
Worm Wriggles Through Yahoo! Mail Flaw

Posted by Zonk
from the descriptive-imagery dept.
Jasen Bell writes to mention a ZDNet article about a clever new worm affecting users of Yahoo!'s email service. The virus uses a flaw in JavaScript to infect a computer when an email is opened from the user's web-based mail. From the article: "The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said. Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.' The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."

  • by Anonymous Coward
    I have a copy of this. I can forward it to anyone with a Yahoo! Mail account for further inspection. Isn't Open Source wonderful?
  • Yamanner arrives in a Yahoo mailbox bearing the subject header "New Graphic Site."

    Damn ... I opened an email like this yesterday ... the reason being was because it was "from" one of my friends (they were marked as the sender). As soon as it opened I knew I f!cked up ... per a Javascript popup window shooting up ... grrr ...
    • Yet another lesson in why webmail is such a bad idea. By using the wrong tool (web browser) for the job (email), the user suffers twofold:
      1. Using cryptographic signatures to verify that an email is really from your friend, before you trust its contents, simply isn't an option.
      2. Stuff is rendered in too powerful of an environment. Normally, Javascript inside an email would not be a threat, because there wouldn't be any way to execute it -- accidentally or even deliberately.

      Webmail sucks. Death to webmail

      • Using cryptographic signatures to verify that an email is really from your friend, before you trust its contents, simply isn't an option.

        well, the email *was* from his friend. His friend was infected. If his friend was using a standalone email client and using cryptographic signatures, then most likely, his friend would have entered his password for PGP or whatever, and that password would be stored in memory, and then when the virus took over his account and started sending mail, the virus would sign the
        • This is in theory possible. But PGP and similar signing mechanisms are SO rare that, so far, few viruses or worms bothered to implement a routine to actually sign your mails properly.

          It will be a problem as soon as it becomes common practice, that's a given.
        • If his friend was using a standalone email client ...then when the virus took over his account and started sending mail, the virus would sign the mail.

          This virus uses Javascript. So unless your email client automatically runs Javascript, you're safe. I don't think even OE does that any more.

          • Given that it only affects Yahoo Mail users reading through the web interface, I'd say their clients probably do run Javascript :)

            Yahoo sanitises emails to disable Javascript, but the worm exploits a bug in their code in order to get around this restriction.

            The sane option, of course, would be for webmail clients to just operate in plain text mode - convert any text/html parts to text/plain (lynx -dump, perhaps) before the user sees them. I suspect a large number of people would complain that they couldn'

      • I agree with the parent on the bullet points, but I think the conclusion "death to webmail" is barking up the wrong tree. The real issue goes back to point number two: rendered in too powerful an environment. If e-mail was ALWAYS treated as text, instead of trying to support HTML and mime types blah blah then having a safe webmail interface would simply mean a control that shows the text as text only with no possible execution. Simple and what e-mail was always meant to be. If you need to send "pretty"
        • by Anonymous Coward
          I don't have a problem with rendering HTML in webmail or any other mail. Javascript is not HTML, however, and should NEVER be activated with webmail. A proper webmail client needs to filter out all script tags before display. They are not needed.
    • Your "JavaScript"? (Score:4, Insightful)

      by Elixon (832904) on Tuesday June 13, 2006 @11:02AM (#15524041) Homepage Journal
      "flaw in JavaScript" - you really mean "flaw in JavaScript" or flaw in the implementation of the so-called "JavaScript"? I mean - all browsers with "JavaScript" are affected? Including mobile devices, linuxes, unixes...?
    • Oh well, you pays your money and you takes your choice....
    • Do a search on Sourceforge for it. Lets you download all your Yahoo mail with any POP3 compatible client. There are others for hotmail and other services, but of course Yahoo POPS is the relevant one to this issue. As you can see, there is already an incentive to start using it instead - keeps away those nasty web-based worms. You can always still disable images/javascript in your e-mail client just the same as your browser. Think how many times do you need javascript on to read an e-mail versus make a
  • With respect to:
    Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.'
    According to Symantec [symantec.com], "The worm cannot run on the newest version of Yahoo Mail Beta." so I would use that if you are nervous, then again, you could also not open weird emails from people you don't know.
    • you could also not open weird emails from people you don't know

      Yeah, but this spreads via your Yahoo! contact list ... and thus I received this worm email "from" one of my friends ... so it's not just coming from random accounts, it's coming from people who have you in their contact list.
  • Fixed. (Score:4, Insightful)

    by Se7enLC (714730) on Tuesday June 13, 2006 @10:10AM (#15523657) Homepage Journal
    Fixed: At the time of the advisory, there was no patch for the vulnerability. But by later on Monday, Yahoo said it had come up with a fix for the flaw, which it said had affected very few of its customers.

    I have to say I agree with the low threat level. All the virus does is propagate and collect email addresses, and only on yahoo. If you have a yahoo email address, you're getting spam anyway, so how will you even know the difference?
    • > If you have a yahoo email address, you're getting spam anyway, so how will you even know the difference?

      Great point. Is it only me or has Yahoo Mail hit the bottom of the barrel? My hotmail account (and it's used for domain registrations) gets 2-3 spam emails a day (and these go to the junk mail folder 99% of the time). My gmail account gets about 2 a week. Yahoo gets over 50 a day and I don't even use it that much.

      • You may just be unlucky with your Yahoo account.

        I have a yahoo mail address that I have used actively for years, and only receive a few spam a week.
        • I have a Yahoo Mail account that I haven't actively used for almost 5 years, signed up for back in (I think) 1996 or 1997 when it was still under Geocities. When I checked the account back in November of this year, I had 4,630 bulk mails, and 1,829 mails in the inbox, 99.99% of which was also useless junk.

          Just since reactivating the account about 20 minutes ago, I already have 5 bulk mails.
        • I have a yahoo mail address that I have used actively for years, and only receive a few spam a week.

          Mine was the same, till about three months ago, when I started getting Japanese spam promoting porn sites. Now I get about 20 a day like that, and recently Pakistani stock market "tips" and Nigerian 419s. Occasionally I get a blank message; presumably some bastard has bought my address and is testing it before sending more spam. So I activated Yahoo's spam filters, which gets most of it. But it occasionally

      • My gmail account receives about 25-40 a week. Of course the filter catches them all. It even sometimes catches mail that it isn't supposed to.

        My juno account however receives 20-30 a day and its filter catches 3-5.

        It's a good thing I just use juno for junk mail filtering.
    • Re:Fixed. (Score:3, Funny)

      by tehwebguy (860335)
      yes, actually i was the one who came up with the fix for it.
      it went something like this:
      $body = strip_tags($body);
  • First reported (Score:5, Insightful)

    by Billosaur (927319) * <wgrother@NosPAm.optonline.net> on Tuesday June 13, 2006 @10:10AM (#15523658) Journal

    Yesterday by The Register [theregister.co.uk]

    My question is: who thought it was a good idea to enable JavaScript in emails? Someone at Yahoo! wasn't paying attention to basic security.

    • by Sloppy (14984)
      My question is: who thought it was a good idea to enable JavaScript in emails?

      My question is: who thought it was a good idea to enable Javascript in web browsers?

    • Somewhere, there's an advertising executive with big bucks who thinks it would be a great idea to enable ring-0 kernel mode privileged assembly code in email so they can not only install a new graphics driver, but also set the screen resolution and audio level to appropriate levels for optimum customer experience of their special purchasing opportunity announcements.

    • Re:First reported (Score:4, Informative)

      by Bogtha (906264) on Tuesday June 13, 2006 @11:25AM (#15524276)

      The article is wrong when it claims that it's "a flaw in JavaScript", it's a flaw in Yahoo's webmail. So the answer to your question is almost certainly: nobody thought it was a good idea to enable JavaScript in emails, the developers working on Yahoo's webmail didn't escape things properly and nobody was doing decent QA to catch the mistake the developers made. So basically, it's a management error.

      There doesn't seem to be detailed technical information available anywhere, but it sounds very much like it's just a specialised form of an XSS attack, where you sneak code into the application in such a way that the application doesn't encode it properly for output to another user.

    • Yahoo! has been fighting a bitter battle with much collateral damage for years to keep Javascript out of email bodies. In 2002, they're the ones who got hit by the discovery that legacy code in browsers would recognize every single obsolete code name that Javascript ever had as a script tag. Yahoo! attracted some criticism when people discovered that the word "mocha" was getting rewritten. See Wikipedia for details.
  • by leuk_he (194174) on Tuesday June 13, 2006 @10:14AM (#15523679) Homepage Journal
    I thought the security of yahoo would have captured an old [wikipedia.org] javascript virus by now. But I do not understand: how can this javascript break out of the browser? Isn't yahoo just a webmail website? Then how would the local pc be affected? Why would you have to scan your pc as Symantec tells you?

    Ok, the virus can send a lot of e-mails and break the yahoo mail system. Or is there something about yahoo mail I do not understand?
    • A JavaScript ..erm...script should be treated as an executable. Sure, it's based on Yahoo's servers, but when you open it, it's run on YOUR PC and will do whatever good/evil deeds it's written to do.

      I think that a bigger detriment to your system comes with running modern Symantec products! AVG, ZA, and S&D make my day.
      • by larkost (79011) on Tuesday June 13, 2006 @11:03AM (#15524052)
        The poster's question is valid. He/she is asking if the JavaScript worm can actually do anything other than work within the browser, as in how can the worm "infect" the computer. The answer is that it can't. It only harvests the email addresses that are on your Yahoo addressbook, and emails itself to them, once again through Yahoo. So everything is done within the browser, and there is no compromise outside the browser's sandbox.

        With a little creativity, this could be extended to grab a file off the HD, and send the data to any site it chose, but it does not sound like that is the case here.
    • Where antivirus fits into this is the module that sniffs incoming HTML for nasty payloads. Anyone who talks about scanning the PC is simply confused and trying to spread their confusion. You're not missing anything.
  • As I understand it, this doesn't infect the computer it runs on, it just uses the evils of Javascript to grab addresses from your contacts list and forward a copy to everyone in there while passing them on to a spammer site. There should be nothing left behind to 'infect' the computer it runs on, and it will run on anything that supports Javascript... which is needed to use Yahoo mail in the first place.

    Just another reason why Javascript is evil.
  • Symantec (Score:4, Insightful)

    by omeomi (675045) on Tuesday June 13, 2006 @10:16AM (#15523691) Homepage
    Symantec is rating the threat a '2.'

    The lowball number is interesting, especially given the fact that Symantec is the company charged with the task of keeping an outbreak like this from happening:

    Symantec to scan Yahoo Mail for viruses [infoworld.com]
    • Exactly what did yahoo do to make Symantec angry?
    • Re:Symantec (Score:2, Insightful)

      by Justin Shreve (943584)

      The article you linked to mentions that it is Symantec's job to scan Yahoo attachments for viruses.

      This Worm that we are talking about though is not even passed via attachments so there is no way (with the agreement mentioned in that article) that Symantec can actually clean it for Yahoo.

      "Unlike its predecessors, which would require the user to open an attachment in order to launch and propagate, JS-Yamanner makes use of a security hole in the Yahoo! web mail program in order to spread to other Yahoo!

    • On the Symantec site, they estimate the number of infections as "50". Sounds like a pretty low threat to me. Also, Yahoo prescans emails for spamminess and moves suspect ones to a bulk folder automatically, so they'll likely be able to handle this "threat" pretty easily.
    • I have a good theory why :) Like norton antivirus wasn't running at all?

      http://img155.imageshack.us/my.php?image=norton2cn.png [imageshack.us]

      Yep, I took that screenshot and sent to Kaspersky.ru saying they should donate AV to Yahoo. I hope it reached Mr. Kaspersky somehow and they didn't ban me from mail servers.
  • by NynexNinja (379583) on Tuesday June 13, 2006 @10:17AM (#15523697)
    The article is lacking many details, like specifically which browsers seem to be vulnerable to this problem, or even if this is a browser bug that it is exploiting.... It could be a server side problem they are exploiting, or a client side browser bug. It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder, although from the article it is impossible to determine this.
    • My guess is that it's a bug in the yahoo webmail application itself, rather than a bug in javascript per se - therefore it is not limited by which browser you have, as you need javascript enabled to use yahoo mail.

      The bug probably lies in the ability to access yahoo's own webmail javascripts to obtain addresses and send mails from a script within the mail itself. Presumably they have tried to block scripts from doing this, but not successfully.

      Their webmail beta rocks, by the way - it kicks hotmail's equiv

    • The article is lacking many details, like specifically which browsers seem to be vulnerable to this problem, or even if this is a browser bug that it is exploiting.... It could be a server side problem they are exploiting, or a client side browser bug.

      It is a server side bug. They allow javascript to run in mail messages.

      It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder

      I saw it work under OS X 10.4 and Safari in my GF's account. For

    • It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder, although from the article it is impossible to determine this.

      I was wondering this, too. Why aren't users of Firefox/Linux affected?
    • by fizbin (2046) <martin@snowplow. o r g> on Tuesday June 13, 2006 @04:39PM (#15527476) Homepage
      It's fixed on yahoo's servers now, but according to the source link posted earlier, the flaw that's being exploited seems to be a bug in how yahoo parses html attributes. The bug sends itself as:

      <img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ ma_mail_1.gif'
      target=""onload="whole bunch of crappy javascript here that uses only
      single quotes and just goes on and on">

      Note the lack of a space between the 'target' bit and the 'onload' bit. Now, apparently "target" is one of the HTML attributes that yahoo allows through on an IMG tag (why?). Anyway, it appears that yahoo's servers see both the target and the onload bit as one big long target attribute and let it through, whereas most browsers see that as a separate "target" and "onload" attribute and execute the javascript as soon as the image (one of the standard yahoo mail images, so it'll likely already be in the browser cache) is loaded.

      The lesson here? I'm not really sure, beyond "double- and triple-check your parsing routines, since they will be used in security-sensitive code".
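
Added example, not part of the thread and not Yahoo's code: a sketch of the parser mismatch fizbin describes, next to a filter that tokenizes attributes the way browsers do and re-serializes only what it parsed. The naive filter is a hypothetical model of the flawed behaviour; the sample tag, host name, allowlist and function names are all assumptions.

```javascript
// Constructed sample modelled on the markup quoted above; the handler body
// is an inert placeholder and the host is a reserved test name.
const SAMPLE =
  `<img src='http://example.invalid/ma_mail_1.gif' target=""onload="/* handler */">`;

const ALLOWED = new Set(['src', 'alt', 'target']); // assumed allowlist

// Split a single start tag into [tagName, attributeText].
function parts(tag) {
  const m = /^<([a-zA-Z][a-zA-Z0-9]*)\s*([\s\S]*)>$/.exec(tag.trim());
  if (!m) throw new Error('expected a single start tag');
  return [m[1].toLowerCase(), m[2]];
}

// Hypothetical model of the flawed filter: an attribute is whatever sits
// between runs of whitespace outside quotes; its name is the text before '='.
function naiveFilter(tag) {
  const [name, body] = parts(tag);
  const tokens = [];
  let cur = '', quote = null;
  for (const ch of body) {
    if (quote) { cur += ch; if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") { cur += ch; quote = ch; }
    else if (/\s/.test(ch)) { if (cur) tokens.push(cur); cur = ''; }
    else cur += ch;
  }
  if (cur) tokens.push(cur);
  const kept = tokens.filter(t => ALLOWED.has(t.split('=')[0].toLowerCase()));
  return `<${name} ${kept.join(' ')}>`;
}

// Browser-style tokenizer (simplified): a quoted value ends at its closing
// quote, and the next attribute name may start immediately after it.
function browserAttrs(body) {
  const ws = c => c !== undefined && /[\t\n\f\r ]/.test(c);
  const attrs = [];
  let i = 0;
  while (i < body.length) {
    while (ws(body[i]) || body[i] === '/') i++;
    let start = i;
    while (i < body.length && !ws(body[i]) && body[i] !== '=' && body[i] !== '/') i++;
    const name = body.slice(start, i).toLowerCase();
    while (ws(body[i])) i++;
    let value = '';
    if (body[i] === '=') {
      i++;
      while (ws(body[i])) i++;
      const q = body[i];
      if (q === '"' || q === "'") {
        const end = body.indexOf(q, i + 1);
        value = body.slice(i + 1, end === -1 ? body.length : end);
        i = end === -1 ? body.length : end + 1;
      } else {
        start = i;
        while (i < body.length && !ws(body[i])) i++;
        value = body.slice(start, i);
      }
    }
    if (name) attrs.push([name, value]);
  }
  return attrs;
}

// Attribute names a browser would see in the given tag.
function attrNames(tag) {
  return browserAttrs(parts(tag)[1]).map(([k]) => k);
}

const escapeAttr = v => v.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Hardened filter: same allowlist, but the decision is made per parsed
// attribute and the output is rebuilt from the parsed model, so the filter
// and the browser cannot disagree about where one attribute ends.
function sanitize(tag) {
  const [name, body] = parts(tag);
  const seen = new Set();
  const out = [];
  for (const [k, v] of browserAttrs(body)) {
    if (seen.has(k)) continue;          // browsers keep the first duplicate
    seen.add(k);
    if (!ALLOWED.has(k)) continue;      // drops onload and every other handler
    if (k === 'src' && !/^https?:\/\//i.test(v)) continue;
    out.push(`${k}="${escapeAttr(v)}"`);
  }
  return `<${name}${out.length ? ' ' + out.join(' ') : ''}>`;
}
```

The naive filter passes the sample through unchanged because it only ever sees the names `src` and `target`, while `attrNames` on the same output reports `onload` as a third attribute; `sanitize` emits only `src` and `target`.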
  • Spread? (Score:3, Interesting)

    by argStyopa (232550) on Tuesday June 13, 2006 @10:19AM (#15523712) Journal
    I just got a wave of mails in my gmail box that are from random senders, with multiple small 1-4k attachments.

    Anyone have any idea if this works on/through gmail too?

    • but this doesn't actually infect the user's computer; it harvests e-mails from the user's machine, but it uses Yahoo's server to perpetrate its evil.

      I'm pretty sure gMail is safe from this particular exploit.

    • If you're curious, you can presumably use Gmail's POP service to read your messages in a client that doesn't support JavaScript (most, if not all, standalone email clients). That way you can inspect the headers, read the email and even assess the attachment without having to worry about any embedded JS.

      While I have a Gmail account, I haven't checked it via the web interface for months now - checking it in Evolution gives me more power over sorting, filtering, etc. And while being able to access your mail
    • I just got a wave of mails in my gmail box that are from random senders, with multiple small 1-4k attachments.

      Anyone have any idea if this works on/through gmail too?

       
      Nah, that was just me, fooling with ya...sorry.
    • This would not surprise me since many parts of Gmail require Javascript.
    • by Scorchio (177053)
      I received a couple of infected messages through a Yahoo groups subscription, which comes to my gmail account. The javascript was displayed as plain text, and I could see it was issuing requests to the Yahoo webmail system to extract user IDs and contacts. As far as I could tell, if you're not reading the email from within Yahoo's webmail reader, the script is not going to achieve anything.
  • Behavior (Score:3, Informative)

    by kevin_conaway (585204) on Tuesday June 13, 2006 @10:21AM (#15523730) Homepage
    The article doesn't really mention the behavior of the worm and is actually slightly misleading. It doesn't "infect" your computer per se, it harvests your address book contacts and then spams them. From a different article: [theregister.co.uk]

    Once executed, the worm forwards itself to an infected users' contacts on Yahoo! Mail. It also harvests these address and sends them to a remote internet server. Only contacts with an email address of either @yahoo.com or @yahoogroups.com are hit by this behaviour.
  • I just tried to compose an email in my Yahoo! email account and was informed that my contact list failed to load. So did the worm eat my contact list?
  • I've seen lots of complaints about people using javascript and Yahoo!'s use of it. Yahoo!'s beta version is not affected by this worm.

    FTFA, "The Yamanner worm targets all versions of Yahoo Web-based mail except the latest beta version, Symantec said in an advisory released Monday." (Emphasis mine)

  • by fatboy (6851) on Tuesday June 13, 2006 @10:27AM (#15523769)
    Lameness filter got me. Here is a link [groovin.net].
  • Crime and punishment (Score:4, Interesting)

    by erroneus (253617) on Tuesday June 13, 2006 @10:48AM (#15523919) Homepage
    In short, I believe there should be some very stiff penalties to pay if it is proven that someone has written and deployed malware of this sort. There should be prison time and forfeiture of any money and assets acquired as a result of gains from this activity.

    People often complain that punishment is too severe for this otherwise 'harmless' activity (and often compared to more heinous crimes such as assault, robbery, murder sex/child related crimes) and that damages are quite often exaggerated beyond reason. I can't say much about exaggerated damages, but I can say that in addition to other classifications of crimes, I also consider the following:

    Planned/premeditated or not. Many aspects of the more heinous crimes where punishment is often less than these "white collar" crimes are not planned or premeditated. They are driven by little more than emotional or other motives. There is something more cold, more dark and indeed more arrogant when it comes to crimes such as the act of creating and deploying an internet worm. There is no question that what they are doing is immoral and illegal. They perform the act believing they will not be caught, that they will profit from the act and seemingly that it is somehow their right to take advantages of weaknesses in security simply because they are 'superior' in some way.

    I see a noticeable decline in the amount of spam in my inboxes of late. People claimed that the current federal legislation regarding spam wasn't enough and yet I see stories of people being prosecuted under these laws successfully and when these people are put out of business, most all see a difference -- an improvement. It's working.

    We don't need more legislation, but we do need to up the level of aggression in pursuing these people and up the amount of punishment they are given when they are caught. While they are thinking about their planned attacks, they need to have cause to consider the potential cost to their lives as well.
    • In short, I believe there should be some very stiff penalties to pay if it is proven that someone has written and deployed malware of this sort. There should be prison time and forfeiture of any money and assets acquired as a result of gains from this activity.

      Why prison time? Is it that you believe this will work as a deterrent (even though in your post you write "They perform the act believing they will not be caught...") or is it that you believe that prison will reform them, or is it that you believe

    • >They perform the act believing they will not be caught, that they will profit from the act

      That describes botnet builders and those like them.

      What's appropriate for a case like this one, where there's no visible profit motive? [Bad car analogy]The crime here is sort of like joyriding, a clear infringement of the rights of others but (by default) not doing permanent damage (though certainly risking it) and not profiting the perpetrators.[/Bad car analogy]
  • by trifish (826353) on Tuesday June 13, 2006 @10:52AM (#15523943)
    If you did not open a mail whose subject was "New Graphic Site", you are not infected.

    Reference: Symantec advisory at http://securityresponse.symantec.com/avcenter/venc/data/js.yamanner@m.html [symantec.com]
  • by bcmm (768152) on Tuesday June 13, 2006 @10:56AM (#15523982)
    A flaw in whose JS implementation then?
  • by trifish (826353) on Tuesday June 13, 2006 @10:57AM (#15523989)
    Some people tend to think that this worm is harmless (just "spreading itself"). But the worm actually sends the harvested email addresses to an external site - www.av3.net [which I wouldn't dare to browse to].

    Here are the technical details of the worm:

    1) Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:

    From: Varies
    Subject: New Graphic Site
    Message body: Note: forwarded message attached.

    2) Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.

    3) Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.

    4) Targets email addresses from the @yahoo.com and @yahoogroups.com domains.

    5) Contacts the following URL:

    [http://]www.av3.net/index.htm

    6) Sends a list of email addresses gathered to the above URL.
    • If not a full-fledged email harvester, it may well be a simple proof of concept. I went to the above site from a sandboxed browser on an obscure platform and other than an innocent enough looking graphics site, I found it was hosting a webstats4u counter. If not after the (relatively spam-laden) Yahoo email addresses, this may well be what the originator of the virus was targeting--just a test to see what kind of traffic this virus could achieve. Looking at the following graph: Page views per day [webstats4u.com], it appear
    • www.av3.net [which I wouldn't dare to browse

      I did.
      1) whois info:
      Domain name: av3.net
      Registrant Contact:
      Whois Privacy Protection Service, Inc.
      Whois Agent (skxbmllxtv@whoisprivacyprotect.com)
      +1.4252740657
      Fax: +1.4256960234
      PMB 368, 14150 NE 20th St - F1
      C/O av3.net
      Bellevue, WA 98007
      US

      2) houghi@penne : curl -I www.av3.net
      HTTP/1.1 302 Objec

    • Looking at the source, it's a Frontpage generated monstrosity covered with animated GIFs and links to Animated GIFs

      meta name="GENERATOR"
      content="Microsoft FrontPage 6.0"

      And they're using a free counter from webstats4u.com for their site statistics.

      I don't think I'll be loading it in a web browser anytime soon. Anyone care to comment on what the site looks like when you open it with something other than VIM?
  • by shotgunefx (239460) on Tuesday June 13, 2006 @11:15AM (#15524156) Journal
    Don't see anything on the home page, my.yahoo, or even the login page of yahoo mail.

    That's pretty shitty. How hard would it be to add a warning and some helpful directions to the template of the login page?
  • Yay for NoScript! (Score:3, Interesting)

    by gardyloo (512791) on Tuesday June 13, 2006 @02:25PM (#15526225)
    Bless Firefox and the NoScript (https://addons.mozilla.org/firefox/722/ [mozilla.org]) extension.
  • Anyone know if the worm is able to wiggle into users with limited accounts?
