Worm Wriggles Through Yahoo! Mail Flaw

Jasen Bell writes to mention a ZDNet article about a clever new worm affecting users of Yahoo!'s email service. The virus uses a flaw in JavaScript to infect a computer when an email is opened from the user's web-based mail. From the article: "The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said. Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.' The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."

Fell for this yestereday

[neonprimetime (528653)]

Yamanner arrives in a Yahoo mailbox bearing the subject header "New Graphic Site."

Damn ... I opened an email like this yesterday ... the reason being was because it was "from" one of my friends (they were marked as the sender). As soon as it opened I knew I f!cked up ... per a Javascript popup window shooting up ... grrr ...

This is an example of webmail's suckiness

[Sloppy (14984)]

Yet another lesson in why webmail is a such a bad idea. By using the wrong tool (web browser) for the job (email), the user suffers twofold:

1. Using cryptographic signatures to verify that an email is really from your friend, before you trust its contents, simply isn't an option.
2. stuff is rendered in too powerful of an environment. Normally, Javascript inside an email would not be a threat, because there wouldn't be any way to execute it -- accidently or even deliberately.

Webmail sucks. Death to webmail

Re:This is an example of webmail's suckiness

[oni (41625)]

Using cryptographic signatures to verify that an email is really from your friend, before you trust its contents, simply isn't an option.

well, the email *was* from his friend. His friend was infected. If his friend was using a standalone email client and using cryptographic signatures, then most likely, his friend would have entered his password for PGP or whatever, and that password would be stored in memory, and then when the virus took over his account and started sending mail, the virus would sign the

Re:This is an example of webmail's suckiness

[bobcat7677 (561727)]

I agree with the parent on the bullet points, but I think the conclusion "death to webmail" is barking up the wrong tree. The real issue goes back to point number two: rendered in too powerful an environment. If e-mail was ALWAYS treated as text, instead of trying to support HTML and mime types blah blah then having a safe webmail interface would simply mean a control that shows the text as text only with no possible execution. Simple and what e-mail was always meant to be. If you need to send "pretty"

Your "JavaScript"?

[Elixon (832904)]

"flaw in JavaScript" - you really mean "flaw in JavaScript" or flaw in the implementation of the so-called "JavaScript"? I mean - all browsers with "JavaScript" are affected? Including mobile devices, linuxes, unixes...?

Fixed.

[Se7enLC (714730)]

Fixed: At the time of the advisory, there was no patch for the vulnerability. But by later on Monday, Yahoo said it had come up with a fix for the flaw, which it said had affected very few of its customers.

I have to say I agree with the low threat level. All the virus does is propogate and collect email addresses, and only on yahoo. If you have a yahoo email address, you're getting spam anyway, so how will you even know the difference?

Re:Fixed.

[tehwebguy (860335)]

yes, actually i was the one who came up with the fix for it.
it went something like this:

$body = strip_tags($body);

Re:Fixed.

[lobsterGun (415085)]

You may just be unlucky with your Yahoo account.

I have a yahoo mail address that I have used actively for years, and only receive a few spam a week.

Re:Fixed.

[peragrin (659227)]

My gmail account recieves about 25-40 a week. of course the filter catches them all. It even smetimes catches mail that it isn't supposed to.

My juno account however recieves 20-30 a day and it's filter catches 3-5.

It's a good thing I just use juno for junk mail filtering.

First reported

[Billosaur (927319)]

Yesterday by The Register [theregister.co.uk]

My question is: who thought it was a good idea to enable JavaScript in emails? Someone at Yahoo! wasn't paying attention to basic security.

Re:First reported

[Sloppy (14984)]

My question is: who thought it was a good idea to enable JavaScript in emails?

My question is: who thought it was a good idea to enable Javascript in web browsers?

Re:First reported

[Bogtha (906264)]

The article is wrong when it claims that it's "a flaw in JavaScript", it's a flaw in Yahoo's webmail. So the answer to your question is almost certainly: nobody thought it was a good idea to enable JavaScript in emails, the developers working on Yahoo's webmail didn't escape things properly and nobody was doing decent QA to catch the mistake the developers made. So basically, it's a management error.

There doesn't seem to be detailed technical information available anywhere, but it sounds very much like it's just a specialised form of an XSS attack, where you sneak code into the application in such a way that the application doesn't encode it properly for output to another user.

Medireview virus attacks yahoo.

