Yesterday, at around 2:00 PM, a new virus hit major companies across the world. You’ve probably already read about it by now (see here and here). It hit companies like ABC, Coca Cola and NASA. Comcast even had to shut down its email servers after being attacked. Most of the major antivirus vendors did not stop it. McAfee and Symantec released updated definition files by Thursday evening – too late to stop the damage. One of the attributes of this virus is that it may disable or entirely delete your security software, so remediation becomes that much more difficult.
It’s a case of oldies but goodies. ‘Here you have’ is not a zero-day attack. It does not use some advanced, never-before-seen technique to infect your PC. It is a mass-mailing worm that uses simple social engineering to infect and common techniques to propagate. All it takes is a few unsuspecting folks to click on a link in a benign-looking email. Instead of getting the PDF attachment (or whatever they think they are opening), an SCR virus file is dropped on their system. This file then proceeds to email itself to everyone in the victim’s address book, while also dropping other malicious files onto the system. Then a whole new set of people receive the email, except this time it’s from someone they likely trust, and the process repeats itself with the number of victim computers growing exponentially. The virus payload is still being analyzed, but it does a lot more than simply mass-email itself. It propagates to mapped drives and removable drives, disables various security products and may attempt to steal passwords. It creates files with official-sounding names like csrss.exe (although it places those files in different locations than the original/official versions). It changes system configuration settings and generally just makes a mess of your system.
We saw this before with the ILOVEYOU worm in 2000 and the Anna Kournikova worm in 2001. But wait, we can go back even further. Mass-mailing worms first hit the world stage in 1999 with the Melissa virus. Each of those cases wreaked havoc on a global scale. More than 10 years later, the world is still getting fooled by the same tricks. A decade has passed and traditional antivirus security still can’t stop the next variant. This is madness, simply madness.
I hate sounding like a broken record, but it needs to be said yet again… traditional detect-and-react security does not work. Advanced whitelisting, like Bit9 Parity, can and does stop the ‘Here you have’ worm, and it will stop the next one too. It’s quite simple – if a file that is not approved tries to execute, it is blocked. It doesn’t matter if the person sending the email is someone you trust. It doesn’t matter if the file trying to run sounds official. We weren’t up late last night trying to update malware signatures because we don’t use malware signatures. We already have customers calling us to thank us for protecting them from this attack.
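As an added illustration (not Bit9’s code or Parity’s logic), here is a minimal model of the two ideas above: the execution-time allowlist rule from this paragraph, and a defender’s check for the csrss.exe-in-the-wrong-directory trick described earlier. The file contents, approved-hash list and paths are constructed samples; the official System32 location is assumed from the standard Windows layout.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for file contents (not real binaries).
KNOWN_GOOD_CSRSS = b"MZ constructed known-good csrss.exe image"
DROPPED_WORM_FILE = b"MZ constructed worm dropper posing as csrss.exe"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The allowlist: only hashes on this list may execute. Constructed sample entry.
APPROVED_HASHES = {sha256_hex(KNOWN_GOOD_CSRSS)}

# Where the real file lives; assumption: standard Windows layout.
OFFICIAL_LOCATIONS = {"csrss.exe": {r"c:\windows\system32"}}


@dataclass
class ExecRequest:
    path: str       # full path of the file that is about to execute
    content: bytes  # its bytes, hashed for the allowlist lookup


def split_path(path: str):
    directory, _, name = path.lower().rpartition("\\")
    return directory, name


def evaluate(req: ExecRequest, approved=APPROVED_HASHES):
    """Return ("allow", []) or ("block", [reasons])."""
    directory, name = split_path(req.path)
    reasons = []
    # 1. Allowlist rule: not approved means blocked, regardless of who sent
    #    the file or how official its name sounds.
    if sha256_hex(req.content) not in approved:
        reasons.append("hash not on approved list")
    # 2. Telemetry check: a well-known system process name running from a
    #    directory other than its official location.
    official = OFFICIAL_LOCATIONS.get(name)
    if official and directory not in official:
        reasons.append(f"{name} running outside {sorted(official)}")
    return ("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    for req in (ExecRequest(r"C:\Windows\System32\csrss.exe", KNOWN_GOOD_CSRSS),
                ExecRequest(r"C:\Users\victim\AppData\Local\Temp\csrss.exe", DROPPED_WORM_FILE)):
        print(req.path, *evaluate(req))
```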
To those companies and users currently down because of ‘Here you have’, I feel your pain but after more than 10 years of the same thing happening over and over again, maybe it’s time to re-think your defenses. To our customers who slept well last night, you’re welcome.