And Now You Have It
Joseph (J.B.) Blankenship | September 13, 2010
Harkening back to the “good old days” of oft-occurring worms like Melissa, ILoveYou and Anna Kournikova that ran rampant almost a decade ago, the “Here You Have” or “Just for You” email worm is infecting inboxes all over the world. It has already impacted numerous government agencies and large corporations.
The email, like those of its predecessors, seems to come from a personal contact, since the worm forwards itself to the addresses in users’ contact lists. Once inside a network, it can also spread over network connections and shared folders.
The creators of the “Here You Have” worm use social engineering to entice users to download the payload. Emails with a friendly message such as “This is the document I told you about” arrive in users’ inboxes and contain a link to what appears to be a PDF file.
Users, being familiar with PDF files, are fooled into downloading the malicious file, which is actually an .scr file disguised as a PDF. The malicious file contains a threat known as W32.Imsolk.B@mm or W32/VBMania@mm.
When users click on the link, they are prompted to open the file, which executes the malicious payload. After download and execution, the malware copies itself into the Windows directory using the file name CSRSS.EXE, which is identical to the name of a legitimate Windows file.
The malware then seeks to deactivate anti-virus and to send itself to other unsuspecting users.
URLs in early versions of the worm have been taken down, but newer variants of the worm may contain updated, active links.
Major anti-virus vendors have released updated signatures to stop the spread of the worm. Gateway email filters with updated anti-virus signatures can also stop the spread.
This type of blended threat (combination of email, web and social engineering) is fairly common in our Web 2.0 world. These threats prey on the naiveté or the emotions of the end-user. Future versions of similar malware may contain references to current news events or a reminder of an event like the 9/11 attacks on the World Trade Center. As is often the case, the weak link in information security is the individual end-user.
While security awareness training and widespread media coverage of the event will improve users’ awareness, organizations are still best-protected by automating security and not leaving it up to the end-user. Up-to-date anti-virus, web and email filtering at the gateway and limiting administrative rights are all prudent steps for preventing the spread of worms such as Here You Have.
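The disguise described above, link text that reads as a PDF while the target is an .scr file, is something a mail gateway can check mechanically. The following Python is an added example, not code from the original post or from any vendor; the extension lists, function names and the sample message body (reserved example domains, made-up file names) are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote
import posixpath

# Assumed lists: extensions Windows executes (.scr is the one named in this post)
# and extensions a user reads as "just a document".
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

def _ext(url_or_name):
    """Lower-cased extension of the path part of a URL or bare file name."""
    path = unquote(urlparse(url_or_name.strip()).path)  # decodes tricks like %2Escr
    return posixpath.splitext(path.rstrip(".,;:)").lower())[1]

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:          # inside an anchor, nested tags included
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def disguised_links(html):
    """Links whose visible text ends in a document name but whose target is executable."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for text, href in parser.links:
        shown = text.split()[-1] if text else ""   # last token: URL or file name shown
        if _ext(href) in EXECUTABLE_EXTS and _ext(shown) in DOCUMENT_EXTS:
            hits.append((text, href))
    return hits

# Constructed sample body: one disguised link, one honest link.
SAMPLE_HTML = """<p>This is the document I told you about, you can find it here:</p>
<a href="http://files.example.net/docs/report_pdf.scr">http://www.example.com/docs/report.pdf</a>
<p>Agenda: <a href="http://intranet.example.org/agenda.pdf">agenda.pdf</a></p>"""

if __name__ == "__main__":
    for text, href in disguised_links(SAMPLE_HTML):
        print(f"QUARANTINE: shown as {text!r} but points to {href!r}")
```

The check looks only at the extension in the link itself, so a target that hides the file behind a redirect or a query parameter still has to be caught by the web filter when the download is attempted.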
So, now you have it. The old attack is new again, this time with a Web 2.0 spin.