Analysts Warn: Yamanner Malware Attack on Yahoo Mail Is Just the Beginning of a New Generation of Ajax-Based Malware
Although Yamanner was quickly stopped, it made clear the significant risks that arise when web application development lacks strict security controls.
A Deadly Vulnerability
[Image: Source: Infotech]
To upload images from an email to the mail server, Yahoo Mail relies on several JavaScript functions. The service makes moderate use of Ajax to make the user's interaction with the server more responsive.
However, Yamanner exploited a vulnerability in this JavaScript, replacing the legitimate JavaScript command (used to upload images) with its own code. As a result, the computer is infected as soon as the email is read, with no further user action (such as clicking a link or opening an attachment) required.
JavaScript is a key part of Ajax, a tool increasingly used within web applications. Yahoo itself uses Ajax in Yahoo Calendar, Yahoo Sports, Yahoo Photos, Flickr, and Yahoo Mail.
“The emergence of Yamanner is not surprising as long as websites and businesses continue to deploy Ajax applications without fully understanding their vulnerabilities,” said David Wagner, associate professor of Computer Science at the University of California.
Without stringent, built-in security controls, web applications that use Ajax open numerous doors to hackers. In the case of Yamanner, the worm sends requests from the victim’s computer to the Yahoo Mail server and gathers all the names in the email contact list. It then composes an email to all of these addresses as a new form of self-replication.
This is its most dangerous aspect: users, upon seeing the sender’s address, will not suspect anything and will click on it. “No need for attachments, no links or icons, voila, they are ‘caught’. And then the names in their contact list… it multiplies rapidly,” Wagner stated.
The Hidden Killer
Yahoo Mail is displayed in the Internet Explorer browser, which is designed to run any JavaScript code it finds within an HTML page or email. When the recipient opens the email, nothing indicates that they have been infected.
Everything happens silently behind the scenes. The browser quietly executes the code without checking what it does, and Yamanner certainly gives no notice of its actions on the screen. The only sign is a sudden slowdown of the computer.
[Image: Source: SecurityLabs]
Additionally, Yamanner diligently sends all collected contact information to an unidentified website. In this way, hackers can compile email lists containing tens of thousands of names to sell to spammers.
Why would one of the largest email service providers in the world, such as Yahoo, allow such a vulnerability to exist in its system?
“It’s not that Yahoo is negligent, but filtering JavaScript and ensuring its absolute safety is very, very difficult,” Wagner commented.
Difficult to Defend Against?
Defending against malicious JavaScript becomes far harder because hackers can easily find “entry points” for this new form of attack.
“You don’t have to be exceptionally smart. Finding vulnerabilities in JavaScript is easy; just try running a few sample worms like Yamanner,” noted Gary McGraw, Chief Technology Officer of Cigital.
Once hackers discover such vulnerabilities, they readily share them, along with their “scouting” methods, within their community. In Yahoo’s case, the vulnerability was fortunately patched before hackers exploited it further. But in the future, who can guarantee that such luck will repeat?
Keep in mind that many current services use Ajax, such as Google Maps.
Tian Yi