Email worms have returned to the headlines in recent days, with over 200,000 ‘Here You Have’ spam emails detected.
McAfee Avert Labs said that the mass-mailing worm hit the internet on Thursday 9th September. It said that the threat arrives via email and contains a link that appears to direct to a PDF file, but instead goes to a malicious program.
The email contains little content. Its subject line is ‘Here you have’ or ‘Just For you’, and the message reads: ‘This is The Document I told you about, you can find it Here’, followed by a link to the supposed PDF. Alternatively the text reads ‘This is The Free Dowload (sic) Sex Movies, you can find it Here’, with a link to a .wmv file.
Craig Schmugar, threat researcher for McAfee Avert Labs, said that clicking on the link and activating the malware results in the worm attempting to disable security software and send itself to all the contacts in the user's address book.
He said: “The URL does not actually lead to a PDF document, but rather an executable in disguise served from a different domain, though the URL is no longer active and the email propagation vector is believed to be crippled at this time (though already infected hosts may continue to spread email messages).
“When a user chooses to manually follow the hyperlink, they will be prompted to download or execute the virus. When run, the virus installs itself to the Windows directory as CSRSS.EXE (not to be confused with the valid CSRSS.EXE file within the Windows System directory).
“Once infected, the worm attempts to send the aforementioned message to email address book recipients. It can also spread through accessible remote machines, mapped drives and removable media via autorun replication.”
Luis Chapetti, lead security analyst at Barracuda Networks, said that over 200,000 emails were seen by its email monitoring systems over a six-hour period and volume dropped off rapidly once the account hosting the malware was shut down.
He said: “This outbreak was simple: it spammed itself out. They could have just as easily added a password stealer to the download list, and with more sophisticated code, dynamically changed the download site and kept the worm alive for a long time.”
Websense Security Labs' ThreatSeeker Network said that it was tracking the campaign over a 24-hour period. On Friday it said that the Multimania user area account that hosted the malicious SCR file had been deactivated; however, the email campaign was still occurring. As of Monday morning the VirusTotal detection rate for the file was around 30 per cent.
Websense said: “We are aware that this threat has been a major issue for many organisations. We have confirmed that we have had detection for the file in the Websense Security Gateway since November 2009. Please be aware that this worm has also been known to spread via different routes other than email, such as USB autorun and file shares.”
Francis Montesino, manager of the malware processing team at GFI Labs, said: “The worm is pretty much the same as all the other email worms I've encountered in the past. I guess this just got more attention because of the scope of the infection.
“It's another demonstration perhaps of how powerful a technique social engineering still is: it uses an interesting email subject and wording; it contains a link that pretends to point to a PDF or wmv but is in reality an executable which has the icon of a PDF.”
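The lure Schmugar and Montesino describe above rests on a link whose visible text or icon promises a PDF or WMV while the real target is an executable, often served from a different host. As an added example (not code from the article or from any vendor quoted in it), this Python heuristic parses the anchors of an HTML mail body and flags exactly that mismatch; the `example.invalid` hosts and the sample message are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# What the lure advertises versus what actually runs when the link is followed.
DOCUMENT_EXTS = {".pdf", ".wmv", ".doc", ".jpg"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}

class _LinkExtractor(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _ext(path):
    m = re.search(r"\.[A-Za-z0-9]{2,4}$", path)
    return m.group(0).lower() if m else ""

def suspicious_links(html):
    """Return (text, href, reason) for links whose appearance and target disagree."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        real = urlparse(href)
        shown = None  # only compare hosts when the visible text itself looks like a URL
        if re.fullmatch(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?", text):
            shown = urlparse(text if "://" in text else "http://" + text)
        if shown is not None and shown.hostname != real.hostname:
            findings.append((text, href, "displayed host differs from target host"))
        elif shown is not None and _ext(shown.path) in DOCUMENT_EXTS and _ext(real.path) in EXECUTABLE_EXTS:
            findings.append((text, href, "document text, executable target"))
        elif _ext(real.path) in EXECUTABLE_EXTS:
            findings.append((text, href, "link downloads an executable"))
    return findings

# Constructed sample modelled on the lure text quoted above; hosts are placeholders.
SAMPLE_EMAIL = """<p>you can find it <a href="http://files.example.invalid/area/document.scr">Here</a></p>
<p><a href="http://files.example.invalid/report.pdf">http://docs.example.invalid/report.pdf</a></p>
<p><a href="http://docs.example.invalid/report.pdf">http://docs.example.invalid/report.pdf</a></p>
<p><a href="http://docs.example.invalid/report.scr">http://docs.example.invalid/report.pdf</a></p>"""
```

Run against `SAMPLE_EMAIL` it reports three of the four links; only the anchor whose text and target agree on host and file type passes.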
So, while the threat now seems to be defunct, a report by thewrap.com claimed that ABC/Disney was one of the companies hardest hit by the virus, which worked its way through several areas of the company, including Radio Disney, ABC News and local affiliate stations. It also claimed that Google, Coca-Cola, NASA and Comcast were hit.
Graham Cluley, senior technology consultant at Sophos, said: “That doesn't surprise me, as this is something of a return to the malware attacks of yesteryear - where hackers didn't care whose computers they hit, they just wanted to infect as many as possible. Worms like this don't discriminate, deciding their next victim purely by scooping up a list of its next targets from the user's email address book.
“If you think the subject line ‘Here you have’ rings a bell, then you've been following computer security for a fair old time. It was also used by the VBS/SST-A virus (better known as Anna Kournikova) back in 2001. Mass-mailing malware like Kournikova hit a lot of people in the past, let's hope that more people have their wits about them this time and don't get tricked by this latest attack.”
According to a report by computerworld.com, the culprit is a hacker known as Iraq Resistance, who revealed no details about their identity, but said: “The creation of this is just a tool to reach my voice to people maybe... or maybe other things.”
However, the YouTube video posted by Iraq Resistance under the alias ‘Iqziad’ shows a map of southern Spain.
Luis Corrons, technical director of Panda Security, said: “The video shows a still image of Andalusia with a photo and a shield, presumably identifying the group itself.
“A few hours ago, a person that identifies himself as the creator of the worm has published a video, signed by ‘Iraq Resistance – Leader of Tarek Bin Ziad Group’. The user alias publishing the video is ‘Iqziad’, 26 years old, from Spain, according to the data the creator has added in his YouTube profile.
“According to the video, this worm has been created targeting mainly the United States, and it justifies it with two reasons: to commemorate the September 11 attacks and to demand respect for Islam, referring to the Terry Jones incident last week, when he wanted to burn a Koran in public.
“The video shows a static picture of Andalucia, a region in the south of Spain. We have already sent all the information to the Spanish Guardia Civil, and we are doing some more research on this, so we'll probably be publishing more information in the near future.”
The video also gives the name ‘Tariq ibn Ziyad al-Layti’, a Berber general who led the Muslim invasion of the Iberian Peninsula in the eighth century, conquering the Visigothic kingdom, as historiography has traditionally accepted, based on Arabic chronicles of the tenth and eleventh centuries.