'Here You Have' Virus Shows Security Weakness

A worm known affectionately as "Here You Have," after the subject line of the infected e-mail used to propagate it, has quickly spread into a global malware attack. The efficacy of the simple, poorly worded e-mail luring users to click on a malicious link demonstrates why we need a whole new approach to malware defense.

If the subject line gives you a sense of déjà vu and you've been around long enough, that's because you have seen it before. The Anna Kournikova virus that spread around the world in 2001 used the exact same subject line. Here we are nearly a decade later, and essentially the same attack that worked in 2001 is once again compromising tens of thousands of machines around the globe.

A McAfee spokesperson contacted me and explained the threat in a nutshell: "The threat arrives via e-mail and contains a link that appears to direct to a PDF file, but instead goes to a malicious program," adding, "Clicking on the link and activating the malware results in the worm attempting to disable security software and send itself to all the contacts in the user's address book. As a result, e-mail infrastructures of organizations could cripple under the e-mail load."

A Symantec spokesperson offered this sage advice to guard against the threat: "Computer users should remember best practices and keep virus definitions up-to-date, and avoid clicking on links and/or attachments in email messages. Network administrators are encouraged to configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. The file used in this case is an .SCR file."
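As an added illustration (not code from this article or from either vendor), the sketch below shows the gateway-side check the two quotes describe: it flags attachments with the listed extensions and HTML links whose target is such a file while the visible text shows something else. The function and finding names are assumptions made for this example, the sample message is constructed, and the check looks only at file names, not file content.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Extensions named in the Symantec advice quoted above.
BLOCKED_EXT = (".vbs", ".bat", ".exe", ".pif", ".scr")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scan_message(raw):
    """Return (finding, detail) tuples for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXT):
            findings.append(("blocked-attachment", name))
        elif part.get_content_type() == "text/html" and not part.is_attachment():
            parser = LinkCollector()
            parser.feed(part.get_content())
            for href, text in parser.links:
                if urlparse(href).path.lower().endswith(BLOCKED_EXT):
                    # Visible text hides the real file type: the lure described above.
                    shown = text.lower().endswith(BLOCKED_EXT)
                    kind = "executable-link" if shown else "disguised-executable-link"
                    findings.append((kind, href))
    return findings

# Constructed sample message; host and file names are placeholders.
SAMPLE = (b'Subject: Here you have\nMIME-Version: 1.0\n'
          b'Content-Type: text/html; charset="utf-8"\n\n'
          b'<a href="http://files.example.com/d/document.scr">'
          b'http://files.example.com/d/document.pdf</a>\n')
if __name__ == "__main__":
    print(scan_message(SAMPLE))
```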

This is 2010--going on 2011! Shouldn't users just know by now that poorly worded e-mail messages imploring them to click on cryptic links or file attachments are always bad news, even if the message claims to be from their own mother? Shouldn't all IT and security admins have already configured network and e-mail gateways to filter and block executable file attachments?

Those are rhetorical questions, and the answer to both is "yes". So, since security best practices that have been the standard preached for nearly a decade are still insufficient to protect networks against such a rudimentary attack, perhaps it's time for a new malware defense strategy.

One possible alternative is to move away from a reactive, defensive security posture that lets attackers make the first strike and then scrambles to develop and deploy the malware signatures necessary to detect and defend against the attack. Instead, organizations can use tools like AppLocker, which is part of Windows 7, or third-party utilities like McAfee Application Control to flip the model around and use a proactive, offensive strategy that defines what is allowed to run rather than trying to block what isn't.

To be fair, this is not the only alternative. It is safe to say, though, that when an attack that is essentially a decade old can still be successful, and when the recommended response from security professionals is to ensure that standard security practices that have existed for a decade are followed, apparently that security model is flawed and needs to evolve somehow.
