SANS ISC: InfoSec Handlers Diary Blog

Yahoo! mass-mailer

Published: 2006-06-12
Last Updated: 2006-06-12 21:19:00 UTC
by Arrigo Triulzi (Version: 5)
A Yahoo! mass-mailer is currently making the rounds with a subject of "[random word] New Graphic site".

It was first reported to the ISC at 12:32 UTC and now appears to be circulating in two slightly different variants.  Analysis by Lorna and myself shows that both variants are flawed: they spread very effectively but do not actually perform the intended action.  The mass-mailer attempts to open a browser window to but a spelling mistake prevents this from working.  The website appears to be dormant and is rejecting accesses.

The mass-mailer also submits data to a page on but basic timing analysis of the response time indicates no difference between accessing the page without parameters and accessing it with the slew of parameters generated by the mass-mailer.  This does not necessarily mean that the data is not being harvested there; it is being investigated further.

The release of a new version, barely two hours after we started our analysis, which partially fixes the first version indicates that the code is very much under development, and you should assume that the remaining bugs will be rapidly ironed out.

To activate the mass-mailer it is sufficient to open the mail message, without clicking on the attachment: it will scour your address list and send itself as an attachment (forwarded message) to everyone on it.  It searches for both and e-mail addresses.
Note that this is not a binary attachment but a set of nested forwarded messages which are sent as an attachment in RFC 2822 format.
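The characteristics described above (a subject of the form "[random word] New Graphic site", a message body that needs JavaScript to trigger, and a chain of nested forwarded messages carried as message/rfc822 attachments) are enough for a simple mail-gateway check. The following is an added example written for this diary, not code from the ISC or from Yahoo!: it parses a raw RFC 2822 message with Python's standard `email` library, measures how deep the message/rfc822 nesting goes, checks the subject pattern, and flags an inline `<script>` element in any text/html part. The subject regex treats "[random word]" as any single token, and the `<script>` heuristic is an assumption drawn from the note that JavaScript is required; the sample message is constructed inline and carries no payload.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject quoted in the diary: "[random word] New Graphic site"; the random
# word is modelled as a single non-blank token (assumption).
SUBJECT_RE = re.compile(r"^\S+\s+New Graphic site$", re.IGNORECASE)

# Heuristic for an active HTML body: an inline script element (assumption).
SCRIPT_RE = re.compile(rb"<script\b", re.IGNORECASE)


def nested_rfc822_depth(msg) -> int:
    """Length of the longest chain of message/rfc822 attachments below msg.

    A plain message scores 0; a message forwarding a message forwarding a
    message scores 2.  Only direct children are inspected at each level so
    that the chain length, not the total number of parts, is counted.
    """
    if not msg.is_multipart():
        return 0
    best = 0
    for child in msg.get_payload():
        if child.get_content_type() == "message/rfc822":
            inner = child.get_payload(0)  # the attached message object
            best = max(best, 1 + nested_rfc822_depth(inner))
        else:
            best = max(best, nested_rfc822_depth(child))
    return best


def has_html_script(msg) -> bool:
    """True if any text/html part (at any nesting level) contains <script>."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            if SCRIPT_RE.search(body):
                return True
    return False


def assess(raw_message: str) -> dict:
    """Evaluate one raw RFC 2822 message against the diary's indicators."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    findings = {
        "subject_matches": bool(SUBJECT_RE.match(subject)),
        "html_script": has_html_script(msg),
        "forward_depth": nested_rfc822_depth(msg),
    }
    # Subject alone is weak evidence; require an active body or a forwarded
    # chain as well before flagging.
    findings["suspicious"] = findings["subject_matches"] and (
        findings["html_script"] or findings["forward_depth"] >= 1
    )
    return findings


def build_sample(depth: int) -> EmailMessage:
    """Constructed sample: an HTML message with a placeholder script element,
    wrapping `depth` further copies of itself as message/rfc822 attachments."""
    msg = EmailMessage()
    msg["Subject"] = "fnord New Graphic site"
    msg["From"] = "sender@example.com"   # constructed addresses
    msg["To"] = "victim@example.com"
    msg.set_content(
        "<html><body><script>/* constructed placeholder, no payload */"
        "</script><p>New Graphic site</p></body></html>",
        subtype="html",
    )
    if depth > 0:
        msg.add_attachment(build_sample(depth - 1))  # becomes message/rfc822
    return msg


if __name__ == "__main__":
    for d in (0, 1, 3):
        print(d, assess(build_sample(d).as_string()))
```

At a gateway, `forward_depth` grows by one each hop, so the same check also gives a rough measure of how far a given copy has already travelled, which is useful when deciding whether a block rule is catching early or late copies.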

There is currently no trivial fix for Yahoo! Mail, as turning off JavaScript in the browser will prevent you from reading your e-mail.  For Yahoo! Groups it is recommended that moderators/administrators turn off attachments for the time being to prevent this spreading further.  A long-term fix is apparently to migrate your Yahoo! e-mail to the Yahoo! Mail beta service, although those who have already migrated mention that it is not a painless task.

And, last but not least, thanks to watchful Jeff and Marcus who submitted version 1 and version 2 respectively!

Update: Yahoo! is aware of the issue and is working on a fix; in their words, "Yahoo! Mail is blocking most of these messages, and is working on a fix."

If you still receive mass-mailing messages, in particular with a different subject than the one above, then please let us know!