Old-School Ways, Modern Cyberwar Mission

In a week consumed with stories about burning Qurans and mosque protests in New York City, it was easy to overlook word of a new mass-mailing worm fouling in-boxes across corporate America. But could there be a connection between the prolific attack and the high-profile debates regarding Islam in the United States?

The worm dubbed “Here You Have,” a nod to the subject line of the offending email, started rolling in on Thursday, Sept. 9, and quickly ensnared machines at corporate heavyweights such as Procter & Gamble, Disney, Wells Fargo, Google and other places that should have better protection against such attacks. I’m looking at you, IT admins at NASA, who also got victimized.

The success of Here You Have, such as it was, is surprising considering it went with the old-school distribution method of sending mails to all of a compromised user’s Outlook contacts, a move derivative of such classics as the ILoveYou and AnnaKournikova bugs.

Inside the Here You Have e-mail, which also was distributed with other subject lines like “Just For You,” is a message reading "This is The Document I told you about, you can find it Here" with what appears to be a link to a PDF. The link, in fact, went to a .SCR file hosted in the U.K. that has since been taken offline. Technically, researchers have named the threat W32/VBMania@mm or W32.Imsolk.B@mm.

It’s worth noting that Here You Have, for all its primitive nature, did manage to get around corporate restrictions on executable attachments by hosting the malware remotely and linking to it. There aren’t yet any firm figures on how many machines were compromised, but anecdotal reports indicate corporate email at some of the companies that got hit slowed to a crawl or stopped altogether for parts of last Thursday and Friday as a result of the sheer spam volume created by the worm.
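As an added example (not code from the original post), here is the kind of defender-side mail-filter rule that catches the technique just described: it holds messages whose links point at an executable such as a .SCR file, or whose visible link text advertises a document the target URL does not deliver, and it also matches the subject lines reported for this worm. The sample message, host and path below are constructed placeholders, not the worm's real ones.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Extensions Windows runs directly when a user opens the download (the worm used .SCR).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs"}
# Extensions a lure commonly advertises in the visible link text.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt"}
# Subject lines reported for this worm (compared case-insensitively).
KNOWN_SUBJECTS = {"here you have", "just for you"}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def message_body(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def extract_links(body):
    """Return (url, visible_text) pairs: HTML anchors first, then bare URLs outside anchors."""
    links = [(href, re.sub(r"<[^>]+>", "", text).strip()) for href, text in HREF_RE.findall(body)]
    links += [(url, "") for url in BARE_URL_RE.findall(HREF_RE.sub(" ", body))]
    return links

def target_ext(url):
    """Lower-cased extension of the URL path ('' if it has none)."""
    m = re.search(r"(\.[a-z0-9]{1,5})$", urlparse(url).path.lower())
    return m.group(1) if m else ""

def classify(raw_message):
    """Return the reasons a message should be held for review; an empty list means clean."""
    msg = message_from_string(raw_message)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        reasons.append(f"subject matches known lure: {subject!r}")
    for url, text in extract_links(message_body(msg)):
        ext = target_ext(url)
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"link points at an executable ({ext}): {url}")
        elif text.lower().endswith(tuple(DOCUMENT_EXTS)) and ext not in DOCUMENT_EXTS:
            reasons.append(f"link text {text!r} advertises a document but targets {url}")
    return reasons

# Constructed sample in the worm's style; the host and file name are placeholders, not the real ones.
LURE = ('Subject: Here you have\nContent-Type: text/html; charset="utf-8"\n\n'
        '<p>This is The Document I told you about, you can find it '
        '<a href="http://files.example.invalid/document.pdf.scr">Here</a></p>\n')
```

Running `classify(LURE)` returns two reasons, one for the subject line and one for the .scr target; a message whose link text and target both name a .pdf produces none.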

But maybe the most fascinating -- and frightening -- thing about Here You Have, especially in light of current national events, is the possibility that it was part of a cyber Jihad launched by a group called the Brigades of Tariq ibn Ziyad with help from a Libyan hacker known as "iraq_resistance."

Fueling that speculation is the Here You Have malware’s efforts to phone home to tarekbinziad.no-ip.biz. Researchers also have found "iraq_resistance" in the binary of the worm.

That makes the Here You Have attack all the more troubling, considering Brigades of Tariq ibn Ziyad, which launched a similar mass mailer attack in August, has a very specific goal "to penetrate U.S. agencies belonging to the U.S. Army."

And that would make some sense, since Here You Have had some other old-school attributes, including that it wasn’t designed to steal money or financial data, the sweet spots of today’s hackers. Instead, it was simply looking to boost information by downloading browser components to extract passwords.

As the investigation into the true source of Here You Have continues, one take-away remains quite clear: while enterprises have done a fair job blocking executable files and white-listing applications for corporate desktops, there remain a lot of easy pickings out there due to a lack of basic content and spam filtering. Mass-mailing attacks have been reduced in recent years, but they remain a threat because a lack of IT and end-user vigilance continues to make even the most simplistic attack profitable for the bad guys.


Read More from the CompTIA Blog