[leuk_he (194174)]

I thought the security of yahoo would have captured a old [wikipedia.org] javascript virus by now. Bu i do not understand: how can this javascript break out the browsers? isn't yahoo just a webmail website? then how would the local pc be affected? why would you have to scan your pc as symantic tells you?

Ok, the virus can send a lot of e-mails and break the yahoo mail system. or si there something about yahoo mail i do not understand?

Re:Medireview virus attacks yahoo.

[42Penguins (861511)]

A JavaScript ..erm...script should be treated as an executable. Sure, it's based on Yahoo's servers, but when you open it, it's run on YOUR PC and will do whatever good/evil deeds it's written to do.

I think that a bigger detriment to your system comes with running modern Symantec products! AVG, ZA, and S&D make my day.

Re:Medireview virus attacks yahoo.

[larkost (79011)]

The poster's question is valid. He/she is asking if the JavaScript worm can actually do anything other that work within the browser, as in how can the worm "infect" the computer. The answer is that it can't. It only harvests the email addresses that are on your Yahoo addressbook, and emails itself to them, once again though Yahoo. So everything is done within the browser, and there is no compromise outside the browser's sandbox.

With a little creativity, this could be extended to grab a file off the HD, and send the data to any site it chose, but it does not sound like that is the case here.

Infecting the computer?

[0123456 (636235)]

As I understand it, this doesn't infect the computer it runs on, it just uses the evils of Javascript to grap addresses from your contacts list and forward a copy to everyone in there while passing them on to a spammer site. There should be nothing left behind to 'infect' the computer it runs on, and it will run on anything that supports Javascript... which is needed to use Yahoo mail in the first place.

Just another reason why Javascript is evil.

Can't we all just leave each other alone?

[NotQuiteReal (608241)]

Ironically, those of us with no contacts in our yahoo mail make for the best of friends!

Symantec

[omeomi (675045)]

Symantec is rating the threat a '2.'

The lowball number is interesting, especially given the fact that Symantec is the company charged with the task of keeping an outbreak like this from happening:

Symantec to scan Yahoo Mail for viruses [infoworld.com]

Re:Makes you wonder.

[hesiod (111176)]

> The worm itself (at least from the description here) sounds relatively serious

Huh? All the descriptions I've seen say it just forwards itself to people in your Yahoo! contact list. I've seen nothing about it doing any damage to your PC, browser, or even your Yahoo! mail account. How is that worthy of a rating more than two? Unless I'm missing something, 2 sounds too high. Is there some other evil effect that was discovered and not posted in the messages I've seen so far?

Exploits a javascript bug?

[NynexNinja (379583)]

The article is lacking many details, like specifically which browsers seem to be vulnerable to this problem, or even if this is a browser bug that it is exploiting.... It could be a server side problem they are exploiting, or a client side browser bug. It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder, although from the article it is impossible to determine this.

Re:Exploits a javascript bug?

[99BottlesOfBeerInMyF (813746)]

The article is lacking many details, like specifically which browsers seem to be vulnerable to this problem, or even if this is a browser bug that it is exploiting.... It could be a server side problem they are exploiting, or a client side browser bug.

It is a server side bug. They allow javascript to run in mail messages.

It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder

I saw it work under OS X 10.4 and Safari in my GF's account. For

Re:Exploits a javascript bug?

[Nutria (679911)]

It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder, although from the article it is impossible to determine this.

I was wondering this, too. Why aren't users of Firefox/Linux affected?

Re:Exploits a javascript bug?

[fatboy (6851)]

From what I can see [groovin.net], it checks window.XMLHttpRequest and if that fails, it uses ActiveXObject('Microsoft.XMLHTTP').

I checked it and it does work in Firefox.

Here's the flaw that's exploited

[fizbin (2046)]

It's fixed on yahoo's servers now, but according to the source link posted earlier, the flaw that's being exploited seems to be a bug in how yahoo parses html attributes. The bug sends itself as:

<img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ ma_mail_1.gif'
target=""onload="whole bunch of crappy javascript here that uses only
single quotes and just goes on and on">

Note the lack of a space between the 'target' bit and the 'onload' bit. Now, apparently "target" is one of the HTML attributes that yahoo allows through on an IMG tag (why?). Anyway, it appears that yahoo's servers see both the target and the onload bit as one big long target attribute and let it through, whereas most browsers see that as a separate "target" and "onload" attribute and execute the javascript as soon as the image (one of the standard yahoo mail images, so it'll likely already be in the browser cache) is loaded.

