Italian develops first multi-site web-mail worm
An Italian security researcher this week has developed the first web-based email worm capable of taking advantage of cross site scripting (XSS) vulnerabilities in multiple web-mail services.
Rosario Valotta described the new form of worm on his blog. The proof of concept, called Nduja Connection, could spread faster than a worm targeting only a single web-mail provider, he said.
Email worms propagate by extracting contact information from the address book of each infected user, and then sending out an email with the worm payload to each contact â a user needs only to open an infected email message to spread the worm.
Prior-concept email worms have been restricted to affecting only one email client; however, the Nduja Connection worm has the potential to spread faster due to its ability to infect users of four different web email clients.
The four web-mail services affected by the worm are Italian providers Libero.it, Tiscali.it, Lycos.it and Excite.com. “The choice of the providers of this [proof of concept] has been bound to the presence of an exploitable [vulnerability] (with the above features) within the web-mail domain. Also other popular providers (for example Gmail, Yahoo, Hotmail) suffer from XSS [vulnerabilities] in their web-mails, but their severity is not so high to let worms like Nduja Connection to propagate,” Valotta wrote.
Web-mail worms have existed in the wild since 2006, when the Yamanner worm targeted the Yahoo email system and spread quickly throughout users of the system. It is difficult to quickly stop or slow the spread of this kind of worm once it has begun, due to its use of JavaScript. Turning off JavaScript in the browser renders the web-mail system unusable.