Twitter came of age during the weekend of 11 April 2009. Like any new IT technology, it was just was a matter of time before someone decided to look under the hood and see how the application could be debased. The compromise is a story with a different twist though, kind of like Twitter itself.

StalkDaily/Mikeyy worm

Mike Mooney, a 17 year old teenager started the ball rolling. After finding a Cross-Site Scripting (XSS) vulnerability in the Twitter application, he altered the code on four Twitter accounts to leverage the new found vulnerability.

Once set up, it was just a matter of waiting, kind of like fishing. Finally someone viewed the profile Web page belonging to one of his Twitter accounts and through the magic of a drive-by dropper proudly became the first victim. Finding more victims got lot easier after that as the worm started propagating using the following steps:

  1. Each newly-infected Twitter application starts sending unauthorized Twitter messages (tweets) with malicious links to all available contacts found in the compromised Twitter account.
  2. The flagged Twitter users start receiving tweets from a supposedly trusted contact (social engineering part).
  3. The tweet asks them to check out a micro-blogging service called (hence the worm’s name).
  4. As soon as the link is clicked, the Twitter application on that computer becomes infected with the worm.

It’s easy to see how the number of victims grows rapidly. Especially if some of the initially infected Twitter accounts have large contact lists.

To make matters worse, users who haven’t received a malicious tweet can also become infected just by looking at a compromised Twitter profile page. For those so inclined, Damon Cortesi has posted a blog that takes an in-depth look at how the worm works.

Several strains

The explanation I gave above is the generic overview as there are at least four versions that have surfaced, each exhibiting slightly different social engineering techniques. To Twitter’s credit, they have been able to remove the problem each time, but the underlying Twitter application still appears to be vulnerable to XSS attacks.

How to remove

Even though the developers at Twitter have somewhat rectified the problem, there are still the infected profiles. So, I’ve looked around and found removal instructions for both the StalkDaily and Mikeyy variants of the worm on the Twittercism Web site:

  1. In your browser, clear your cache and empty all of your cookies. (This can be found in your settings.)
  2. Log out of TweetDeck or any external applications you are using.
  3. Check the URL and location areas of your profile (in Settings/Account on for evidence of any malicious scripts. It’ll be obvious – something you haven’t added to these areas yourself. If you find anything, remove it.
  4. On, change your password.
  5. Log back in.
  6. Go back and delete any tweets sent by you recommending StalkDaily. This is important.
  7. Report @stalkdaily in a tweet to Twitter’s @spam account as follows: @spam @stalkdaily.

How to prevent this

Twittercism also has an excellent blog post that talks about how to prevent worms like StalkDaily and Mikeyy from infecting your Twitter profile. I’d thought I’d share a few of the more important points:

  • Use A Twitter Client. It appears that the infection takes place while visiting the profile page, which is easy to do when using the Twitter Web interface. To avoid accidentally opening profiles use a Twitter client like TweetDeck.
  • Avoid Visiting User Profiles On This refers to active links that are advertised in Tweets or e-mail alerts about new followers.
  • Be Wary About Clicking On Shortened URLs. I’ve referred to this before in my article “URL Shortening: Yet another security risk” and it’s becoming even more of a problem.

Another big help in fighting this worm as well as other malware is to turn JavaScript off. That may not be possible for many though. If not, I’d recommend using FireFox with the NoScript add on.

Next step

Since XSS vulnerabilities are a big part of this problem, I wanted to point out a recent article by Brian Krebs of the Washington Post, “Creating a Public Nuisance with Insecure Web Sites,” where he discusses issues surrounding XSS and hints at what the nasty types are trying to capitalize on:

“XSS bugs can even be used to power Web-based worms. This past week, a series of worms took advantage of XSS flaws on micro-blogging site to annoy and frighten thousands of Twitterers. While the worms were otherwise harmless, rogue anti-virus vendors have begun seizing on public interest in the outbreaks by gaming search engine results to send curious searchers to booby-trapped sites that try to foist worthless and invasive software.”

Google search promotes malware

TrendLabs verified what Brian was trying to point out in one of their e-mail alerts. The message is simply this:

“Cyber criminals are taking advantage of the public’s interest and high media coverage of the incident to spread malicious links. Among the top ten search results in Google for “Twitter worm” and “Mikeyy,” the name of 17-year-old author of the said worm, is a link that connects the user to a malicious URL that download malware into his/her system. The link in the result connects to a URL detected as HTML_DLOADR.NIC. The said URL is inaccessible as of this writing, but analysis reveals that it loads a JavaScript which is detected as JS_DLOADR.NIB

Final thoughts

It seems that the Twitter worms themselves were relatively benign. What’s obviously not benign is using Web sites touting the cure to hide real malware. Sadly it’s an effective propagation method that takes advantage of users who are already having computer problems. My article, “Minimize risk when downloading from the Internet” triggered a lot of  discussion about this subject, with members presenting many good ideas for avoiding this type of scam.

TechRepublic’s IT Security e-mail newsletter (delivered every Tuesday) is a great way to keep on top of security issues related to Information Technology. Please make sure to sign up.