Twitter came of age during the weekend of 11 April 2009. Like any new IT technology, it was just was a matter of time before someone decided to look under the hood and see how the application could be debased. The compromise is a story with a different twist though, kind of like Twitter itself.
Mike Mooney, a 17 year old teenager started the ball rolling. After finding a Cross-Site Scripting (XSS) vulnerability in the Twitter application, he altered the code on four Twitter accounts to leverage the new found vulnerability.
Once set up, it was just a matter of waiting, kind of like fishing. Finally someone viewed the profile Web page belonging to one of his Twitter accounts and through the magic of a drive-by dropper proudly became the first victim. Finding more victims got lot easier after that as the worm started propagating using the following steps:
- Each newly-infected Twitter application starts sending unauthorized Twitter messages (tweets) with malicious links to all available contacts found in the compromised Twitter account.
- The flagged Twitter users start receiving tweets from a supposedly trusted contact (social engineering part).
- The tweet asks them to check out a micro-blogging service called StalkDaily.com (hence the worm’s name).
- As soon as the link is clicked, the Twitter application on that computer becomes infected with the worm.
It’s easy to see how the number of victims grows rapidly. Especially if some of the initially infected Twitter accounts have large contact lists.
To make matters worse, users who haven’t received a malicious tweet can also become infected just by looking at a compromised Twitter profile page. For those so inclined, Damon Cortesi has posted a blog that takes an in-depth look at how the worm works.
The explanation I gave above is the generic overview as there are at least four versions that have surfaced, each exhibiting slightly different social engineering techniques. To Twitter’s credit, they have been able to remove the problem each time, but the underlying Twitter application still appears to be vulnerable to XSS attacks.
How to remove
Even though the developers at Twitter have somewhat rectified the problem, there are still the infected profiles. So, I’ve looked around and found removal instructions for both the StalkDaily and Mikeyy variants of the worm on the Twittercism Web site:
- In your browser, clear your cache and empty all of your cookies. (This can be found in your settings.)
- Log out of TweetDeck or any external applications you are using.
- Check the URL and location areas of your profile (in Settings/Account on Twitter.com) for evidence of any malicious scripts. It’ll be obvious – something you haven’t added to these areas yourself. If you find anything, remove it.
- On Twitter.com, change your password.
- Log back in.
- Go back and delete any tweets sent by you recommending StalkDaily. This is important.
- Report @stalkdaily in a tweet to Twitter’s @spam account as follows: @spam @stalkdaily.
How to prevent this
Twittercism also has an excellent blog post that talks about how to prevent worms like StalkDaily and Mikeyy from infecting your Twitter profile. I’d thought I’d share a few of the more important points:
- Use A Twitter Client. It appears that the infection takes place while visiting the profile page, which is easy to do when using the Twitter Web interface. To avoid accidentally opening profiles use a Twitter client like TweetDeck.
- Avoid Visiting User Profiles On Twitter.com. This refers to active links that are advertised in Tweets or e-mail alerts about new followers.
- Be Wary About Clicking On Shortened URLs. I’ve referred to this before in my article “URL Shortening: Yet another security risk” and it’s becoming even more of a problem.
Since XSS vulnerabilities are a big part of this problem, I wanted to point out a recent article by Brian Krebs of the Washington Post, “Creating a Public Nuisance with Insecure Web Sites,” where he discusses issues surrounding XSS and hints at what the nasty types are trying to capitalize on:
“XSS bugs can even be used to power Web-based worms. This past week, a series of worms took advantage of XSS flaws on micro-blogging site Twitter.com to annoy and frighten thousands of Twitterers. While the worms were otherwise harmless, rogue anti-virus vendors have begun seizing on public interest in the outbreaks by gaming search engine results to send curious searchers to booby-trapped sites that try to foist worthless and invasive software.”
Google search promotes malware
TrendLabs verified what Brian was trying to point out in one of their e-mail alerts. The message is simply this:
It seems that the Twitter worms themselves were relatively benign. What’s obviously not benign is using Web sites touting the cure to hide real malware. Sadly it’s an effective propagation method that takes advantage of users who are already having computer problems. My article, “Minimize risk when downloading from the Internet” triggered a lot of discussion about this subject, with members presenting many good ideas for avoiding this type of scam.
TechRepublic’s IT Security e-mail newsletter (delivered every Tuesday) is a great way to keep on top of security issues related to Information Technology. Please make sure to sign up.