Educause Security Discussion
mailing list archives
Re: Hallmark trojan
From: "Sabo, Eric" <Eric.Sabo () CUP EDU>
Date: Tue, 18 Nov 2008 14:32:21 -0500
Only a couple here and it seems TrendMicro ScanMail is detecting/cleaning them.
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joe St
Sent: Tuesday, November 18, 2008 2:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Hallmark trojan
#We are getting hammered by a Hallmark trojan. This appears to be what
#McAfee calls Spam.Mailbot.i. However, McAfee does not pick it up so it
#could be a variant of that one.
Are you running with McAfee's heuristic blocking rules enabled? Is it
catching the C&C traffic and/or the email output, or is spam actually
being emitted from the compromised hosts? Either way, I would encourage
you to submit the malware to VirusTotal (see http://www.virustotal.com/ )
if you haven't already done so.
Many of the greeting card trojans are mirc-based, and transmitted as
rar'd or zip'd files. As such, they are particularly approachable for
analysis, just unrar 'em (or in your case unzip 'em) and then you'll
commonly see a set of scripts and config files that can be the target
of further analysis activity or operational use if you're so inclined.
#I am wondering if anyone else is seeing this ?
Postcard-ware malware spam is a staple, and I suspect that you may be
seeing more of it than normal right now as the miscreants attempt to
rebuild their inventory following some, uh, recent events.
#And if you have a sure-fire way to detect and clean it ?
For detection, one easy way to spot spambotted hosts is to check listings
on http://www.senderbase.org for your domain or netblock. If you see
a dynamic host that's RBL'd on one or more lists, well, there you go. I'd
probably start with the hottest hosts (sort descending by daily magnitude)
and work your way down. Depending on how short your DHCP leases may be,
that may be something else to keep in mind.
Alternatively, if you have netflow data available, check for flows to/from
the Spamhaus DROP ranges (see the link on the left hand side of
http://www.spamhaus.org/drop/index.lasso for the current list of netblocks),
or just look for inbound flows to your compromised hosts. The problematic
sources tend to stand out like sore thumbs.
When it comes to cleaning...
Nuke-and-pave is really the only sure-fire approach to cleaning the infested
hosts, but I know I'm preaching to the choir there, although sometimes that
can be difficult or impossible.
#The result is that none of these appear to completely clean the machine.
#Any thoughts ?
I'm a huge fan of Lawrence Baldwin's MyNetwatchman SecCheck, see
If it doesn't catch it, I'd suggest trying additional free antivirus
products (Kaspersky, for example, often seems to find quite a bit) or
try looking at some of the anti-rootkit tools (let me know if you're
interested in suggestions there).
One more suggestion, if you're not already doing so -- consider running
a server side antivirus product (ClamAV, for example) to complement your
desktop antivirus product, and also consider Procmail Email Sanitizer
to handle some "inherently unsafe" email constructs that might otherwise
slip past (see http://www.impsec.org/email-tools/procmail-security.html ).
Again, probably stuff folks are already doing, but if not, worth
considering, I think.
Regards to y'all in the crisp and level upper midwest, :-)
Joe St Sauver (joe () oregon uoregon edu)
Disclaimer: all opinions strictly my own
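The netflow check Joe describes above (flag flows to or from Spamhaus DROP netblocks, then work the hottest hosts first) as an added worked example; this is not code from the thread or from Spamhaus. The DROP list and the flow records are constructed samples using documentation prefixes, and the field order of the flow lines (src,dst,dstport,bytes) is an assumption about your collector's export format.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the Spamhaus DROP file, mimicking its "prefix ; SBL reference"
# layout. These prefixes are RFC 5737 documentation ranges, not real DROP entries.
DROP_TEXT = """\
; Spamhaus DROP List (constructed sample, not the published list)
192.0.2.0/24 ; SBL-placeholder-1
198.51.100.0/24 ; SBL-placeholder-2
"""

# Constructed netflow-style records, one flow per line: src,dst,dstport,bytes.
# 10.0.0.0/8 plays the campus network; 203.0.113.0/24 is a non-DROP remote.
FLOW_TEXT = """\
10.0.5.23,192.0.2.17,6667,1520
10.0.5.23,203.0.113.9,25,40210
10.0.7.8,198.51.100.200,80,980
10.0.9.2,203.0.113.40,443,3300
192.0.2.33,10.0.5.23,1025,640
"""

def parse_drop(text):
    """Parse DROP-style text into ip_network objects, ignoring comments after ';'."""
    nets = []
    for line in text.splitlines():
        prefix = line.split(";", 1)[0].strip()
        if prefix:
            nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets

def parse_flows(text):
    """Parse the constructed CSV flows into (src, dst, dstport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, port, nbytes = line.split(",")
            flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), int(nbytes)))
    return flows

def drop_hits(flows, nets):
    """Map each local host to its flows that touch a DROP range, in either direction."""
    hits = defaultdict(list)
    for src, dst, port, nbytes in flows:
        for remote, local in ((dst, src), (src, dst)):  # outbound first, then inbound
            if any(remote in net for net in nets):
                hits[str(local)].append((str(remote), port, nbytes))
                break
    return dict(hits)

def rank_hosts(hits):
    """Hottest hosts first, by number of flagged flows (ties broken by address)."""
    return sorted(((host, len(f)) for host, f in hits.items()), key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    found = drop_hits(parse_flows(FLOW_TEXT), parse_drop(DROP_TEXT))
    for host, count in rank_hosts(found):
        print(host, count, found[host])
```

Swap DROP_TEXT for the downloaded list and FLOW_TEXT for your collector's export to run it against real data; a host appearing here is a candidate for the cleanup steps discussed above, not proof on its own.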