'Here You Have' Spam Outbreak Leaves Enterprises Reeling

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

While the source of the "Here you have" virus that spread like wildfire throughout corporate email servers around the globe may have finally been shut down, enterprise IT departments are still dealing with the fallout from one of the most virulent and fast-moving viruses in recent history.

According to security researchers at Cisco's (NASDAQ: CSCO) IronPort division, the "Here you have" email worm peaked Thursday when the sneaky "download-and-run" malware accounted for a staggering 14.2 percent of all spam messages circulating the Internet -- or more than 42 billion individual spam messages.

Security software firm Sophos, which identified the malware as W32/Autorun-BHO, said the U.K.-based website responsible for spreading the Windows-based virus was shut down sometime Friday, bringing an end to the upheaval.

In the interim, however, the "Here you have" virus clogged corporate email servers around the world. Researchers at Cisco and Sophos reported that outbreak disrupted email systems at large companies, including Comcast, Wells Fargo, Coca-Cola and Google.

Despite its destructiveness, the "Here you have" virus is actually just a new take on an old socially engineered malware scam, according to Sophos security analyst Graham Cluley -- a scam that conjures up memories of the infamous Anna Kournikova spam that devastated email servers some eight years ago.

Similarly to the Kournikova virus, the new W32/Autorun-BHO works by duping users into clicking on an infected email with either the "Here you have" or "Just for you" subject titles. The email then provides a link to what it promises are important PDF documents or pornographic WMV videos.

Instead, those foolish enough to click on the link got an executable file that immediately tried to shut off any legitimate security software applications running on their computer or mobile device.

The virus then sends spam messages to all of the contacts in the victim's address book, helping it to spread geometrically and giving "Here you have" even more currency because the next crop of potential victims thought the infected email they received had been sent by a trusted contact.

"The intention of the attack appears to be to steal information," Sophos security analyst Graham Cluley wrote in a blog post. "The malware downloads components and other tools which extract passwords from browsers (Firefox, Chrome, Internet Explorer, Opera), various email clients, and other applications. [It's] clearly sensitive information, which you don't want falling into the wrong hands."

Blast From the Past

Considering that 90 percent of all email traffic -- 300 billion messages a day -- is spam, the fact that this one variant of spam managed to account for more than 14 percent of the total spam traffic attests to the surprising appeal of what are really old-school malware tactics, security researchers said.

In May, another particularly virulent worm weaseled its way into the Yahoo Messenger community, infecting an unknown number of users after tricking them into clicking on a link masquerading as "foto" or "fotos" from someone in their contact list.

Email viruses of this type figure to become more and more common as hackers continue to find opportunities in social networks, such as Twitter and Facebook where large pools of like-minded or similarly interested potential victims gather to share pictures, links and ideas.

"That doesn't surprise me, as this is something of a return to the malware attacks of yesteryear where hackers didn't care whose computers they hit," Cluley wrote. "They just wanted to infect as many as possible."

"Worms like this don't discriminate, deciding their next victim purely by scooping up a list of its next targets from the user's email address book," he added.

Larry Barrett is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Follow eSecurityPlanet on Twitter @eSecurityP.