Not since Nimda and Code Red has there been so much excitement over a virus propagated around the Internet; the news channels are rolling out all sorts of experts for their doom and gloom opinions, and the dollar amount of lost business is already being totted up by those affected. The list of companies hit so far includes some household names like Comcast, Coca-Cola, ABC and NASA.
The similarities of the ‘Here you have’ worm and the likes of the ILOVEYOU and AnnaKournikova worms have not gone unnoticed – for example HYH uses the same subject line as AnnaKournikova!
Today I expect many of those affected by the HYH worm will be asking how it managed to propagate so well using mechanisms that have been in such wide use over the past 15 years. You have to give it to the writers of HYH, that’s a real retro-worm right there.
HYH has done alarmingly well since it was first spotted in the wild. Its worm-like characteristic of using email as a distribution mechanism is not new, but the fact that HYH dodged so many security systems is a big surprise. Could this be because too many organizations have not yet protected their users from web-borne threats by implementing URL scanning technology in both email and web browsing sessions? The Trojan-like qualities of its socially engineered download link have duped many into clicking on the malicious link; surely we should know better? HYH will also email itself to your Outlook contacts, and it copies itself through network shares and drives. All in all, HYH is a multifaceted nightmare that on the face of it looked like many of the other worms out there today – yet HYH has been hugely successful. This is perhaps a consequence of distribution via email and infection via URL, where simply not enough zero-day exploit protection was afforded to users.
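The URL scanning the paragraph above calls for can be illustrated with a small mail-gateway check. This is an added example, not code from the original post or from any vendor: it parses a constructed message, flags the reused "Here you have" subject line the post mentions, and flags links whose target is an executable while the link text reads like a document. The executable-extension list and the document-name heuristic are assumed policy choices, not details from the post.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message modelled on the post's description of a
# socially engineered download link; addresses and paths are placeholders.
SAMPLE_EMAIL = """From: someone@example.invalid
To: you@example.invalid
Subject: Here you have
Content-Type: text/html

<p>Hello, this is the document I told you about, you can find it here:</p>
<a href="http://example.invalid/files/report.pdf.scr">report.pdf</a>
"""

# Assumed policy: extensions treated as direct executable downloads.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".js"}
# Subject line the post says HYH reused from an earlier mass-mailing worm.
SUSPECT_SUBJECTS = {"here you have"}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def scan_message(raw):
    """Return the reasons to quarantine a message (empty list means clean)."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SUSPECT_SUBJECTS:
        reasons.append("subject matches known worm lure")
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in LINK_RE.findall(body):
        path = urlparse(href).path.lower()
        ext = path[path.rfind("."):] if "." in path else ""
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"link to executable download: {href}")
            # Link text that looks like a document while the target is executable
            if re.search(r"\.(pdf|doc|docx|xls|xlsx)\b", text, re.I):
                reasons.append(f"link text '{text.strip()}' disguises executable target")
    return reasons


if __name__ == "__main__":
    for reason in scan_message(SAMPLE_EMAIL):
        print("QUARANTINE:", reason)
```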
All of this has left many administrators with only one option, and this isn’t something they have considered for a long time – unplug the network and take everything offline until you can get on top of the problem. A sysadmin’s or network admin’s nightmare. Of those affected, some may be able to rely on external continuity systems that offer both security and continuity, but the unlucky ones are probably looking at a long weekend of cleaning and patching.
So whilst others pick apart HYH and its impact on networks and the Internet, I can’t help but notice that this whole saga forces us to once more worry about issues we thought were dealt with. The spam and virus threat isn’t something that’s going to go away, and if anything HYH shows us that it is still possible for chaos to erupt at a moment’s notice. Chaos that can clearly come from the most unexpected direction.
Now is the time to review your setup; email security isn’t a done deal, it’s a dynamic system that needs attention. If you haven’t already, consider the HYH chaos as a source of downtime and add that scenario to your continuity plan. And, last but not least, go back to the users and re-educate them on the threats that are clearly still out there.