Italian develops first multi-site Web-mail worm

An Italian security researcher this week has developed the first Web-based e-mail worm capable of taking advantage of cross site scripting(XSS) vulnerabilities in multiple Web-mail services.

Rosario Valotta described the new form of worm on his blog. The proof of concept, called Nduja Connection, could spread faster than one targeting only a single Web-mail provider, he said.

E-mail worms propagate by extracting contact information from the address book of each infected user, and then sending out an e-mail with the worm payload to each contact -- a user needs only to open an infected e-mail message to spread the worm.

Prior concept e-mail worms have been restricted to affecting only one e-mail client, however, the Nduja Connection worm has the potential to spread faster due to it's ability to infect users of four different Web e-mail clients.

The four Web-mail services affected by the worm are Italian providers Libero.it, Tiscali.it, Lycos.it and Excite.com. "The choice of the providers of this [Proof of Concept] has been bound to the presence of an exploitable [vulnerability] (with the above features) within the Web-mail domain. Also other popular providers (for example Gmail, Yahoo, Hotmail) suffer from XSS [vulnerabilities] in their Web-mails, but their severity is not so high to let worms like Nduja Connection to propagate." Valotta wrote.

Web-mail worms have existed in the wild since 2006, when the Yamanner worm, targeted the Yahoo e-mail system, and spread quickly throughout users of the system. It is difficult to quickly stop or slow the spread of this kind of worm once it has begun to spread due to its use of JavaScript. Turning off JavaScript in the browser renders the Web-mail system unusable.