Are "Here You Have" and "David Leadbetter" viruses going after specific targets?

New e-mail borne viruses hitting media companies, utilities

Two distinct types of e-mail-borne viruses, known by their subject lines as "Here You Have" (or "Just for You") and "David Leadbetter's One Point Lesson," have been jamming e-mail boxes for the last day or so and are trying to trick victims into clicking on attachments to infect computers. But unlike the infamous e-mail attacks of a decade ago, such as Melissa, which widely blanketed the Internet, questions are being raised as to whether these latest attacks are far more targeted.


News reports are popping up about ABC/Disney, Comcast, Google, Coca-Cola and NASA being hit by what's being called the "Here You Have" virus while the second totally different "David Leadbetter" e-mail-borne virus is also in circulation. According to Don Gray, chief security strategist at Omaha-based security managed services firm Solutionary, most of the anti-virus security firms now have protections in place against what were zero-day threats. But he also notes that this latest e-mail-borne virus wave could be far more targeted than virus events of several years ago.

"I don't know if it's targeted, but it's not a blanket mass where everyone is getting sent this to them," says Gray. "Seems like they're trying to go after high-value targets."

For instance, out of Solutionary's hundreds of customers, only a handful seem to have been hit by either of the latest e-mail-borne virus attacks. Some of them have been utility companies, he notes, raising the question of whether someone is targeting news media for the exposure but also going after preferred targets, perhaps even critical infrastructure targets.

Even as investigators pull together what they know about the latest wave, Gray says the Web sites www.academyhouse.us and www.totalvirus.com -- which appear to have been linked to malicious downloads associated with the "Just For You" wave -- have been shut down.

But "Just for You" and the "David Leadbetter One Point Lesson" virus (technically both are viruses, not worms, since they don't aggressively go out looking for new victims) are distinctly different and hence protective measures against them would be different.

The "Just for You" attachment is a .scr file disguised as a PDF or, in some cases, as a video. Once the victim clicks on the attachment, the malware goes looking for security software on the victim's desktop and tries to install a drop file, which gives the attacker a way to do more damage in the future.

The David Leadbetter virus is a real PDF-based attack, and a very sophisticated one, says Gray. It utilizes a stolen VeriSign certificate issued to secure2.ccuu.com and bypasses Windows security protections on Windows Vista and Windows 7, according to Solutionary.

While updated signature-based defense is available (Sourcefire issued its own last night), some Solutionary clients are blocking .scr and other attachments at the gateway because of the virus wave, and some have decided for the moment not to use desktop Adobe software, or to disable JavaScript in it. Other approaches can include endpoint hardening, but Gray notes it's clear that a renewed effort should be made related to "security awareness" among corporate employees.
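The gateway controls described above (refusing .scr and similar attachments, and catching an executable dressed up as a PDF) can be sketched as a small attachment-policy check. The following is an added example written for this article, not code from Solutionary, Sourcefire or any vendor mentioned here; the sample message, its filenames and the attachment bytes are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a mail gateway would normally refuse outright. .scr is the Windows
# screensaver format the article describes being blocked at the gateway.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Leading bytes of formats an attachment's extension might claim to be.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe",  # Windows executable; .exe, .scr and .dll all share this header
}


def detect_type(data: bytes) -> str:
    """Identify the real format of an attachment from its leading bytes."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Return the policy findings for one attachment (an empty list means it passes)."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"blocked extension {ext}")
        # 'document.pdf.scr': a document-looking name with an executable suffix
        if len(parts) > 2:
            findings.append("double extension disguises executable as document")
    content = detect_type(data)
    if ext == ".pdf" and content != "pdf":
        findings.append(f"extension .pdf but content looks like {content}")
    if content == "pe" and ext not in EXECUTABLE_EXTENSIONS:
        findings.append(f"Windows executable header behind {ext or 'no extension'}")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse an RFC 822 message and assess every attachment by filename and content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results[fname] = assess_attachment(fname, payload)
    return results


def build_sample() -> bytes:
    """Constructed sample e-mail for the demonstration; not a real captured message."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Here you have"
    msg.set_content("This is the document I told you about.")
    # A genuine PDF: passes.
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    # An executable with a document-looking double extension: blocked by extension.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="octet-stream",
                       filename="document.pdf.scr")
    # Executable content renamed to .pdf: caught by the content check.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="lesson.pdf")
    return bytes(msg)


if __name__ == "__main__":
    for name, findings in scan_message(build_sample()).items():
        verdict = "QUARANTINE" if findings else "pass"
        print(f"{name}: {verdict} {findings}")
```

The extension list and the content check are deliberately separate: the first implements the blunt gateway rule the article describes, while the second catches the renamed executable that an extension-only rule lets through.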

E-mail-borne viruses were commonplace a decade ago, but this week represents a new wave not seen for a long time. Younger employees may be used to clicking on apps and it may be they're not as aware of the risks associated with e-mail attachments and executables, says Gray. It's all "basic," he notes, but has to be reinforced with a new generation of employees.

Joe Stewart, researcher at managed services firm SecureWorks, says he's also inclined to view the Here You Have (aka "Only for You") attacks as very targeted. There are many SecureWorks customers that haven't seen any evidence whatsoever of Here You Have, he notes, and don't understand what all the uproar is about. But others are getting hit and "many in the commercial sector and the government are very concerned about this," Stewart says, adding the military is especially concerned. "It's targeted to some degree."

Stewart and others point out there's binary code in the Here You Have virus that was first noticed in 2008 and linked to what's believed to be a Libyan hacker trying to organize a cyber-jihad group loosely known as the "Brigade of Tariq ibn Ziyad," a reference to an 8th century Berber Muslim general.

The trojan code in question was first used to try to steal passwords, and Stewart thinks that is the aim of this latest Here You Have attack as well. It's not known if the current Here You Have attack can be traced to this older cyber-jihadist push, but with the U.S. officially ending its combat role in Iraq, the current tension related to the possible burning of the Quran by a Florida pastor, and the rancorous debate over building an Islamic center near the site of ground zero, the attacks might have their roots in some cyber-jihad group that's now stirred up.

However, the Here You Have attack wave hasn't been hugely effective, Stewart points out. He adds that he sees no evidence Here You Have hit consumers at all.

Symantec and McAfee, though, insist that Here You Have is indiscriminate. "This hit a huge range of our customers," says Greg Leah, malware analyst at Symantec hosted services. "These attacks are not targeted," claims Sam Masiello, director of messaging security research at McAfee. "It's hitting a wide number of customers." Neither McAfee nor Symantec had specific numbers available, however.
