
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Fast-Spreading Email-based Malware Brings Memories of the Past

First there were boot sector viruses that were carried by floppy disk from computer to computer. Now there are autorun viruses that are carried by USB device from computer to computer. The technology has improved, but the infection vector remains effectively the same.

First there were email-based worms that spread themselves via a user's email address book and caused havoc on networks and victims' computers alike. Now there are email-based worms that spread themselves via a user's email address book and cause havoc on networks and victims' computers. The technology has improved, but the infection vector is exactly the same.

Towards the end of last week, the worm dubbed "Here You Have" started arriving in inboxes and began causing mayhem. Relying on the user's interaction, the worm masquerades as a PDF file that is really a .scr executable, which then installs malware from a variety of sources (changing as the original sources disappeared). From there, the worm attempts to disable a range of antivirus products, attempts to contact a remote controller, and then tries to further its spread by mailing itself to the contents of the infected user's Outlook address book.

With infection relying on the user intentionally (if misguidedly) requesting a file from a remote location, many antivirus and antimalware applications initially failed to detect the hostile intent of the emails. With the payload hiding behind an innocuous looking link, there was little initially to suggest what would happen when the user clicked on the link.

It didn't take long for the antivirus and antimalware vendors to catch up, with both the emails and the linked sites being identified and blocked. The next several working days should show whether this has been enough to halt the voracious spread of the malware, or whether it can modify its appearance enough to avoid the antimalware detection and has a large enough install base to be self-sustaining from now on.

Infection on the end system is enough to warrant a reformat in many cases, but it is the network load induced by the worm emailing everyone in the victim's address book that is causing more problems. It doesn't take many affected users before a company's mail system can be brought to its knees.

A little caution before following the link in the email shows that the target of the link is not a .pdf file but a .scr application. With better user security training and awareness, that small piece of knowledge would have arrested the spread of the worm, and it would be just another one of the multitude of Windows-based malware, rather than something that is attracting headlines and attention for the effect it is having on networks globally.
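The same check a cautious user makes by hand (does the link really point at a .pdf, or at a .scr?) can be applied to the links in a mail body automatically. The following is an added example, not code from the original article or from any vendor: the extension lists, the example.invalid URLs and the sample body are all constructed for illustration.

```python
# Added example, not from the original article: flag links in an HTML mail body
# whose visible text looks like a document but whose real target is a Windows
# executable, the mismatch the article says a cautious user would have spotted.
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Extensions Windows runs directly; .scr (screensaver) is what this worm used.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> elements of a body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _ext(url_or_name):
    """Lower-cased extension of a URL's path; query string and case ignored."""
    return posixpath.splitext(urlparse(url_or_name).path.lower())[1]

def suspicious_links(html_body):
    """Return [(href, reason)] for each link whose real target is executable."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target_ext, shown_ext = _ext(href), _ext(text)
        if target_ext not in EXECUTABLE_EXTS:
            continue  # ordinary link; nothing to flag on extension alone
        reason = (f"shown as {shown_ext} but target is {target_ext}"
                  if shown_ext in DOCUMENT_EXTS else f"executable target {target_ext}")
        findings.append((href, reason))
    return findings

# Constructed sample body following the pattern the article describes.
SAMPLE_BODY = ('<p>Hello, this is the document I told you about.</p>'
               '<a href="http://example.invalid/PDF_Document_pdf.scr">'
               'http://example.invalid/PDF_Document.pdf</a>')
```

Run against SAMPLE_BODY, `suspicious_links` reports the .scr target shown as a .pdf; a mail gateway would use the same logic to quarantine or rewrite such links before the user ever sees them.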

11 September 2010
