Weekend worms strike Twitter, teen admits responsibility
Twitter was hit with at least three different worm attacks that started Saturday and continued into Sunday, the micro-blogging service acknowledged as it promised users it would review its coding practices.
Michael "Mikeyy" Mooney, the 17-year-old creator of the StalkDaily Twitter-copycat site, has admitted creating the worms.
"At about 2 a.m. on Saturday, four accounts were created that began spreading a worm on Twitter," company co-founder Biz Stone announced in a blog entry Sunday. "From 7:30 a.m. until 11 a.m. PST, our security team worked on eliminating the vectors that could identify this worm. At that time, about 90 accounts were compromised. We identified and secured these accounts."
That worm, which was widely reported on Saturday and dubbed "StalkDaily," exploited a cross-site scripting vulnerability in the Twitter service to infect user profiles. The original attack relied on tweets that referred to several malicious accounts allegedly created by Mooney; when users viewed those accounts' profiles, their own profiles became infected, and their accounts then sent more spam-style messages to entice friends to the just-infected profiles.
Those messages promoted the StalkDaily site with tweets such as "I love www.StalkDaily.com" and "Dude, www.StalkDaily.com is awesome. What's the fuss?"
The second attack, which Twitter said affected about 100 different accounts, occurred later Saturday, and the third began Sunday. All three were exploiting cross-site scripting bugs in the service.
"All told, we identified and deleted almost 10,000 tweets that could have continued to spread the worm," Stones said in his blog post.
Sunday's worm, which was pegged as "Mikeyy" because the tweets it forced infected accounts to send included "Mikeyy I am done..." and "Man, Twitter can't fix sh*t. Mikeyy owns," was also set loose by Mooney, according to an interview conducted with him earlier today by Net News Daily.
When asked why he created the StalkDaily worm, Mooney said, "Out of boredom. It was the middle of the night and I had nothing else better to do."
Also in the interview, Mooney both dismissed his actions and said he knew the attacks could land him in trouble. "I feel pretty bad about it, but it's not me that left the vulnerability out in the open," he said, then later added, "I'm not worried, though. I know that it could land me in jail."
On the StalkDaily Web site, Mooney posted a short message that read: "I have came clean and have accepted the responsibility for the worm."
Twitter was not available for comment Sunday to answer questions about whether it had, or would contact law enforcement officials.
One security company warned that the attacks may not be over. "There's going to be quite a few modified Twitter worms for a day or two," predicted Mikko Hypponen, chief research officer at F-Secure Corp., on his company's Web site. "Be careful in Twitter, don't view profiles, don't follow links."
Hypponen also noted that the attacks rely on JavaScript, and that users can protect themselves further by disabling JavaScript in their browsers.
Computerworld
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
Antispyware solution from Search-and-destroy.
I have tried so many different types of scans to help keep my PC running at its best and one thing that I discovered is that they all tend to find the same types of bugs. The main difference between them all is the price that you pay. Recently I discovered Search-and-destroy Antispyware at http://www.Search-and-destroy.com and I really like it a lot. Antispyware solution from Search-and-destroy is one of the best scans I have ever used and I’m sure that you will be very happy with it as well. Go ahead and give it a try, you will be glad you did!