Red Condor Identifies Possible Source Of Recent Malware Campaigns

Compromised accounts used to host malware-laden spam payloads

August 13, 2010

San Diego, Calif. – August 12, 2010 – St. Bernard’s Red Condor security team today issued a warning of a new, sophisticated email malware threat disguised as misdirected personal emails with executable attachments. The spam messages carry a variety of subject lines, including “You are in invited to another show!”, “FW: Resume as discussed” and “FW: Car & Car loan”. Their content appears to have been stolen from compromised email accounts and computers, and the messages appear to have multiple connections with the ongoing one-click plug-and-play (PNP) malware campaigns that Red Condor has been monitoring for the past several months. Red Condor also identified a possible source of the spam payloads: compromised accounts on a social media/networking site. The executables in this new campaign have been identified as TR/Dropper.Gen / FraudTool.Win32.AVSoft (v) / Malware-Cryptor.Win32.Limpopo. At the time this campaign was blocked, only 4 of 41 anti-virus engines detected the malware.

Among the commonalities between this new spate of spam and the one-click malware campaigns are the following:

Both are being used to distribute similar malware strains (Bredolab for the attached executables and Zeus for the drive-by), both of which are associated with Fake AV applications at some point in the infection cycle. Because these are Trojans, however, any cocktail of malware can be downloaded and installed once a foothold on a victim's system is achieved.

Both employ new strains of malware that are for the most part undetected by AV engines.

Both appear to be primarily designed to compromise computers instead of advertising goods and services.

Both employ novel social engineering hooks such as spoofing brands (for PNP) or “misdirected personal communications” to entice recipients to perform the call to action.

The strongest link is that the payloads of both campaigns show up on the same narrow set of compromised blog accounts at a free blog hosting site.

“It's common to see spam show up on blog sites, but this particular situation is different,” commented Jim Sackman, vice president of engineering for email security at St. Bernard. “These payloads are not showing up on other blog sites, and there is very little in the way of other types of spam in these posts that one typically encounters with comment spam and black-hat SEO tricks. It appears that these blog postings provide a mechanism for distributing content to spam-spewing botnets.”

Sackman continued, “A particularly disturbing emergence with this new wave of campaigns is the use of what appear to be actual emails, presumably lifted from the hard drives of compromised computers and email accounts. Dozens of messages have been selected that in some way refer to an attachment, as is typical in normal person-to-person email communications. These are then employed by the spammers to craft a legitimate looking email and may convince the recipient to view the attachment, which will install rogue software on their computers.”

The new spam campaign was filtered by one of Red Condor’s sender reputation-based filters. As with all threats captured by Red Condor, once identified, campaigns are quarantined and reviewed as rules are written and automatically distributed to Red Condor’s antispam appliance and Hosted Service customers.

Screen captures and images of the campaign are available upon request.

About St. Bernard Software

St. Bernard Software develops and markets Internet security appliances and services that empower IT professionals to effectively, efficiently and intelligently manage their enterprise’s Internet-based resources. Originally founded in 1995 as a market leader in data security with its flagship product, Open File Manager™, the company is now recognized for delivering today’s #1 Web filtering and security appliance, iPrism. With millions of end users worldwide in more than 5,000 enterprises, educational institutions, SMBs and government agencies, St. Bernard strives to deliver simple, high-performance solutions that offer excellent value to its customers.

Based in San Diego, California, St. Bernard (OTCBB: SBSW) markets its solutions through a network of value-added resellers, distributors, system integrators, OEM partners and directly to end users. For more information about St. Bernard Software, visit
