Normally, cybercriminals tend to be an anonymous lot. However, over the weekend we encountered a malware attack on Twitter which, if the named author is to be believed, was conceived out of boredom. There are many ways to relieve boredom, and writing malware shouldn’t really be one of them.
Multiple users having exactly the same tweets was a pretty suspicious sign, especially as some reports indicated that some of these tweets came from users who had previously never posted in English.
As it turned out, the tweets were caused by a malicious script that had been planted on Twitter profiles. Due to a security vulnerability in Twitter, malicious code ran on systems when users visited the affected profiles, all of which had the link to the user’s home page modified to promote Stalkdaily, a Twitter clone/competitor. The profiles also ran a script which is now detected as JS_TWETTIR.A. Any user who visited an affected Twitter profile would become a victim as well.
The script would then steal the user’s Twitter credentials and use them to post tweets, all promoting Stalkdaily. (Later on, a second variant appeared with similar behavior, except that the tweets largely promoted the script’s author, along with pleas for Twitter to fix the security hole.)
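The sign noted earlier, many unrelated accounts posting exactly the same tweet, is something a defender can check for mechanically. The following is an added example, not part of the original post or of any Twitter or Trend Micro tooling; the function names, thresholds and sample tweets are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (account, ISO timestamp, text); not real tweets.
SAMPLE_TWEETS = [
    ("alice", "2024-01-06T09:00:00", "Join me on example.test - it is great!"),
    ("bob",   "2024-01-06T09:05:00", "join me on  example.test - it is great!"),
    ("bob",   "2024-01-06T09:06:00", "Join me on example.test - it is great!"),
    ("carol", "2024-01-06T09:20:00", "Join me on example.test - it is great!"),
    ("dave",  "2024-01-06T09:30:00", "Good morning everyone"),
    ("alice", "2024-01-06T09:40:00", "Good morning everyone"),
    ("erin",  "2024-01-06T13:00:00", "Good morning everyone"),
]

def normalize(text):
    """Lower-case and collapse whitespace so trivially varied copies compare equal."""
    return re.sub(r"\s+", " ", text.lower()).strip()

def find_duplicate_bursts(tweets, min_accounts=3, window=timedelta(hours=1)):
    """Return {normalized text: sorted accounts} for every text posted by at
    least min_accounts distinct accounts within one sliding time window."""
    by_text = defaultdict(list)
    for account, ts, text in tweets:
        by_text[normalize(text)].append((datetime.fromisoformat(ts), account))

    flagged = {}
    for text, posts in by_text.items():
        posts.sort()
        start, best = 0, set()
        for end in range(len(posts)):
            # Shrink the window until it spans no more than `window`.
            while posts[end][0] - posts[start][0] > window:
                start += 1
            # Count accounts, not posts: one account repeating itself is not a burst.
            accounts = {acct for _, acct in posts[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged[text] = sorted(best)
    return flagged

if __name__ == "__main__":
    for text, accounts in find_duplicate_bursts(SAMPLE_TWEETS).items():
        print(f"{len(accounts)} accounts posted {text!r}: {accounts}")
```

The greeting shared by three accounts is not flagged at the default settings because the posts are spread over more than an hour, which keeps ordinary coincidences out of the result.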
It’s worth noting that while the attack itself caused limited damage, it would have been very easy for the script’s creator to accomplish something far more damaging. In addition, while attacks that use Twitter to communicate are not unusual, a security hole like this that compromised Twitter itself is not nearly as common. If anything, it’s fortunate that the attack was nothing more than a nuisance, at least for now.
And who was responsible for this attack? The author was identified as Michael Mooney of Winnfield, Louisiana. Coincidentally, Mooney was also behind Stalkdaily. What drove him to write the worm? In his own words:
Out of boredom. It was the middle of the night and I had nothing else better to do.
Mooney also says he’s not worried about going to jail. Whether or not that will happen is unclear right now; both Twitter and law enforcement agencies have remained quiet. All we can say is… writing malware is not an acceptable way to eliminate boredom.
Users are spared from being bothered by this attack, as they are protected by the Trend Micro Smart Protection Network, which has blocked all malicious URLs and detected related scripts.