
Yahoo Webmail Worm on the Loose

Security experts are warning of a new e-mail worm that takes advantage of a flaw in Yahoo's Web mail system to redirect users to advertising sites and to spread the worm to everyone in the victim's e-mail address book.

According to an advisory issued by Symantec, "JS.Yamanner" exploits an unpatched Javascript vulnerability that kicks in when the user opens an e-mail infected by the worm. Unlike most e-mail-based worms -- which launch when the recipient clicks on an infected file attachment -- this one spreads merely by getting the user to open the e-mail.
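The mechanism described above, script in a message body executing in the webmail session the moment the message is rendered, is what an allowlist-based HTML sanitizer in the mail renderer is meant to prevent. The following is an added example, not code from the original post and not Yahoo's filter (the post does not describe how the worm got past Yahoo's filtering); the tag and attribute allowlists, the `example.invalid` URLs and the sample message body are all constructed for illustration. It rebuilds the message from an allowlist and drops script elements, `on*` event-handler attributes and non-http(s) URL schemes, decoding entities first so that obfuscated schemes are caught, and returns a record of what it removed for logging or detection.

```python
"""Allowlist-based HTML sanitizer for untrusted e-mail bodies (constructed example).

Rebuilds the message from an allowlist of tags/attributes; anything that could
run script in the reader's browser session is dropped and recorded.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for a webmail renderer; tighten or extend to taste.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img",
                "ul", "ol", "li", "div", "span", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
# Content of these elements is discarded entirely, not just the tags.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}
_SAFE_SCHEME = re.compile(r"^(?:https?|mailto):", re.IGNORECASE)


def _safe_url(value: str) -> bool:
    """Allow relative URLs and http/https/mailto only.

    Control characters and whitespace are stripped before the scheme check so
    that entity-decoded padding inside the scheme cannot hide it.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    if ":" not in cleaned:
        return True  # relative URL, no scheme at all
    return bool(_SAFE_SCHEME.match(cleaned))


class EmailSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: attribute values and text arrive entity-decoded,
        # so checks run on the real value and output is re-escaped on the way out.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # what was removed, for logging/detection
        self._skip_depth = 0   # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_CONTENT:
            self._skip_depth = 1
            self.dropped.append(f"element:{tag}")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"element:{tag}")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            # Event handlers never pass, regardless of tag.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}@{name}")
                continue
            if name in URL_ATTRS and not _safe_url(value):
                self.dropped.append(f"url:{tag}@{name}={value[:40]}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_CONTENT:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_email_html(body: str):
    """Return (clean_html, dropped_items) for an untrusted message body."""
    s = EmailSanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample message: a link, an image with an event handler, an inline
# script, a javascript: link and an entity-obfuscated javascript: link.
SAMPLE_BODY = (
    '<p>Check out my <a href="http://example.invalid/gfx">new graphic site</a>!</p>'
    '<img src="http://example.invalid/pic.gif" onload="alert(1)">'
    '<script>document.location="http://example.invalid/ad"</script>'
    '<a href="javascript:void(0)">click</a>'
    '<a href="jAva&#9;script:alert(1)">click</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE_BODY)
    print(clean)
    for item in dropped:
        print("dropped:", item)
```

The `dropped` list is the part a security team actually watches: a spike in `element:script` or `url:a@href=javascript:` removals across many inbound messages with the same subject is the kind of signal that would flag a self-propagating message early, independent of whether the renderer was also patched.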

There may well be different versions of this bugger going around, but the one being tracked at the moment has "av@yahoo.com" in the sender field, with the subject "New Graphic site." Symantec said users of Yahoo Mail Beta do not appear to be vulnerable to the worm.

When I followed the redirects on a test version of Windows XP, it launched two Web sites -- one advertising various online animations and graphics, and another that asks the visitor to download "Casino Tropez," an online-gambling program apparently operated out of the Caribbean island of Antigua (its entry at SiteAdvisor indicates this company is known for advertising via spam with forged e-mail headers).

The site hawking the online animations is registered to an Alireza Lavaei in Ontario, Canada. The server that hosts the site also hosts about 50 other marketing sites, most of them written in Arabic. It's important not to read too much into the registration information, as it is most likely fraudulent. Still, it is interesting to note that the server also hosts a (currently inactive) site called Yahoo-Incs.com; people who work for Yahoo have e-mail addresses that end in yahoo-inc.com, so such a site could be fairly effective if leveraged in tandem with future social engineering attacks on Yahoo users.

This attack does not appear to try to foist malware on visitors, but according to Web security firm Websense, a trivial reconfiguration to the worm could direct victims to sites that do. I have a call in to the people at Yahoo, but until this vulnerability is fixed, you're probably best off taking Websense's advice and using another Web mail program like Gmail or Hotmail.

However, according to a writeup on this by the SANS Internet Storm Center, there may be no easy way to fix this vulnerability. SANS incident handler Arrigo Triulzi wrote that turning off Javascript in your browser will prevent you from reading your Yahoo Webmail.

SANS also says it's aware of two versions of this worm going around, released just two hours apart: "The [quick] release of a new version ... which partially fixes the first version indicates that the code is very much under development and you should assume that the remaining bugs will be rapidly ironed out."

Update, 5:42 p.m. ET: A spokeswoman for Yahoo said the company had put in place some kind of mechanism to filter out messages trying to exploit the flaw, though she could not offer specifics about the steps the company had taken.

By Brian Krebs  |  June 12, 2006; 3:32 PM ET
Categories:  Latest Warnings  

© 2010 The Washington Post Company