Worm Wriggles Through Yahoo! Mail Flaw

Zonk posted more than 8 years ago | from the descriptive-imagery dept.


Jasen Bell writes to mention a ZDNet article about a clever new worm affecting users of Yahoo!'s email service. The virus uses a flaw in JavaScript to infect a computer when an email is opened from the user's web-based mail. From the article: "The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said. Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.' The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."


186 comments


Very interesting (-1, Troll)

ilovegeorgebush (923173) | more than 8 years ago | (#15523619)

Wonder which browser(s) was affected most....

Why would you use Yahoo! anyway? :D

Re:Very interesting (1)

roman_mir (125474) | more than 8 years ago | (#15523662)

My ISP is Rogers (I live in Toronto, Canada,) they are a fast cable ISP but they outsourced their email handling to Yahoo. So I have an email account @rogers.com and I have to type my full email address to log into Yahoo. So I guess all Rogers customers may be affected by this worm.

Re:Very interesting (2, Insightful)

o'reor (581921) | more than 8 years ago | (#15523664)

The article only mentions the systems affected (only Windows systems apparently) but not the browsers. However, it is the browser that executes the Javascript code, which steals the e-mail addresses from the Yahoo! address book. So, are they sure that a Linux-based system with Mozilla (such as mine) would not be affected by the worm ?

Re:Very interesting (1)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#15523868)

The article only mentions the systems affected (only Windows systems apparently) but not the browsers.

The list was copied from McAfee's standard bug report. It works on any browser that runs javascripts (properly) by default and opens the message within yahoo mail.

So, are they sure that a Linux-based system with Mozilla (such as mine) would not be affected by the worm ?

I believe it will execute under Linux+Mozilla by default. Enable the "NoScript" plugin to stop it from executing without your permission, or just don't open suspicious messages in Yahoo mail for a few days.

Re:Very interesting (1)

PFI_Optix (936301) | more than 8 years ago | (#15523668)

Any that will execute JS, from the look of it.

FireFox + NoScript for the win.

Re:Very interesting (0)

Anonymous Coward | more than 8 years ago | (#15523800)

The only bad part about this is the new Yahoo Mail client makes extensive use of javascript for all the new ajax.

Re:Very interesting (1)

Rytis (907427) | more than 8 years ago | (#15523804)

But seriously, Yahoo Mail is nothing but a piece of crap. I wouldn't use it if it weren't for the groups which don't accept non Yahoo e-mail addresses. Reasons:
1) slow while browsing and full of annoying ads;
2) impossible to categorize my e-mails;
3) but the worst is that Yahoo messes up my e-mails with non-latin symbols.
GMail is far more convenient and just better.

Re:Very interesting (1)

eln (21727) | more than 8 years ago | (#15524020)

I agree with you that yahoo has way too many ads, however they're all served from the same few hosts. So, a few simple entries in Adblocker, and no more ads on Yahoo.

I use Yahoo mail because I've used Yahoo mail for 10 years, and with Adblocker I find its interface is actually superior to the other free webmail clients I've used, including gmail. That's obviously a matter of personal preference, of course.

Copies available (1, Funny)

Anonymous Coward | more than 8 years ago | (#15523622)

I have a copy of this. I can forward it to anyone with a Yahoo! Mail account for further inspection. Isn't Open Source wonderful?

Re:Copies available (2)

ilovegeorgebush (923173) | more than 8 years ago | (#15523674)

Great! Could you send it to me at symantic@yahoo.com?

Fell for this yesterday (2, Informative)

neonprimetime (528653) | more than 8 years ago | (#15523631)

Yamanner arrives in a Yahoo mailbox bearing the subject header "New Graphic Site."

Damn ... I opened an email like this yesterday ... the reason being was because it was "from" one of my friends (they were marked as the sender). As soon as it opened I knew I f!cked up ... per a Javascript popup window shooting up ... grrr ...

This is an example of webmail's suckiness (1)

Sloppy (14984) | more than 8 years ago | (#15523962)

Yet another lesson in why webmail is such a bad idea. By using the wrong tool (web browser) for the job (email), the user suffers twofold:
  1. Using cryptographic signatures to verify that an email is really from your friend, before you trust its contents, simply isn't an option.
  2. Stuff is rendered in too powerful of an environment. Normally, Javascript inside an email would not be a threat, because there wouldn't be any way to execute it -- accidentally or even deliberately.
Webmail sucks. Death to webmail.

Re:This is an example of webmail's suckiness (2, Insightful)

oni (41625) | more than 8 years ago | (#15524048)

Using cryptographic signatures to verify that an email is really from your friend, before you trust its contents, simply isn't an option.

well, the email *was* from his friend. His friend was infected. If his friend was using a standalone email client and using cryptographic signatures, then most likely, his friend would have entered his password for PGP or whatever, and that password would be stored in memory, and then when the virus took over his account and started sending mail, the virus would sign the mail.

So in this particular instance, I don't see how a standalone client would help things.

Re:This is an example of webmail's suckiness (1)

Opportunist (166417) | more than 8 years ago | (#15524259)

This is in theory possible. But PGP and similar signing mechanisms are SO rare that, so far, few viruses or worms bothered to implement a routine to actually sign your mails properly.

It will be a problem as soon as it becomes common practice, that's a given.

Your "JavaScript"? (3, Insightful)

Elixon (832904) | more than 8 years ago | (#15524041)

"flaw in JavaScript" - you really mean "flaw in JavaScript" or flaw in the implementation of the so-called "JavaScript"? I mean - all browsers with "JavaScript" are affected? Including mobile devices, linuxes, unixes...?

Re:Fell for this yesterday (0)

Anonymous Coward | more than 8 years ago | (#15524153)

I opened the message with Firefox, but didn't get the Javascript window. I don't know if that means the worm failed or not. I don't recall ever disabling Javascript. What browser were you using?

Using IE in Windows by any chance? (1)

Viol8 (599362) | more than 8 years ago | (#15524165)

Oh well, you pays your money and you takes your choice....

"This worm is a 2." (0, Offtopic)

Evanisincontrol (830057) | more than 8 years ago | (#15523644)

What does that mean? Does that mean that the amount of damage caused by the worm is a 2 out of 5? Or that the chance of infection is 40%? Or that the worm did very poorly in the olympics?

A little more description is needed here.

Re:"This worm is a 2." (3, Informative)

BobVH (930696) | more than 8 years ago | (#15523700)

Just copy-pasted this off symantec:

Category 5 - Very Severe
Highly dangerous threat type, very difficult to contain. All machines should download the latest virus definitions immediately and execute a scan. Email servers may need to come down. All three threat metrics must be High.

        * Wild: High
        * Damage: High
        * Distribution: High

Category 4 - Severe
Dangerous threat type, difficult to contain. The latest virus definitions should be downloaded immediately and deployed.

        * Wild: High
        * Damage or Distribution: High

Category 3 - Moderate
Threat type characterized either as highly wild (but reasonably harmless and containable) or potentially dangerous (and uncontainable) if released into the wild.

        * Wild: High
            or
        * Damage: High and Distribution: High

Category 2 - Low
Threat type characterized either as low or moderate wild threat (but reasonably harmless and containable) or non-wild threat characterized by an unusual damage or spread routine, or perhaps by some feature of the virus that makes headlines in the news.

        * Damage: High
            or
        * Distribution: High
            or
        * Wild: Low or Moderate

Category 1 - Very Low
Poses little threat to users. Rarely even makes headlines. No reports in the wild.

        * Wild: Low
        * Damage or Distribution: Low

Here ya go (2, Informative)

hal9000(jr) (316943) | more than 8 years ago | (#15523719)

from Learn about threat levels [symantec.com] .
ThreatCon Level 1
Low : Basic network posture
This condition applies when there is no discernible network incident activity and no malicious code activity with a moderate or severe risk rating. Under these conditions, only a routine security posture, designed to defeat normal network threats, is warranted. Automated systems and alerting mechanisms should be used.
Threatcon Level 2
Medium : Increased alertness
This condition applies when knowledge or the expectation of attack activity is present, without specific events occurring or when malicious code reaches a moderate risk rating. Under this condition, a careful examination of vulnerable and exposed systems is appropriate, security applications should be updated with new signatures and/or rules as soon as they become available and careful monitoring of logs is recommended. Changes to the security infrastructure are not required.
Threatcon Level 3
High : Known threat
This condition applies when an isolated threat to the computing infrastructure is currently underway or when malicious code reaches a severe risk rating. Under this condition, increased monitoring is necessary, security applications should be updated with new signatures and/or rules as soon as they become available and redeployment and reconfiguration of security systems is recommended. People should be able to maintain this posture for a few weeks at a time, as threats come and go.
Threatcon Level 4
Extreme : Full alert
This condition applies when extreme global network incident activity is in progress. Implementation of measures in this Threat Condition for more than a short period probably will create hardship and affect the normal operations of network infrastructure.

Re:"This worm is a 2." (2, Funny)

format1337 (957144) | more than 8 years ago | (#15523984)

we're at terror alert orange! Which means something might go down somewhere in some way at some point in time. So look sharp!

Symantec's rate "2" seems ok to me. (0, Flamebait)

palmer_eldridge (906506) | more than 8 years ago | (#15523651)

Anyway, I don't think anyone is using yahoo or other webmails for professional activities. So IMHO symantec was right to rate it "2"

Re:Symantec's rate "2" seems ok to me. (0)

Anonymous Coward | more than 8 years ago | (#15523737)

That was a joke, right? Even if what you said was true (it's not), a vulnerability that "only" affects personal mail is still a vulnerability and doesn't deserve a lower rating.

Re:Symantec's rate "2" seems ok to me. (1)

creimer (824291) | more than 8 years ago | (#15523812)

Anyway, I don't think anyone is using yahoo or other webmails for professional activities.

Oh, really? As a contractor, I used Yahoo! email to communicate with the outfit that cuts my paycheck and to send in my hours to the manager at the job site. Why? Because I don't have access to my regular email account from the job site due to the firewall configuration. Go figure.

Re:Symantec's rate "2" seems ok to me. (1)

Shadow Of The Sun (951477) | more than 8 years ago | (#15523849)

Yahoo does provide web hosting services. For $12 a month [yahoo.com] , you get 5GB of disk space, and 200GB of data transfer. If you don't want to actually bother administrating your own server, that's a pretty good deal.

I am betting a fair number of small to medium businesses actually do use Yahoo! web hosting. But, since their paid services allow pop3 access, I am wondering how vulnerable those users are.

Re:Symantec's rate "2" seems ok to me. (1)

Arctic Fox (105204) | more than 8 years ago | (#15524278)

Not true.
People think Yahoo/Hotmail are viable email services.

Look at this guy... He's running for Pa Senate, with a yahoo account. http://www.threesources.com/archives/002949.html [threesources.com]

Not everyone affected... (1)

s31523 (926314) | more than 8 years ago | (#15523652)

With respect to:
Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.'
According to Symantec [symantec.com] , "The worm cannot run on the newest version of Yahoo Mail Beta." so I would use that if you are nervous, then again, you could also not open weird emails from people you don't know.

Re:Not everyone affected... (3, Informative)

neonprimetime (528653) | more than 8 years ago | (#15523680)

you could also not open weird emails from people you don't know

Yeah, but this spreads via your Yahoo! contact list ... and thus I received this worm email "from" one of my friends ... so it's not just coming from random accounts, it's coming from people who have you in their contact list.

Re:Not everyone affected... (1)

0123456 (636235) | more than 8 years ago | (#15523722)

"I received this worm email "from" one of my friends ... so it's not just coming from random accounts, it's coming from people who have you in their contact list."

Ditto. I got hit by this because it came from someone I know and had a reasonably plausible subject line.

Re:Not everyone affected... (1)

s31523 (926314) | more than 8 years ago | (#15523762)

It had to start somewhere!

Re:Not everyone affected... (1, Informative)

Anonymous Coward | more than 8 years ago | (#15524543)

Unfortunately, users who have not already switched to the Yahoo Beta can not do it on the fly. You have to 'apply' for the program, and it can take weeks before you are admitted.

Fixed. (3, Insightful)

Se7enLC (714730) | more than 8 years ago | (#15523657)

Fixed: At the time of the advisory, there was no patch for the vulnerability. But by later on Monday, Yahoo said it had come up with a fix for the flaw, which it said had affected very few of its customers.

I have to say I agree with the low threat level. All the virus does is propagate and collect email addresses, and only on yahoo. If you have a yahoo email address, you're getting spam anyway, so how will you even know the difference?

Re:Fixed. (1)

cygnusx (193092) | more than 8 years ago | (#15523711)

> If you have a yahoo email address, you're getting spam anyway, so how will you even know the difference?

Great point. Is it only me or has Yahoo Mail hit the bottom of the barrel? My hotmail account (and it's used for domain registrations) gets 2-3 spam emails a day (and these go to the junk mail folder 99% of the time). My gmail account gets about 2 a week. Yahoo gets over 50 a day and I don't even use it that much.

Re:Fixed. (0)

Anonymous Coward | more than 8 years ago | (#15523735)



My gmail spam folder receives between 50-75 a day. My yahoo about 50-75 a week. My hotmail account is by far the lowest at about 10 a week.

Re:Fixed. (1)

lobsterGun (415085) | more than 8 years ago | (#15523794)

You may just be unlucky with your Yahoo account.

I have a yahoo mail address that I have used actively for years, and only receive a few spam a week.

Same Here (0)

Anonymous Coward | more than 8 years ago | (#15524325)

ditto

Re:Fixed. (1)

peragrin (659227) | more than 8 years ago | (#15523852)

My gmail account receives about 25-40 a week. Of course the filter catches them all. It even sometimes catches mail that it isn't supposed to.

My juno account however receives 20-30 a day and its filter catches 3-5.

It's a good thing I just use juno for junk mail filtering.

Re:Fixed. (1)

electronerdz (838825) | more than 8 years ago | (#15524266)

Actually, my Yahoo account has the least amount of spam. It is my backup in case all hell breaks loose. I get stuff in the spam folder, but usually only 1 or 2 a day. In the actual Inbox, I'd say about 1 a week if even that. From what I can tell, Yahoo has some pretty good spam blocking. Now if only they'd let me use the new Yahoo mail... but I guess since I am not using IE or Windows for that matter, I don't get to try it.

Re:Fixed. (0)

Anonymous Coward | more than 8 years ago | (#15523763)

Huh?

I've been using Yahoo temporarily because my domain's mail has been hijacked by spammers, the "real" mail address (that I stopped using) was getting hundreds of "bounce" messages.

I have yet to get a single spam from Yahoo, except the spam Yahoo itself sends out.

It even put a response from a newspaper editor I had written to, asking my city for when they printed the letter, was put in the "bulk" folder.

So I guess with everything, YMMV.

Re:Fixed. (2, Funny)

tehwebguy (860335) | more than 8 years ago | (#15523872)

yes, actually i was the one who came up with the fix for it.
it went something like this:
$body = strip_tags($body);

Re:Fixed. (1)

bitflip (49188) | more than 8 years ago | (#15523925)

It collects the addresses from the users' contact lists. So, if somebody you know sends you email from Yahoo, then they now have your address, too.

First reported (4, Insightful)

Billosaur (927319) | more than 8 years ago | (#15523658)

Yesterday by The Register [theregister.co.uk]

My question is: who thought it was a good idea to enable JavaScript in emails? Someone at Yahoo! wasn't paying attention to basic security.

Re:First reported (2, Funny)

Sloppy (14984) | more than 8 years ago | (#15523858)

My question is: who thought it was a good idea to enable JavaScript in emails?

My question is: who thought it was a good idea to enable Javascript in web browsers?

Re:First reported (0)

Anonymous Coward | more than 8 years ago | (#15523863)

Hello!!! Yahoo is a web mail service. You can turn off JavaScript in Mozilla Mail, but you're using Mozilla Navigator to access your Yahoo mail. Wanna turn off JavaScript *everywhere*?

Re:First reported (2, Funny)

ch-chuck (9622) | more than 8 years ago | (#15524053)

Somewhere, there's an advertising executive with big bucks who thinks it would be a great idea to enable ring-0 kernel mode privileged assembly code in email so they can not only install a new graphics driver, but also set the screen resolution and audio level to appropriate levels for optimum customer experience of their special purchasing opportunity announcements.

Re:First reported (3, Informative)

Bogtha (906264) | more than 8 years ago | (#15524276)

The article is wrong when it claims that it's "a flaw in JavaScript", it's a flaw in Yahoo's webmail. So the answer to your question is almost certainly: nobody thought it was a good idea to enable JavaScript in emails, the developers working on Yahoo's webmail didn't escape things properly and nobody was doing decent QA to catch the mistake the developers made. So basically, it's a management error.

There doesn't seem to be detailed technical information available anywhere, but it sounds very much like it's just a specialised form of an XSS attack, where you sneak code into the application in such a way that the application doesn't encode it properly for output to another user.
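The bug class described in the comment above, next to an allowlist renderer that avoids it, as an added example (not Yahoo's code and not part of the original comment). The function names, the tag allowlist and the sample message are constructed for illustration.

```javascript
// Added example: rendering untrusted mail inside a webmail page.
// Not Yahoo's code; names, allowlist and sample message are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: the result is always inert text, never markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// The bug class: message fields pasted into the page unencoded, so any
// script or event handler in the mail runs with the webmail site's origin.
function renderUnsafe(msg) {
  return `<h1>${msg.subject}</h1><div class="body">${msg.html}</div>`;
}

// Allowlist of tags and, per tag, the only attributes allowed to survive.
// Event handlers (on*), style and target are absent, so they are dropped.
const ALLOWED = new Map([
  ['p', []], ['br', []], ['b', []], ['i', []], ['em', []], ['strong', []],
  ['ul', []], ['ol', []], ['li', []], ['blockquote', []],
  ['a', ['href']], ['img', ['src', 'alt']],
]);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_URL = /^(?:https?:|mailto:)/i; // scheme allowlist, not a blocklist

// A tag is recognised only if it is fully well formed; anything else is text.
const TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>=`]+))?)*)\s*\/?>/g;
const ATTR = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>=`]+)))?/g;

// Rebuild, don't filter: the output contains only (a) encoded text and
// (b) tags this function wrote itself from allowlisted names and attributes.
// Limitation: entities already present in the mail are re-encoded and shown
// literally, which costs fidelity but not safety.
function sanitizeHtml(html) {
  const src = String(html);
  let out = '';
  let last = 0;
  for (const m of src.matchAll(TAG)) {
    out += escapeHtml(src.slice(last, m.index)); // text before this tag
    last = m.index + m[0].length;
    const name = m[2].toLowerCase();
    if (!ALLOWED.has(name)) { out += escapeHtml(m[0]); continue; } // e.g. <script>
    if (m[1] === '/') { out += `</${name}>`; continue; }
    let attrs = '';
    for (const a of m[3].matchAll(ATTR)) {
      const key = a[1].toLowerCase();
      const value = (a[2] ?? a[3] ?? a[4] ?? '').trim();
      if (!ALLOWED.get(name).includes(key)) continue;             // onload, target, ...
      if (URL_ATTRS.has(key) && !SAFE_URL.test(value)) continue;  // javascript:, data:, ...
      attrs += ` ${key}="${escapeHtml(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeHtml(src.slice(last));
}

// Hardened renderer: headers are encoded, the HTML body goes through the allowlist.
function renderSafe(msg) {
  return `<h1>${escapeHtml(msg.subject)}</h1><div class="body">${sanitizeHtml(msg.html)}</div>`;
}

// Constructed sample message (not the worm's actual content).
const sample = {
  subject: 'Holiday photos <script>alert(0)</script>',
  html: '<p>Hello <b>there</b></p>' +
        '<img src="https://img.example/a.png" onload="alert(1)">' +
        '<script>alert(2)</script>' +
        '<a href="javascript:alert(3)" target="_blank">link</a>',
};

console.log(renderSafe(sample));
```

Because the sanitizer writes every tag it emits and encodes everything else, input it fails to parse degrades to visible text rather than to live markup.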

Javascript == web security problem number 1 (0)

Anonymous Coward | more than 8 years ago | (#15523659)

Users: disable javascript
Devs: Make sure your site is functional without javascript

What's so difficult to grasp here?

Re:Javascript == web security problem number 1 (0)

Anonymous Coward | more than 8 years ago | (#15523754)

BUT YOU CANT USE AJAX WITHOUT JAVASCRIPT!

WEB 2.0!!!! TWO POINT Oooh!!!

Savages... Webpages without asynchronous callbacks, without rounded corners and moving layers...

Re:Javascript == web security problem number 1 (0)

Anonymous Coward | more than 8 years ago | (#15523767)

One of the worst websites for people who value their browser's and computer's security is BBC News [bbc.co.uk] with its Javascript-required to play videos. Sure, you can enable Javascript only for the BBC News website, but how many ordinary people do that, and more to the point, why on earth does the BBC require people to enable Javascript to view a video?

Re:Javascript == web security problem number 1 (1)

GabboFlabbo (595073) | more than 8 years ago | (#15524031)

why on earth does the BBC require people to enable Javascript to view a video?

More importantly: Why would the BBC require you to use a Browser to view a video?

Re:Javascript == web security problem number 1 (0)

Anonymous Coward | more than 8 years ago | (#15524250)

More importantly: Why would the BBC require you to use a Browser to view a video?
Even more importantly, let's return to the security issue which was that the simple action of clicking on a link to watch a video ludicrously requires everybody to accept poor security by using browsers with Javascript turned on.

YOU PRIMITIVE FUCKING MONKEY (0)

Anonymous Coward | more than 8 years ago | (#15523811)

GO BACK TO THE JURASSIC ERA OF WEB CODING

Important Stuff
Please try to keep posts on topic.
Try to reply to other people's comments instead of starting new threads.
Read other people's messages before posting your own to avoid simply duplicating what has already been said.
Use a clear subject that describes what your message is about.
Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page)
If you want replies to your comments sent to you, consider logging in or creating an account
Problems regarding accounts or comment posting should be sent to CowboyNeal.

Re:Javascript == web security problem number 1 (2, Funny)

GabboFlabbo (595073) | more than 8 years ago | (#15523986)

Users: disable javascript Devs: Make sure your site is functional without javascript What's so difficult to grasp here?
I agree 99%. I'd also recommend turning off your computer and hiding under your desk.

Temp Patch (0)

Anonymous Coward | more than 8 years ago | (#15523661)

How about disabling the java-script ?

I remember a few months ago there was another security threat on Mac OS X where if you allowed automatic execution of the downloaded dashboard widgets, it could compromise your system. Well then don't blindly run it. Ok I admit, it is not the same.

that's nothing (-1, Offtopic)

mgabrys_sf (951552) | more than 8 years ago | (#15523665)

Windows Vista runs on the Mac - according to Microsoft's own website!

http://tech.msn.com/business/default.aspx [msn.com]

Clearly seen - the Apple Display, and the Mac keyboard. Running VISTA - wow!

Medireview virus attacks yahoo. (4, Interesting)

leuk_he (194174) | more than 8 years ago | (#15523679)

I thought the security of yahoo would have captured an old [wikipedia.org] javascript virus by now. But I do not understand: how can this javascript break out of the browsers? Isn't yahoo just a webmail website? Then how would the local pc be affected? Why would you have to scan your pc as Symantec tells you?

Ok, the virus can send a lot of e-mails and break the yahoo mail system. Or is there something about yahoo mail I do not understand?

Re:Medireview virus attacks yahoo. (1)

42Penguins (861511) | more than 8 years ago | (#15523854)

A JavaScript ..erm...script should be treated as an executable. Sure, it's based on Yahoo's servers, but when you open it, it's run on YOUR PC and will do whatever good/evil deeds it's written to do.

I think that a bigger detriment to your system comes with running modern Symantec products! AVG, ZA, and S&D make my day.

Re:Medireview virus attacks yahoo. (0)

Anonymous Coward | more than 8 years ago | (#15524017)

A JavaScript ..erm...script should be treated as an executable. Sure, it's based on Yahoo's servers, but when you open it, it's run on YOUR PC and will do whatever good/evil deeds it's written to do.


Right. However, if it can screw up your PC, that's called a browser vulnerability, and gets its own story. This seems to be just a pest which executes stuff that a web page's javascript should be able to do (i.e. submit a form, load another page, etc.). However, what makes this concern-worthy is that it harvests e-mail addresses.

So yes, javascript is executable, but with a decent browser, this shouldn't harm a local PC.

p.s. the captcha is getting to be a bit too hard

Re:Medireview virus attacks yahoo. (0)

Anonymous Coward | more than 8 years ago | (#15524583)

p.s. the captcha is getting to be a bit too hard

No captcha on slashdot if you are not lazy to sign in. Sign in and then they "post as ac"

Re:Medireview virus attacks yahoo. (4, Informative)

larkost (79011) | more than 8 years ago | (#15524052)

The poster's question is valid. He/she is asking if the JavaScript worm can actually do anything other than work within the browser, as in how can the worm "infect" the computer. The answer is that it can't. It only harvests the email addresses that are on your Yahoo addressbook, and emails itself to them, once again through Yahoo. So everything is done within the browser, and there is no compromise outside the browser's sandbox.

With a little creativity, this could be extended to grab a file off the HD, and send the data to any site it chose, but it does not sound like that is the case here.

JavaScript and CSS (0)

Anonymous Coward | more than 8 years ago | (#15523683)

Redesign CSS now so it does not depend on enabling JavaScript. Enabling downloadable executable content in browsers has always been bad for security.

Re:JavaScript and CSS (2, Funny)

fputs(shit, slashdot (645337) | more than 8 years ago | (#15523716)

Redesign CSS now so it does not depend on enabling JavaScript.
Try:
crack-cocaine { smoke: false; }

Re:JavaScript and CSS (0)

Anonymous Coward | more than 8 years ago | (#15523836)

Talking of crack, try:
I am not addicted to Javascript
I am not even slightly addicted to Javascript
I have never been and will never be addicted to Javascript
Ok, darn it, I admit I am hopelessly addicted to Javascript, always have been and that's the way I like it.

Re:JavaScript and CSS (1)

FuzzyBad-Mofo (184327) | more than 8 years ago | (#15524365)

As far as I'm aware, the only browser which tied JavaScript and CSS support together was the craptacular Netscape 4.x. Modern browsers let you enable/disable them independently.

Rating system (0)

Anonymous Coward | more than 8 years ago | (#15523686)

The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."

1: It is a worm
2: barely severe
3: lesser severe
4: less severe
5: most severe

The solution has been automatically distributed to all Yahoo Mail customers, and requires no additional action on the part of the user," a Yahoo representative said.... It takes advantage of a JavaScript vulnerability.

means: they fixed some javascript code and validation and such on their server.

Both Yahoo and Symantec are encouraging people to update the antivirus definitions on their PCs

soon to expect: "Yahoo! Antivirus, a symantec product".

The worm, which was spotted in the wild early this morning

Of course, it was sunny out...

Although the worm is spreading quickly, and no patch has been issued

It was too hyper and running too fast in the wild to be successfully captured and patched with a yahoologo.

Infecting the computer? (1)

0123456 (636235) | more than 8 years ago | (#15523688)

As I understand it, this doesn't infect the computer it runs on, it just uses the evils of Javascript to grab addresses from your contacts list and forward a copy to everyone in there while passing them on to a spammer site. There should be nothing left behind to 'infect' the computer it runs on, and it will run on anything that supports Javascript... which is needed to use Yahoo mail in the first place.

Just another reason why Javascript is evil.

Can't we all just leave each other alone? (3, Funny)

NotQuiteReal (608241) | more than 8 years ago | (#15523707)

Ironically, those of us with no contacts in our yahoo mail make for the best of friends!

Symantec (3, Insightful)

omeomi (675045) | more than 8 years ago | (#15523691)

Symantec is rating the threat a '2.'

The lowball number is interesting, especially given the fact that Symantec is the company charged with the task of keeping an outbreak like this from happening:

Symantec to scan Yahoo Mail for viruses [infoworld.com]

Makes you wonder. (0, Troll)

AltGrendel (175092) | more than 8 years ago | (#15523834)

Exactly what did yahoo do to make Symantec angry?

Re:Makes you wonder. (0, Redundant)

Tim C (15259) | more than 8 years ago | (#15523953)

Eh? The worm itself (at least from the description here) sounds relatively serious; the 2 would seem rather low, until you factor in that the company doing the rating is the same company that's currently failing to stop it.

Exploits a javascript bug? (2, Insightful)

NynexNinja (379583) | more than 8 years ago | (#15523697)

The article is lacking many details, like specifically which browsers seem to be vulnerable to this problem, or even if this is a browser bug that it is exploiting.... It could be a server side problem they are exploiting, or a client side browser bug. It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder, although from the article it is impossible to determine this.

Re:Exploits a javascript bug? (1)

danskal (878841) | more than 8 years ago | (#15523817)

My guess is that it's a bug in the yahoo webmail application itself, rather than a bug in javascript per se - therefore it is not limited by which browser you have, as you need javascript enabled to use yahoo mail.

The bug probably lies in the ability to access yahoo's own webmail javascripts to obtain addresses and send mails from a script within the mail itself. Presumably they have tried to block scripts from doing this, but not successfully.

Their webmail beta rocks, by the way - it kicks hotmail's equivalent beta into touch.

Re:Exploits a javascript bug? (2, Funny)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#15523824)

The article is lacking many details, like specifically which browsers seem to be vulnerable to this problem, or even if this is a browser bug that it is exploiting.... It could be a server side problem they are exploiting, or a client side browser bug.

It is a server side bug. They allow javascript to run in mail messages.

It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder

I saw it work under OS X 10.4 and Safari in my GF's account. For slightly more info check out this link [trendmicro.com] .

Re:Exploits a javascript bug? (1)

Nutria (679911) | more than 8 years ago | (#15523842)

It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder, although from the article it is impossible to determine this.

I was wondering this, too. Why aren't users of Firefox/Linux affected?

Re:Exploits a javascript bug? (1)

fatboy (6851) | more than 8 years ago | (#15523894)

From what I can see [groovin.net] , it checks window.XMLHttpRequest and if that fails, it uses ActiveXObject('Microsoft.XMLHTTP').

I checked it and it does work in Firefox.

Re:Exploits a javascript bug? (0)

Anonymous Coward | more than 8 years ago | (#15524011)

It "worked" (propagated) from my wife's account using Firefox on Fedora Core 3.

Spread? (2, Interesting)

argStyopa (232550) | more than 8 years ago | (#15523712)

I just got a wave of mails in my gmail box that are from random senders, with multiple small 1-4k attachments.

Anyone have any idea if this works on/through gmail too?

Didn't get to my wife via her hotmail . . . (1)

mmell (832646) | more than 8 years ago | (#15523821)

but this doesn't actually infect the user's computer; it harvests e-mails from the user's machine, but it uses Yahoo's server to perpetrate its evil.

I'm pretty sure gMail is safe from this particular exploit.

Re:Spread? (1)

dtsazza (956120) | more than 8 years ago | (#15523846)

If you're curious, you can presumably use Gmail's POP service to read your messages in a client that doesn't support JavaScript (most, if not all, standalone email clients). That way you can inspect the headers, read the email and even assess the attachment without having to worry about any embedded JS.

While I have a Gmail account, I haven't checked it via the web interface for months now - checking it in Evolution gives me more power over sorting, filtering, etc. And while being able to access your mail from anywhere is handy, I find it just doesn't matter for personal mail - I can't really be expected to read and respond to it during the day anyway (no matter how horny those lesbo vixens get)...

Re:Spread? (1)

mgblst (80109) | more than 8 years ago | (#15523879)

I just got a wave of mails in my gmail box that are from random senders, with multiple small 1-4k attachments.

Anyone have any idea if this works on/through gmail too?

 
Nah, that was just me, fooling with ya...sorry.

Re:Spread? (1)

Khyber (864651) | more than 8 years ago | (#15524310)

This would not surprise me since many parts of Gmail require Javascript.

Heh (-1, Flamebait)

Khammurabi (962376) | more than 8 years ago | (#15523715)

"Antivirus definitions have been released for it, and Yahoo is working on a patch, so we don't want to cry wolf."
Translation: "We were hoping the NSA would be more discreet about their activities, but at least we're helping national security."


So that'll be a -1 Offtopic, -2 Not Funny, and I'll take a side of -1 Flamebait please. (Sorry, couldn't resist.)

Behavior (2, Informative)

kevin_conaway (585204) | more than 8 years ago | (#15523730)

The article doesn't really mention the behavior of the worm and is actually slightly misleading. It doesn't "infect" your computer per se, it harvests your address book contacts and then spams them. From a different article: [theregister.co.uk]

Once executed, the worm forwards itself to an infected users' contacts on Yahoo! Mail. It also harvests these address and sends them to a remote internet server. Only contacts with an email address of either @yahoo.com or @yahoogroups.com are hit by this behaviour.

As The Worm Turns... (1)

creimer (824291) | more than 8 years ago | (#15523740)

I just tried to compose an email in my Yahoo! email account and was informed that my contact list failed to load. So did the worm eat my contact list?

BETA version not affected (1)

Like2Byte (542992) | more than 8 years ago | (#15523742)

I've seen lots of complaints about people using javascript and Yahoo!'s use of it. Yahoo!'s beta version is not affected by this worm.



FTFA, "The Yamanner worm targets all versions of Yahoo Web-based mail except the latest beta version, Symantec said in an advisory released Monday." (Emphasis mine)

Here is the Source, Luke. (3, Informative)

fatboy (6851) | more than 8 years ago | (#15523769)

Lameness filter got me. Here is a link [groovin.net] .

This is Cross Site Scripting (0)

Anonymous Coward | more than 8 years ago | (#15523771)


The Cross Site Scripting FAQ [cgisecurity.com]

Crime and punishment (3, Interesting)

erroneus (253617) | more than 8 years ago | (#15523919)

In short, I believe there should be some very stiff penalties to pay if it is proven that someone has written and deployed malware of this sort. There should be prison time and forfeiture of any money and assets acquired as a result of gains from this activity.

People often complain that punishment is too severe for this otherwise 'harmless' activity (and often compared to more heinous crimes such as assault, robbery, murder sex/child related crimes) and that damages are quite often exaggerated beyond reason. I can't say much about exaggerated damages, but I can say that in addition to other classifications of crimes, I also consider the following:

Planned/premeditated or not. Many aspects of the more heinous crimes where punishment is often less than these "white collar" crimes are not planned or premeditated. They are driven by little more than emotional or other motives. There is something more cold, more dark and indeed more arrogant when it comes to crimes such as the act of creating and deploying an internet worm. There is no question that what they are doing is immoral and illegal. They perform the act believing they will not be caught, that they will profit from the act and seemingly that it is somehow their right to take advantages of weaknesses in security simply because they are 'superior' in some way.

I see a noticeable decline in the amount of spam in my inboxes of late. People claimed that the current federal legislation regarding spam wasn't enough and yet I see stories of people being prosecuted under these laws successfully and when these people are put out of business, most all see a difference -- an improvement. It's working.

We don't need more legislation, but we do need to up the level of aggression in pursuing these people and up the amount of punishment they are given when they are caught. While they are thinking about their planned attacks, they need to have cause to consider the potential cost to their lives as well.

Firefox (0)

Anonymous Coward | more than 8 years ago | (#15523948)

I opened this email yesterday with Firefox, but didn't get the Javascript popup that people have reported. My anti-virus also didn't complain (I use AntiVir), but then if it didn't install anything and just harvested addresses it wouldn't have set off any anti virus. I'll have to check my computer when I get home, but I'm wondering if Firefox saved me from this one.

I thought... (0, Offtopic)

Salk (17203) | more than 8 years ago | (#15523974)

... 2 was hand on bosom outside shirt

Re:I thought... (1)

devjoe (88696) | more than 8 years ago | (#15524211)

That's second base. [everything2.com]

"a flaw in JavaScript"? (2, Insightful)

bcmm (768152) | more than 8 years ago | (#15523982)

A flaw in whose JS implementation then?

The worm may not be as "innocent" (4, Informative)

trifish (826353) | more than 8 years ago | (#15523989)

Some people tend to think that this worm is harmless (just "spreading itself"). But the worm actually sends the harvested email addresses to an external site - www.av3.net [which I wouldn't dare to browse to].

Here are the technical details of the worm:

1) Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:

From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.

2) Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.

3) Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.

4) Targets email addresses from the @yahoo.com and @yahoogroups.com domains.

5) Contacts the following URL:

[http://]www.av3.net/index.htm

6) Sends a list of email addresses gathered to the above URL.
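
Added example (not part of the comment above, and not Yahoo's or the worm's code): the thread attributes the worm to script being allowed to run in the rendered mail body, so this Python example shows the usual server-side mitigation, an allowlist sanitizer applied to a message before it is displayed. The tag and attribute policy, the names `MailSanitizer`, `safe_url` and `sanitize`, and the sample message are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlist policy (an assumption for this example, not Yahoo's real filter).
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "p": (), "b": (), "br": ()}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}
VOID = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    # Browsers ignore tabs/newlines inside a scheme, so strip them first.
    compact = "".join(ch for ch in value if ord(ch) > 0x20)
    return urlsplit(compact).scheme in SAFE_SCHEMES

class MailSanitizer(HTMLParser):
    def __init__(self):
        # The parser decodes character references in attribute values,
        # so "&#106;avascript:" is checked as "javascript:".
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_ATTRS:
            kept = ""
            for name, value in attrs:
                value = value or ""
                # Unlisted attributes (onload=, style=, ...) and unsafe URLs are dropped.
                if name in ALLOWED_ATTRS[tag] and (name not in ("href", "src") or safe_url(value)):
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_ATTRS and tag not in VOID:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:  # text inside a dropped element is discarded
            self.out.append(escape(data))

def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()  # flush any buffered text
    return "".join(parser.out)

# Constructed sample message body (not the worm's actual code).
SAMPLE = ('<p>Note: forwarded message attached.</p>'
          '<img src="http://example.test/logo.gif" onload="doSomething()">'
          '<script>doSomething()</script><a href="javascript:doSomething()">site</a>')
```

Because the policy is an allowlist, an unclosed `<script>` leaves `skip_depth` raised and everything after it is discarded, so the filter fails closed rather than open.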

Lacks information (1)

darkheavy (78519) | more than 8 years ago | (#15524075)

It would be nice to know if the worm affects any Web Browser or only the usual suspect (it seems so, for the platforms affected are only Windows 95-2003)

Why isn't Yahoo saying anything about this? (2, Insightful)

shotgunefx (239460) | more than 8 years ago | (#15524156)

Don't see anything on the home page, my.yahoo, or even the login page of yahoo mail.

That's pretty shitty. How hard would it be to add a warning and some helpful directions to the template of the login page?

the creators website is still up (1, Insightful)

Anonymous Coward | more than 8 years ago | (#15524308)


and still collecting all those addresses

http://www.av3.net/ [av3.net]

and the whois is of course using that American whois "privacy" service, perhaps the FBI would like to sift through their computers, I am sure a lot of online crime could be cleared up quite quickly

Mac users aren't directly affected by this (-1, Troll)

macslut (724441) | more than 8 years ago | (#15524487)

Mac users aren't directly affected by this. Likewise if you turn off HTML email. Of course we still have to deal with infected waste from idiots with PCs who don't take any precautions. And of course our headlines today will be filled with this story.