RSA Admin

Tracking the Here You Have Worm

Blog Post created by RSA Admin Employee on Aug 22, 2012

REPOST - ORIGINALLY POSTED SEPTEMBER 10, 2010

 

If you’ve kept a view on security news in the past 24 hours, you may have noticed some press around a new email worm spreading on corporate networks.   Dubbed the “Here You Have” worm, it is a good case study on how to manage emerging threats with your NetWitness technology.  You can find additional info on the worm here:

 

http://isc.sans.edu/diary.html?storyid=9529

 

As a general overview, the worm works in a similar manner as other recent malware observed in the wild.

 

  • It tempts the user to click on an attachment or link with a social engineering hook.
  • When clicked, the malware establishes itself on the targeted machine to run automatically and propogates itself.
  • The malware downloads additional executables intended to steal saved credentials and establishes a beacon mechanism to receive updates or transmit stolen data.

 

Like most emerging threats, research teams at NetWitness analyzed this variant as soon as we found out about it, and I’ll use a few basic incident response questions to demonstrate detection mechanisms using our technology.   One thing to note is that none of this worm’s activity requires any content generation other than simple application rules since the metadata extraction process in our engine  extracts all of the relevant meta by default.

 

1)  Who in my environment was targeted?

 

Targeted email addresses related to this worm’s activity can be detected by simply using a custom-drill in Investigator:

 

subject contains ‘here you have’,'just for you’ && email = ‘iraq_resistance@yahoo.com’

 

This drill will focus the collection on the email sessions related to this activity, and relevant email addresses, ip addresses, hostnames, etc. can be extracted for additional analysis.

 

2) Who in my environment actually clicked on the link or attachment?

 

In this case, there are a few ways to detect this activity.   Once executed, the malware downloads a number of files with the extension “iq”.   Since this is an unusual extension, an initial quick pivot to locate infected hosts is:

 

extension = ‘iq’

 

Or, you could specifically target some of the filenames themselves:

 

filename = ‘ie.iq’,'pspv.iq’,'op.iq’,'im.iq’,'m.iq’,'w.iq’,'gc.iq’,'ff.iq’,'rd.iq’,'tryme.iq’

 

Or, you could look for hits to the alias.host where the files reside:

 

alias.host = members.multimania.co.uk && directory contains ‘yahoophoto’

 

Or, if your sniffing equipment is monitoring a backbone, you could look for the malware being copied to mapped network drives:

 

filename = ‘pdf_document21_025542010_pdf.scr’

 

3) Who in my organization is infected and beaconing?

 

In this case, one of the downloaded files in Step 2 attempts to contact “tarekbinziad.no-ip.biz”, so you can use an alias.host pivot to locate machines that may have transmitted credentials to a third-party:

 

alias.host = ‘tarekbinziad.no-ip.biz’

 

One thing to keep in mind is that both “tarekbinziad.no-ip.biz” and “members.multimania.co.uk/yahoophoto/” have been taken down by the security industry at this point, so with this variant, you are looking at a cleanup effort.   Also keep in mind that infected machines will continue to spam messages until they are cleaned.

 

Happy Hunting!

Outcomes