A new version of the Mikeyy cross-site scripting worm is spreading extremely rapidly across the Twitter micro-blogging network.
Messages posted by the worm include:
@oprah - sup? welcome to twitter. - mikeyy
@TheEllenShow - hey baby, love me long time? - mikeyy
@nytimes - yep, it's true. - mikeyy
@StephenColbert - you funny. - mikeyy
@aplusk - hey, homo. - mikeyy
@souljaboytellem - your music sucks dude. - mikeyy
The worm appears to be deliberately referencing Twitter users with a very large number of followers (for instance, @aplusk is Hollywood actor Ashton Kutcher, who has more than a million followers), presumably with the hope of spreading the infection more quickly.
Compromised accounts appear to have their profiles altered to reference Mikeyy.
My recommendation? If you are going to click on users’ profiles on Twitter right now, make sure that your browser is fully patched and that you have scripting turned off using plugins like NoScript for Firefox.
If you suspect you have been affected, clean out your Twitter profile and settings of any content that you did not add yourself, and – although it may not be the case that it has been compromised – consider using a more secure password.
Ironically, this new version of the Mikeyy worm has emerged at the same time as controversy is raging over whether a firm was right to hire the notorious Mikeyy Mooney who admitted writing the original attacks.
As I explained earlier today, one of the reasons why Mikeyy Mooney’s abuse of Twitter was so wrong was that it opened the door for other copy-cat attacks. At the moment it is not clear who is responsible for this latest outbreak.
Update: It also appears that the message
I work for exqSoft Solutions now - http://www.exqsoft.com/ - mikeyy
is spreading quickly. Other messages being posted by the worm include:
Twitter, you should be paying me now. - mikeyy
Twitter, do you know about the before_save model callback? - mikeyy
Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlChars!!! - mikeyy
This exploit only affects Internet Explorer users. Thanks. - mikeyy
Please note that we have not verified that you can only be infected if you use Internet Explorer.
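Two of the messages above name the mitigation for this class of worm: escape HTML characters in every stored field before it is saved. The following is an added example in plain Ruby, not Twitter's code and not from the original post; the field names, the detection pattern and the two sample profiles are assumptions constructed for illustration.

```ruby
require 'erb'

# Assumed profile field names; the article does not list the fields the worm changed.
PROFILE_FIELDS = %i[name location url bio].freeze

# Heuristic for content a user is unlikely to have typed into a profile:
# tag openers, attribute break-outs, script URLs and inline event handlers.
SUSPICIOUS = %r{<\s*/?\s*[a-z!]|["']\s*>|javascript\s*:|\bon[a-z]+\s*=}i

# Minimal stand-in for a model with a before-save hook (plain Ruby, no Rails).
class Profile
  attr_reader :stored

  def initialize(attrs)
    @raw = PROFILE_FIELDS.to_h { |f| [f, attrs.fetch(f, '').to_s] }
    @stored = {}
  end

  # Hook: escape every field, not only the ones expected to hold free text.
  # Escaping always starts from the raw input, so saving twice does not double-encode.
  def before_save
    @raw.transform_values { |v| ERB::Util.html_escape(v) }
  end

  def save
    @stored = before_save
    self
  end

  # Fields whose raw value looks like markup: candidates for manual clean-up.
  def suspicious_fields
    @raw.select { |_, v| v.match?(SUSPICIOUS) }.keys
  end
end

# Constructed samples: one ordinary profile, one with markup in the bio field.
CLEAN = Profile.new(name: 'Alice', location: 'Oxford', url: 'http://example.com/', bio: 'Tea & code')
TAINTED = Profile.new(name: 'Bob', bio: '<script src="//example.invalid/x.js"></script>')

if __FILE__ == $PROGRAM_NAME
  [CLEAN, TAINTED].each do |p|
    p.save
    puts "flagged=#{p.suspicious_fields.inspect} stored_bio=#{p.stored[:bio]}"
  end
end
```

The stored value is inert when rendered into a page, and the flagged list shows which fields to review when cleaning out a profile.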
Be careful out there.
You can find more information about this attack on the SophosLabs blog.