Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Cisco: 'Here you have' worm caused brief havoc

For a few hours, it accounted for between six per cent and 14 per cent of all spam

The "Here you have" worm that clogged e-mail systems on Thursday briefly caused one of the worst spam outbreaks of 2010, according to Cisco Systems.

For a few hours -- between 17:45 and 20:30 GMT -- the worm accounted for between six per cent and 14 per cent of all spam measured by Cisco's IronPort group.

It was the biggest spam outbreak since scammers pounced on the iPad launch back in March to try to trick people into visiting malicious websites, said Nilesh Bhandari, a product manager with Cisco. "That is humongous," he said.

"Here you have" spread primarily via e-mail, in messages that tried to entice victims into visiting a website that would install a malicious script on their computers. That script then scoured the victim's Outlook contacts list and sent similar messages to new victims. The worm also spread over the network, using a special PsExec script and via USB drives.

The worm's advance has been halted now for two reasons: Antivirus companies have added detection for the worm, and the website that hosted the malicious script has been taken offline. Cisco's data shows that by 12:00 GMT Friday it accounted for virtually none of the spam Cisco was tracking.

The worm primarily affected business networks in the U.S., Microsoft said in an analysis of the incident, posted late Friday. "For the first twelve hours of attack activity we monitored, 91 per cent of the infections and infection attempts were reported from our corporate clients -- the opposite of the pattern we normally see," Microsoft said.

It reportedly slowed down networks at Disney, Procter & Gamble, Wells Fargo and NASA.

This type of mass-mailing worm has largely been off the radar since the days of the Anna Kournikova and I Love You outbreaks in the early 2000s, but security experts say there are a few unusual things about "Here You Have."

There are several signs that may link it to a Libyan jihadist hacker named Iraq Resistance, SecureWorks said on Friday.

Most agree that the worm is not particularly sophisticated. Its success shows that it's still possible to infect a lot of computers by finding ways to trick people into doing things they shouldn't -- such as clicking on links and running malicious files. "[It] just shows that the human exploit is the easiest vector," said Alex Lanstein, a researcher with security vendor FireEye, in an e-mail message.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: ASA, Cisco, Cisco Systems, etwork, FireEye, IDG, IronPort, Microsoft, NASA, SecureWorks, Wells Fargo
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Cisco Systems, internet, malware, security
Latest Blog Posts
Whitepapers
  • Data Center Physical Infrastructure: Optimising Business Value
    To stay competitive in today’s rapidly changing business world, companies must update the way they view the value of their investment in data center physical infrastructure (DCPI). No longer are simply availability and upfront cost sufficient to make adequate business decisions. Agility, or business flexibility, and low total cost of ownership have become equally important to companies that will succeed in a changing global marketplace.
    Learn more »
  • Closing the print security gap - The market landscape for print security
    Today, many organisations continue to rely on printing to support business processes, particularly in the public sector, finance industry and legal profession. Whilst MFPs and printers have improved business productivity, they pose the same security risk as any networked device if left unprotected. With reported data breaches on the rise and growing industry and regulatory requirements around information security, businesses may suffer financial and reputational damage if they ignore the risks of unsecured printing. Read more.
    Learn more »
  • Transforming Software Delivery: An IBM Rational Case Study
    The IBM Rational® software development organization consists of more than 2000 analysts, architects, project managers, developers, and quality professionals distributed over 15 locations on six continents. Our mission is to ensure the success of our customers through the development of a robust portfolio of software and systems delivery products. We create and maintain 57 product families that span distributed, System z®, and Power® operating environments.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments