Yahoo Webmail Worm on the Loose

The Highlander


Security experts are warning of a new e-mail worm that takes advantage of a flaw in Yahoo's Web mail system to redirect users to advertising sites and to spread the worm to everyone in the victim's e-mail address book.


According to an advisory issued by Symantec, "JS.Yamanner" exploits an unpatched Javascript vulnerability that kicks in when the user opens an e-mail infected by the worm. Unlike most e-mail-based worms -- which launch when the recipient clicks on an infected file attachment -- this one spreads merely by getting the user to open the e-mail.


There may well be different versions of this bugger going around, but the one being tracked at the moment has "av@yahoo.com" in the sender field, with the subject "New Graphic site." Symantec said users of Yahoo Mail Beta do not appear to be vulnerable to the worm.


When I followed the redirects on a test version of Windows XP, it launched two Web sites -- one advertising various online animations and graphics, and another that asks the visitor to download "Casino Tropez," an online-gambling program apparently operated out of the Caribbean island of Antigua (its entry at SiteAdvisor indicates this company is known for advertising via spam with forged e-mail headers).


The site hawking the online animations is registered to an Alireza Lavaei in Ontario, Canada. The server that hosts the site also hosts about 50 other marketing sites, most of them written in Arabic. It's important not to read too much into the registration information, as it is most likely fraudulent. Still, it is interesting to note that the server also hosts a (currently inactive) site called Yahoo-Incs.com; people who work for Yahoo have e-mail addresses that end in yahoo-inc.com, so such a site could be fairly effective if leveraged in tandem with future social engineering attacks on Yahoo users.



This attack does not appear to try to foist malware on visitors, but according to Web security firm Websense, a trivial reconfiguration to the worm could direct victims to sites that do. I have a call in to the people at Yahoo, but until this vulnerability is fixed, you're probably best off taking Websense's advice and using another Web mail program like Gmail or Hotmail.


However, according to a writeup on this by the SANS Internet Storm Center, there may be no easy way to fix this vulnerability. SANS incident handler Arrigo Triulzi wrote that turning off Javascript on your browser will prevent you from reading your Yahoo Webmail.


SANS also says it's aware of two versions of this worm going around, released just two hours apart: "The [quick] release of a new version ... which partially fixes the first version indicates that the code is very much under development and you should assume that the remaining bugs will be rapidly ironed out."


Link to article Here
