Worm Wriggles Through Yahoo! Mail Flaw
Jasen Bell writes to mention a ZDNet article about a clever new worm affecting users of Yahoo!'s email service. The virus uses a flaw in JavaScript to infect a computer when an email is opened from the user's web-based mail. From the article: "The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said. Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.' The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."
I have a copy of this. I can forward it to anyone with a Yahoo! Mail account for further inspection. Isn't Open Source wonderful?
Yamanner arrives in a Yahoo mailbox bearing the subject header "New Graphic Site."
... I opened an email like this yesterday ... the reason being was because it was "from" one of my friends (they were marked as the sender). As soon as it opened I knew I f!cked up ... per a Javascript popup window shooting up ... grrr ...
Damn
What does that mean? Does that mean that the amount of damage caused by the worm is a 2 out of 5? Or that the chance of infection is 40%? Or that the worm did very poorly in the Olympics?
A little more description is needed here.
Anyway, I don't think anyone is using Yahoo or other webmails for professional activities. So IMHO Symantec was right to rate it "2".
With respect to:
Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.'
According to Symantec, "The worm cannot run on the newest version of Yahoo Mail Beta." So I would use that if you are nervous; then again, you could also not open weird emails from people you don't know.
Fixed: At the time of the advisory, there was no patch for the vulnerability. But by later on Monday, Yahoo said it had come up with a fix for the flaw, which it said had affected very few of its customers.
I have to say I agree with the low threat level. All the virus does is propagate and collect email addresses, and only on Yahoo. If you have a Yahoo email address, you're getting spam anyway, so how will you even know the difference?
Yesterday by The Register
My question is: who thought it was a good idea to enable JavaScript in emails? Someone at Yahoo! wasn't paying attention to basic security.
Users: disable javascript
Devs: Make sure your site is functional without javascript
What's so difficult to grasp here?
I remember a few months ago there was another security threat on Mac OS X where, if you allowed automatic execution of downloaded Dashboard widgets, it could compromise your system. Well then, don't blindly run it. OK, I admit it is not the same.
My ISP is Rogers (I live in Toronto, Canada). They are a fast cable ISP but they outsourced their email handling to Yahoo. So I have an email account @rogers.com and I have to type my full email address to log into Yahoo. So I guess all Rogers customers may be affected by this worm.
The article only mentions the systems affected (only Windows systems apparently) but not the browsers. However, it is the browser that executes the JavaScript code, which steals the e-mail addresses from the Yahoo! address book. So, are they sure that a Linux-based system with Mozilla (such as mine) would not be affected by the worm?
Any that will execute JS, from the look of it.
FireFox + NoScript for the win.
I thought the security of Yahoo would have caught an old JavaScript virus by now. But I do not understand: how can this JavaScript break out of the browser? Isn't Yahoo just a webmail website? Then how would the local PC be affected? Why would you have to scan your PC as Symantec tells you?
OK, the virus can send a lot of e-mails and break the Yahoo mail system. Or is there something about Yahoo mail I do not understand?
Redesign CSS now so it does not depend on enabling JavaScript. Enabling downloadable executable content in browsers has always been bad for security.
1: It is a worm
2: barely severe
3: lesser severe
4: less severe
5: most severe
"The solution has been automatically distributed to all Yahoo Mail customers, and requires no additional action on the part of the user," a Yahoo representative said.... It takes advantage of a JavaScript vulnerability.
means: they fixed some javascript code and validation and such on their server.
Both Yahoo and Symantec are encouraging people to update the antivirus definitions on their PCs
soon to expect: "Yahoo! Antivirus, a symantec product".
The worm, which was spotted in the wild early this morning
Of course, it was sunny out...
Although the worm is spreading quickly, and no patch has been issued
It was too hyper and running too fast in the wild to be successfully captured and patched with a yahoologo.
As I understand it, this doesn't infect the computer it runs on; it just uses the evils of JavaScript to grab addresses from your contacts list and forward a copy to everyone in there while passing them on to a spammer site. There should be nothing left behind to 'infect' the computer it runs on, and it will run on anything that supports JavaScript... which is needed to use Yahoo mail in the first place.
Just another reason why Javascript is evil.
Symantec is rating the threat a '2.'
The lowball number is interesting, especially given the fact that Symantec is the company charged with the task of keeping an outbreak like this from happening:
Symantec to scan Yahoo Mail for viruses
The article is lacking many details, like specifically which browsers seem to be vulnerable to this problem, or even if this is a browser bug that it is exploiting.... It could be a server side problem they are exploiting, or a client side browser bug. It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder, although from the article it is impossible to determine this.
Ironically, those of us with no contacts in our yahoo mail make for the best of friends!
This issue is a bit more complicated than you think.
I just got a wave of mails in my Gmail box that are from random senders, with multiple small 1-4k attachments.
Anyone have any idea if this works on/through gmail too?
-Styopa
from Learn about threat levels.
ThreatCon Level 1
Low : Basic network posture
This condition applies when there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted. Automated systems and alerting mechanisms should be used.
Threatcon Level 2
Medium : Increased alertness
This condition applies when knowledge or the expectation of attack activity is present, without specific events occurring or when malicious code reaches a moderate risk rating. Under this condition, a careful examination of vulnerable and exposed systems is appropriate, security applications should be updated with new signatures and/or rules as soon as they become available and careful monitoring of logs is recommended. Changes to the security infrastructure are not required.
Threatcon Level 3
High : Known threat
This condition applies when an isolated threat to the computing infrastructure is currently underway or when malicious code reaches a severe risk rating. Under this condition, increased monitoring is necessary, security applications should be updated with new signatures and/or rules as soon as they become available and redeployment and reconfiguration of security systems is recommended. People should be able to maintain this posture for a few weeks at a time, as threats come and go.
Threatcon Level 4
Extreme : Full alert
This condition applies when extreme global network incident activity is in progress. Implementation of measures in this Threat Condition for more than a short period probably will create hardship and affect the normal operations of network infrastructure.
The article doesn't really mention the behavior of the worm and is actually slightly misleading. It doesn't "infect" your computer per se, it harvests your address book contacts and then spams them. From a different article:
Once executed, the worm forwards itself to an infected user's contacts on Yahoo! Mail. It also harvests these addresses and sends them to a remote internet server. Only contacts with an email address of either @yahoo.com or @yahoogroups.com are hit by this behaviour.
I just tried to compose an email in my Yahoo! email account and was informed that my contact list failed to load. So did the worm eat my contact list?
I've seen lots of complaints about people using JavaScript and Yahoo!'s use of it. Yahoo!'s beta version is not affected by this worm.
FTFA, "The Yamanner worm targets all versions of Yahoo Web-based mail except the latest beta version, Symantec said in an advisory released Monday." (Emphasis mine)
Lameness filter got me. Here is a link.
--fatboy
The Cross Site Scripting FAQ
The only bad part about this is the new Yahoo Mail client makes extensive use of javascript for all the new ajax.
But seriously, Yahoo Mail is nothing but a piece of crap. I wouldn't use it if it weren't for the groups which don't accept non Yahoo e-mail addresses. Reasons:
1) slow while browsing and full of annoying ads;
2) impossible to categorize my e-mails;
3) but the worse is that Yahoo messes up my e-mails with non-latin symbols.
GMail is far more convenient and just better.
GO BACK TO THE JURRASIC ERA OF WEB CODING
I'm pretty sure gMail is safe from this particular exploit.
Exactly what did yahoo do to make Symantec angry?
The article only mentions the systems affected (only Windows systems apparently) but not the browsers.
The list was copied from McAfee's standard bug report. It works on any browser that runs JavaScript (properly) by default and opens the message within Yahoo mail.
So, are they sure that a Linux-based system with Mozilla (such as mine) would not be affected by the worm?
I believe it will execute under Linux+Mozilla by default. Enable the "NoScript" plugin to stop it from executing without your permission, or just don't open suspicious messages in Yahoo mail for a few days.
In short, I believe there should be some very stiff penalties to pay if it is proven that someone has written and deployed malware of this sort. There should be prison time and forfeiture of any money and assets acquired as a result of gains from this activity.
People often complain that punishment is too severe for this otherwise 'harmless' activity (and often compared to more heinous crimes such as assault, robbery, murder sex/child related crimes) and that damages are quite often exaggerated beyond reason. I can't say much about exaggerated damages, but I can say that in addition to other classifications of crimes, I also consider the following:
Planned/premeditated or not. Many aspects of the more heinous crimes where punishment is often less than these "white collar" crimes are not planned or premeditated. They are driven by little more than emotional or other motives. There is something more cold, more dark and indeed more arrogant when it comes to crimes such as the act of creating and deploying an internet worm. There is no question that what they are doing is immoral and illegal. They perform the act believing they will not be caught, that they will profit from the act and seemingly that it is somehow their right to take advantages of weaknesses in security simply because they are 'superior' in some way.
I see a noticeable decline in the amount of spam in my inboxes of late. People claimed that the current federal legislation regarding spam wasn't enough, and yet I see stories of people being prosecuted under these laws successfully, and when these people are put out of business, most all see a difference -- an improvement. It's working.
We don't need more legislation, but we do need to up the level of aggression in pursuing these people and up the amount of punishment they are given when they are caught. While they are thinking about their planned attacks, they need to have cause to consider the potential cost to their lives as well.
If you did not open a mail whose subject was "New Graphic Site", you are not infected.
Reference: Symantec advisory at http://securityresponse.symantec.com/avcenter/ven
I opened this email yesterday with Firefox, but didn't get the JavaScript popup that people have reported. My anti-virus also didn't complain (I use AntiVir), but then if it didn't install anything and just harvested addresses it wouldn't have set off any anti-virus. I'll have to check my computer when I get home, but I'm wondering if Firefox saved me from this one.
Eh? The worm itself (at least from the description here) sounds relatively serious; the 2 would seem rather low, until you factor in that the company doing the rating is the same company that's currently failing to stop it.
It's official. Most of you are morons.
- Using cryptographic signatures to verify that an email is really from your friend, before you trust its contents, simply isn't an option.
- Stuff is rendered in too powerful of an environment. Normally, JavaScript inside an email would not be a threat, because there wouldn't be any way to execute it -- accidentally or even deliberately.
Webmail sucks. Death to webmail.
... 2 was hand on bosom outside shirt
A flaw in whose JS implementation then?
Some people tend to think that this worm is harmless (just "spreading itself"). But the worm actually sends the harvested email addresses to an external site - www.av3.net [which I wouldn't dare to browse to].
Here are the technical details of the worm:
1) Arrives on the compromised computer as an HTML email containing JavaScript. The email may have the following characteristics:
From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.
2) Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.
3) Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.
4) Targets email addresses from the @yahoo.com and @yahoogroups.com domains.
5) Contacts the following URL:
[http://]www.av3.net/index.htm
6) Sends a list of email addresses gathered to the above URL.
I agree with you that yahoo has way too many ads, however they're all served from the same few hosts. So, a few simple entries in Adblocker, and no more ads on Yahoo.
I use Yahoo mail because I've used Yahoo mail for 10 years, and with Adblocker I find its interface is actually superior to the other free webmail clients I've used, including gmail. That's obviously a matter of personal preference, of course.
"flaw in JavaScript" - you really mean "flaw in JavaScript" or flaw in the implementation of the so-called "JavaScript"? I mean - all browsers with "JavaScript" are affected? Including mobile devices, linuxes, unixes...?
It would be nice to know if the worm affects any Web Browser or only the usual suspect (it seems so, for the platforms affected are only Windows 95-2003)
Don't see anything on the home page, my.yahoo, or even the login page of yahoo mail.
That's pretty shitty. How hard would it be to add a warning and some helpful directions to the template of the login page?
Oh well, you pays your money and you takes your choice....
and still collecting all those addresses
http://www.av3.net/
and the whois is of course using that American whois "privacy" service. Perhaps the FBI would like to sift through their computers; I am sure a lot of online crime could be cleared up quite quickly.
ditto
Looking at the source, it's a Frontpage generated monstrosity covered with animated GIFs and links to Animated GIFs
meta name="GENERATOR" content="Microsoft FrontPage 6.0"
And they're using a free counter from webstats4u.com for their site statistics.
I don't think I'll be loading it in a web browser anytime soon. Anyone care to comment on what the site looks like when you open it with something other than VIM?
> The worm itself (at least from the description here) sounds relatively serious
Huh? All the descriptions I've seen say it just forwards itself to people in your Yahoo! contact list. I've seen nothing about it doing any damage to your PC, browser, or even your Yahoo! mail account. How is that worthy of a rating more than two? Unless I'm missing something, 2 sounds too high. Is there some other evil effect that was discovered and not posted in the messages I've seen so far?
It should be standard practice not to even open emails if you're not certain the sender is legitimate, just delete them. Even if it's from someone you know, if you have any reason to be suspicious, (as in, perhaps their system was compromised and a virus is propagating itself by emailing everyone in their address book), don't open it. Check with the person first.
We who are "in the know" about this sort of thing should make sure our less technical family and friends follow this practice.
While I love FireFox and NoScript, they may not help you in this case. By default, NoScript allows yahoo.com and yimg.com to execute scripts, as they are required to actually read your email. So, even if you are using FireFox and NoScript you might still be vulnerable.
(Thankfully, I never received/opened that mail in my Yahoo account, so I don't know for sure).
But Gmail is all scripted, so you can't simply open messages, etc. in separate tabs with a click. And their POP access is very buggy (at least for me, since I use multiple clients during the day) and you can't use it to download other IMAP/POP emails on other servers.
Yahoo may not provide POP, but the JavaScript HTML scrapers work much better than the Gmail POP server. And it is really handy to create a backup of my work emails with a simple click at Yahoo.
Since Yahoo improved their email search, no need (for me) to create categories. But you can create folders, and they actually come across with the POP scrapers, unlike Gmail.
> Mac users aren't directly affected by this
Correct: in exactly the same way that PC users aren't directly affected by this... Or Linux users...
The platform doesn't matter, you tool: the flaw is in Yahoo! Mail, not in the browser. It should spread in exactly the same way on any browser that has JavaScript turned on. You mentioned turning off HTML... Did you think about that a second? There is no EMail client involved in this.
You DO know that Yahoo! Mail options work the same on all platforms, right?
Mac users ARE affected. I have seen it running on a MacOSX box running safari.
Have a nice day!
Actually Macs are affected by this (unless you keep JavaScript disabled). I noticed the virus when I received a mail from one of my Mac-using friends.
We all should add the following line to our hosts file.
127.0.0.1 av3.net
Doesn't keep you from being infected but will stop spread of the virus.
And on top of that gmail is NOT available to everyone.
..... best things in life are not so free..........
The individual effect is minimal, e.g. it doesn't maliciously do anything on your system. However, the cumulative effect on Yahoo's webmail, especially yahoo! groups, is tremendous. My wife participates in & manages yahoo groups and she was saying yesterday/today that they've taken all the groups off line, from what she can see. I'd say that's a serious DoS, right?
I am humored that Symantec is in charge of virus scanning and they're the ones telling people to scan their systems when they should know that this is a XSS attack that isn't affecting the local system.
I didn't receive the message as an email, but I did open a message yesterday on a Yahoo Group I'm a member of. I basically just saw a message full of text, so would that trigger anything? I got no Java windows, pop-ups, etc.
Do a search on SourceForge for it. Lets you download all your Yahoo mail with any POP3-compatible client. There are others for Hotmail and other services, but of course Yahoo POPS is the relevant one to this issue. As you can see, there is already an incentive to start using it instead - keeps away those nasty web-based worms. You can always still disable images/JavaScript in your e-mail client just the same as your browser. Think how many times you need JavaScript on to read an e-mail versus to make a website work. Problem solved.
I received a couple of infected messages through a Yahoo groups subscription, which comes to my gmail account. The javascript was displayed as plain text, and I could see it was issuing requests to the Yahoo webmail system to extract user IDs and contacts. As far as I could tell, if you're not reading the email from within Yahoo's webmail reader, the script is not going to achieve anything.
Bless Firefox and the NoScript (https://addons.mozilla.org/firefox/722/) extension.
Anyone know if the worm is able to wiggle into users with limited accounts?
> However, the cumulative effect on Yahoo's webmail, especially yahoo! groups, is tremendous.
Good point. So it rates high for some people using Yahoo (but certainly not all) which, admittedly, is quite a large group. Low rating for everyone else.
Does it leave traces behind? Do the outbound emails sent by the worm to propagate itself show up in the Sent folder? I know that I accidentally opened one of those "New Graphic Site" emails the day before this hit the headlines; nothing strange happened at the time (e.g., no popups as some users have been mentioning).
I was using webmail on Mozilla on Linux, which usually makes me feel safe from things like this. There goes another false sense of security.
Sigh... I put myself in my own address book... Man, I'm screwed!
It's fixed on yahoo's servers now, but according to the source link posted earlier, the flaw that's being exploited seems to be a bug in how yahoo parses html attributes. The bug sends itself as:
<img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif'
target=""onload="whole bunch of crappy javascript here that uses only
single quotes and just goes on and on">
Note the lack of a space between the 'target' bit and the 'onload' bit. Now, apparently "target" is one of the HTML attributes that yahoo allows through on an IMG tag (why?). Anyway, it appears that yahoo's servers see both the target and the onload bit as one big long target attribute and let it through, whereas most browsers see that as a separate "target" and "onload" attribute and execute the javascript as soon as the image (one of the standard yahoo mail images, so it'll likely already be in the browser cache) is loaded.
The lesson here? I'm not really sure, beyond "double- and triple-check your parsing routines, since they will be used in security-sensitive code".
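To make the parsing mismatch described above concrete, here is an added example (not code from the thread, from Yahoo or from Symantec): a hypothetical whitespace-split attribute scanner that reads target=""onload="..." as a single target attribute, beside a check built on Python's standard html.parser tokenizer, which, like a browser, sees a separate onload attribute and so can reject or strip it. The sample tag, the example.invalid host and the alert('x') canary are constructed.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample in the shape the comment describes: the empty target=""
# runs straight into onload="..." with no space between them. The handler is a
# harmless alert('x') canary and contains no whitespace, so a whitespace-split
# scanner sees the whole run as one token.
SAMPLE_IMG = ("<img src='http://example.invalid/i/ma_mail_1.gif' "
              "target=\"\"onload=\"alert('x')\">")

# Allow-list of a naive server-side filter. 'target' is included to mirror the
# thread's observation that Yahoo let it through on <img>.
NAIVE_ALLOWED = {"src", "alt", "width", "height", "target"}

_TAG_RE = re.compile(r"<\s*(\w+)(.*?)>\s*$", re.S)


def naive_attrs(tag):
    """Hypothetical whitespace-split attribute scan: each token is treated as
    name=value, so the token target=""onload="alert('x')" yields ONE attribute
    called target whose value happens to contain the onload handler."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        return []
    out = []
    for tok in m.group(2).split():
        name, _, value = tok.partition("=")
        out.append((name.lower(), value))
    return out


def naive_filter_allows(tag):
    """True when every attribute the naive scanner sees is on the allow-list."""
    return all(name in NAIVE_ALLOWED for name, _ in naive_attrs(tag))


class _StartTags(HTMLParser):
    """Collects start tags as (name, [(attr, value), ...]) using tokenizer rules
    a browser follows: a new attribute name may begin right after a quote."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def browser_attrs(fragment):
    p = _StartTags()
    p.feed(fragment)
    p.close()
    return p.tags


def event_handlers(fragment):
    """Detection view: every on* attribute a real tokenizer finds."""
    return [name for _, attrs in browser_attrs(fragment)
            for name, _ in attrs if name.startswith("on")]


SAFE_IMG_ATTRS = {"src", "alt", "width", "height"}


def sanitize_img(fragment):
    """Hardened filter: rebuild the tag from the tokenizer's view, keep only
    allow-listed attributes, require an http(s) src, and re-quote every value
    so no attribute can run into the next one."""
    tags = browser_attrs(fragment)
    if len(tags) != 1 or tags[0][0] != "img":
        return ""
    kept = {}
    for name, value in tags[0][1]:
        if name not in SAFE_IMG_ATTRS or value is None:
            continue
        if name == "src" and not value.lower().startswith(("http://", "https://")):
            continue
        kept[name] = value
    if "src" not in kept:
        return ""
    return "<img " + " ".join(f'{n}="{escape(v, quote=True)}"'
                               for n, v in kept.items()) + ">"


if __name__ == "__main__":
    print("naive scanner sees:", [n for n, _ in naive_attrs(SAMPLE_IMG)])
    print("naive filter allows it:", naive_filter_allows(SAMPLE_IMG))
    print("tokenizer finds handlers:", event_handlers(SAMPLE_IMG))
    print("sanitized tag:", sanitize_img(SAMPLE_IMG))
```

The naive scanner reports only src and target and waves the tag through, while the tokenizer-based check finds onload and the sanitizer emits a tag with nothing but the re-quoted src.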
Or maybe they do. I have a Yahoo account and use a mail client on my pc to read my mail.
Yahoo! has been fighting a bitter battle with much collateral damage for years to keep Javascript out of email bodies. In 2002, they're the ones who got hit by the discovery that legacy code in browsers would recognize every single obsolete code name that Javascript ever had as a script tag. Yahoo! attracted some criticism when people discovered that the word "mocha" was getting rewritten. See Wikipedia for details.
Come on... If you live in the US, you can send an SMS to get an invite. I'm not sure about other countries however. Besides, in each web forum you can find someone who has loads of invites. You could even try your luck by sending an e-mail to johnny, john.smith or whoever to ask an invite. That is really not a valuable argument.
>They perform the act believing they will not be caught, that they will profit from the act
That describes botnet builders and those like them.
What's appropriate for a case like this one, where there's no visible profit motive? [Bad car analogy]The crime here is sort of like joyriding, a clear infringement of the rights of others but (by default) not doing permanent damage (though certainly risking it) and not profiting the perpetrators.[/Bad car analogy]
-Mike
I'm sorry; I don't know what I was thinking!
It turns out to be a spam harvester. This was done for profit.
You state that Java and JavaScript are required to open and read your email at Yahoo. This is not true: if you go to Yahoo with Java and JavaScript disabled it will give you the option of loading their old client/web access. Do it once and you will not have to repeat it again, although you will see a notice re: Java and JavaScript required to use their current setup. This is unless, of course, you go there with Java and JavaScript enabled once, in which case it will start loading their normal email viewer pages and will default to this until you go there with Java disabled again. Feel free to test this. I, as a general rule, keep Java and JavaScript disabled; though it is less of a security problem than ActiveX, it is still a gaping security hole any time you allow web sites to download and execute their code on your machine.
Flash isn't even installed, nor will it ever be. Flash required translates as: we are extremely rude, conceited, selfish and generally thoughtless web developers/company/corporation who neither care about you, your computer, your network connection or your interest/business, leave now and never return. I'm always happy to oblige.
Yeah, I know, just condemned my AC behind to -1, pfft {:P)~~~~
Didn't know they brought back POP as a premium service. 6 years ago I paid like $5 a year for POP access, before they canned all premium services. Now it's $30 a year for everything; worth considering.
I only get one or two emails from them each week so it seems a good deal to me.
I guess that I'll be ok. Not too sure though. I got the "NoScript" extension for FireFox. Hopefully, I can say, "How can it infect me when the script is blocked in the beginning?"
jagossel
Why use a browser in the first place? I use pop mail and an email client. Of course, that comes with my DSL with AT&T.
Ops, I shuld have usd the prevuwe but in.