Yahoo Webmail Worm on the Loose
Security experts are warning of a new e-mail worm that takes advantage of a flaw in Yahoo's Web mail system to redirect users to advertising sites and to spread the worm to everyone in the victim's e-mail address book.
There may well be different versions of this bugger going around, but the one being tracked at the moment has "firstname.lastname@example.org" in the sender field, with the subject "New Graphic site." Symantec said users of Yahoo Mail Beta do not appear to be vulnerable to the worm.
When I followed the redirects on a test version of Windows XP, it launched two Web sites -- one advertising various online animations and graphics, and another that asks the visitor to download "Casino Tropez," an online-gambling program apparently operated out of the Caribbean island of Antigua (its entry at SiteAdvisor indicates this company is known for advertising via spam with forged e-mail headers).
The site hawking the online animations is registered to an Alireza Lavaei in Ontario, Canada. The server that hosts the site also hosts about 50 other marketing sites, most of them written in Arabic. It's important not to read too much into the registration information, as it is most likely fraudulent. Still, it is interesting to note that the server also hosts a (currently inactive) site called Yahoo-Incs.com; people who work for Yahoo have e-mail addresses that end in yahoo-inc.com, so such a site could be fairly effective if leveraged in tandem with future social engineering attacks on Yahoo users.
This attack does not appear to try to foist malware on visitors, but according to Web security firm Websense, a trivial reconfiguration to the worm could direct victims to sites that do. I have a call in to the people at Yahoo, but until this vulnerability is fixed, you're probably best off taking Websense's advice and using another Web mail program like Gmail or Hotmail.
SANS also says it's aware of two versions of this worm going around, released just two hours apart: "The [quick] release of a new version ... which partially fixes the first version indicates that the code is very much under development and you should assume that the remaining bugs will be rapidly ironed out."
Update, 5:42 p.m. ET: A spokeswoman for Yahoo said the company had put in place some kind of mechanism to filter out messages trying to exploit the flaw, though she could not offer specifics about the steps the company had taken.
The comments to this entry are closed.