Worm Wriggles Through Yahoo! Mail Flaw
Jasen Bell writes to mention a ZDNet article about a clever new worm affecting users of Yahoo!'s email service. The virus uses a flaw in JavaScript to infect a computer when an email is opened from the user's web-based mail. From the article: "The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said. Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.' The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."
Copies available (Score:1, Funny)
Re:Copies available (Score:1)
Fell for this yesterday (Score:2, Informative)
Damn
This is an example of webmail's suckiness (Score:2)
Webmail sucks. Death to webmail
Re:This is an example of webmail's suckiness (Score:3, Insightful)
well, the email *was* from his friend. His friend was infected. If his friend was using a standalone email client and using cryptographic signatures, then most likely, his friend would have entered his password for PGP or whatever, and that password would be stored in memory, and then when the virus took over his account and started sending mail, the virus would sign the
Re:This is an example of webmail's suckiness (Score:2)
It will be a problem as soon as it becomes common practice, that's a given.
Re:This is an example of webmail's suckiness (Score:2)
Re:This is an example of webmail's suckiness (Score:2)
This virus uses Javascript. So unless your email client automatically runs Javascript, you're safe. I don't think even OE does that any more.
Re:This is an example of webmail's suckiness (Score:2)
Given that it only affects Yahoo Mail users reading through the web interface, I'd say their clients probably do run Javascript :)
Yahoo sanitises emails to disable Javascript, but the worm exploits a bug in their code in order to get around this restriction.
The sane option, of course, would be for webmail clients to just operate in plain text mode - convert any text/html parts to text/plain (lynx -dump, perhaps) before the user sees them. I suspect a large number of people would complain that they couldn'
Re:This is an example of webmail's suckiness (Score:3, Insightful)
Re:This is an example of webmail's suckiness (Score:2, Insightful)
Your "JavaScript"? (Score:4, Insightful)
Using IE in Windows by any chance? (Score:2)
You should try Yahoo! POPS (Score:2, Informative)
Not everyone affected... (Score:1)
Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.'
According to Symantec [symantec.com], "The worm cannot run on the newest version of Yahoo Mail Beta." so I would use that if you are nervous, then again, you could also not open weird emails from people you don't know.
Re:Not everyone affected... (Score:3, Informative)
Yeah, but this spreads via your Yahoo! contact list
Re:Not everyone affected... (Score:2)
Ditto. I got hit by this because it came from someone I know and had a reasonably plausible subject line.
Re:Not everyone affected... (Score:1)
Fixed. (Score:4, Insightful)
I have to say I agree with the low threat level. All the virus does is propagate and collect email addresses, and only on yahoo. If you have a yahoo email address, you're getting spam anyway, so how will you even know the difference?
Re:Fixed. (Score:1)
Great point. Is it only me or has Yahoo Mail hit the bottom of the barrel? My hotmail account (and it's used for domain registrations) gets 2-3 spam emails a day (and these go to the junk mail folder 99% of the time). My gmail account gets about 2 a week. Yahoo gets over 50 a day and I don't even use it that much.
Re:Fixed. (Score:2)
I have a yahoo mail address that I have used actively for years, and only receive a few spam a week.
Re:Fixed. (Score:2)
Just since reactivating the account about 20 minutes ago, I already have 5 bulk mails.
Re:Fixed. (Score:2)
Mine was the same, till about three months ago, when I started getting Japanese spam promoting porn sites. Now I get about 20 a day like that, and recently Pakistani stock market "tips" and Nigerian 419s. Occasionally I get a blank message; presumably some bastard has bought my address and is testing it before sending more spam. So I activated Yahoo's spam filters, which gets most of it. But it occasionally
Re:Fixed. (Score:2)
My juno account however receives 20-30 a day and its filter catches 3-5.
It's a good thing I just use juno for junk mail filtering.
Re:Fixed. (Score:3, Funny)
it went something like this:
First reported (Score:5, Insightful)
Yesterday by The Register [theregister.co.uk]
My question is: who thought it was a good idea to enable JavaScript in emails? Someone at Yahoo! wasn't paying attention to basic security.
Re:First reported (Score:2, Funny)
My question is: who thought it was a good idea to enable Javascript in web browsers?
Re:First reported (Score:2, Funny)
Re:First reported (Score:4, Informative)
The article is wrong when it claims that it's "a flaw in JavaScript", it's a flaw in Yahoo's webmail. So the answer to your question is almost certainly: nobody thought it was a good idea to enable JavaScript in emails, the developers working on Yahoo's webmail didn't escape things properly and nobody was doing decent QA to catch the mistake the developers made. So basically, it's a management error.
There doesn't seem to be detailed technical information available anywhere, but it sounds very much like it's just a specialised form of an XSS attack, where you sneak code into the application in such a way that the application doesn't encode it properly for output to another user.
They did try (Score:2)
Medireview virus attacks yahoo. (Score:5, Interesting)
Ok, the virus can send a lot of e-mails and break the yahoo mail system. Or is there something about yahoo mail I do not understand?
Re:Medireview virus attacks yahoo. (Score:2)
I think that a bigger detriment to your system comes with running modern Symantec products! AVG, ZA, and S&D make my day.
Re:Medireview virus attacks yahoo. (Score:5, Informative)
With a little creativity, this could be extended to grab a file off the HD, and send the data to any site it chose, but it does not sound like that is the case here.
Re:Medireview virus attacks yahoo. (Score:2)
Re:Medireview virus attacks yahoo. (Score:2)
Infecting the computer? (Score:2)
Just another reason why Javascript is evil.
Can't we all just leave each other alone? (Score:4, Funny)
Symantec (Score:4, Insightful)
The lowball number is interesting, especially given the fact that Symantec is the company charged with the task of keeping an outbreak like this from happening:
Symantec to scan Yahoo Mail for viruses [infoworld.com]
Makes you wonder. (Score:1, Troll)
Re:Makes you wonder. (Score:3, Interesting)
Huh? All the descriptions I've seen say it just forwards itself to people in your Yahoo! contact list. I've seen nothing about it doing any damage to your PC, browser, or even your Yahoo! mail account. How is that worthy of a rating more than two? Unless I'm missing something, 2 sounds too high. Is there some other evil effect that was discovered and not posted in the messages I've seen so far?
Re:Makes you wonder. (Score:2)
I am humored that Symantec is in charge of virus scanning and they're the ones telling people to scan their systems when they should know tha
Re:Makes you wonder. (Score:2)
Good point. So it rates high for some people using Yahoo (but certainly not all) which, admittedly, is quite a large group. Low rating for everyone else.
Re:Symantec (Score:2, Insightful)
The article you linked to mentions that it is Symantec's job to scan Yahoo attachments for viruses.
This Worm that we are talking about though is not even passed via attachments so there is no way (with the agreement mentioned in that article) that Symantec can actually clean it for Yahoo.
"Unlike its predecessors, which would require the user to open an attachment in order to launch and propagate, JS-Yamanner makes use of a security hole in the Yahoo! web mail program in order to spread to other Yahoo!
Re:Symantec (Score:2)
Re:Symantec (Score:2)
http://img155.imageshack.us/my.php?image=norton2c
Yep, I took that screenshot and sent it to Kaspersky.ru saying they should donate AV to Yahoo. I hope it reached Mr. Kaspersky somehow and they didn't ban me from mail servers.
Exploits a javascript bug? (Score:3, Insightful)
Re:Exploits a javascript bug? (Score:1)
My guess is that it's a bug in the yahoo webmail application itself, rather than a bug in javascript per se - therefore it is not limited by which browser you have, as you need javascript enabled to use yahoo mail.
The bug probably lies in the ability to access yahoo's own webmail javascripts to obtain addresses and send mails from a script within the mail itself. Presumably they have tried to block scripts from doing this, but not successfully.
Their webmail beta rocks, by the way - it kicks hotmail's equiv
Re:Exploits a javascript bug? (Score:3, Funny)
The article is lacking many details, like specifically which browsers seem to be vulnerable to this problem, or even if this is a browser bug that it is exploiting.... It could be a server side problem they are exploiting, or a client side browser bug.
It is a server side bug. They allow javascript to run in mail messages.
It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder
I saw it work under OS X 10.4 and Safari in my GF's account. For
Re:Exploits a javascript bug? (Score:2)
I was wondering this, too. Why aren't users of Firefox/Linux affected?
Re:Exploits a javascript bug? (Score:2)
I checked it and it does work in Firefox.
Here's the flaw that's exploited (Score:4, Informative)
<img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma
target=""onload="whole bunch of crappy javascript here that uses only
single quotes and just goes on and on">
Note the lack of a space between the 'target' bit and the 'onload' bit. Now, apparently "target" is one of the HTML attributes that yahoo allows through on an IMG tag (why?). Anyway, it appears that yahoo's servers see both the target and the onload bit as one big long target attribute and let it through, whereas most browsers see that as a separate "target" and "onload" attribute and execute the javascript as soon as the image (one of the standard yahoo mail images, so it'll likely already be in the browser cache) is loaded.
The lesson here? I'm not really sure, beyond "double- and triple-check your parsing routines, since they will be used in security-sensitive code".
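The attribute-boundary disagreement described in the post above, written out as an added example. This is not code from the thread, from Yahoo's webmail or from the worm; the sample tag, the attribute allowlist and the function names are constructed assumptions. A naive filter that splits the tag on whitespace sees `target=""onload="..."` as a single allowed `target` attribute and passes it through verbatim, while a tokenizer that follows the browser's rules (a quoted value ends at its closing quote, and no whitespace is required before the next attribute name) sees a separate `onload` attribute. The hardened filter fixes the parser, not just the allowlist, and re-serialises only what it kept:

```javascript
// Added example (not from the original thread, Yahoo or the worm): a parsing
// differential between a whitespace-splitting allowlist filter and a
// browser-style HTML attribute tokenizer. Names and sample data are assumed.

// The post says Yahoo let "target" through on IMG tags. It is kept here only to
// reproduce that condition; a real img allowlist should not contain it.
const ALLOWED_IMG_ATTRS = new Set(["src", "alt", "width", "height", "target"]);

// Constructed sample in the shape the post describes: no whitespace between the
// empty target value and the onload handler, and only single quotes inside the
// handler so the double-quoted attribute value never closes early.
const SAMPLE_TAG =
  "<img src='http://example.invalid/i.gif' target=\"\"onload=\"alert('x')\">";

// 1. Naive filter: split on whitespace, take the text before "=" as the name,
//    drop names not on the allowlist, re-emit surviving tokens verbatim.
function naiveFilter(tag) {
  const body = tag.replace(/^<img\s+/i, "").replace(/\s*\/?>$/, "");
  const kept = [];
  for (const token of body.split(/\s+/)) {
    const name = token.split("=")[0].toLowerCase();
    if (ALLOWED_IMG_ATTRS.has(name)) kept.push(token); // whole token, unparsed
  }
  return "<img " + kept.join(" ") + ">";
}

// 2. Browser-style tokenizer (simplified from the HTML attribute states):
//    a name runs until whitespace, "=" or "/"; a quoted value runs to the
//    matching quote; after the closing quote the next non-space character
//    starts a NEW attribute even with no whitespace in between.
function tokenizeAttributes(tag) {
  const s = tag.replace(/^<[a-zA-Z][^\s/>]*/, "").replace(/\/?>$/, "");
  const isWs = (c) => c === " " || c === "\t" || c === "\n" || c === "\f" || c === "\r";
  const attrs = [];
  let i = 0;
  while (i < s.length) {
    while (i < s.length && isWs(s[i])) i++;
    if (i >= s.length) break;
    let name = "";
    if (s[i] === "=") { name = "="; i++; } // spec: stray "=" becomes part of the name
    while (i < s.length && !isWs(s[i]) && s[i] !== "=" && s[i] !== "/") name += s[i++];
    while (i < s.length && isWs(s[i])) i++;
    let value = "";
    if (s[i] === "=") {
      i++;
      while (i < s.length && isWs(s[i])) i++;
      const q = s[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < s.length && s[i] !== q) value += s[i++];
        i++; // closing quote; whatever follows starts the next attribute
      } else {
        while (i < s.length && !isWs(s[i])) value += s[i++]; // unquoted value
      }
    }
    if (name !== "") attrs.push({ name: name.toLowerCase(), value });
    if (s[i] === "/") i++; // self-closing slash
  }
  return attrs;
}

function escapeAttr(v) {
  return v.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// 3. Hardened filter: parse the way the browser will, keep only allowlisted
//    attributes, require http(s) for src, and re-serialise with known quoting.
function hardenedFilter(tag) {
  const kept = [];
  for (const { name, value } of tokenizeAttributes(tag)) {
    if (!ALLOWED_IMG_ATTRS.has(name)) continue;
    if (name === "src" && !/^https?:\/\//i.test(value.trim())) continue;
    kept.push(`${name}="${escapeAttr(value)}"`);
  }
  return "<img " + kept.join(" ") + ">";
}

// True if a browser would see any on* event-handler attribute in the tag.
function hasEventHandler(tag) {
  return tokenizeAttributes(tag).some((a) => a.name.startsWith("on"));
}

console.log("naive   :", naiveFilter(SAMPLE_TAG), hasEventHandler(naiveFilter(SAMPLE_TAG)));
console.log("hardened:", hardenedFilter(SAMPLE_TAG), hasEventHandler(hardenedFilter(SAMPLE_TAG)));
```

The point to check in any filter of this kind is that its view of attribute boundaries matches the consuming browser's; running the output back through a browser-style tokenizer, as `hasEventHandler` does, is a cheap regression test for exactly the class of bug the post describes.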
Spread? (Score:3, Interesting)
Anyone have any idea if this works on/through gmail too?
Didn't get to my wife via her hotmail . . . (Score:2)
I'm pretty sure gMail is safe from this particular exploit.
Re:Spread? (Score:2)
While I have a Gmail account, I haven't checked it via the web interface for months now - checking it in Evolution gives me more power over sorting, filtering, etc. And while being able to access your mail
Re:Spread? (Score:2)
Anyone have any idea if this works on/through gmail too?
Nah, that was just me, fooling with ya...sorry.
Re:Spread? (Score:2)
No (Score:2)
Behavior (Score:3, Informative)
Once executed, the worm forwards itself to an infected user's contacts on Yahoo! Mail. It also harvests these addresses and sends them to a remote internet server. Only contacts with an email address of either @yahoo.com or @yahoogroups.com are hit by this behaviour.
As The Worm Turns... (Score:2)
BETA version not affected (Score:2)
I've seen lots of complaints about people using javascript and Yahoo!'s use of it. Yahoo!'s beta version is not affected by this worm.
FTFA, "The Yamanner worm targets all versions of Yahoo Web-based mail except the latest beta version, Symantec said in an advisory released Monday." (Emphasis mine)
Here is the Source, Luke. (Score:4, Informative)
Crime and punishment (Score:4, Interesting)
People often complain that punishment is too severe for this otherwise 'harmless' activity (and often compared to more heinous crimes such as assault, robbery, murder sex/child related crimes) and that damages are quite often exaggerated beyond reason. I can't say much about exaggerated damages, but I can say that in addition to other classifications of crimes, I also consider the following:
Planned/premeditated or not. Many aspects of the more heinous crimes where punishment is often less than these "white collar" crimes are not planned or premeditated. They are driven by little more than emotional or other motives. There is something more cold, more dark and indeed more arrogant when it comes to crimes such as the act of creating and deploying an internet worm. There is no question that what they are doing is immoral and illegal. They perform the act believing they will not be caught, that they will profit from the act and seemingly that it is somehow their right to take advantages of weaknesses in security simply because they are 'superior' in some way.
I see a noticeable decline in the amount of spam in my inboxes of late. People claimed that the current federal legislation regarding spam wasn't enough and yet I see stories of people being prosecuted under these laws successfully and when these people are put out of business, most all see a difference -- an improvement. It's working.
We don't need more legislation, but we do need to up the level of aggression in pursuing these people and up the amount of punishment they are given when they are caught. While they are thinking about their planned attacks, they need to have cause to consider the potential cost to their lives as well.
Re:Crime and punishment (Score:2)
In short, I believe there should be some very stiff penalties to pay if it is proven that someone has written and deployed malware of this sort. There should be prison time and forfeiture of any money and assets acquired as a result of gains from this activity.
Why prison time? Is it that you believe this will work as a deterrent (even though in your post you write "They perform the act believing they will not be caught...") or is it that you believe that prison will reform them, or is it that you believe
Ethical discussion (Score:2)
That describes botnet builders and those like them.
What's appropriate for a case like this one, where there's no visible profit motive? [Bad car analogy]The crime here is sort of like joyriding, a clear infringement of the rights of others but (by default) not doing permanent damage (though certainly risking it) and not profiting the perpetrators.[/Bad car analogy]
Never mind (Score:2)
The subject field is important (Score:3, Informative)
Reference: Symantec advisory at http://securityresponse.symantec.com/avcenter/ven
"a flaw in JavaScript"? (Score:3, Insightful)
Re:"a flaw in JavaScript"? (Score:2)
It's not a JS implementation flaw, it's a programming flaw. The programming was done in JavaScript, which is why they said "a flaw in JavaScript." It's Yahoo's programmers who are at fault.
Re:"a flaw in JavaScript"? (Score:2)
Re:"a flaw in JavaScript"? (Score:2)
It doesn't "infect" anyone, although it does execute the code on your PC.
Re:"a flaw in JavaScript"? (Score:2)
The worm may not be as "innocent" (Score:5, Informative)
Here are the technical details of the worm:
1) Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:
From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.
2) Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.
3) Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.
4) Targets email addresses from the @yahoo.com and @yahoogroups.com domains.
5) Contacts the following URL:
[http://]www.av3.net/index.htm
6) Sends a list of email addresses gathered to the above URL.
Re:The worm may not be as "innocent" (Score:2, Informative)
Re: (Score:3, Informative)
I used wget to grab the site. (Score:2)
meta name="GENERATOR"
content="Microsoft FrontPage 6.0"
And they're using a free counter from webstats4u.com for their site statistics.
I don't think I'll be loading it in a web browser anytime soon. Anyone care to comment on what the site looks like when you open it with something other than VIM?
Why isn't Yahoo saying anything about this? (Score:3, Insightful)
That's pretty shitty. How hard would it be to add a warning and some helpful directions to the template of the login page?
Yay for NoScript! (Score:3, Interesting)
Does it affect limited user accounts? (Score:2)
Re:Very interesting (Score:2)
Re:Very interesting (Score:3, Insightful)
Re:Very interesting (Score:2)
The article only mentions the systems affected (only Windows systems apparently) but not the browsers.
The list was copied from McAfee's standard bug report. It works on any browser that runs javascripts (properly) by default and opens the message within yahoo mail.
So, are they sure that a Linux-based system with Mozilla (such as mine) would not be affected by the worm ?
I believe it will execute under Linux+Mozilla by default. Enable the "NoScript" plugin to stop it from executing without your permis
Re:Very interesting (Score:2)
FireFox + NoScript for the win.
Re:Very interesting (Score:1)
1) slow while browsing and full of annoying ads;
2) impossible to categorize my e-mails;
3) but the worst is that Yahoo messes up my e-mails with non-latin symbols.
GMail is far more convenient and just better.
Re:Very interesting (Score:2)
I use Yahoo mail because I've used Yahoo mail for 10 years, and with Adblocker I find its interface is actually superior to the other free webmail clients I've used, including gmail. That's obviously a matter of personal preference, of course.
Re:Very interesting (Score:2)
Yahoo may not provide pop, but the java script html scrapers work much better than the gmail pop server. And it is really handy to create a backup of my work emails with a simple click at yahoo.
since yahoo improved their email search, no need (t
Re:Very interesting (Score:2)
didn't know they brought back pop as a premium service. 6 years ago I paid like $5 a year for pop access, before they canned all premium services. now it's $30 a year for everything, worth considering.
Re:"This worm is a 2." (Score:3, Informative)
Category 5 - Very Severe
Highly dangerous threat type, very difficult to contain. All machines should download the latest virus definitions immediately and execute a scan. Email servers may need to come down. All three threat metrics must be High.
* Wild: High
* Damage: High
* Distribution: High
Category 4 - Severe
Dangerous threat type, difficult to contain. The latest virus definitions shoul
Here ya go (Score:3, Informative)
ThreatCon Level 1
Low : Basic network posture This condition applies when there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted. Automated systems and alerting mechanisms should be used.
Threatcon Level 2
Medium : Increased alertness
This condition applies when knowledge or the expectation of attack
Re:"This worm is a 2." (Score:2, Funny)
Re:JavaScript and CSS (Score:2, Funny)
Re:JavaScript and CSS (Score:2)
As far as I'm aware, the only browser which tied JavaScript and CSS support together was the craptacular Netscape 4.x. Modern browsers let you enable/disable them independently.
Re:Symantec's rate "2" seems ok to me. (Score:2)
Oh, really? As a contractor, I used Yahoo! email to communicate with the outfit that cuts my paycheck and to send in my hours to the manager at the job site. Why? Because I don't have access to my regular email account from the job site due to the firewall configuration. Go figure.
Re:Javascript == web security problem number 1 (Score:2, Funny)
Re:Javascript == web security problem number 1 (Score:2)
Not to sound like a jerk or anything, but I really don't care. Sometimes things happen in life -- including those over which you have no control -- that cause you to not be able to do everything as easily as you once could -- or at all. Sure it sucks, but it's not my fault; it's not my problem either.
It's like that girl who sued her school because they wouldn't let her run track... and she was in a wheel
Re:Javascript == web security problem number 1 (Score:2)
If she got all high and mighty in my face, sure I would. If she tried to defend her actions and didn't do a very good job of it, yes. If she explained herself in a way that was not explained in the articles I read and I found out the story wasn't right and she WASN'T suing her school to do something physically impossible, then I would apologize.
Re:Javascript == web security problem number 1 (Score:2)
Re:Lacks information (Score:2)
It doesn't affect any web browser, per se, as it's not a browser exploit. It uses Yahoo's javascript code. It _should_ work on any browser with JavaScript enabled that can view a regular Yahoo! mail account.
Re:Mac users aren't directly affected by this (Score:2)
Correct: in exactly the same way that PC users aren't directly affected by this... Or Linux users...
The platform doesn't matter, you tool: the flaw is in Yahoo! Mail, not in the browser. It should spread in exactly the same way on any browser that has JavaScript turned on. You mentioned turning off HTML... Did you think about that a second? There is no EMail client involved in this.
You DO know that Yahoo! Mail options work the same on all platforms, right?
Re:Mac users aren't directly affected by this (Score:2)
Re:I thought... (Score:2)