On September 9, Barracuda Labs witnessed an outbreak of a spammed Trojan dubbed “Here You Have”, after the subject line of the emails it sends. According to Luis Chapetti, lead security analyst at Barracuda Networks, the spam first appeared at 8:44AM PDT and over 200,000 messages were seen by our email monitoring systems over the following six-hour period. Volume dropped off rapidly once the account hosting the malware was shut down. This volume does not include spam sent within enterprises, which could be a substantial number.
Email worms are nothing new, but in the past they sent their executable program as an attachment to the outgoing email. Computer users have mostly absorbed the lesson that you should be very careful with any file that comes to you via email, especially any .exe and .zip files.
This “Here You Have” email worm was just different enough to persuade many users to download and run the payload. The emails offered up a type of file that people trust – an Adobe PDF – and then delivered a file type that most people are unfamiliar with – a .scr file. The .scr file type is commonly used for Windows screen savers, which are executable programs themselves. What's more, the payload file was not directly attached to the email. A small HTML file containing a link to the payload is included instead, which makes it harder to see what is actually being offered and makes the link more enticing to click.
The campaign included several different messages, with the most common one titled “Here You Have” and presenting a vague “document I told you about” theme. Careful examination of the email shows that what is being offered is not what is being delivered; saving the file instead of opening it makes the mismatch in file type plainly visible. What the malware authors are hoping will happen is that the user will simply click on the link. Doing so does display a Windows Security Warning dialog, and this dialog does indicate that the file is not a PDF – it is a Screen Saver. The mere presence of this dialog is a dead giveaway that something is wrong: the action for a PDF file is ‘Open’ and not ‘Run’.
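The lure works because the advertised file type (a PDF) and the file type the link actually delivers (a .scr screen saver) differ. The following is an added example, not code from Barracuda Labs or from the original post: a small Python filter that parses an HTML attachment, extracts every link, and flags links whose target path ends in a Windows-executable extension while the visible link text advertises a document. The sample HTML and the example.invalid URL are constructed for illustration; the extension lists are assumptions a mail gateway operator would tune to their environment.

```python
"""Flag links in an HTML email attachment whose target is a Windows
executable type (.scr, .exe, ...) while the visible text advertises
a document such as a PDF. Added example; not the original post's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Extensions Windows executes directly when the user picks "Run" (assumed list).
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a lure commonly advertises as harmless (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".txt"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def target_extension(href):
    """Extension of the URL path, lower-cased; query strings are ignored."""
    return posixpath.splitext(urlparse(href).path)[1].lower()


def claimed_extension(text):
    """Document extension the visible link text advertises, or '' if none."""
    for token in text.replace("(", " ").replace(")", " ").split():
        ext = posixpath.splitext(token)[1].lower()
        if ext in DOCUMENT_EXTS:
            return ext
    return ""


def find_disguised_executables(html):
    """Return one finding per link whose real target is executable."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = target_extension(href)
        if actual in EXECUTABLE_EXTS:
            findings.append({
                "href": href,
                "text": text,
                "actual": actual,
                "claimed": claimed_extension(text),
            })
    return findings


# Constructed sample resembling the attachment described above; not a real capture.
SAMPLE_HTML = """<html><body>
<p>Hello: This is The Document I told you about, you can find it Here.</p>
<a href="http://example.invalid/files/document.pdf.scr">document.pdf</a>
<p>Also see <a href="http://example.invalid/notes/readme.txt">readme.txt</a></p>
</body></html>"""

if __name__ == "__main__":
    for f in find_disguised_executables(SAMPLE_HTML):
        print(f"FLAG: text advertises '{f['claimed'] or '?'}' "
              f"but target is '{f['actual']}': {f['href']}")
```

Only the first link is reported: its target ends in .scr while the visible text ends in .pdf, which is exactly the mismatch the Windows Security Warning dialog exposes to the user. The readme.txt link is left alone because its target is not an executable type. A gateway would apply the same check to the links inside an HTML attachment before the message is delivered, rather than relying on the user to notice the ‘Run’ button.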
If ‘Run' is clicked, the malware – named VBMania – proceeds to spam itself to everyone in that user’s address book. This can be a particular problem in large enterprises because as a rule, emails passing between users in the same organization are trusted. One infected user spams everyone in the corporate address book, and once only a few more coworkers click on those emails the spam attack snowballs exponentially.
So while email worms are nothing new and most users understand not to click on an attachment that is an .exe or .zip, the payload included here is an .html file containing a link to the executable, leaving unsuspecting users vulnerable.
“This outbreak was actually kind of simple,” says Chapetti. “All it did was spam itself out. They could have just as easily added a password stealer to the download list, and with more sophisticated code, dynamically changed the download site and kept the worm alive for a long time.”
Bottom line? The attack itself is simple and could have been much more severe than it was. It is yet another example of spam containing potentially malicious content and a significant reminder to all users to not run anything received via email if the source is not trusted and the content known.
Barracuda Spam & Virus Firewalls blocked these messages throughout the attack.
By Dave Michmerhuizen, Research Scientist