Twitter Worm Evolves Over Four Attacks

The originator of a worm that struck Twitter four times is backing off after threats of legal action, according to reports. .

Four versions of the evolving worm hit the microblogging site over the weekend, exploiting a cross-scripting vulnerablity. The originator, Michael “Mikeyy” Mooney has finished the attack, which he says was only designed to alert Twitter to the flaws, following a threat of legal action from Twitter founder Biz Stone, according to reports in The Telegraph.

The worm, dubbed “StalkDaily,” began to spread last weekend, and so only seems to infect users’ profiles with the goal of propagating. According to its confessed creator, Mikeyy Mooney, the worm was created “out of boredom” to give developers an insight into a cross-site scripting flaw while promoting his Website, acording to reports at BNOnews.

“We are currently addressing a new manifestation of the worm attack,” according to an update by Twitter Monday. “No passwords, phone numbers, or other sensitive information were compromised as part of this renewed attack.”
The new worm is tweeting messages that look like this:

How TO remove new Mikeyy worm! RT!! (bad URL)

This worm is getting out of hand Twitter. – Mikeyy

Twitter, your community is going to be mad at you… – Mikeyy

Mikko H. Hyppönen, chief research officer at F-Secure, called the message pretending to be a fix for the worm particularly nasty.

“The [malicious] bit.ly link got redirected back to Twitter. … The good part about using a URL redirector is that now we can get exact statistics on how much traffic this link received. Turns out the URL got clicked over 18,000 times—and the figure is still growing,” he wrote in a blog post.

Biz Stone, co-founder of Twitter, blogged that the worm introduced this weekend was similar to the famous Samy worm, which spread across the popular MySpace social networking site a while back.

“At about 2AM on Saturday, four accounts were created that began spreading a worm on Twitter,” Stone wrote. “From 7:30AM until 11AM PST, our security team worked on eliminating the vectors that could identify this worm. At that time, about 90 accounts were compromised. We identified and secured these accounts.”

The worm propagated by luring users to the StalkDaily.com site, where their profiles were infected in order to send out similar spam-type messages to their contacts. A second wave of the worm hit Saturday afternoon; another hit Twitter users Sunday.

“Again, we secured the accounts that had been compromised and removed any content that might help spread the worm,” Stone wrote. “All told, we identified and deleted almost 10,000 tweets that could have continued to spread the worm.”

Stone added that Twitter is conducting a full review of what happened and is constantly updating its Web coding practices to avoid vulnerabilities.