‘Here You Have’ Exposes Internet Security’s Achilles’ Heel

A worm dubbed “Here you have” — the subject line of the email it hides in — is spreading wildly across the Internet.

The attack comes in the form of a link purporting to take the reader to a PDF file, but instead leads to an executable that tries to send copies of the worm to people listed in the victim’s email address book.

Several variants of the worm are out on the Web, according to McAfee.

While the email attack has been crippled, infected hosts may continue to spread the worm, the security firm said.

Why are attacks through infected or malicious links so easy to propagate? Isn’t there anything businesses can do to prevent their spreading, apart from telling employees not to click on links or attachments indiscriminately?

About the ‘Here you Have’ Worm

The “Here you Have” worm consists of an infected link sent in an email with the subject line that gave it its name.

The body contains this message: “This is the document I told you about, you can find it here” followed by what looks like a link to a PDF file, Craig Schmugar wrote in the McAfee Labs blog.

The message asks the reader to check the link and “reply as soon as possible.”

Alternatively, the message reads: “This is the free download sex movies, you can find it here” followed by a link purportedly leading to a Windows Media Video file with the .wmv extension. “Enjoy your time,” the message concludes.

In both cases, the URL leads to an executable in disguise served from a different domain, Schmugar wrote. This URL is no longer active, and the email propagation vector is believed to be crippled, although infected hosts may continue to spread the worm, he pointed out.

Gnawing at the System

Users who click on the link will be prompted to download or execute the worm, which then installs itself in the Windows directory as CSRSS.EXE, Schmugar wrote.

This is not the same as the valid CSRSS.EXE file within the Windows System directory, he warned.

The worm will then try to email the tainted message to everyone listed in the victim’s email address book. It can also spread through accessible remote machines, mapped drives on a network, and removable media, through the “Autorun” replication feature.

The worm tries to stop and delete various security services, including Web and mail scanners, Schmugar wrote. It also tries to download several files.
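The one host indicator the article gives is concrete enough to check for: the legitimate CSRSS.EXE lives only in the Windows System directory, so a copy running from the Windows directory itself (or anywhere else) is worth a look. The script below is an added example, not McAfee's or the article's code. It takes a list of process image paths as a process listing would report them, and flags any watched name whose directory is not System32 under the given system root. The sample paths are constructed; the only watched name taken from the page is csrss.exe, the set is left open so a defender can extend it.

```python
import ntpath

# Process names that, on a healthy Windows install, only ever run from
# <SystemRoot>\System32. The article names csrss.exe; extending the set is
# left to the reader (hypothetical, not from the article).
SYSTEM32_ONLY = {"csrss.exe"}


def runs_outside_system32(image_path, system_root=r"C:\Windows",
                          watched=SYSTEM32_ONLY):
    """True when image_path is one of the watched names but its directory is
    not System32 under system_root. The comparison is case-insensitive and
    accepts either slash, since process listings may report either form."""
    name = ntpath.normcase(ntpath.basename(image_path))
    if name not in {ntpath.normcase(w) for w in watched}:
        return False
    legit_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    return ntpath.normcase(ntpath.dirname(image_path)) != legit_dir


def flag_processes(image_paths, system_root=r"C:\Windows"):
    """Return the subset of image_paths a responder should look at."""
    return [p for p in image_paths if runs_outside_system32(p, system_root)]


# Constructed sample of full image paths, in the form a process-listing
# tool would report them (not real telemetry).
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\csrss.exe",                 # the real one
    r"C:\Windows\CSRSS.EXE",                          # what the article describes
    r"C:\Windows\explorer.exe",                       # not a watched name
    r"C:\Users\alice\AppData\Local\Temp\csrss.exe",   # also the wrong directory
]

if __name__ == "__main__":
    for hit in flag_processes(SAMPLE_PROCESSES):
        print("suspicious:", hit)
```

The check is deliberately path-based rather than name-based: a filter that only looked for "csrss.exe" would fire on every healthy machine, while one that keys on the directory catches exactly the divergence the article describes.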

Email Is an Owie

Over the years, the Web has overtaken email as the primary means of distributing malware, Sophos said in its mid-2010 security threat report.

However, threats spread through email attachments and embedded links made a comeback in 2009 and into the first half of 2010, Sophos said.

Is there any way to stop the spread of worms sent through malicious links or infected attachments?

The Cure

Corporations can have their email servers look for executable files and block them at the server, use services like Postini to quarantine them before they get to the email server, block execution of executable files in many email clients, or remove administrative privileges so that users can’t run executable files that install programs, Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.

Corporations can also monitor traffic, put in place a user notification program so users can report questionable emails easily, and put in place automated tools that either look for anomalies and notify IT or block suspicious internal email traffic, or both, Enderle pointed out.
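Two of the article's points lend themselves to a concrete server-side filter: the lure's link points at an executable "in disguise" on a different domain than the text suggests, and Enderle's first recommendation is to have the mail server look for executable files and block them. The script below is an added example, not code from McAfee, the Enderle Group or TechNewsWorld. Using only the Python standard library, it parses one message and reports anchors whose real target is an executable, anchors whose visible URL is on a different host than the href, and attachments that carry an executable extension or a PE ("MZ") header regardless of what the file name claims. The sample message, the example.org/example.net hosts, the file names and the extension list are all constructed placeholders, not the worm's real URLs.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Extensions a mail gateway has no business delivering to users (constructed
# list; extend to local policy).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def ext_of(name):
    """Lower-cased final extension of a file name or URL path, or '' if none."""
    m = re.search(r"(\.[A-Za-z0-9]+)$", name.strip())
    return m.group(1).lower() if m else ""


def host_of(url_or_text):
    """Host part of a URL; bare 'www.example.org/x' text is treated as http."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return urlparse(url_or_text).netloc.lower()


def disguised_links(html):
    """Anchors whose real target is an executable, or whose visible text is a
    URL on a different host than the one the href actually points to."""
    findings = []
    for href, raw_text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", raw_text).strip()
        if ext_of(urlparse(href).path) in EXEC_EXTENSIONS:
            findings.append(("executable-target", href))
        elif re.match(r"(https?://|www\.)", text, re.I) and host_of(text) != host_of(href):
            findings.append(("host-mismatch", href))
    return findings


def executable_attachments(msg):
    """Attachments with an executable extension or a PE ('MZ') header."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if ext_of(name) in EXEC_EXTENSIONS or payload[:2] == b"MZ":
            hits.append(("executable-attachment", name))
    return hits


def inspect_message(raw_bytes):
    """Parse one raw message and return every finding a gateway would act on."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(disguised_links(body.get_content()))
    findings.extend(executable_attachments(msg))
    return findings


def build_sample():
    """Constructed message modelled on the lure the article describes; hosts
    and file names are placeholders, not the worm's real URLs."""
    m = EmailMessage()
    m["Subject"] = "Here you have"
    m["From"] = "colleague@example.org"
    m["To"] = "recipient@example.org"
    m.set_content("This is the document I told you about, you can find it here.")
    m.add_alternative(
        "<p>This is the document I told you about, you can find it here: "
        '<a href="http://example.net/files/PDF_Document.exe">'
        "http://example.org/PDF_Document.pdf</a></p>"
        '<p>See also <a href="http://example.org/policy.pdf">our policy</a> and '
        '<a href="http://example.net/login">http://intranet.example.org/login</a>.</p>'
        "<p>Please check it and reply as soon as possible.</p>",
        subtype="html",
    )
    # A PE header hidden behind a double extension (constructed bytes).
    m.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.scr")
    return m.as_bytes()


if __name__ == "__main__":
    for kind, value in inspect_message(build_sample()):
        print(f"{kind}: {value}")
```

The attachment test checks the first two bytes as well as the extension because renaming is free for the attacker; the link test keys on the href rather than the anchor text for the same reason, and the host comparison catches the case the article highlights, where the displayed URL and the actual target are on different domains.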

Another option is to enforce the use of best practices that have been known for years, such as network segmentation, Sam Masiello, director of messaging security research at McAfee, told TechNewsWorld.

“If you have different subsets of your network for different departments, you can isolate the attack to one subset instead of having it spread throughout your network,” Masiello explained.

Although some corporations do implement best practices such as network segmentation, many do not, he added.

Know Thy Sender

What about corporate policies forbidding users from clicking on links or attachments unless they have verified who the sender is and that the link or attachment actually came from the sender?

“A lot of companies do have policies in place, but the reality is, it’s much easier to click on the link or attachment, because a lot of people are busy and don’t have the time to verify the sender’s identity,” Masiello said.

A common standard for establishing the identity of anyone who sends emails might be a solution, Enderle suggested.

“The core of this problem is that we still don’t have a consistently used common way to ensure the identity of people on the Web, so it’s relatively easy to steal people’s identities and use them to do harm,” Enderle explained. “Until that problem is fixed, attacks that successfully use identity theft as a vehicle will be impossible to fully mitigate.”

The White House has posted online a draft plan for a trusted identity system aimed at making Internet transactions more secure and convenient. This is known as the “National Strategy for Trusted Identities in Cyberspace.”

Teach Your Users Well

Ultimately, the best defense is user education.

“You can protect your own computer, but you probably can’t prevent email from being delivered to you,” pointed out Randy Abrams, director of technical education at ESET. “Attacks like this latest worm are social engineering, and companies and individuals need to invest in education to really make a difference.”

User ignorance and curiosity are the major factors that help phishing attacks succeed, Abrams told TechNewsWorld.

“Fundamentally, we have to get serious education about social engineering and how it relates to computers into the educational system starting from grade school,” Abrams said. “Computer security education needs to be a part of the fabric of society.”

2 Comments

    • To quote Gregory House, "People are idiots." Seriously though, it bugs the hell out of me when an ISP insists that it knows better than I do what is and isn’t a "safe" link. As a coder, it’s hardly improbable that I might send a link, or even an attachment, containing an EXE, which isn’t a virus. The problem here is twofold, really. #1: People will click on damn near anything. #2: Operating systems either won’t let you run things at all from email, or they let them run within the main OS, with no sandboxing, and no way of knowing what they are doing.

      Now, a *sane* solution would be to have a virtual sand box. You run the thing, it tells you what other applications it’s trying to talk to, which ports, if any, it’s opening, and even *where* it’s trying to send stuff. But, that would require that MS get its head out of its backside and provide a way to get that kind of data from something executing from inside an email. The alternative is to do the other, which is just not allow something to run *at all*, unless cleared by the user, and that only solves the problem for people that don’t automatically click, "Ok, let it run." Mind, this is, at least partly, the fault of other people too. Everyone relies on, for example, scripting so much on the net that just "seeing" a page can sometimes require turning on the scripts, before you even know if the page is safe, so it’s way too easy for even someone careful to get into the habit of turning them on, the moment they get to an unknown page. And, if you don’t… Well, last time I didn’t, the email + page confirming an order never showed up, so I ended up ordering two of an item, instead of one, from someone’s site. Rather than make sure the script was on, to start, they gave no warning you had to have it on, then things blew up when the order finished… Similar problems arise when trying to read your damn email (what is it with a) MS Hotmail randomly blocking legit sites’ email, but always letting through viagra ads, for example?, and b) until the latest version, there was almost no way to tell Thunderbird, "Stop blocking stuff from this sender, it’s always legit!"). So, in the former case, you are not protected, except from the stuff you wanted in the first place, and the latter, you got in the habit of clicking, "Show remote content", anyway, because you couldn’t tell if it was something that was "supposed" to be there, or not, but was just being blocked, due to everything being blocked.

      Bloody mess.

      Mind, this is old, old, old, OLD news, so this new virus hardly "exposes" anything we didn’t already know. lol
