'Here You Have' Worm Floods E-Mail Inboxes

 
 
By Brian Prince  |  Posted 2010-09-09
 
 
 

A mass-mailer worm flooded inboxes at a number of high-profile organizations today.

Dubbed "Here you have" because of its e-mail subject line, the worm struck organizations such as NASA and the Walt Disney Co. In some ways, the worm is a throwback to attacks such as the Anna Kournikova virus, which security researchers at Symantec noted actually had the same subject line when it appeared in 2001.

"This used to be a massive problem when e-mail worms were at their peak, and this re-emergence shows that you can never assume old tried and true methods won't be used again," said Bradley Anstis, vice president of technology strategy at M86 Security.

The body of the e-mail sometimes contained the message "This is The Document I told you about, you can find it Here," followed by a malicious link that appears to be a PDF document but is actually a .SCR file. The e-mail then instructs the recipient to "please check it and reply as soon as possible." Other versions of the worm have the subject "Just For you" and "This is The Free Dowload [sic] Sex Movies,you can find it Here" in the body.

According to a report by ABC News, the worm wiggled its way into a number of organizations, including the Florida Department of Transportation and Wells Fargo. Once on a PC, the malware attempts to disable security software and propagate, blasting itself out to e-mail contacts in the victim's address book. As a result, an organization's e-mail infrastructure can be overloaded, researchers at McAfee warned.  

"Most e-mail systems will block e-mails with executable files and scripts attached to them by default," Sam Masiello, director of messaging security research at McAfee, told eWEEK. "This attack went around such defenses by instead containing a link to a Website which was hosting the malicious screen saver file. The Website that was hosting the malicious file is a legitimate Web host in the UK that is owned by Lycos, so the entire Website could not be blocked proactively."

In addition to e-mail, the worm attempts to spread through mapped drives, accessible remote machines and removable media with AutoRun enabled, Masiello added.

"The addresses that the worm will attempt to replicate through via e-mail are being harvested from the infected user's address book," he said. "Although we aren't sure exactly how many messages have been sent out from infected machines, we do believe at this time that the e-mail propagation vector has been crippled because the site that was hosting the malicious file has been removed. It is very possible that new variants may emerge, so we can't consider ourselves to be out of the woods. Machines that are already infected may still attempt to propagate through e-mail and available network shares and removable media."

It is very difficult for users to work out what is dangerous and what is not, and the bulk of spam should be stopped at the e-mail gateway, Anstis said.

"Why does the average user need to get file types other than the typical document types ... this recent case uses a .SCR file. E-mail administrators should be limiting file type distribution as much as possible," he said.

Security pros advised users to be wary of unsolicited e-mails with suspicious links.

"Mass-mailers went out of style simply because this MO [modus operandi] would not work for cyber-criminals, especially if they want to remain hidden below the radar when they are conducting their nefarious activities like information-stealing or spamming campaigns," said Ivan Macalintal, senior threats researcher with Trend Micro. "Mass-mailers create noise, and their malicious creations will soon be found out with [antivirus] and other security products being able to have coverage ASAP.

"If the authors of this attack found this method beneficial for them, they may opt to do this again," he added. "If they have been nipped in the bud, they will regroup and find other opportunities."


Rocket Fuel