Archive for the ‘Malware’ Category

Copycat Twitter Worm?

April 15th, 2009 wifijedi

As most of you know, Twitter was hit with a series of worms this past weekend. They were created by 17-year-old Mikey Mooney, creator of the website StalkDaily.com (don’t visit the site). The original worm seemed fairly innocuous, with messages that were created to drive traffic to the StalkDaily website.

I wrote a Computerworld blog post, where I detailed the original attack and provided a list of security recommendations. In that post, I commented that Twitter users should be on the lookout for modified worms, especially as additional details of the original attack come to light.

After Twitter patched the original cross-site scripting (XSS) flaw, which exploited the “link” field in a user profile, another variant of the worm appeared. This time, the worm exploited the “color” setting of the user profile. Modifying the worm highlighted that the XSS vulnerability was not limited to a single field and that Twitter would have to institute a comprehensive patch, not a band-aid solution.
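As an added example (not code from the original post or from Twitter), here is the kind of server-side handling that closes this class of hole rather than one field at a time: each profile value is validated against what it may legitimately contain and then escaped on output, so the “link” field, the “color” field and any other field get the same defence. The function names and the profile fields are assumptions for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical profile fields, named after the two the post mentions.
HEX_COLOR = re.compile(r"[0-9A-Fa-f]{6}")


def validate_color(value):
    """Whitelist a profile colour: exactly six hex digits, otherwise None."""
    return value if HEX_COLOR.fullmatch(value or "") else None


def validate_link(value):
    """Accept only absolute http(s) URLs with a host; reject everything else,
    including javascript: and data: schemes."""
    parts = urlsplit(value or "")
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return value


def render_profile(color, link):
    """Build the profile fragment. Every untrusted value is validated first
    and then attribute-escaped, so a payload in any field cannot break out
    of the attribute it is placed in."""
    safe_color = validate_color(color) or "000000"  # fall back to a default
    safe_link = validate_link(link)
    link_html = ""
    if safe_link:
        link_html = '<a href="%s">homepage</a>' % html.escape(safe_link, quote=True)
    return '<div style="color:#%s">%s</div>' % (safe_color, link_html)


if __name__ == "__main__":
    # Constructed sample inputs: a clean profile and one with hostile values.
    print(render_profile("ff6600", "http://example.com/"))
    print(render_profile('ff6600"><script>alert(1)</script>', "javascript:alert(1)"))
```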

The variant of the worm automatically generated tweets with the term “mikeyy”. These were sarcastic in nature and seemed to be tongue-in-cheek. Examples include:

  • Mikeyy I am done…
  • Mikeyy is done…
  • Twitter please fix this, regards Mikeyy

The general consensus today is that the “StalkDaily” and “Mikeyy” worms have been adequately addressed. However, I am not fully convinced. Four days after the original worm, I am still seeing suspicious behavior. A colleague of mine has a Twitter account that automatically started generating tweets saying “I am not here right now.”

Using a third-party iPhone application, TweetStack, I am conducting periodic searches on the string “I am not here right now.” I found that this is not nearly as widespread as the “StalkDaily” Twitter worm, but it has affected at least a couple dozen accounts.

While this could be yet another variant of the worm created by Mikey Mooney, my suspicion is that this is a copycat worm created by another party (most likely a script kiddie).

Are YOU still seeing anomalous behavior on Twitter? I would love to hear about it! Please comment below, and notify the Internet Storm Center if you see anything noteworthy.

- WiFiJedi

Douglas J. Haider is a Principal Technologist with Xirrus. He hosts a personal blog at WiFiJedi.com and micro-blogs on Twitter @wifijedi (which was not infected by the Twitter worm at the time of this writing…)

Dealing with Rinbot

April 5th, 2007 Michael Farnum

A client called me at 8:30am yesterday in a panic because they have the Rinbot worm running around in their network. The client is actually a former employer of mine, and they still have much of the same hardware and software as when I was there 6 years ago, which means Dell Pentium 3 400 MHz servers and NT 4.0. They kept cleaning up their servers and getting re-infected, so something was getting missed. They have servers spread out between their corporate site and their colocation facility, and the link between the two is a fiber link that has no firewall or any real segmentation at all. So, getting all the servers clean has proven problematic.

The recommended patch for NT to stop Rinbot didn’t work, so I had them temporarily disable the IPC$ share on their important servers, and today we are going to try Determina’s HIPS product to see if we can stop it and identify where it is coming from. We’ll see what happens.

It’s been a while since I have had to fight one of these buggers. It was actually quite refreshing. Something different, and it brought back memories.

Here’s a pretty cool blog post about Rinbot.

Vet

Categories: Malware, Security, Sheesh

SpamThru trojan analysis

October 23rd, 2006 Michael Farnum

Link

This is the trojan I mentioned in my last post.

Vet

Categories: Malware, Security, Spam

Spammers getting ultra-sophisticated

October 20th, 2006 Michael Farnum

Go check out this article at Dark Reading. Looks like this group is creating a botnet with a trojan that has a cracked version of Kaspersky AV to clean machines (except for itself, of course) to make sure it gets all the bandwidth it can to send out spam. It is called the SpamThru trojan.

This is crazy.

Vet

Categories: Malware, Security, Spam

Apple needs to learn the hard way

August 29th, 2006 Michael Farnum

Thanks to the SecurityCurve blog for posting this about Apple. The Mac users are going to get hit hard one day, and they are not going to be prepared. Yes, many of them use AV software, but my suspicion is that many do not run it because they don’t see a reason for it. Take a look at this post to see if you think I am wrong. Though the author admits that it may happen one day, he is just so smug (to use SecurityCurve’s analogy) that his Mac is just wonderfully immune right now.

What I see is this: Malware is more and more specific nowadays. It is written for monetary gain, not for kicks (it is possible someone may write something just to prove Apple wrong, but who knows). Apple will get more and more of the market. Their servers, because more people are using Macs in business, will start to get more popular (just like with Windows). Then more and more valuable data will be stored on Apple servers, and the possibility of monetary gain will increase. So the possibility of malware will increase.

Vet

Categories: Malware, Security