An Italian security researcher this week has developed the first Web-based e-mail worm capable of taking advantage of cross site scripting(XSS) vulnerabilities in multiple Web-mail services.

Rosario Valotta described the new form of worm on his blog. The proof of concept, called Nduja
Connection, could spread faster than one targeting only a single Web-mail provider, he said.

E-mail worms propagate by extracting contact information from the
address book of each infected user, and then sending out an e-mail with
the worm payload to each contact — a user needs only to open an
infected e-mail message to spread the worm.

Prior
concept e-mail worms have been restricted to affecting only one e-mail
client, however, the Nduja Connection worm has the potential to spread
faster due to it’s ability to infect users of four different Web
e-mail clients.

The four Web-mail services affected by the worm are Italian providers
Libero.it, Tiscali.it, Lycos.it and Excite.com. “The choice of the providers of this [Proof of Concept] has been bound to the presence of an exploitable [vulnerability] (with the above features) within the Web-mail domain. Also other popular providers (for example Gmail, Yahoo, Hotmail) suffer from XSS [vulnerabilities] in their Web-mails, but their severity is not so high to let worms like Nduja Connection to propagate.” Valotta wrote.

Web-mail worms have existed in the wild since 2006, when the Yamanner
worm, targeted the Yahoo e-mail system, and spread quickly throughout
users of the system. It is difficult to quickly stop or slow the
spread of this kind of worm once it has begun to spread due to its use of JavaScript. Turning off JavaScript in the browser
renders the Web-mail system unusable.