Two months ago the Trojan called Here-you-have had its fifteen minutes of fame, infesting mail servers around the world and clogging the networks of more than a few large institutions.
One key feature that allowed this Trojan to replicate was a deception that, while not exactly new, fooled a large number of people. The file carrying the Trojan had the extension .SCR, which Windows uses for screensavers. A Windows screensaver is just another type of executable program, but many users are unaware of this; they clicked Run – and spread the Trojan.
Since the Here-you-have outbreak, Barracuda Labs has seen a very significant increase in the number of attacks that attempt to deliver malware by disguising the payload in the very same way. According to Barracuda Networks Security Researcher Luis Chapetti, at one point in early November over 50% of all emails containing HTML-style links seen by our honeypots were attempting to deliver malware with a .SCR extension. The examples seen are silent, but deadly, as we show below.
A typical attack starts with convincing tax-form spam targeting financial professionals.
At least nothing you can see. You could click that link multiple times and see nothing at all, eventually assuming something was wrong somewhere and just giving up and moving on. What really does happen though is that a file is downloaded and added to Internet Explorer
Browser Helper Objects have access to everything that the browser does, including web page traffic before encryption is applied. Therefore, what the malicious AcroIEHelper2.dll does chillingly well is to steal any username and password pair that you enter into your browser, even if the site is HTTPS enabled. We tested this with Chase Bank’s secure online banking logon page
It’s worth noting that the BHO would not install if the Vista or Windows 7 user account has User Account Control (UAC) enabled, or if the XP user account is a limited account. Limited accounts and UAC may seem inconvenient, but they exist to keep exactly this kind of thing from happening.
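As an added defender-side check, not part of the original post: a PowerShell script that lists the Browser Helper Objects registered on a Windows machine, resolves each CLSID to its DLL, and flags any that are unsigned or live outside the usual program directories, which is where a drop such as the AcroIEHelper2.dll described above would stand out. The registry locations are the standard BHO and CLSID keys; the list of trusted directories is an assumption you may want to extend for your environment.

```powershell
# Added example: enumerate IE Browser Helper Objects and flag ones worth a closer look.
# Run in an elevated PowerShell session on the host under review.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)
# Assumption: DLLs loaded from these directories are "expected"; anything else is flagged.
$trustedDirs = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}",
                 "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

# Map a BHO CLSID to the DLL path recorded under its InprocServer32 subkey.
function Resolve-BhoDll([string]$clsid) {
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root "$clsid\InprocServer32"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }
        }
    }
    return $null
}

foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($entry in Get-ChildItem -Path $bhoKey) {
        $clsid = $entry.PSChildName
        $dll   = Resolve-BhoDll $clsid
        $sig   = $null
        $flags = @()
        if (-not $dll)                 { $flags += 'no InprocServer32 path' }
        elseif (-not (Test-Path $dll)) { $flags += 'DLL missing on disk' }
        else {
            # A malicious BHO is rarely signed by a trusted publisher.
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            $inTrusted = $trustedDirs | Where-Object { $_ -and $dll.StartsWith($_, 'OrdinalIgnoreCase') }
            if (-not $inTrusted) { $flags += 'outside Program Files/System32' }
        }
        [PSCustomObject]@{
            CLSID  = $clsid
            DLL    = $dll
            Signer = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
            Flags  = ($flags -join '; ')
        }
    }
}
```

Pipe the output through `Where-Object { $_.Flags }` to see only the entries that tripped a check; an empty Flags column is the normal case for vendor add-ons.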
The bottom-line message is clear – don’t click on links you don’t recognize, and learn the lesson that Here-you-have taught the malware authors now imitating it: .SCR files are not something you want to open or run.
Dave Michmerhuizen, Security Researcher