The lesson here? I'm not really sure, beyond "double- and triple-check your parsing routines, since they will be used in security-sensitive code".

Spread?

[(arg!)Styopa (232550)]

I just got a wave of mails in my gmail box that are from random senders, with multiple small 1-4k attachements.

Anyone have any idea if this works on/through gmail too?

Didn't get to my wife via her hotmail . . .

[mmell (832646)]

but this doesn't actually infect the user's computer; it harvests e-mails from the user's machine, but it uses Yahoo's server to perpetrate its evil.

I'm pretty sure gMail is safe from this particular exploit.

Re:Spread?

[dtsazza (956120)]

If you're curious, you can presumably use Gmail's POP service to read your messages in a client that doesn't support JavaScript (most, if not all, standalone email clients). That way you can inspect the headers, read the email and even assess the attachment without having to worry about any embedded JS.

While I have a Gmail account, I haven't checked it via the web interface for months now - checking it in Evolution gives me more power over sorting, filtering, etc. And while being able to access your mail

Re:Spread?

[mgblst (80109)]

I just got a wave of mails in my gmail box that are from random senders, with multiple small 1-4k attachements.

Anyone have any idea if this works on/through gmail too?
 
Nah, that was just me, fooling with ya...sorry.

Behavior

[kevin_conaway (585204)]

The article doesn't really mention the behavior of the worm and is actually slightly misleading. It doesn't "infect" your computer per se, it harvests your address book contacts and then spams them. From a different article: [theregister.co.uk]

Once executed, the worm forwards itself to an infected users' contacts on Yahoo! Mail. It also harvests these address and sends them to a remote internet server. Only contacts with an email address of either @yahoo.com or @yahoogroups.com are hit by this behaviour.

As The Worm Turns...

[creimer (824291)]

I just tried to compose an email in my Yahoo! email account and was informed that my contact list failed to load. So did the worm eat my contact list?

BETA version not effected

[Like2Byte (542992)]

I've seen lots of complaints about people using javascript and Yahoo!'s use of it. Yahoo!'s beta version is not effected by this worm.

FTFA, "The Yamanner worm targets all versions of Yahoo Web-based mail except the latest beta version, Symantec said in an advisory released Monday." (Emphisis mine)

Here is the Source, Luke.

[fatboy (6851)]

Lameness filter got me. Here is a link [groovin.net].

Crime and punishment

[erroneus (253617)]

In short, I believe there should be some very stiff penalties to pay if it is proven that someone has written and deployed malware of this sort. There should be prison time and forfeiture of any money and assets acquired as a result of gains from this activity.

People often complain that punishment is too severe for this otherwise 'harmless' activity (and often compared to more heinous crimes such as assault, robbery, murder sex/child related crimes) and that damages are quite often exaggerated beyond reason. I can't say much about exaggerated damages, but I can say that in addition to other classifications of crimes, I also consider the following:

Planned/premeditated or not. Many aspects of the more heinous crimes where punishment is often less than these "white collar" crimes are not planned or premeditated. They are driven by little more than emotional or other motives. There is something more cold, more dark and indeed more arrogant when it comes to crimes such as the act of creating and deploying an internet worm. There is no question that what they are doing is immoral and illegal. They perform the act believing they will not be caught, that they will profit from the act and seemingly that it is somehow their right to take advantages of weaknesses in security simply because they are 'superior' in some way.

I see a noticable decline in the amount of spam in my inboxes of late. People claimed that the current federal legislation regarding spam wasn't enough and yet I see stories of people being prosecuted under these law successfully and when these people are put out of business, most all see a difference -- an improvement. It's working.

We don't need more legislation, but we do need to up the level of aggression in persuing these people and up the amount of punishment they are given when they are caught. While they are thinking about their planned attacks, they need to have cause to consider the potential cost to their lives as well.

The subject field is important

[trifish (826353)]

If you did not open a mail whose subject was "New Graphic Site", you are not infected.

Reference: Symantec advisory at http://securityresponse.symantec.com/avcenter/venc /data/js.yamanner@m.html [symantec.com]

"a flaw in JavaScript"?

[bcmm (768152)]

A flaw in whose JS implementation then?

The warm may not be as "innocent"

[trifish (826353)]

Some people tend to think that this worm is harmless (just "spreading itself"). But the worm actually sends the harvested email adresses to an external site - www.av3.net [which I wouldn't dare to browse to].

Here are the technical details of the worm:

1) Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:

From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.

2) Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.

3) Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.

