Not a “Halmark” Greetings Card

Since this is my second post on the Commtouch blog I have added a brief intro – I have been working in the antivirus industry since 2004. I’ve served as an Escalation Anti-Virus Engineer at Trend Micro, Inc., a Senior Anti-Malware Analyst at F-Secure, Inc., and currently work as a Computer Virus Analyst at Commtouch, in the Antivirus Division (previously Authentium) – now on to the post…   

With the holiday season just around the corner we were not surprised to receive some greeting card emails. Viewing the “from address” of the email as shown below gives a hint that it’s truly spam. The email is from ”Halmark Greetings”? – “Halmark” with a single ‘L’? The correct spelling is of course ‘Hallmark’ (the largest manufacturer of greeting cards in the United States).

Clicking the link takes recipients to a site that looks like this:

We analyzed the website and found the code obfuscated.

De-obfuscating the code shows the real intention of the attacker – downloading and executing malware through exploits. The malware exploits a range of vulnerabilities in RealPlayer, JAVA, Flash Player and Adobe Reader.

Following a successful exploit the software may download and execute malware from the following links (Command Antivirus detection is listed on the Right):

  • hxxp://122..72/b/ctyvytasbljuxle.jar – Java/ByteVerify.F
  • hxxp://122..72/b/bwcucwatjtfo4.swf – SWF/Expl.H
  • hxxp://122..72/b/kub.php?i=2 – W32/Poison.U
  • hxxp://122..72/b/kub.php?i=7&&&&& – W32/Poison.U
  • hxxp://122..72/b/dqjmymytbvyzj9.pdf – PDF/Expl.IK
  • hxxp://122..72/b/jvkzfnxlgnfz.pdf – PDF/Expl.IL

Attackers will surely use this opportunity to spread malware so don’t fall for these emails as the holidays approach.

Happy Holidays!