The Ashes

Technology, Science and other news
April 25, 2009

Twitter: StalkDaily/Mikeyy worm

Posted by : admin
Filed under : General

twitterMike Mooney, a 17-year-old teenager started the ball rolling. After finding a cross-site scripting (XSS) vulnerability in the Twitter application, he altered the code on four Twitter accounts to leverage the new-found vulnerability.

Once set up, it was just a matter of waiting, kind of like fishing. Finally someone viewed the profile web page belonging to one of his Twitter accounts and through the magic of a drive-by dropper proudly became the first victim. Finding more victims got a lot easier after that as the worm started propagating using the following steps:

|> Each newly-infected Twitter application starts sending unauthorised Twitter messages (tweets) with malicious links to all available contacts found in the compromised Twitter account.
|> The flagged Twitter users start receiving tweets from a supposedly trusted contact (social engineering part).
|> The tweet asks them to check out a micro-blogging service called (hence the worm’s name).
|> As soon as the link is clicked, the Twitter application on that computer becomes infected with the worm.

It’s easy to see how the number of victims grows rapidly. Especially if some of the initially infected Twitter accounts have large contact lists.

To make matters worse, users who haven’t received a malicious tweet can also become infected just by looking at a compromised Twitter profile page. For those so inclined, Damon Cortesi has posted a blog that takes an in-depth look at how the worm works.

Several strains

The explanation I gave above is the generic overview as there are at least four versions that have surfaced, each exhibiting slightly different social engineering techniques. To Twitter’s credit, they have been able to remove the problem each time, but the underlying Twitter application still appears to be vulnerable to XSS attacks.

How to remove

Even though the developers at Twitter have somewhat rectified the problem, there are still the infected profiles. So, I’ve looked around and found removal instructions for both the StalkDaily and Mikeyy variants of the worm on the Twittercism website:

|> In your browser, clear your cache and empty all of your cookies. (This can be found in your settings.)
|> Log out of TweetDeck or any external applications you are using.
|> Check the URL and location areas of your profile (in Settings/Account on for evidence of any malicious scripts. It’ll be obvious — something you haven’t added to these areas yourself. If you find anything, remove it.
|> On, change your password.
|> Log back in.
|> Go back and delete any tweets sent by you recommending StalkDaily. This is important.
|> Report @stalkdaily in a tweet to Twitter’s @spam account as follows: @spam @stalkdaily.

How to prevent this

Twittercism also has an excellent blog post that talks about how to prevent worms like StalkDaily and Mikeyy from infecting your Twitter profile. I thought I’d share a few of the more important points:

|> Use a Twitter client. It appears that the infection takes place while visiting the profile page, which is easy to do when using the Twitter web interface. To avoid accidentally opening profiles use a Twitter client like TweetDeck.
|> Avoid visiting user profiles on This refers to active links that are advertised in Tweets or email alerts about new followers.
|> Be wary about clicking on shortened URLs. I’ve referred to this before in my article “URL shortening: Yet another security risk” and it’s becoming even more of a problem.

Another big help in fighting this worm as well as other malware is to turn JavaScript off. That may not be possible for many though. If not, I’d recommend using Firefox with the NoScript add on.

Next step

Since XSS vulnerabilities are a big part of this problem, I wanted to point out a recent article by Brian Krebs of the Washington Post, “Creating a Public Nuisance with Insecure Web Sites“, where he discusses issues surrounding XSS and hints at what the nasty types are trying to capitalise on:

“XSS bugs can even be used to power web-based worms. This past week, a series of worms took advantage of XSS flaws on micro-blogging site to annoy and frighten thousands of Twitterers. While the worms were otherwise harmless, rogue antivirus vendors have begun seizing on public interest in the outbreaks by gaming search engine results to send curious searchers to booby-trapped sites that try to foist worthless and invasive software.”

Google search promotes malware

TrendLabs verified what Krebs was trying to point out in one of their email alerts. The message is simply this:

“Cyber criminals are taking advantage of the public’s interest and high media coverage of the incident to spread malicious links. Among the top 10 search results in Google for ‘Twitter worm’ and ‘Mikeyy’, the name of 17-year-old author of the said worm, is a link that connects the user to a malicious URL that download malware into his/her system. The link in the result connects to a URL detected as HTML_DLOADR.NIC. The said URL is inaccessible as of this writing, but analysis reveals that it loads a JavaScript which is detected as JS_DLOADR.NIB.”

Final thoughts

It seems that the Twitter worms themselves were relatively benign. What’s obviously not benign is using websites touting the cure to hide real malware. Sadly it’s an effective propagation method that takes advantage of users who are already having computer problems.

Tags :

No Comments

(will not be published) (required)
(opitional) EN ES IT DE PT CZ FR RU
October 2021




There are many online poker site where you can play but at you can play the poker games with all the knowledge you need related to the game with the poker school available in both the English and Chinese language.

Super Casino

Now you can bet on any sports and any sporting events from all the comfort from your home. Bet770 allows you to bet on any events and match with in just 3 clicks. They also offers great odds on football betting for every premier and champions league match. Get £50 free in bets when you register.

Bingo770, offering best online bingo games with £7.70 free no deposit Bonus!