4) Targets email addresses from the @yahoo.com and @yahoogroups.com domains.

5) Contacts the following URL:

[http://]www.av3.net/index.htm

6) Sends a list of email addresses gathered to the above URL.

Re:The warm may not be as "innocent"

[houghi (78078)]

www.av3.net [which I wouldn't dare to browse

I did.
1) whois info:
Domain name: av3.net
Registrant Contact:
Whois Privacy Protection Service, Inc.
Whois Agent (skxbmllxtv@whoisprivacyprotect.com)
+1.4252740657
Fax: +1.4256960234
PMB 368, 14150 NE 20th St - F1
C/O av3.net
Bellevue, WA 98007
US

2) houghi@penne : curl -I www.av3.net
HTTP/1.1 302 Objec

Why isn't Yahoo saying anything about this?

[shotgunefx (239460)]

Don't see anything on the home page, my.yahoo, or even the login page of yahoo mail.

That's pretty shitty. How hard would it be to add a warning and some helpful directions to the template of the login page?

Yay for NoScript!

[gardyloo (512791)]

Bless Firefox and the NoScript (https://addons.mozilla.org/firefox/722/ [mozilla.org]) extension.

Re:Very interesting

[roman_mir (125474)]

My ISP is Rogers (I live in Toronto, Canada,) they are a fast cable ISP but they outsorced their email handling to Yahoo. So I have an email account @rogers.com and I have to type my full email address to log into Yahoo. So I guess all Rogers customers maybe affected by this worm.

Re:Very interesting

[o'reor (581921)]

The article only mentions the systems affected (only Windows systems apparently) but not the browsers. However, it is the browser that executes the Javascript code, which steals the e-mail addresses from the Yahoo! address book. So, are they sure that a Linux-based system with Mozilla (such as mine) would not be affected by the worm ?

Re:Very interesting

[99BottlesOfBeerInMyF (813746)]

The article only mentions the systems affected (only Windows systems apparently) but not the browsers.

The list was copied from McAffee's standard bug report. It works on any browser that runs javascripts (properly) by default and opens the message within yahoo mail.

So, are they sure that a Linux-based system with Mozilla (such as mine) would not be affected by the worm ?

I believe it will execute under Linux+Mozilla by default. Enable the "NoScript" plugin to stop it from executing without your permis

Re:Very interesting

[PFI_Optix (936301)]

Any that will execute JS, from the look of it.

FireFox + NoScript for the win.

Re:Not everyone affected...

[neonprimetime (528653)]

you could also not open werid emails from people you don't know

Yeah, but this spreads via your Yahoo! contact list ... and thus I received this worm email "from" one of my friends ... so it's not just coming from random accounts, it's coming from people who have you in their contact list.

Re:Not everyone affected...

[0123456 (636235)]

"I received this worm email "from" one of my friends ... so it's not just coming from random accounts, it's coming from people who have you in their contact list."

Ditto. I got hit by this because it came from someone I know and had a reasonably plausible subject line.

Re:"This worm is a 2."

[BobVH (930696)]

Just copy-pasted this off symantec:

Category 5 - Very Severe
Highly dangerous threat type, very difficult to contain. All machines should download the latest virus definitions immediately and execute a scan. Email servers may need to come down. All three threat metrics must be High.

* Wild: High
* Damage: High
* Distribution: High

Category 4 - Severe
Dangerous threat type, difficult to contain. The latest virus definitions shoul

Here ya go

[hal9000(jr) (316943)]

from Learn about threat levels [symantec.com].
ThreatCon Level 1
Low : Basic network posture This condition applies when there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted. Automated systems and alerting mechanisms should be used.
Threatcon Level 2
Medium : Increased alertness
This condition applies when knowledge or the expectation of attack

Re:"This worm is a 2."

[format1337 (957144)]

we're at terror alert orange! Which means something might go down somewhere in some way at some point in time. So look sharp!

Re:JavaScript and CSS

[fputs(shit, slashdot (645337)]

Redesign CSS now so it does not depend on enabling JavaScript.

Try:

crack-cocaine { smoke: false; }

Re:Symantec's rate "2" seems ok to me.

[creimer (824291)]

Anyway, i don't think anyone is using yahoo or other webmails for prefessional activities.

Oh, really? As a contractor, I used Yahoo! email to communicate with the outfit that cuts my paycheck and to send in my hours to the manager at the job site. Why? Because I don't have access to my regular email account from the job site due to the firewall configuration. Go figure.