'Here you Have' Virus Tries to Delete Your Security Software
Alessondra Springmann, PCWorld
Sep 10, 2010 6:14 pm
On Thursday, a new worm hit the Internet, and it’s been spreading by emailing the address books of infected users, according to McAfee Labs. By masquerading as a benign PDF, the worm looks something like this when it shows up in your inbox:
Subject: Here you have (or “Just for you”)
Body: This is The Document I told you about, you can find it
Here. [link]
Please check it and reply as soon as possible.
Cheers,
As you may have guessed, the URL doesn’t actually take you to a PDF, but instead to an executable with the extension .scr. While the domain linked to in these infected e-mails is no longer live, infected computers can still be spreading virus messages. When the virus is run, it installs itself as CSRSS.EXE in the Windows directory, then e-mails the contents of your address book. It also spreads through mapped drives, remote machines, and removable media. The virus then attempts to download files and delete security software, including virus protection?
What can you do to prevent the spread of this virus? First off, don’t click suspicious links in email, even if you know the sender. Second, have you updated your virus definitions lately? McAfee, Norton, and other security software companies have updated their definitions file to handle the “Here you have” worm.
Microsoft also offers free Security Essentials for Windows users, which helps protect against viruses, malware, and worms such as “Here you have”. If you’ve been infected, disconnect your machine from the Internet, install the latest version of an antivirus program on a removable drive, then use it to disinfect your machine.
Anti-US Hacker Takes Credit for 'Here You Have' Worm
A hacker who claims he was behind a fast-spreading e-mail worm that crippled corporate networks last week said that the worm was designed, in part, as a propaganda tool.
The hacker, known as Iraq Resistance, responded to inquiries sent to an e-mail address associated with the "Here you have" worm, which during a brief period early Thursday accounted for about 10 percent of the spam on the Internet. He (or she) revealed no details about his identity, but said, "The creation of this is just a tool to reach my voice to people maybe... or maybe other things."
He said he had not expected the worm to spread as broadly as it had, and noted that he could have done much more damage to victims. "I could smash all those infected but I wouldn't," said the hacker. "I hope all people understand that I am not negative person!" In other parts of the message, he was critical of the U.S. war in Iraq.
On Sunday, Iraq Resistance posted a video echoing these sentiments and complaining, through a computer-generated voice, that his actions were not as bad as those of Terry Jones. Jones is the pastor at a small Florida church who received worldwide attention this week for threatening to burn copies of the Koran.
Security experts agree that the worm could have caused more damage. However, it did include some very malicious components, such as password logging software and a backdoor program that could have been used to allow its creator to control infected machines. But because the software was not terribly sophisticated, it was quickly shut down as Web servers that it used to infect machines and issue new commands were taken offline last week.
"Here you have" spread when victims clicked on a Web link and then allowed a malicious script to run on their computer.It is the more-successful follow-up to an August worm that included the e-mail address that Iraq Resistance used to communicate with the IDG News Service.
According to Cisco, the worm accounted for between 6 percent and 14 percent of the world's spam for a few hours Thursday. It primarily gummed up corporate e-mail networks in the U.S.
It is the first worm in years to have such a widespread and noisy effect, hearkening back to the days of the Anna Kournikova worm. Nowadays, most malware writers don't want to draw attention to their activities, because they generally want to keep their malicious software hidden away on victims' computers as long as possible.
Disney, Proctor and Gamble, Wells Fargo and the U.S. National Aeronautics and Space Administration (NASA) are among the organizations reported to have been hit by the worm.
SecureWorks Researcher Joe Stewart believes that Iraq Defense is a Libyan hacker who is trying to gain followers for a cyber jihad hacking group called Brigades of Tariq ibn Ziyad.
Tariq ibn Ziyad was the eighth century commander who conquered much of Spain on behalf of the Umayyad Caliphate. Iraq Resistance's YouTube video has a Spanish theme too. It shows a map of Andalucia, and Iraq Resistance lists his location as "Spain" in his YouTube profile.
In his e-mails, Iraq Resistance did not answer questions about his identity, saying that he was worried about his safety. "I think this information is enough for you and having more looks like [an] investigation," he said. "I don't see myself that criminal."
Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com
Hackers Exploit New PDF Zero-day Bug, Warns Adobe
By Gregg Keizer, Computerworld
Adobe today warned users that attacks have begun exploiting an unpatched bug in its popular Reader and Acrobat
The company issued an advisory on short notice today, saying that it had learned of in-the-wild attacks only on Tuesday.
"A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh," Adobe's warning read. This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system.
"Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability," the advisory added.
Other than to say that "at this point, [attacks] appear to be limited," Adobe offered little information on the bug today.
But Mila Parkour, the independent security researcher who reported the bug to Adobe on Tuesday, had plenty in a post to her Contagio Malware Dump blog.
Parkour uncovered a malicious e-mail message with a rogue PDF attachment that urged recipients to open the document. "Want to improve your score? In these golf tips, David Leadbetter shows you some important principles," the message read.
Leadbetter , a well-known golf coach and author on the game, operates more than two dozen golf academies in 13 countries, and claims the title of "master of the art of teaching the golf swing."
Symantec pegged the threat with a score of 8.5 out of possible 10, while Danish vulnerability tracker Secunia rated the vulnerability as "Extremely critical,"its highest-possible threat level.
According to a Symantec, the bug is in Reader's and Acrobat's parsing of PDF files that contain malformed TIFF image files. Specifically, said the company in an alert to customers, "the issue occurs due to a heap-memory corruption issue in 'cooltype.dll.'"
CoolType is an Adobe font-rendering technology, similar to Microsoft 's ClearType.
Adobe did not spell out a timetable for patching the Reader/Acrobat zero-day vulnerability, nor did it offer users any ad hoc defensive measures they could employ until a fix is ready.
The next regularly-scheduled patch date for Reader and Acrobat is Oct. 13, but Adobe has been known to issue so-called "out-of-band" emergency updates when active attacks spike.
An Adobe spokeswoman hinted that the latter could easily occur. "With exploit code publicly available, [the current limited-only attack] could change," she said, talking about the exploit that Parkour has posted online.
Parkour has not released the exploit publicly, however, but has password-protected the malicious PDF she discovered, and will release it only to people who e-mail her.
Symantec urged Reader and Acrobat users not to open PDFs from untrusted or unknown senders.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at@gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@ix.netcom.com .
Read more about security in Computerworld's Security Topic Center.PDF viewing and creation software.