Its not mine 🙂

Selling Yahoo Self Spread XSS Worm

About the worm :

The worm self spreads via instant messaging and email.
The worm steals cookies from Yahoo users and uses them to authenticate itself in order to send spam to the contacts of the victim. The spammed contacts recive an ‘interesting’ URL. If they click it, their cookies will be stolen and send to the worm for instant or later use ( depending of config ). It supports proxies ( format check, avaiability check, type check ). The emails and IMs also bypass spam checkers.

About the XSS :

After I disclosed the XSS hole in the Pipes service ( version 1 ),pipes.yahoo.com, I found another one in Pipes, but in the version 2 of it.

The advantage of this UNIQUE XSS :

Because of the Pipe service design, the XSS is fully stealthed. The requests sent to the worm cannot been seen in the headers ( because Yahoo itself sends the requests ) !!! I also provide private javascript encoding and special PHP and Apache configuration so that the worm and XSS(!)cannot(!) be found. Besides that, I also offer offshore hosting for the worm and private SOCKSv5 / Proxies ( uses by the worm or by you in the process of the pipe creation ).

THE BEST PART :

My XSS also hides the pipe module that has the javascript code in it !!! Meaning if someone opens the pipe, they cannot see the XSS, the module, the headers or the worm !

Contact :

twitter.com/paxnwo
pax [][]@[][] secure.cn.com

http://pastebin.com/c4ZzbBx7

Some clearing :

YOU WILL NOT DISPATCH IT TO YAHOO
YOU WILL NOT DISCLOSE IT OR SHARE IT
YOU ARE RESPONSABLE FOR IT ( althou I provide you strong privacy for the use of the worm )
YOU CAN HAVE THE SOURCE ONLY IF YOU PROOVE ME THAT THE SOURCE CANNOT BEEN SEEN OR STOLEN BY OTHERS
YOU WILL NOT SHARE OUR FUTURE CONVERSATIONS ( and we will not use Yahoo Messenger )
YOU CAN DO WHATEVER YOU WANT WITH IT ( but don’t break the rules above )

I WILL NOT DISCLOSE YOUR IDENTITY
I WILL NOT ASK SENSITIVE QUESTIONS ( only those which ensure me that you are ok )
I WILL OFFER YOU SUPPORT FOR 6 MONTHS AFTER THE EXCHANGE ( also a limit of 3 XSS backup if this one will get patched, but not shure if it will ever get patched )
I HELD THE RIGHT TO KEEP THE SOURCES AND THE XSS SAFE !

I ACCEPT ONLY WESTERN UNION

IF YOU ARE YAHOO, SUCK ME !

From trusted sources paxnwo isn’t the one that discovered the XSS but the worm is written by him.