Latest “Here you have” malware campaign – blast from the past

Two days ago on Sept 9, a new worm started propagating throughout the Internet.  I wasn’t going to comment on this except that there have been a couple of incidents close to me where this has come up (family member asked about it, people were discussing it in other forums).  Threatpost.com has a good summary of it:

There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending malicious emails to all of the names in a user's email address book.

The worm arrives via emails with the subject line "Here You Have" or something similar, and the messages contain a link to a site that will download a malicious file to the victim's PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file, according to an analysis by McAfee researchers. 

"The URL does not actually lead to a PDF document, but rather an executable in disguise, such as PDF_Document21_025542010_pdf.scr served from a different domain, such as members.multimania.co.uk," the analysis says.

From there, it's 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim's Outlook address book. The malware also tries to stop any security software or anti-malware programs running on the machine. McAfee's researchers found that the worm also can spread via network shares and AutoRun.

This infection routine was made famous and perfected by malware authors in the early part of the 2000s, most notably with mass-mailing viruses such as ILoveYou. The difference with those earlier attacks is that the emails typically carried the malicious file itself and didn't rely on a link to a downloading site. But the technique used to entice users to click on the attachment or malicious link is the same: Offer the user something he wants to see.

In the case of older viruses, they typically promised pictures of Anna Kournikova or Britney Spears. Now, it's down to mundane things like "the document I told you about." There appear to be several variants of the new worm making the rounds already.

This is a blast from the past, as it is the same subject line that was used in the malware from 2001, when messages promising pictures of Anna Kournikova turned out to be malware links.  Some things never change.  The messages contained what looked like a PDF file but, using basic HTML, the link actually pointed to a .scr download, in other words a malicious URL.
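The disguise described above (link text that reads like a PDF while the href points at a .scr on another host) is something a mail gateway can check for mechanically. The following is an added example, not code from the original post nor from Threatpost or McAfee: it parses the anchors in an HTML body and compares what the user would see with where the link really goes. The hosts files.hosting.test and www.sharedocuments.test and the message wording are constructed for the example; the .scr filename is the one quoted in the McAfee analysis.

```python
"""Flag HTML e-mail links whose visible text disguises an executable download."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Windows extensions that run as a program when double-clicked (.scr is a screensaver).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Document types a lure typically imitates in the link text or the file name.
DOCUMENT_WORDS = ("pdf", "doc", "xls", "ppt")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _path_extension(url):
    """Return the lower-cased extension of the URL path ('' if none)."""
    path = urlparse(url).path.lower()
    dot = path.rfind(".")
    return path[dot:] if dot != -1 and "/" not in path[dot:] else ""


def analyze_links(html_body):
    """Return [(href, [reasons])] for anchors whose appearance and target disagree."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        reasons = []
        target = urlparse(href)
        ext = _path_extension(href)
        filename = target.path.rsplit("/", 1)[-1].lower()
        if ext in EXECUTABLE_EXTENSIONS:
            # "PDF_Document..._pdf.scr": the document word sits in the name or the link text.
            looks_like_doc = any(w in text.lower() or w in filename for w in DOCUMENT_WORDS)
            if looks_like_doc:
                reasons.append("executable %s disguised as a document" % ext)
            else:
                reasons.append("link downloads an executable (%s)" % ext)
        # Basic HTML trick: the visible text is itself a URL on a different host.
        shown = urlparse(text)
        if shown.scheme in ("http", "https") and shown.netloc and \
                shown.netloc.lower() != target.netloc.lower():
            reasons.append("displayed host %s differs from target host %s"
                           % (shown.netloc, target.netloc))
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample messages (hosts and wording are made up for this example).
SAMPLE_LURE = (
    "<p>Hello:</p><p>This is the document I told you about, you can find it here: "
    '<a href="http://files.hosting.test/PDF_Document21_025542010_pdf.scr">'
    "http://www.sharedocuments.test/library/PDF_Document21_025542010_pdf.pdf</a></p>"
)
SAMPLE_BENIGN = '<p>Attached: <a href="https://docs.example.test/report.pdf">report.pdf</a></p>'

if __name__ == "__main__":
    for body in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(analyze_links(body))
```

On the lure the detector reports both the executable-as-document mismatch and the host mismatch for the single anchor; the benign message produces no findings. A real gateway would additionally resolve redirects before applying the extension check, since the lure's first hop may be a plain web page.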

In this particular case, the malware was hosted on multimania.co.uk, a free web hosting service where anyone can upload files.  The miscreant opened an account on this service, uploaded the malware and then proceeded to send out blitzes of spam.  The spammer uses a hosting service like this because spam filters would not ordinarily employ URL filtering against a free site.  The volume of legitimate mail that contains URLs to this service is far larger than the volume that contains spam, so the spammers hide behind the good reputation of others – spam filters cannot block these messages without incurring many false positives that would drive up user complaints.  They create the account, rent the botnet and then send spam.  The other reason they might use a free service like this is simply that it is free: they don’t have to pay for hosting of the malware, they just need to abuse the service.

Multimania has since shut down the account (they did it pretty quickly), but this is not much different from other free file upload sites being abused, such as YouSendIt.  Many of these sites are trying to drive traffic and hence build revenue, and in the meantime it’s easy to overlook the fact that, because they are free, they are a target for abuse.  Whereas some URL shortening services have started to implement URL filtering, file sharing sites absolutely need to run malware filtering on every file that is uploaded to them.

This gets to be a little trickier when the issue is a zero-day virus (Sophos started blocking it on September 9, 2010, the same day as the spam run; Microsoft started blocking it at the same time).  What do file sharing sites do in this case?  They may already have anti-malware scanning software installed.  But if it is a new variant, it will not be detected.  It will be a false negative, and then all the protection steps will be for naught.

All of the A/V vendors did eventually issue updates for this, but it was too late in some cases – I heard of complaints where users clicked links and started distributing spam en masse.  In fact, that’s how we first noticed it: we started seeing a lot of outbound spam that we were catching and detected an anomalous spike in behavior.  Ultimately, while A/V is one of the better lines of defense, users have to know not to click on links that are suspicious.  In this case, the social engineering looked benign since it was from a trusted user in somebody’s address book.  The only clues were the ambiguous language and that hovering the mouse over the link showed it went to a .scr.  This problem is a difficult one to figure out.
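The outbound spike mentioned above is a useful signal precisely because it does not depend on A/V signatures: a mass-mailer that sends itself to an entire address book changes a sender's recipient volume by orders of magnitude within an hour. The following is an added example, not code or data from the original post or from the author's own mail system. It parses constructed outbound mail log lines (format, senders and counts are made up for the example), sums recipients per sender per hour, and flags an hour whose recipient count is both above an absolute floor and far above that sender's own median history.

```python
"""Detect a per-sender outbound recipient spike in constructed mail log lines."""
import re
from collections import defaultdict
from statistics import median

# Constructed log format: "<ISO timestamp> from=<sender> rcpts=<recipients>".
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} from=(?P<sender>\S+) rcpts=(?P<n>\d+)$"
)


def _make_constructed_log():
    """Build sample lines: two steady senders, then alice suddenly mails 40 x 25 recipients."""
    lines = []
    for hour in range(9, 13):                        # four quiet hours of history
        for m in range(3):
            lines.append(f"2010-09-09T{hour:02d}:{m * 15:02d}:00 from=alice@corp.test rcpts=2")
            lines.append(f"2010-09-09T{hour:02d}:{m * 15 + 5:02d}:00 from=bob@corp.test rcpts=1")
    for m in range(40):                              # the hour the worm fires
        lines.append(f"2010-09-09T13:{m:02d}:00 from=alice@corp.test rcpts=25")
    for m in range(3):
        lines.append(f"2010-09-09T13:{m * 15 + 5:02d}:00 from=bob@corp.test rcpts=1")
    return lines


CONSTRUCTED_LOG = _make_constructed_log()


def hourly_recipients(lines):
    """Return {sender: {hour: total recipients}} from log lines; malformed lines are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m["sender"]][m["hour"]] += int(m["n"])
    return counts


def find_spikes(lines, factor=10.0, min_recipients=100, min_history=3):
    """Return [(sender, hour, recipients, baseline)] for hours that spike above history.

    An hour is flagged only when the sender already has `min_history` earlier hours,
    the count is at least `min_recipients`, and it is `factor` times the sender's
    median hourly count so far (so a normally busy sender is not flagged for being busy).
    """
    spikes = []
    for sender, hours in hourly_recipients(lines).items():
        history = []
        for hour in sorted(hours):
            n = hours[hour]
            if len(history) >= min_history:
                baseline = median(history)
                if n >= min_recipients and n >= factor * baseline:
                    spikes.append((sender, hour, n, baseline))
            history.append(n)
    return spikes


if __name__ == "__main__":
    for sender, hour, n, base in find_spikes(CONSTRUCTED_LOG):
        print(f"{sender}: {n} recipients in {hour} (median before: {base})")
```

With the constructed data, alice's 13:00 hour (1000 recipients against a median of 6) is the only hour flagged; bob never is. The absolute floor matters in practice: without it, a sender with a near-zero baseline would be flagged for a single message to a handful of people.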

Gary Warner from the University of Alabama has his summary here.  Sophos’s take is here.  The Internet Storm Center’s write-up is here.