html?storyid=3063

I haven't had a whole lot of luck finding information on the method of
propagation on this, but it seems to do all of its initial setup from a
source UDP port of 26395. At least, that's my observation from a
deliberately infected machine and a packet sniffer.

Does this jibe with other people's observation of this? The ecard.exe I
downloaded from one of the emails has a different MD5 than listed in the
SANS article, so I fear there might be copycats and variants out there
already.

--Matt

-- 
Matt Gracie                         (716) 888-2403
Information Security Administrator  graciem () canisius edu
Canisius College ITS                425531N / 0785109W
http://www2.canisius.edu/~graciem/graciem_public_key.gpg        

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]