Security: Here you Have Virus Wreaks Havoc on Inboxes Worldwide
(Page 1 of 2 )
A computer virus that quickly and efficiently wreaks havoc on the world may seem like a nightmare or a bad science fiction novel, but in early September a global e-mail virus, coined the “Here You Have” virus, spammed inboxes, completely putting a stop to work in offices around the world. This article will explain what happened, where it came from, who it affected, and how to stay safe from it.
Countless employees watched in horror as their inboxes filled with e-mails from trusted sources, such as family members and co-workers, with each e-mail having the same identifier--the phrase "Here you have" in the subject line. Many workers had to go without e-mail, as the virus and resulting flood of spam left them out of commission.
So how did this happen; where did it start; who was affected; and how do we protect ourselves against future attacks?
The Source
During the initial outbreak of the virus, officials from the Department of Homeland Security, the U.S. Computer Emergency Readiness Team, and DHS National Cyber Security Division were scrambling to find out how harmful the virus was and where the virus originated using forensic analysis. The scariest part to some was that several federal departments and agencies experienced the virus.
Thankfully, just one day after the virus hit U.S. companies and organizations like NASA, Comcast, AIG, Disney, Proctor & Gamble, the Florida Department of Transportation, and Wells Fargo, the Atlanta-based firm SecureWorks, leaders in managed security services, security information, and event management, were able to identify a link between the virus and a cyber-jihad organization called "Brigades of Tariq ibn Ziyad.”
According to SecureWorks, much of the worm's code is similar to malware that was released early last month, with both “worms” referencing a Libyan hacker who uses the name Iraq Resistance and has been attempting to form a hacking group called Brigades of Tariq ibn Ziyad. Joe Stewart, director of malware research with SecureWorks, is still unsure if this is the person/group responsible for the act. "Either this person is involved with this virus or somebody wants to make it seem like this person's group is involved in this virus," Stewart said. "There are a lot of pointers to that group."
According to a Google translation of Iraq Resistance’s post announcing the group, the goal of Tariq ibn Ziyad is "to penetrate U.S. agencies belonging to the U.S. Army.” It’s still not clear why the earlier version of worm released a month prior did not spread as quickly or widely. As a matter of fact, Symantec rated it a "low" risk. According to Stewart, the most likely theory is that initially, more people were spammed this time around. Also, the latest version of "Here You Have" may have included new components, causing it to spread more efficiently.
According to Computerworld, the August worm used the e-mail address Iraq_resistance@yahoo.com and the words “Iraq Resistance” appeared in the binary code of the latest version of the virus. Not only that, but a feature of the worm put in place by the creators so they could remotely log into an infected system, attempts to connect to a computer using the Tariq ibn Ziyad name. Finally, here’s the last bit of evidence pointing to Iraq Resistance: other facets of the worm, including the e-mail sending software and password stealer, were written in Arabic.
Symantec said the worm is similar to the equally bizarre "Anna Kournikova" virus from 2001, which perhaps not-so-coincidentally also carried the subject line of "Here You Have.” The 2001 virus tricked users into opening an e-mail message that they were led to believe contained an alluring photo of tennis beauty Anna Kournikova.
“Here You Have ….” What?
Different terminology has been thrown around in reference to the attack, which was responsible for hundreds of thousands, if not millions of e-mails. So, was it a virus, malware, a worm, or all of the above? Technically, it was a worm. A “worm” is geek speak for a computer worm, which is a self-replicating malware computer program. Essentially, the worm uses a computer network to send copies of itself to other computers on the network, doing so without any kind of user intervention.
Obviously, organizations like NASA have advanced technology in their offices, but programmers who write worms such as “Here You Have” seek out security shortcomings on target computers. Unlike a virus, worms do not need to attach themselves to existing programs. Usually, worms don’t really harm the network, except for consuming bandwidth. Viruses, on the other hand, almost always corrupt or modify files on targeted computers. As we’ll soon find out, some are of the opinion that “Here You Are” was indeed, a virus.
Dmitri Alperovitch, vice president of threat research at McAfee, told ABCNews.com that the company was investigating the attack. "We do know that it's essentially an e-mail based worm that's propagating that has a link that alleges to be a PDF document that it wants the user to click on," Alperovitch said. "In reality, it's a piece of malware that's obfuscating as a PDF and it has the capabilities to spread virally once it's installed on the machine."
The day after the worm wreaked havoc on computers around the country, McAfee released a report about the virus, saying that the risk for both home and corporate e-mail was low. Essentially, all the worm did was spam a massive number of people, but it made many realize just how quickly a serious virus could spread, possibly debilitating computer networks all over the country.
Next: Who It Affected >>
More Web Hosting Security Articles
More By Joe Eitel
