Over the Easter Weekend, Twitter got hit hard, and repeatedly, by self-replicating computer programs known as worms. These hacks, which were allegedly the work of 17-year-old ‘Mickeyy Mooney’, began on Saturday, initially promoting the website StalkDaily.com, of which Mr Mooney is the creator.
Twitter users became infected by the StalkDaily worm by visiting the infected profile page of another user. After infection, these users began to auto-tweet recommendations to visit StalkDaily.com on a fairly frequent basis. It rapidly spread – Twitter themselves estimated some 100 accounts were initially compromised, and 10,000 worm-powered tweets were delivered. (My guess is it was actually a lot more.)
This article is made up of two parts. In the first, I will provide some detail on the events of the Easter weekend as they transpired from my perspective, and share information on how I reacted to the worms as they broke and delivered a lot of traffic to this blog.
I first noticed the StalkDaily worm when a couple of users I followed began to tweet about the site repeatedly. I thought it strange practice; very out of character. Another user then replied to me directly to ask if I knew why her account was delivering these auto-tweets, and so I investigated the matter further.
Pretty soon, two things happened. One, I realised it was an exploit of some kind, and two, by visiting a few profiles to see what was going on, I was now infected myself. I looked at my own profile, and sure enough I’d sent out four StalkDaily.com auto-tweet recommendations without my knowledge or consent.
I didn’t panic. I took a moment to think about what was happening. I figured out that unless this hack started out fairly innocuous and then morphed into something nasty – which isn’t that common – I had at least a few minutes to think about a possible fix.
I had a look on Google and nobody was talking about StalkDaily. I went through various combinations of queries in Twitter search and aside from the StalkDaily.com auto-tweeted recommendations, nobody was discussing it. Indeed, most people didn’t even seem aware they were infected.
I opened my profile settings and had a look around to see if there was anything alien in there. I didn’t notice anything strange. No changes to my input fields of any kind. So, I rationalised that the smart play was to do some simple things one step at a time and see if anything changed. I closed down TweetDeck, and then cleaned out my cache and cookies on my browser. I also felt it couldn’t hurt to change my password. At this stage nobody had any idea what kind of exploit this was and ‘better safe than sorry’ is always the smart play on the internet.
Finally, I went back and deleted the auto-tweets the worm had made me send. Seemed like the decent thing to do.
For a little while, I just monitored my profile on Twitter.com, refreshing over and over, looking for evidence that I was still infected by the worm. I had re-opened TweetDeck and was monitoring other users who were infected, and they continued to deliver the StalkDaily tweets at a fairly frequent pace. After twenty minutes I realised I was almost certainly clean.
I did some more searches on Twitter and Google and again nobody was talking about this stuff. People were starting to get concerned, though, and so I figured it made sense to share my ‘cure’, and the easiest way to do this was via a post on this blog.
I wrote that in about ten minutes, and then announced it in a tweet. Very quickly, it started getting re-tweets, first from my loyal inner circle and then it grew. And grew. And grew. And grew.