'Here you have' worm - email security fails again
Is ‘Here you have’ a worm, a virus or perhaps a cleverly-disguised Trojan? A quick look at its design makes it clear that it is, sneakily, all three rolled into one, and that is perhaps what is so intriguing about it.
Wearing the mask of a worm, it spreads rapidly via an email-borne link thinly disguised as a PDF hyperlink, then spreads further using the ancient Outlook contacts-list lookup trick and via any attached or networked drives and removable media with Windows autorun enabled. It also tries to turn off a wide range of antivirus and anti-malware programs: its virus self-defence face.
Corporate and consumer email users will today be asking how it has been so easy for the ‘Here you have’ ‘worm’ to cause chaos using a primary attack method that was last common a decade ago.
A check on user forums suggests that the worm has had a surprising level of success in the last 24 hours. According to third-party sources, companies such as Comcast, ABC and Coca Cola have been hit badly. Other companies have been forced to shut down email servers to limit the worm’s spread.
Crucially, there are differences compared to old-style worms, starting with it being served in a confusing range of variants, with different subject lines and offered download lures. Worms from the early part of this decade also attacked using attachments whereas ‘Here you have’ adopts the contemporary technique of directing people to remote servers.
These techniques give it a more Trojan-like character in that the payload can be varied to a range of possible end effects that will take time to work out. The polymorphism of the email attack makes it harder to block using simple rules.
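As an added illustration (not code from this article or from any vendor mentioned in it), the check below looks past the varying subject lines and lures and flags the structural tell described above: an email link whose visible text promises a PDF but whose URL path does not end in .pdf. The HTML body and the example.invalid URLs are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions a link labelled as a PDF should never resolve to.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs"}

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html_body):
    """Return links whose visible text promises a PDF but whose URL path
    does not end in .pdf; this works whatever the subject line says."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    hits = []
    for href, text in collector.anchors:
        path = urlparse(href).path.lower()
        last = path.rsplit("/", 1)[-1]          # final path segment
        ext = last[last.rfind("."):] if "." in last else ""
        if "pdf" in text.lower() and ext != ".pdf":
            hits.append({"href": href, "text": text, "target_ext": ext,
                         "executable": ext in EXECUTABLE_EXT})
    return hits

# Constructed sample body (hypothetical; not a message from the worm).
SAMPLE_BODY = """
<p>The document we discussed is here.</p>
<p><a href="http://example.invalid/docs/report.pdf.scr">report.pdf</a></p>
<p>Genuine link: <a href="http://example.invalid/docs/real.pdf">real.pdf</a></p>
"""
```

Links whose text mentions a PDF but whose target has no extension at all are also returned (with `executable` set to False), so treat the output as a triage queue rather than a verdict.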
But how is it that these emails got into inboxes in the first place? It has always been assumed that anti-spam systems had rendered mass-mailing worms less potent, backed up by systems for detecting and blocking large volumes of outbound traffic.
The last resort is always pulling the plug on the mail server, and that is the tried and trusted, if crude, method that admins have fallen back on.
The malware appears to have bypassed security software in some cases, another example of how impotent this line of defence can be against state-of-the-art attacks. It is, however, likely that the attack volume against companies comes from poorly-protected botnet PCs generating the initial traffic.
Email might look like a crude way to attack, but it is superb at finding a single point of weakness and levering it open to great effect. It only takes one PC to be vulnerable or one user to click on a link and that single failure can generate huge amounts of trouble.
According to McAfee, the first major antivirus vendor to report on the worm, the remote servers used by at least some of its variants have been ‘sinkholed’, which should limit its spread. But a decade or more after these attacks were common, questions are once again being asked about email's vulnerability to an obvious form of attack.