Weekend worms strike Twitter, teen admits responsibility

1 comment | 5I like it!
April 13, 2009, 08:36 AM —  Computerworld — 

Twitter was hit with at least three different worm attacks that started Saturday and continued into Sunday, the micro-blogging service acknowledged as it promised users it would review its coding practices.

Michael "Mikeyy" Mooney, the 17-year-old creator of the StalkDaily Twitter-copycat site, has admitted creating the worms.

"At about 2 a.m. on Saturday, four accounts were created that began spreading a worm on Twitter," company co-founder Biz Stone announced in a blog entry Sunday. "From 7:30 a.m. until 11 a.m. PST, our security team worked on eliminating the vectors that could identify this worm. At that time, about 90 accounts were compromised. We identified and secured these accounts."

That worm, which was widely reported on Saturday and dubbed "StalkDaily," exploited a cross-site scripting vulnerability in the Twitter service to infect user profiles. The original attack relied on tweets that referred to several malicious accounts allegedly created by Mooney; when users viewed those accounts' profiles, their own profiles became infected, and their accounts then sent more spam-style messages to entice friends to the just-infected profiles.

Those messages promoted the StalkDaily site with tweets such as "I love www.StalkDaily.com" and "Dude, www.StalkDaily.com is awesome. What's the fuss?"

The second attack, which Twitter said affected about 100 different accounts, occurred later Saturday, and the third began Sunday. All three were exploiting cross-site scripting bugs in the service.

"All told, we identified and deleted almost 10,000 tweets that could have continued to spread the worm," Stones said in his blog post.

Sunday's worm, which was pegged as "Mikeyy" because the tweets it forced infected accounts to send included "Mikeyy I am done..." and "Man, Twitter can't fix sh*t. Mikeyy owns," was also set loose by Mooney, according to an interview conducted with him earlier today by Net News Daily.
When asked why he created the StalkDaily worm, Mooney said, "Out of boredom. It was the middle of the night and I had nothing else better to do."

Also in the interview, Mooney both dismissed his actions and said he knew the attacks could land him in trouble. "I feel pretty bad about it, but it's not me that left the vulnerability out in the open," he said, then later added, "I'm not worried, though. I know that it could land me in jail."

On the StalkDaily Web site, Mooney posted a short message that read: "I have came clean and have accepted the responsibility for the worm."

Twitter was not available for comment Sunday to answer questions about whether it had, or would contact law enforcement officials.

One security company warned that the attacks may not be over. "There's going to be quite a few modified Twitter worms for a day or two," predicted Mikko Hypponen, chief research officer at F-Secure Corp., on his company's Web site. "Be careful in Twitter, don't view profiles, don't follow links."
Hypponen also noted that the attacks rely on JavaScript, and that users can protect themselves further by disabling JavaScript in their browsers.

Computerworld

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

I like it!
Close

On Twitter now

twitter

Powered by Twitter
You are logged in | Sign out
Sign in and post to Twitter

What are you thinking?

Cancel Tweet sent

On Twitter now

Comments

Antispyware solution from Search-and-destroy.

I have tried so many different types of scans to help keep my PC running at its best and one thing that I discovered is that they all tend to find the same types of bugs. The main difference between them all is the price that you pay. Recently I discovered Search-and-destroy Antispyware at http://www.Search-and-destroy.com and I really like it a lot. Antispyware solution from Search-and-destroy is one of the best scans I have ever used and I’m sure that you will be very happy with it as well. Go ahead and give it a try, you will be glad you did!
| reply
peer-to-peer

Esther Schindler
If the comments are ugly, the code is ugly

claird
SVG a graphics format for 21st century

pasmith
Take Chrome OS for a test spin

Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?

sjvn
64-bits of protection?

jfruh
Android fragments vs. the iPhone monolith

mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive

 

Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann

Join the conversation here

The Daily Tip

The Daily TipQuick, practical advice for IT pros. Made fresh daily.

Hot tips:

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.

Newsletters

Subscribe to ITWORLD TODAY and receive the latest IT news and analysis.

I would like to receive offers via email from ITworld partners.
By clicking submit you agree to the terms and conditions outlined in ITworld's privacy policy.
Featured Sponsor

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Marketplace