Posts Tagged ‘Worm’
Timing is everything. My Samsung NC10 netbook had a massive fail yesterday, which left me unable to access this blog (or, indeed, the internet), and some charming individuals seized this opportunity to hack into Twittercism and add some rather nasty exploits.
I couldn’t get the blog or (more worrying) the admin panel to load at all. Wherever I went, I just got an error message.
Even better, Google decided to mark the domain as a malware risk, which obviously has some impact on traffic.
Fortunately, the exploit, which attempted to load a file from the website c8t.at, was fairly easy to track down, and I removed it manually via FTP.
If you’re a WordPress user impacted by this issue, I recommend two courses of action:
- Check your default-filters.php, default-widgets.php and pluggable.php files (all are located in the wp-includes folder), as well as the main index.php file in your theme. I had a single line of code at the very bottom of all of these files (which starts with <iframe... and linked to a file at c8t.at). Remove it (carefully), save and re-upload your file(s).
- Always make sure you upgrade to the latest version of WordPress. I was using WordPress 2.8.3, which is only a single upgrade behind the current version (2.8.4), but it was enough to allow others to have a sneaky in.
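A scripted version of the file check above, added here as an illustration (it is not code from the original post): it inspects the three wp-includes files and every theme's index.php for an <iframe in the last few non-blank lines, and for the two domains named in the post anywhere in the file. The function names and the three-line tail window are assumptions.

```python
import re
from pathlib import Path

# Domains and file names are taken from the post; everything else is assumed.
KNOWN_BAD = (b"c8t.at", b"c8t.ru")
CORE_FILES = ("wp-includes/default-filters.php",
              "wp-includes/default-widgets.php",
              "wp-includes/pluggable.php")
IFRAME = re.compile(rb"<iframe\b", re.IGNORECASE)

def targets(wp_root):
    """Yield the three core files plus index.php of every installed theme."""
    root = Path(wp_root)
    for rel in CORE_FILES:
        yield root / rel
    yield from sorted(root.glob("wp-content/themes/*/index.php"))

def scan_file(path, tail=3):
    """Return (line_no, reason) findings for one file.

    An <iframe in the last `tail` non-blank lines matches the post's
    description; a known-bad domain is reported wherever it appears.
    """
    lines = Path(path).read_bytes().splitlines()
    nonblank = [i for i, text in enumerate(lines) if text.strip()]
    tail_idx = set(nonblank[-tail:])
    findings = []
    for i, line in enumerate(lines):
        low = line.lower()
        if any(domain in low for domain in KNOWN_BAD):
            findings.append((i + 1, "known-bad domain"))
        elif i in tail_idx and IFRAME.search(line):
            findings.append((i + 1, "trailing iframe"))
    return findings

def scan_site(wp_root):
    """Map each existing target file to its findings (clean files omitted)."""
    report = {}
    for path in targets(wp_root):
        if path.is_file():
            hits = scan_file(path)
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    import sys
    for name, hits in scan_site(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line_no, reason in hits:
            print(f"{name}:{line_no}: {reason}")
```

The script only reports; compare each flagged line against a clean copy of the same WordPress version before deleting anything.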
Despite Google’s concerns, the exploit never actually loaded. It simply presented an error message. So, if you happened to visit Twittercism during this period, don’t worry. Nothing bad happened. But the sites (c8t.at and c8t.ru) are known to Google and the warning was legitimate, if a little excitable.
Of course, I’m certainly not in bad company with my blog being hacked. But it’s a lesson learned. Always make sure your online security is top-notch, as the crap has a nasty habit of hitting the fan at exactly the wrong time.
The Mikeyy virus hit Twitter again today, right on the back of the real-life Michael Mooney, the creator of the original virus, being hired for a security job in what many are assuming is a publicity stunt.
So, is this a copycat? Quite possibly. The exploit is certainly different; infected Twitterers send out provocative tweets to @aplusk, @Oprah, @TheEllenShow, @SouljaBoyTellem, @NYTimes and @StephenColbert, likely assuming that guarantees the best chance of spreading if these high-profile accounts get infected, too.
It also tweets a ‘Mikey got hacked!’ message, which includes a bit.ly link. Obviously, do not click on this. (UPDATE: The link redirected to an infected account, and this has now been suspended by Twitter.)
It’s spreading incredibly fast (Twitter search) – much faster than the previous hacks. My search window is updating with 100s of new results every few seconds.
Meantime, avoid visiting profiles on Twitter.com. Do not click on any dodgy links. And don’t re-tweet infected users’ messages. Monitor your own profile for signs of infection (if you’re sending out the tweets above, then you’re infected. Apply the cure).
2035 GMT: Twitter is aware of the situation.
2105 GMT: Some of the worm messages now say ‘This exploit only affects Internet Explorer users’. Assume the contrary.
2113 GMT: Hearing that Mac users can’t get infected. Don’t have a Mac so cannot test, but still, assume otherwise until proven. Still spreading faster than anything I’ve seen – 5,000 tweets every 15 minutes or so.
2132 GMT: Mikeyy is now tweeting advice to Twitter about their code within infected user accounts, i.e., “Twitter, do you know about the before_save model callback?” and “Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlChars!!!”. What a helpful fellow.
2141 GMT: Another new tweet from infected Mikeyy users, at least within this variant: “Call me everyone! 718-312-8131”, which is the same number as last time. I believe this is (or was) Michael Mooney’s actual number, which leads me to conclude this is either a copycat or a publicity stunt tied in with his new employment (which would be very foolish indeed).
2320 GMT: Twitter have written that they should soon have things under control, and Mikeyy does appear to have slowed considerably, and may now be gone. If you think you’re infected, use the cure links above. Until next time…
Twitter Gets Hacked By A Worm (And His Name Was Michael Mooney)
This past week was really all about one thing: worms. Twitter got hit hard and fast last Easter weekend, and for a little while things looked pretty bleak. I did my part by helping out folk with the cure, but is this just the beginning, and what can you do to protect yourself?
Twitter Goes Pay-Per-Tweet, And Big Business Is Buying
How Fast Can You Tweet?
Not sure? Check out Fast140.com and find out. (Note: some people are clearly cheating.)
Every Time You Tweet, A Kitten Is Killed
The Daily Mail did its usual bit for humanitarianism by claiming that Twitter can make you immoral, after scientists at the University of Southern California (USC) made vague suggestions that the rapid updates on Twitter could lead to some folk never fully experiencing “emotions about other people’s psychological states and that would have implications for your morality.”
Over the Easter Weekend, Twitter got hit hard, and repeatedly, by self-replicating computer programs known as worms. These hacks, which were allegedly the work of 17-year-old ‘Mickeyy Mooney’, began on Saturday, initially promoting the website StalkDaily.com, of which Mr Mooney is the creator.
Twitter users became infected by the StalkDaily worm by visiting the infected profile page of another user. After infection, these users began to auto-tweet recommendations to visit StalkDaily.com on a fairly frequent basis. It rapidly spread – Twitter themselves estimated some 100 accounts were initially compromised, and 10,000 worm-powered tweets were delivered. (My guess is it was actually a lot more.)
This article is made up of two parts. In the first, I will provide some detail on the events of the Easter weekend as they transpired from my perspective, and share information on how I reacted to the worms as they broke and delivered a lot of traffic to this blog.
I first noticed the StalkDaily worm when a couple of users I followed began to tweet about the site repeatedly. I thought it strange practice; very out of character. Another user then replied to me directly to ask if I knew why her account was delivering these auto-tweets, and so I investigated the matter further.
Pretty soon, two things happened. One, I realised it was an exploit of some kind, and two, by visiting a few profiles to see what was going on, I was now infected myself. I looked at my own profile, and sure enough I’d sent out four StalkDaily.com auto-tweet recommendations without my knowledge or consent.
Mikeyy is a similar Twitter exploit to yesterday’s StalkDaily. It can be removed pretty easily if you are infected.
(To see if you are infected, check your profile timeline for Mikeyy-approving tweets you didn’t submit yourself. They should be pretty easy to spot.)
How To Remove Mikeyy
- Close down any external Twitter clients (i.e., TweetDeck or Tweetie).
- In your Twitter settings page, delete anything suspicious that you did not add yourself. Check everywhere carefully, but it’s usually in the URL or location fields.
- Consider resetting your password on Twitter. There is no evidence that these hacks are malicious enough to break into your Twitter account, but why take the risk? You may also like to clear your cookies and cache (which can be found in your browser’s settings).
- Once done, log back out of your account and then back in. If Twitter has locked your account, or does so in the future, you will have to ask for a password reset.
Mikeyy is not being hidden in shortened URLs, but you may wish to avoid clicking on these from sources you do not absolutely trust in case the URL takes you to an infected profile or other variant of the exploit. Likewise, avoid visiting user profiles on Twitter or within TweetDeck until Twitter has said with absolute certainty that the threat has passed. Monitor Twitter’s status page for updates.
UPDATE: There have been some reports that infected profiles are visible by rolling your mouse over their username on Twitter.com. If infected, code is sometimes visible after their username in the URL bar. This can help you to avoid infected profiles.
These tips will likely work for any similar exploits on Twitter. You should also take all necessary precautions to protect yourself in the future.
(Lynne Pope has more detail and additional steps you can take at her blog.)
APRIL 12 UPDATE: Twitter has commented on the steps they took and are taking to handle these exploits on their official blog. As of 2130 GMT, and judging by instances on Twitter search, Mikeyy seems to have been defused. Panic and hyperbole remain – help out Twitter by forwarding concerned users to this blog. Thank you.
APRIL 13 UPDATE: (1000 GMT) Mikeyy seems to have returned en masse (Twitter search), likely with a new strain. Twitter is once again addressing the situation. Meantime, you can take the steps above to remove Mikeyy if you are infected. Please share this post with all your friends on Twitter. Thank you.
APRIL 17 UPDATE: A new strain of Mikeyy returned to Twitter. The cure remains the same.