
Are "Here You Have" and "David Leadbetter" viruses going after specific targets?

New e-mail borne viruses hitting media companies, utilities

By , Network World
September 10, 2010 12:20 PM ET

Network World - Two distinct types of e-mail-borne viruses, known by their subject lines as "Here You Have" (or "Just for You") and "David Leadbetter's One Point Lesson," have been jamming e-mail boxes for the last day or so and are trying to trick victims into clicking on attachments to infect computers. But unlike the infamous e-mail attacks of a decade ago, such as Melissa, which widely blanketed the Internet, questions are being raised as to whether these latest attacks are far more targeted.

From the NW archives: Melissa virus turning 10

News reports are popping up about ABC/Disney, Comcast, Google, Coca-Cola and NASA being hit by what's being called the "Here You Have" virus, while a second, entirely different "David Leadbetter" e-mail-borne virus is also in circulation. According to Don Gray, chief security strategist at Omaha-based managed security services firm Solutionary, most anti-virus vendors now have protections in place for what were initially zero-day threats. But he also notes that this latest e-mail-borne virus wave could be far more targeted than the virus events of several years ago.

"I don't know if it's targeted, but it's not a blanket mass where everyone is getting sent this to them," says Gray. "Seems like they're trying to go after high-value targets."

For instance, out of Solutionary's hundreds of customers, only a handful seem to have been hit by either of the latest e-mail-borne virus attacks. Some of them have been utility companies, he notes, raising the question of whether someone is targeting news media for the exposure while also going after preferred targets, perhaps even critical infrastructure.

Even as investigators pull together what they know about the latest wave, Gray says the Web sites www.academyhouse.us and www.totalvirus.com -- which appear to have been linked to malicious downloads associated with the "Just For You" wave -- have been shut down.

But "Just for You" and the "David Leadbetter One Point Lesson" virus (technically both are viruses, not worms, since they don't aggressively go out looking for new victims) are distinctly different, and so the protective measures against them differ as well.

The "Just for You" attachment is a .scr executable posing as a PDF or, in some cases, a video. Once the victim opens it, the malware looks for security software on the victim's desktop and tries to install a dropped file, which gives the attacker a way to do more damage later.

The David Leadbetter virus is a real PDF-based attack, and a very sophisticated one, says Gray. It utilizes a stolen VeriSign certificate issued to secure2.ccuu.com and bypasses Windows security protections on Windows Vista and Windows 7, according to Solutionary.

While updated signature-based defenses are available (Sourcefire issued its own last night), some Solutionary clients are blocking .scr and other executable attachments at the gateway because of the virus wave, and some have decided for the moment to stop using desktop Adobe software or to disable JavaScript in it. Other approaches include endpoint hardening, but Gray notes it's clear that a renewed effort should be made on "security awareness" among corporate employees.
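The gateway blocking mentioned above, and the .scr-posing-as-PDF attachment described earlier, come down to a simple triage rule: do not trust the attachment's name. The following is an added example, not code from the article, from Solutionary or from Sourcefire, of an attachment filter that checks the file extension, double extensions and the file's magic bytes, so an executable renamed to look like a PDF is still caught. The blocked-extension list, the lure-subject strings and the two sample messages are constructed for the example; the subject strings are taken from the article, the rest is assumed.

```python
"""Mail-gateway attachment triage (added example, not the article's own code).

Flags a message when the subject matches a known lure, when an attachment
carries a blocked or double extension, or when the attachment's content
(magic bytes) does not match what its name claims.
"""
import email
from email import policy
from email.message import EmailMessage

# Assumption: a typical gateway block list for executable attachment types.
BLOCKED_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

# Subject lines named in the article, lowercased for substring matching.
SUSPICIOUS_SUBJECTS = ("here you have", "just for you", "david leadbetter")

# Leading bytes we recognise. "MZ" is the PE header shared by .exe and .scr files.
MAGIC = {b"%PDF-": "pdf", b"MZ": "pe", b"\x1f\x8b": "gzip"}


def sniff(data: bytes) -> str:
    """Return the content type implied by the first bytes, ignoring the file name."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def extensions(filename: str) -> list:
    """All dotted suffixes, lowercased: 'doc.pdf.scr' -> ['.pdf', '.scr']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return a verdict plus the reasons for it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg["subject"] or "").lower()
    if any(s in subject for s in SUSPICIOUS_SUBJECTS):
        findings.append(("subject", "matches known lure subject"))

    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        exts = extensions(name)
        kind = sniff(data)

        if exts and exts[-1] in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {exts[-1]}"))
        if len(exts) > 1:
            findings.append((name, "double extension"))
        # Content check: a PE file is executable whatever it is called.
        if kind == "pe":
            findings.append((name, "PE executable content"))
        if exts and exts[-1] == ".pdf" and kind != "pdf":
            findings.append((name, f"claims PDF but content is {kind}"))

    return {"verdict": "block" if findings else "allow", "findings": findings}


def build_sample(subject: str, filename: str, payload: bytes, subtype: str) -> bytes:
    """Build a constructed test message with one attachment (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Hello:\nThis is the document I told you about, you can find it here.")
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples: a lure carrying a PE renamed to look like a PDF, and a
# benign message with a minimal genuine PDF. Neither is a real captured message.
LURE = build_sample("Here you have", "PDF_Document21.pdf.scr",
                    b"MZ\x90\x00" + b"\x00" * 60, "pdf")
BENIGN = build_sample("Q3 report", "report.pdf",
                      b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n%%EOF\n", "pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        result = inspect_message(raw)
        print(label, result["verdict"])
        for where, why in result["findings"]:
            print("   ", where, "-", why)
```

The magic-byte check is the part that survives renaming: a gateway that only matches `*.scr` is defeated by a `.pdf` name with a PE body, while this filter flags the PE header regardless of name and separately reports the name/content mismatch.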
