Mike Mooney, a 17-year-old teenager started the ball rolling. After finding a cross-site scripting (XSS) vulnerability in the Twitter application, he altered the code on four Twitter accounts to leverage the new-found vulnerability.
Once set up, it was just a matter of waiting, kind of like fishing. Finally someone viewed the profile web page belonging to one of his Twitter accounts and through the magic of a drive-by dropper proudly became the first victim. Finding more victims got a lot easier after that as the worm started propagating using the following steps:
|> Each newly-infected Twitter application starts sending unauthorised Twitter messages (tweets) with malicious links to all available contacts found in the compromised Twitter account.
|> The flagged Twitter users start receiving tweets from a supposedly trusted contact (social engineering part).
|> The tweet asks them to check out a micro-blogging service called StalkDaily.com (hence the worm’s name).
|> As soon as the link is clicked, the Twitter application on that computer becomes infected with the worm.
It’s easy to see how the number of victims grows rapidly. Especially if some of the initially infected Twitter accounts have large contact lists.
To make matters worse, users who haven’t received a malicious tweet can also become infected just by looking at a compromised Twitter profile page. For those so inclined, Damon Cortesi has posted a blog that takes an in-depth look at how the worm works.
The explanation I gave above is the generic overview as there are at least four versions that have surfaced, each exhibiting slightly different social engineering techniques. To Twitter’s credit, they have been able to remove the problem each time, but the underlying Twitter application still appears to be vulnerable to XSS attacks.
How to remove
Even though the developers at Twitter have somewhat rectified the problem, there are still the infected profiles. So, I’ve looked around and found removal instructions for both the StalkDaily and Mikeyy variants of the worm on the Twittercism website:
|> In your browser, clear your cache and empty all of your cookies. (This can be found in your settings.)
|> Log out of TweetDeck or any external applications you are using.
|> Check the URL and location areas of your profile (in Settings/Account on Twitter.com) for evidence of any malicious scripts. It’ll be obvious — something you haven’t added to these areas yourself. If you find anything, remove it.
|> On Twitter.com, change your password.
|> Log back in.
|> Go back and delete any tweets sent by you recommending StalkDaily. This is important.
|> Report @stalkdaily in a tweet to Twitter’s @spam account as follows: @spam @stalkdaily.
How to prevent this
Twittercism also has an excellent blog post that talks about how to prevent worms like StalkDaily and Mikeyy from infecting your Twitter profile. I thought I’d share a few of the more important points:
|> Use a Twitter client. It appears that the infection takes place while visiting the profile page, which is easy to do when using the Twitter web interface. To avoid accidentally opening profiles use a Twitter client like TweetDeck.
|> Avoid visiting user profiles on Twitter.com. This refers to active links that are advertised in Tweets or email alerts about new followers.
|> Be wary about clicking on shortened URLs. I’ve referred to this before in my article “URL shortening: Yet another security risk” and it’s becoming even more of a problem.
Since XSS vulnerabilities are a big part of this problem, I wanted to point out a recent article by Brian Krebs of the Washington Post, “Creating a Public Nuisance with Insecure Web Sites“, where he discusses issues surrounding XSS and hints at what the nasty types are trying to capitalise on:
“XSS bugs can even be used to power web-based worms. This past week, a series of worms took advantage of XSS flaws on micro-blogging site Twitter.com to annoy and frighten thousands of Twitterers. While the worms were otherwise harmless, rogue antivirus vendors have begun seizing on public interest in the outbreaks by gaming search engine results to send curious searchers to booby-trapped sites that try to foist worthless and invasive software.”
Google search promotes malware
TrendLabs verified what Krebs was trying to point out in one of their email alerts. The message is simply this:
It seems that the Twitter worms themselves were relatively benign. What’s obviously not benign is using websites touting the cure to hide real malware. Sadly it’s an effective propagation method that takes advantage of users who are already having computer problems.