Twitter XSS Worms

Trancer — Mon, 13 Apr 2009 19:35:26 +0000

For the past few days two web worms are spreading through Twitter, the popular social micro-blogging utility. The first worm, called the “StalkDaily” worm, start spreading on Saturday, infect user profile pages, steal users browser cookies and post unwanted tweets. A second variation called the “Mikeyy” worm, start spreading on Sunday and does pretty much the same.
The worms use a Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities to spread, which the Twitter guys already closed.
Both worms were created by Michael “Mikeyy” Mooney, a 17 year old teenager. You can read an interview with Mooney on CNET News.

Here’s both “StalkDaily” worm and “Mikeyy” worm JavaScript code, for educational purposes.

Further reading:
Twitter Blog: Wily Weekend Worms.
F-Secure – Twitter worm outbreak over Easter.
Twitter Worm Analysis by Ryan Barnett.

Conficker

Trancer — Sun, 01 Mar 2009 15:17:46 +0000

Right after an exploit code was published for the MS08-067 vulnerability it was only a matter of time until virus coders will write a virus that use this vulnerability to spread.
Well, exploiting this vulnerability is one of the techniques the Conficker (aka Downadup and Kido) virus use to spread itself, and that’s what makes it so dangerous.
With more then 20 millions infected computers out there, security firms say it is the severest computer virus since the SQL Slammer, and Microsoft is going nuts over it, offering a $250,000 bounty for information leading to the catch of the guys who created and/or distribute the virus.
In my opinion, 20 million is a really rough estimate of the infected computers out there. I believe the numbers are greater, due to the fact that the virus also spread itself through portable storage devices (USB drives and other removable media) and by that slipping in to organizations internal networks. Here’s where the numbers are getting blurry, we don’t know what’s the virus infection scale inside these internal networks, where it can spread much more easily using network shares, computers with weak passwords and exploiting the MS08-067 vulnerability.
It’s a known fact that the software and operating systems inside these organizations internal networks aren’t always up-to-date, and sometimes it takes months, if not years, for these organizations to update their computers.
It happens mostly when vendors release major service packs or… after a virus infects their networks :-)
Conficker is that example, a lesson for all these organizations that doesn’t patch their systems. I guess they need these kind of lesson every once and a while.
Even the IDF internal networks got infected by Conficker (Hebrew).

Conficker comes in three variants – Win32/Conficker.A, Win32/Conficker.B and Win32/Conficker.B++.
SRI International Malware Threat Center wrote a great analysis for the virus and all the variants here – An Analysis of Conficker’s Logic and Rendezvous Points.
See also:
Downadup – Advanced Crypto Protection by Elia Florio of Symantec.
Microsoft help protecting yourself against the Conficker worm.

Update:
Win32/Conficker.C is on the loose, armed with more self protection mechanisms and a larger domain pool.
On April 1st, Conficker.C will attempt to dial home to 500 random domains out of 50000 generated domains. A great change from the previous variants that would dial home to 32 out of 250 domains.
This time the worm is also much more violent and will attempt to disable Windows Automatic Updates and stop access to the Windows Security Center, also killing anti-virus processes, preventing access to anti-virus websites, delete system restore points, disable various protection services such as Windows Defender and the Windows Error Reporting Service and much more.

For a detailed analysis of Conficker.C, check the CA Win32/Conficker.C Virus Analysis and the SRI International Malware Threat Center analysis of Conficker C.
Also see this Detecting Conficker in your Network paper.

See you on Conficker.D ?!

Recognize-Security » Malware

Twitter XSS Worms

Conficker