'Here You Have' Exposes Internet Security's Achilles' Heel
Google, NASA, Wells Fargo, Comcast, ABC/Disney, Coca-Cola and the Florida Department of Transportation are among the many organizations whose services reportedly have been disrupted by the "Here you have" worm. The attack, based on a simple phishing scheme, raises the question of whether new approaches to Internet security are needed beyond educating users, which seems doomed to failure.
Sep 10, 2010 11:30 AM PT
A worm dubbed "Here you have" -- the subject line of the email it hides in -- is spreading wildly across the Internet.
The attack comes in the form of a link purporting to take the reader to a PDF file, but instead leads to an executable that tries to send copies of the worm to people listed in the victim's email address book.
Several variants of the worm are out on the Web, according to McAfee.
While the email attack has been crippled, infected hosts may continue to spread the worm, the security firm said.
Why are attacks through infected or malicious links so easy to propagate? Isn't there anything businesses can do to prevent their spreading, apart from telling employees not to click on links or attachments indiscriminately?
About the 'Here you Have' Worm
The "Here you Have" worm consists of an infected link sent in an email with the subject line that gave it its name.
The body contains this message: "This is the document I told you about, you can find it here" followed by what looks like a link to a PDF file, Craig Schmugar wrote in the McAfee Labs blog.
The message asks the reader to check the link and "reply as soon as possible."
Alternatively, the message reads: "This is the free download sex movies, you can find it here" followed by a link purportedly leading to a Windows Media Video file with the .wmv extension. "Enjoy your time," the message concludes.
In both cases, the URL leads to an executable in disguise served from a different domain, Schmugar wrote. This URL is no longer active, and the email propagation vector is believed to be crippled, although infected hosts may continue to spread the worm, he pointed out.
Gnawing at the System
Users who click on the link will be prompted to download or execute the worm, which then installs itself in the Windows directory as CSRSS.EXE, Schmugar wrote.
This is not the same as the valid CSRSS.EXE file within the Windows System directory, he warned.
The worm will then try to email the tainted message to everyone listed in the victim's email address book. It can also spread through accessible remote machines, mapped drives on a network, and removable media, through the "Autorun" replication feature.
The worm tries to stop and delete various security services, including Web and mail scanners, Schmugar wrote. It also tries to download several files.
Email Is an Owie
However, threats spread through email attachments and embedded links made a comeback in 2009 and into the first half of 2010, Sophos said.
Is there any way to stop the spread of worms sent through malicious links or infected attachments?
Corporations can have their email servers look for executable files and block them at the server, use services like Postini to quarantine them before they get to the email server, block execution of executable files in many email clients, or remove administrative privileges so that users can't run executable files that install programs, Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
Corporations can also monitor traffic, put in place a user notification program so users can report questionable emails easily, and put in place automated tools that either look for anomalies and notify IT or block suspicious internal email traffic, or both, Enderle pointed out.
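As an added illustration, not code from the article, McAfee or any vendor named here, the following Python filter implements the kind of server-side check Enderle describes: it flags the lure subject and phrases quoted above, links whose target path ends in an executable extension, and links whose visible text promises a PDF or WMV file while the real target is something else. The sample message, hostnames and file names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Lure text quoted in the McAfee write-up; the subject line is the worm's name.
LURE_SUBJECT = "here you have"
LURE_PHRASES = ("you can find it here", "enjoy your time")
# File types the lure claims to link to; an executable behind such a link is the tell.
CLAIMED_DOC_EXTS = (".pdf", ".wmv")
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".bat", ".pif")


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_message(subject, html_body):
    """Return the reasons a message should be quarantined (empty list = clean)."""
    reasons = []
    if LURE_SUBJECT in subject.lower():
        reasons.append("subject matches known lure")
    if any(p in html_body.lower() for p in LURE_PHRASES):
        reasons.append("body contains known lure phrase")
    parser = _LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        path = urlparse(href).path.lower()
        if path.endswith(EXECUTABLE_EXTS):
            reasons.append(f"link target is an executable: {href}")
        # Anchor text promises a document, but the real target path is something else.
        if text.lower().endswith(CLAIMED_DOC_EXTS) and not path.endswith(CLAIMED_DOC_EXTS):
            reasons.append(f"displayed '{text}' but target path is '{path}'")
    return reasons


# Constructed sample modelled on the lure described in the article (not a real URL).
SAMPLE_SUBJECT = "Here you have"
SAMPLE_BODY = ('This is the document I told you about, you can find it here '
               '<a href="http://lure.example/document.pdf.scr">'
               'http://docs.example/document.pdf</a> Please reply as soon as possible.')
```

Run `triage_message(SAMPLE_SUBJECT, SAMPLE_BODY)` to see all four reasons fire on the sample; a plain link to a real `.pdf` with an unrelated subject returns an empty list.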
Another option is to enforce the use of best practices that have been known for years, such as network segmentation, Sam Masiello, director of messaging security research at McAfee, told TechNewsWorld.
"If you have different subsets of your network for different departments, you can isolate the attack to one subset instead of having it spread throughout your network," Masiello explained.
Although some corporations do implement best practices such as network segmentation, many do not, he added.
Know Thy Sender
What about corporate policies forbidding users from clicking on links or attachments unless they have verified who the sender is and that the link or attachment actually came from the sender?
"A lot of companies do have policies in place, but the reality is, it's much easier to click on the link or attachment, because a lot of people are busy and don't have the time to verify the sender's identity," Masiello said.
A common standard for establishing the identity of anyone who sends emails might be a solution, Enderle suggested.
"The core of this problem is that we still don't have a consistently used common way to ensure the identity of people on the Web, so it's relatively easy to steal people's identities and use them to do harm," Enderle explained. "Until that problem is fixed, attacks that successfully use identity theft as a vehicle will be impossible to fully mitigate."
The White House has posted online a draft plan for a trusted identity system aimed at making Internet transactions more secure and convenient. This is known as the "National Strategy for Trusted Identities in Cyberspace."
Teach Your Users Well
Ultimately, the best defense is user education.
"You can protect your own computer, but you probably can't prevent email from being delivered to you," pointed out Randy Abrams, director of technical education at ESET. "Attacks like this latest worm are social engineering, and companies and individuals need to invest in education to really make a difference."
User ignorance and curiosity are the major factors that help phishing attacks succeed, Abrams told TechNewsWorld.
"Fundamentally, we have to get serious education about social engineering and how it relates to computers into the educational system starting from grade school," Abrams said. "Computer security education needs to be a part of the fabric of society."