JavaScript worm spreads through Yahoo Mail

By Bill Brenner, Senior News Writer 13 Jun 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

A JavaScript worm is spreading via a security hole in Yahoo Mail, and end-users can become victims simply by viewing their email messages.

In an emailed advisory, Cupertino, Calif.-based AV giant Symantec Corp. said JS.Yamanner spreads through Yahoo email contacts when an end-user opens an email infected by the worm. The worm also sends these email addresses to a remote server on the Internet.

"This worm is a twist on the traditional mass-mailing worms that we have seen in recent years," Dave Cole, director at Symantec Security Response, said in a statement. "Unlike its predecessors, which would require the user to open an attachment in order to launch and propagate, JS.Yamanner makes use of a previously unknown security hole in the Yahoo Mail program in order to spread to other Yahoo users, and harvests user information for possible future attacks."

JS.Yamanner exploits a vulnerability that allows scripts embedded in HTML emails to be run by the user's browser. These scripts are normally blocked by Yahoo Mail for security reasons. Symantec has categorized JS.Yamanner as a Level 2 threat on a scale of one to five, with five being most severe.

Only those using contacts with an email address at @yahoo.com or @yahoogroups.com are threatened by this worm, Symantec said. Users of Yahoo Mail Beta don't appear to be affected.

The emails JS.Yamanner sends contains the following title and contents:

From: av3[at]yahoo.com
Subject: New Graphic Site
Body: this is test

Yahoo has reportedly released a fix for its standard and beta clients, and is working to block the malicious messages from its users' inboxes.

Michael Haisley, a handler with the Bethesda, Md.-based SANS Internet Storm Center (ISC), confirmed on the organization's Web site that the worm may spread without the user doing anything other than viewing a malicious email.

However, Haisley added that the worm could be readily modified to spread across many Web application systems that do not escape JavaScript when displaying data from a foreign source. "Many Web developers should reexamine their code," he said, "and make sure that display functions do not deliver potentially malicious code."

After testing several popular Web applications, ISC found that several are in fact vulnerable to the same type of exploit. Haisley said nearly any Web application could be affected, including bulletin boards, webmail programs, Web-based polls and any site that allows comments or uses guestbooks. "I even found one Web-based IRC client that didn't filter JavaScript, so a non-Web user could cause all Web users in a chat to perform some action.

The majority of these types of exploits cause little harm to users, Haisley said, but self-propogation could cause network congestion and generally make it more difficult to separate legitimate messages from malicious ones.

He said good coding practices, such as verifying that users are coming from an authorized form and that they are not submitting malicious code, can protect developers against this type of exploit.

Tags: Malware, Viruses, Trojans and Spyware,  Web Application Security,  Web Server Threats and Countermeasures,  Web Application and Web 2.0 Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated Web Application Security Preventing SQL injection attacks: A network admin's perspective Cisco acquires SaaS security vendor ScanSafe Web application firewall use goes beyond compliance, company finds Gumblar Trojan drive-by exploits spike following Adobe update Some Facebook applications lead to Russian attack sites Barracuda acquires Purewire expanding Web security reach An enterprise strategy for Web application security threats Scanning with N-Stalker offers basic Web application security assessment Attackers target PDF, DirectShow flaws with malicious banner ads New Bahama botnet evades search engines, fuels click fraud Web Server Threats and Countermeasures VeriSign extends DDoS attack protection service Microsoft issues IIS FTP advisory, exploit code circulates Panda reports fast-spreading rogueware antivirus fraud rakes in millions Oracle issues quarterly patches, fixes database flaws Latest DDoS attacks extremely unsophisticated, experts say Stolen FTP credentials likely in massive website attacks Microsoft warns of IIS zero-day vulnerability How to find and stop automated SQL injection attacks How to spot attacks through Apache Web server log analysis Symantec acquires Mi5 Networks, bolsters Web security

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary