New Twitter Worm Lures with Promises of a Fix

A new version of the Twitter worm that hit the microblogging service over the weekend is spreading, according to the service. The variant is the fourth wave of attacks against the service by the worm.

Twitter continues to battle a new iteration of a worm that first hit users of the service over the weekend.

The worm, dubbed "StalkDaily," exploits a cross-site scripting vulnerability. It began to spread this weekend, and so far only seems to infect users' profiles with the goal of propagating. According to its confessed creator, Mikeyy Mooney, the worm was created "out of boredom" to give developers an insight into a cross-site scripting flaw while promoting his Website.

"We are currently addressing a new manifestation of the worm attack," according to an update by Twitter Monday. "No passwords, phone numbers, or other sensitive information were compromised as part of this renewed attack."

The new worm is tweeting messages that look like this:

  • How TO remove new Mikeyy worm! RT!! (bad URL)
  • This worm is getting out of hand Twitter. - Mikeyy
  • Twitter, your community is going to be mad at you... - Mikeyy

Mikko H. Hypp??énen, chief research officer at F-Secure, called the message portending to be a fix for the worm particularly nasty.
"The [malicious] link got redirected back to Twitter. ... The good part about using a URL redirector is that now we can get exact statistics on how much traffic this link received. Turns out the URL got clicked over 18,000 times-and the figure is still growing," he wrote in a blog post.

Biz Stone, co-founder of Twitter, blogged that the worm introduced this weekend was similar to the famous Samy worm, which spread across the popular MySpace social networking site a while back.

"At about 2AM on Saturday, four accounts were created that began spreading a worm on Twitter," Stone wrote. "From 7:30AM until 11AM PST, our security team worked on eliminating the vectors that could identify this worm. At that time, about 90 accounts were compromised. We identified and secured these accounts."

The worm propagated by luring users to the site, where their profiles were infected in order to send out similar spam-type messages to their contacts. A second wave of the worm hit Saturday afternoon; another hit Twitter users Sunday.

"Again, we secured the accounts that had been compromised and removed any content that might help spread the worm," Stone wrote. "All told, we identified and deleted almost 10,000 tweets that could have continued to spread the worm."

Stone added that Twitter is conducting a full review of what happened and is constantly updating its Web coding practices to avoid vulnerabilities.