Over the Easter Weekend, Twitter got hit hard, and repeatedly, by self-replicating computer programs known as worms. These hacks, which were allegedly the work of 17-year-old ‘Mikeyy Mooney’, began on Saturday, initially promoting the website StalkDaily.com, of which Mr Mooney is the creator.
Twitter users became infected by the StalkDaily worm by visiting the infected profile page of another user. After infection, these users began to auto-tweet recommendations to visit StalkDaily.com on a fairly frequent basis. It rapidly spread – Twitter themselves estimated some 100 accounts were initially compromised, and 10,000 worm-powered tweets were delivered. (My guess is it was actually a lot more.)
This article is made up of two parts. In the first, I will provide some detail on the events of the Easter weekend as they transpired from my perspective, and share information on how I reacted to the worms as they broke and delivered a lot of traffic to this blog.
I first noticed the StalkDaily worm when a couple of users I followed began to tweet about the site repeatedly. I thought it strange practice; very out of character. Another user then replied to me directly to ask if I knew why her account was delivering these auto-tweets, and so I investigated the matter further.
Pretty soon, two things happened. One, I realised it was an exploit of some kind, and two, by visiting a few profiles to see what was going on, I was now infected myself. I looked at my own profile, and sure enough I’d sent out four StalkDaily.com auto-tweet recommendations without my knowledge or consent.
I didn’t panic. I took a moment to think about what was happening. I figured out that unless this hack started out fairly innocuous and then morphed into something nasty – which isn’t that common – I had at least a few minutes to think about a possible fix.
I had a look on Google and nobody was talking about StalkDaily. I went through various combinations of queries in Twitter search and aside from the StalkDaily.com auto-tweeted recommendations, nobody was discussing it. Indeed, most people didn’t even seem aware they were infected.
I opened my profile settings and had a look around to see if there was anything alien in there. I didn’t notice anything strange. No changes to my input fields of any kind. So, I rationalised that the smart play was to do some simple things one step at a time and see if anything changed. I closed down TweetDeck, and then cleaned out my cache and cookies on my browser. I also felt it couldn’t hurt to change my password. At this stage nobody had any idea what kind of exploit this was and ‘better safe than sorry’ is always the smart play on the internet.
Finally, I went back and deleted the auto-tweets the worm had made me send. Seemed like the decent thing to do.
For a little while, I just monitored my profile on Twitter.com, refreshing over and over, looking for evidence that I was still infected by the worm. I had re-opened TweetDeck and was monitoring other users who were infected, and they continued to deliver the StalkDaily tweets at a fairly frequent pace. After twenty minutes I realised I was almost certainly clean.
I did some more searches on Twitter and Google and again nobody was talking about this stuff. People were starting to get concerned, though, and so I figured it made sense to share my ‘cure’, and the easiest way to do this was via a post on this blog.
I wrote that in about ten minutes, and then announced it in a tweet. Very quickly, it started getting re-tweets, first from my loyal inner circle and then it grew. And grew. And grew. And grew.
Eventually, it would receive almost 800 re-tweets, and over 10,000 unique visits, including 5,000 from Digg.com alone, where it made the front page. Subsequently, it made the front page of PopUrls.com, too. Ultimately, it would be picked up by many large blogs and news sources, including Mashable, ZDNet Asia, CNET and ReadWriteWeb, and somebody was kind enough to Stumble it, too.
I continued to update and modify the blog post as more information became available. Some users suggested that the worm was actively adding code to some of the input fields in infected profiles but as I stated above this was never the case with my own profile, and others would go on to say the same thing. It was later suggested that simply opening your profile settings and having a poke around was enough to scare off the worm, but it’s all still a little hazy. Either way, what I did seemed to work, and it worked for others, too. Ultimately, auto-tweets about StalkDaily began to tail off. Twitter would go on to announce that they’d closed a loophole and the situation was resolved.
Things calmed down. My site continued to get lots of hits, but as far as I could tell the infection rate had dropped to at or near zero, and I tweeted as much. I went out for most of the rest of the day.
When I got home, I couldn’t access my Twitter account – in fact, I had been locked out by Twitter. Initially I feared that the StalkDaily worm was more serious than assumed and that my password had been phished, and I blogged as much, again sharing this information with my followers. Ultimately, it transpired that this measure had been taken by Twitter with all infected accounts, and it was simply a case of re-setting your password to regain access.
Midday Sunday, and once again Twitter was infected. This was a lot bigger, however, with thousands more accounts infected. This new worm – Mikeyy – was different: it acted in a similar way to StalkDaily, but instead tweeted stuff about Mikeyy Mooney himself (i.e., ‘Twitter should hiire Mikeyy’). It was also harder to remove.
I had already written a new blog article advising folk on how best to protect themselves on Twitter, and that received decent traffic. But this Mikeyy thing was a new challenge.
Again I searched Twitter for some possible cures but there was nothing out there. Worse, people were really beginning to panic, a situation not helped by several big Twitter names with large followers WRITING TWEETS ABOUT THE ‘VIRUS’ IN CAPITAL LETTERS AND A REALLY PANICKY TONE. All sorts of crazy stuff was being put out there as ‘gospel’.
I sniffed around Google and found a few bits and pieces, and began to piece them together. Mikeyy compromised Twitter profiles in different ways from StalkDaily, embedding itself more efficiently into user accounts, including the design part of the profile.
One problem was I wasn’t actually infected myself, so for any hope of finding a cure, I had to actively visit a few infected profiles. Soon enough, Mikeyy was upon me. This gave me what I needed to figure out the fix, which, as said, I did by looking at what some other folks were saying and Googling for similar exploits in the past. I wrote a new article about removing Mikeyy from your profile, and again tweeted it to my followers.
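Both worms spread because profile fields that users control were rendered into the pages other users viewed. The following is an added illustration, not code from this post or from Twitter, of the difference between interpolating such fields raw and validating or escaping each one for its context; the profile field names and the sample values are assumptions constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed profile shape: a text name, a bio, a link and a "design" colour field.
HEX_COLOUR = re.compile(r"[0-9A-Fa-f]{6}")
SAFE_SCHEMES = {"http", "https"}


def render_profile_unsafe(profile: dict) -> str:
    """Drops user-controlled fields straight into HTML and CSS.
    Whatever is stored in the profile runs in every visitor's browser."""
    return (
        f'<div style="background:#{profile["bg_colour"]}">'
        f'<a href="{profile["url"]}">{profile["name"]}</a>'
        f'<p>{profile["bio"]}</p></div>'
    )


def safe_colour(value: str) -> str:
    # Allowlist: exactly six hex digits, otherwise fall back to a default.
    return value if HEX_COLOUR.fullmatch(value) else "FFFFFF"


def safe_url(value: str) -> str:
    # Only plain http(s) links with a host survive; anything else is dropped.
    parts = urlsplit(value)
    if parts.scheme.lower() in SAFE_SCHEMES and parts.netloc:
        return html.escape(value, quote=True)
    return "#"


def render_profile_safe(profile: dict) -> str:
    """Same template; each field is validated or escaped for where it lands."""
    return (
        f'<div style="background:#{safe_colour(profile["bg_colour"])}">'
        f'<a href="{safe_url(profile["url"])}">{html.escape(profile["name"])}</a>'
        f'<p>{html.escape(profile["bio"])}</p></div>'
    )


# Constructed sample: the design colour field and link carry markup instead of data.
SAMPLE = {
    "name": "alice",
    "bio": "hi <b>there</b>",
    "url": "javascript:doSomething()",
    "bg_colour": '000000"><script>x()</script>',
}
```

With the sample profile, the unsafe renderer emits the stored script tag while the safe one replaces the colour with the default and the link with `#`.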
This one went semi-viral too, picking up two hundred re-tweets and almost three thousand unique visitors. Again, the cure worked, and this helped the article get traffic.
One problem I noticed with getting the solution across Twitter was the level of panic and bad information I mentioned above. There was lots of talk about the worm being ‘hidden’ in shortened URLs, which was not the case. What did happen thanks to a few of Mikeyy’s tweets was that a bit.ly address was being used to route users through to an infected profile, but that’s a very different thing. However, what this meant was that the majority of Twitter users stopped using not only shortened URLs, but any URL altogether, and refused to click on them, too. This led to a kind of old-fashioned version of Twitter, with folk sharing all information through normal words, and any links were delivered in a kind of anti-spam, twittercism dot com way.
Come Monday morning, some folks were still having problems and I started to receive a lot of replies and direct messages asking me what I knew and whether my site was legitimate, and so on, which of course it was. A few people began to openly ask how they would know if they were infected, which inspired this post.
Eventually, things calmed down. Twitter assured us it was all over, although I don’t think we really believed it until possibly more trusted organizations like the BBC got involved.
Throughout the incident I had continued to provide updates about the worms and sent several tweets saying things like, “It’s been X minutes/hours since any tweets were sent by the worm,” which I gauged by checking for various queries on Twitter search. This stuff received a lot of re-tweets also and slowly but surely things drifted back to normal (even if one or two high-profile Twitterers were still tweeting ‘THE END OF THE WORLD IS NIGH!’ updates.)
I certainly don’t for a second take credit for solving this situation, which in hindsight was actually fairly low-key, certainly when compared to other more infamous historical web exploits. But I hope that I played my part. I certainly think I helped a few folk come to a better understanding of what was going on and remove the worms from their infected profiles.
It all had a tremendous impact on my blog. All told, I had well over 15,000 unique visits, my subscriber rates increased by two hundred per cent and I’m pretty sure my sponsors were very happy. For the very large blogs this is probably a typical day; for Twittercism, it’s pretty huge.
I received an enormous amount of replies and direct messages over the long weekend and to be honest at times it was hard to keep up. When it was all done and dusted, all the heartfelt thanks from folks who approached me and said I had helped them made it all very worthwhile.
The lessons I have learned from this experience about how you can use Twitter to both leverage traffic to your own blog and provide a useful, meaningful service to those visitors are something I will be sharing in part two of this article, which will be posted tomorrow.