An Italian security researcher this week has developed the first Web-based e-mail worm capable of taking advantage of cross-site scripting (XSS) vulnerabilities in multiple Web-mail services.
Rosario Valotta described the new form of worm on his blog. The proof of concept, called Nduja Connection, could spread faster than one targeting only a single Web-mail provider, he said.
E-mail worms propagate by extracting contact information from the address book of each infected user and then sending an e-mail carrying the worm payload to each contact; a user needs only to open an infected e-mail message to spread the worm.
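Because the worm's payload is script embedded in the message body, the check that decides whether opening a message can run code at all is the HTML sanitisation a Web-mail front end applies before injecting the message into its own page. The allow-list sanitiser below is an added example of that check; it is not code from Valotta's proof of concept or from any of the providers named in this article, and the tag and attribute lists, the `isSafeUrl` rule and the sample body (constructed to mirror the worm's structure, not its real code) are this example's own assumptions. It runs under Node without a DOM.

```javascript
// Allow-list sanitiser for HTML e-mail bodies (added example; assumptions noted inline).
// Anything not explicitly allowed is either dropped or escaped so it renders as text.

// Tags a message may keep (assumed list).
const ALLOWED_TAGS = new Set([
  "a", "b", "i", "u", "em", "strong", "p", "br", "div", "span",
  "ul", "ol", "li", "blockquote", "img",
]);
// Tags whose entire content is discarded, not just the tag itself.
const DROP_CONTENT_TAGS = new Set(["script", "style", "iframe", "object"]);
const VOID_TAGS = new Set(["br", "img"]);
// Attributes that may survive; URL-bearing ones are additionally checked by isSafeUrl.
const ALLOWED_ATTRS = new Set(["href", "src", "title", "alt"]);
const URL_ATTRS = new Set(["href", "src"]);

// One start or end tag: optional "/", name, attribute list (quoted values may contain ">").
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
// One attribute inside a tag: name, optional quoted or bare value.
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Allow-list, not deny-list: "javascript:", "data:", vbscript and every
// entity-encoded or whitespace-padded variant fail this test without being enumerated.
function isSafeUrl(value) {
  return /^(https?:|mailto:)/i.test(value.trim());
}

function sanitizeAttrs(rawAttrs) {
  let out = "";
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!ALLOWED_ATTRS.has(name)) continue;                 // drops every on* handler, style, ...
    if (URL_ATTRS.has(name) && !isSafeUrl(value)) continue; // drops javascript: and friends
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

function sanitizeEmailHtml(html) {
  let out = "";
  let pos = 0;
  let dropUntil = null; // name of a DROP_CONTENT tag whose body is being skipped
  TAG_RE.lastIndex = 0;
  for (let m = TAG_RE.exec(html); m !== null; m = TAG_RE.exec(html)) {
    const [tag, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    const isClose = slash === "/";
    if (dropUntil !== null) {                 // inside <script>...</script> etc.: discard
      if (isClose && name === dropUntil) dropUntil = null;
      pos = m.index + tag.length;
      continue;
    }
    out += escapeHtml(html.slice(pos, m.index)); // text between tags
    pos = m.index + tag.length;
    if (DROP_CONTENT_TAGS.has(name)) {
      if (!isClose) dropUntil = name;
    } else if (!ALLOWED_TAGS.has(name)) {
      out += escapeHtml(tag);                   // unknown tag becomes visible text
    } else if (isClose) {
      if (!VOID_TAGS.has(name)) out += `</${name}>`;
    } else {
      out += `<${name}${sanitizeAttrs(rawAttrs)}>`;
    }
  }
  if (dropUntil === null) out += escapeHtml(html.slice(pos)); // unclosed <script> swallows the rest
  return out;
}

// Constructed sample body mirroring the worm's structure (not the real Nduja Connection code):
// script that would read the address book and resend the message, plus the usual fallbacks.
const SAMPLE_BODY =
  "<p>Hi!</p>" +
  "<script>/* read the address book, resend this message to every contact */</script>" +
  '<img src="x" onerror="/* same payload, fired by the broken image */">' +
  '<div onmouseover="/* same payload on hover */">hover me</div>' +
  '<a href="javascript:/* same payload on click */">Read more</a>' +
  '<a href="&#106;avascript:/* entity-encoded variant */">also bad</a>' +
  '<a href="https://example.com/">safe link</a>';

console.log(sanitizeEmailHtml(SAMPLE_BODY));
```

The sample body comes out as `<p>Hi!</p><img><div>hover me</div><a>Read more</a><a>also bad</a><a href="https://example.com/">safe link</a>`: every vector that would let the payload execute on open, hover or click is gone while the legitimate markup survives. The design point is that the function never tries to recognise an attack; it only recognises what it is willing to render, which is why the entity-encoded `javascript:` variant is handled without a special case.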
Until now, proof-of-concept e-mail worms have been restricted to affecting only one e-mail client; the Nduja Connection worm, however, has the potential to spread faster due to its ability to infect users of four different Web-mail services.
The four Web-mail services affected by the worm are Italian providers Libero.it, Tiscali.it, Lycos.it and Excite.com. “The choice of the providers of this [Proof of Concept] has been bound to the presence of an exploitable [vulnerability] (with the above features) within the Web-mail domain. Also other popular providers (for example Gmail, Yahoo, Hotmail) suffer from XSS [vulnerabilities] in their Web-mails, but their severity is not so high to let worms like Nduja Connection to propagate,” Valotta wrote.
Web-mail worms have existed in the wild since 2006, when the Yamanner worm targeted the Yahoo e-mail system and spread quickly among its users. It is difficult to quickly stop or slow the
renders the Web-mail system unusable.