Worm Wriggles Through Yahoo! Mail Flaw 186

Jasen Bell writes to mention a ZDNet article about a clever new worm affecting users of Yahoo!'s email service. The virus uses a flaw in JavaScript to infect a computer when an email is opened from the user's web-based mail. From the article: "The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said. Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.' The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."
  • by neonprimetime ( 528653 ) on Tuesday June 13, 2006 @10:07AM (#15523631)
    Yamanner arrives in a Yahoo mailbox bearing the subject header "New Graphic Site."

    Damn ... I opened an email like this yesterday ... the reason being that it was "from" one of my friends (they were marked as the sender). As soon as it opened I knew I f!cked up ... per a Javascript popup window shooting up ... grrr ...
  • by neonprimetime ( 528653 ) on Tuesday June 13, 2006 @10:14AM (#15523680)
    you could also not open weird emails from people you don't know

    Yeah, but this spreads via your Yahoo! contact list ... and thus I received this worm email "from" one of my friends ... so it's not just coming from random accounts, it's coming from people who have you in their contact list.
  • by BobVH ( 930696 ) on Tuesday June 13, 2006 @10:17AM (#15523700)
    Just copy-pasted this off symantec:

    Category 5 - Very Severe
    Highly dangerous threat type, very difficult to contain. All machines should download the latest virus definitions immediately and execute a scan. Email servers may need to come down. All three threat metrics must be High.

            * Wild: High
            * Damage: High
            * Distribution: High

    Category 4 - Severe
    Dangerous threat type, difficult to contain. The latest virus definitions should be downloaded immediately and deployed.

            * Wild: High
            * Damage or Distribution: High

    Category 3 - Moderate
    Threat type characterized either as highly wild (but reasonably harmless and containable) or potentially dangerous (and uncontainable) if released into the wild.

            * Wild: High
                or
            * Damage: High and Distribution: High

    Category 2 - Low
    Threat type characterized either as low or moderate wild threat (but reasonably harmless and containable) or non-wild threat characterized by an unusual damage or spread routine, or perhaps by some feature of the virus that makes headlines in the news.

            * Damage: High
                or
            * Distribution: High
                or
            * Wild: Low or Moderate

    Category 1 - Very Low
    Poses little threat to users. Rarely even makes headlines. No reports in the wild.

            * Wild: Low
            * Damage or Distribution: Low
  • Here ya go (Score:3, Informative)

    by hal9000(jr) ( 316943 ) on Tuesday June 13, 2006 @10:20AM (#15523719)
    from Learn about threat levels [symantec.com].
    ThreatCon Level 1
    Low : Basic network posture
    This condition applies when there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted. Automated systems and alerting mechanisms should be used.
    Threatcon Level 2
    Medium : Increased alertness
    This condition applies when knowledge or the expectation of attack activity is present, without specific events occurring or when malicious code reaches a moderate risk rating. Under this condition, a careful examination of vulnerable and exposed systems is appropriate, security applications should be updated with new signatures and/or rules as soon as they become available and careful monitoring of logs is recommended. Changes to the security infrastructure are not required.
    Threatcon Level 3
    High : Known threat
    This condition applies when an isolated threat to the computing infrastructure is currently underway or when malicious code reaches a severe risk rating. Under this condition, increased monitoring is necessary, security applications should be updated with new signatures and/or rules as soon as they become available and redeployment and reconfiguration of security systems is recommended. People should be able to maintain this posture for a few weeks at a time, as threats come and go.
    Threatcon Level 4
    Extreme : Full alert
    This condition applies when extreme global network incident activity is in progress. Implementation of measures in this Threat Condition for more than a short period probably will create hardship and affect the normal operations of network infrastructure.
  • Behavior (Score:3, Informative)

    by kevin_conaway ( 585204 ) on Tuesday June 13, 2006 @10:21AM (#15523730) Homepage
    The article doesn't really mention the behavior of the worm and is actually slightly misleading. It doesn't "infect" your computer per se, it harvests your address book contacts and then spams them. From a different article: [theregister.co.uk]

    Once executed, the worm forwards itself to an infected user's contacts on Yahoo! Mail. It also harvests these addresses and sends them to a remote internet server. Only contacts with an email address of either @yahoo.com or @yahoogroups.com are hit by this behaviour.
  • by fatboy ( 6851 ) on Tuesday June 13, 2006 @10:27AM (#15523769)
    Lameness filter got me. Here is a link [groovin.net].
  • by trifish ( 826353 ) on Tuesday June 13, 2006 @10:52AM (#15523943)
    If you did not open a mail whose subject was "New Graphic Site", you are not infected.

    Reference: Symantec advisory at http://securityresponse.symantec.com/avcenter/venc/data/js.yamanner@m.html [symantec.com]
  • by trifish ( 826353 ) on Tuesday June 13, 2006 @10:57AM (#15523989)
    Some people tend to think that this worm is harmless (just "spreading itself"). But the worm actually sends the harvested email addresses to an external site - www.av3.net [which I wouldn't dare to browse to].

    Here are the technical details of the worm:

    1) Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:

    From: Varies
    Subject: New Graphic Site
    Message body: Note: forwarded message attached.

    2) Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.

    3) Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.

    4) Targets email addresses from the @yahoo.com and @yahoogroups.com domains.

    5) Contacts the following URL:

    [http://]www.av3.net/index.htm

    6) Sends a list of email addresses gathered to the above URL.
  • by larkost ( 79011 ) on Tuesday June 13, 2006 @11:03AM (#15524052)
    The poster's question is valid. He/she is asking if the JavaScript worm can actually do anything other than work within the browser, as in how can the worm "infect" the computer. The answer is that it can't. It only harvests the email addresses that are in your Yahoo address book, and emails itself to them, once again through Yahoo. So everything is done within the browser, and there is no compromise outside the browser's sandbox.

    With a little creativity, this could be extended to grab a file off the HD, and send the data to any site it chose, but it does not sound like that is the case here.
  • Re:First reported (Score:4, Informative)

    by Bogtha ( 906264 ) on Tuesday June 13, 2006 @11:25AM (#15524276)

    The article is wrong when it claims that it's "a flaw in JavaScript", it's a flaw in Yahoo's webmail. So the answer to your question is almost certainly: nobody thought it was a good idea to enable JavaScript in emails, the developers working on Yahoo's webmail didn't escape things properly and nobody was doing decent QA to catch the mistake the developers made. So basically, it's a management error.

    There doesn't seem to be detailed technical information available anywhere, but it sounds very much like it's just a specialised form of an XSS attack, where you sneak code into the application in such a way that the application doesn't encode it properly for output to another user.

  • by Anonymous Coward on Tuesday June 13, 2006 @11:51AM (#15524543)
    Unfortunately, users who have not already switched to the Yahoo Beta can not do it on the fly. You have to 'apply' for the program, and it can take weeks before you are admitted.
  • by mamer-retrogamer ( 556651 ) on Tuesday June 13, 2006 @11:57AM (#15524604)
    If not a full-fledged email harvester, it may well be a simple proof of concept. I went to the above site from a sandboxed browser on an obscure platform and other than an innocent enough looking graphics site, I found it was hosting a webstats4u counter. If not after the (relatively spam-laden) Yahoo email addresses, this may well be what the originator of the virus was targeting--just a test to see what kind of traffic this virus could achieve. Looking at the following graph: Page views per day [webstats4u.com], it appears the site had virtually no traffic on or before June 10th. All of a sudden (when the virus was released, I assume), it got 34,925 hits on June 11th and then an incredible 149,438 hits on June 12th. Not surprisingly, the majority of this traffic originated from the United States (that is where Yahoo's servers are, right?). Interestingly, 5% of the total hits came from Iran.
  • by Friar_MJK ( 814134 ) on Tuesday June 13, 2006 @02:12PM (#15526065)
    Do a search on Sourceforge for it. Lets you download all your Yahoo mail with any POP3 compatible client. There are others for hotmail and other services, but of course Yahoo POPS is the relevant one to this issue. As you can see, there is already an incentive to start using it instead - keeps away those nasty web-based worms. You can always still disable images/javascript in your e-mail client just the same as your browser. Think how many times you need javascript on to read an e-mail versus to make a website work. Problem solved.
  • by fizbin ( 2046 ) <martin@s[ ]plow.org ['now' in gap]> on Tuesday June 13, 2006 @04:39PM (#15527476) Homepage
    It's fixed on yahoo's servers now, but according to the source link posted earlier, the flaw that's being exploited seems to be a bug in how yahoo parses html attributes. The bug sends itself as:

    <img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif'
    target=""onload="whole bunch of crappy javascript here that uses only
    single quotes and just goes on and on">

    Note the lack of a space between the 'target' bit and the 'onload' bit. Now, apparently "target" is one of the HTML attributes that yahoo allows through on an IMG tag (why?). Anyway, it appears that yahoo's servers see both the target and the onload bit as one big long target attribute and let it through, whereas most browsers see that as a separate "target" and "onload" attribute and execute the javascript as soon as the image (one of the standard yahoo mail images, so it'll likely already be in the browser cache) is loaded.

    The lesson here? I'm not really sure, beyond "double- and triple-check your parsing routines, since they will be used in security-sensitive code".
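    The attribute-parsing bug fizbin describes, and the output-encoding failure Bogtha calls an XSS, can be shown side by side. This is an added example, not fizbin's, Yahoo's or the worm's code: it assumes a hypothetical filter that allow-lists IMG attributes and uses a constructed sample tag with a harmless placeholder handler body. A lenient regex reads target=""onload="..." as one long target value and passes it through untouched, while tokenizing with Python's html.parser (which splits attributes the way browsers do) and rebuilding the tag drops the onload.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample in the shape described above: an empty target="" value
# with no space before onload=...; the handler body is a placeholder, not
# the worm's script.
SAMPLE = ("<img src='http://example.invalid/mail.gif'\n"
          "target=\"\"onload=\"alert('x')\">")

# Hypothetical allow-list for IMG attributes; target is allowed on purpose,
# to mirror the behaviour the comment describes.
ALLOWED_IMG_ATTRS = {"src", "alt", "width", "height", "target"}

# Lenient pattern: a quoted value runs up to the first closing quote that is
# followed by whitespace, '>' or end of input, so '""onload="..."' is swallowed
# into a single value whose attribute name is 'target'.
LENIENT_ATTR = re.compile(r"""(\w+)=(?:"(.*?)"|'(.*?)')(?=[\s>]|$)""", re.S)


def lenient_filter(tag):
    """Allow-list by attribute name and re-emit the raw attribute text."""
    kept = [m.group(0) for m in LENIENT_ATTR.finditer(tag)
            if m.group(1).lower() in ALLOWED_IMG_ATTRS]
    return "<img " + " ".join(kept) + ">"


class _AttrCollector(HTMLParser):
    """Collect the attributes of the first <img> as a browser would split them."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img" and not self.attrs:
            self.attrs = attrs


def strict_filter(tag):
    """Tokenize with a real HTML parser, then rebuild the tag from allowed
    attributes only, with every value re-quoted and escaped."""
    parser = _AttrCollector()
    parser.feed(tag)
    parser.close()
    kept = ['%s="%s"' % (name, escape(value or "", quote=True))
            for name, value in parser.attrs
            if name.lower() in ALLOWED_IMG_ATTRS]
    return "<img " + " ".join(kept) + ">"


if __name__ == "__main__":
    print("lenient:", lenient_filter(SAMPLE))   # onload survives the filter
    print("strict: ", strict_filter(SAMPLE))    # onload is gone
```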
