Twitter worm "StalkDaily" launched, spread, defeated

Yesterday, Twitter was hit by another worm, currently being referred to as the "StalkDaily" worm. Unlike the last worm we saw, this one didn't require a user to click anything. Merely hitting an infected profile page was enough to infect you as well. It appears "all" the worm did is to commandeer your Twitter account and use it spam Tweets promoting StalkDaily.com, with no lingering maliciousness. If you were infected, your Twitter account sent out Tweets saying something like Join StalkDaily.com everyone or Woooo, StalkDaily.com :), but infection apparently came not from that site, but by visiting an infected profile page. Using a 3rd party client protected you from the whole mess.

For a technical explanation of what was going on, I refer you to Damon Cortesi's Twitter StalkDaily Worm Postmortem. An easy way to check to see if you've been infected is to search twitter for "{your username} stalkdaily.com" and see if you get any hits. If you do, and you don't recognize the Tweets that come up, you're probably infected. Twittercism (who also provided the info on how to detect infection) has details on removing the worm.

According to TechCrunch, the StalkDaily at first claimed no responsibility for the worm:

For everyone wondering, I did NOT promote and/or was involved with the spamming ON Twitter. All bad things you are hearing about this site is not true. Please reconsider as I am not the person who did this…StalkDaily is a website that follows the same functions as Twitter, except more advanced How? Well, instead of just adding an “update status”, people can add pictures and videos. Then you can stalk them, so when they upload a video or picture, or comment someone, you’ll know!

However this morning StalkDaily (which I advise you to not visit) says: "I have came [sic] clean and have accepted the responsibility for the worm, read the interview here, http://www.bnonews.com/news/242.html."

Deciding which statement is the truth and which is the lie, I leave as an exercise for the reader. However, BNO News is not a site I've ever come across before today, and in fact it has a "Coming soon" message and a request for donations on its front page. A curious outlet to choose in order to 'come clean' at. Could this all have been an elaborate ruse to drive traffic and secure donations for BNO News?

UPDATE: BNO News has replied to this suggestion with a statement:

The author suggests that BNO News is connected with "StalkDaily", only because he does not know BNO News. In fact, BNO News runs a popular news service on Twitter (http://www.twitter.com/BreakingNews) with more than 170,000 members and the service is run by journalists from several countries. BNO News is a fairly new company which will soon provide news wire services for media organizations.

In any event, Twitter has plugged the security hole that allowed the problem in the first place, so the world of Twitter is once again safe from the forces of evil. At least until the next exploit is discovered.

UPDATE: It seems another, similar worm, tagged "mikeyy" is now making the rounds. This might be the same attack that 'anonymous' referred to in the comments. Basically best practice right now is to avoid going to profile pages in a web browser, until the Twitter devs get this hole patched for good. If you really must hit a profile page, disable javascript first.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies