Monday, April 04, 2011

Anatomy of a Twitter worm ("Profile Spy")

I woke up this morning and among the tweets I saw this:
(Name has been pixelated to protect the guilty)

This looks like a worm/scam (some news here, so I thought I'd write up a technical explanation.

Like most cybersecurity researchers, I like worms. So, I switched to another browser ("Iron" version of Chrome from SRware) and my honeypot account "@ErrataVictim". I logged in, and then followed that link.

Clicking on the link pops up this page from Twitter:



Worms usually ask for passwords, but people become suspicious giving out passwords. This worm uses a different strategy. It pretends to be a legitimate Twitter application, and uses the same method to ask for permissions as any other application. This is the same sort of authorization you would need to give to your Twitter application on the iPhone. This is the sort of authorization you would need to give to any third party Twitter application -- like one that told you how many people checked out your profile (which actually isn't possible -- Twitter doesn't give that info to app developers, and probably doesn't track it ).

It's hard to give people advice what to do in this situation. You can't simply say "Never allow applications to connect to your account", because that would prevent legitimate twitter applications from having access to your account.

The best advice I could give you is that whenever you see something of the form "this is cool check it out" -- and it asks you to install something, give a password, or grant authorization, then it's probably malware. You should always verify it with the sender (or with Google) before continuing.

When I allow access, I get this:


Going back to my victim account, I saw that it had indeed gotten "hacked". This is why the hacker created this worm/scam: he will profit from all the advertising you'll see following those links.

There might be further malware in those links designed to compromise your machine or accounts, like clickjacking exploits. I followed the first one, and it's a typical scam that asks you to fill out endless surveys and promises you'll win a prize at the end -- but there is no end to the popups you have to go through. At least, I've never reached the end when trying to see how deep they go.
Following this link leads to the next form. Obviously, you wouldn't want to fill this out.

I continued following this for a while, and it continue to provide endless "surveys" on care insurance, medical, long distance phone, and so on. I didn't follow them too deep -- I assume there is no end to them.

I confirmed that my account was "hacked" because immediately after this, I saw these two tweets magically appear as if I'd tweeted them:



It is easy to recover your account if this happens to you. Go to your "Profile", then "Edit your profile", then select "Connections",  then revoke it's access, as shown below:


Then, in order to make sure that nobody else falls victim to this (or hide your guilt), remove the tweets the worm put there. Select  "Profile" again. This shows a timeline with just your tweets. Hover over the tweet with your mouse, and you'll see a "Delete" option. Click that, and the tweet goes away:


This won't completely get rid of the tweet. The default browser application, and many other applications, download and cache the tweets as they are tweeted. Thus, if somebody opens their browser and logs onto twitter, they won't see your deleted tweet. But, if somebody sees a "75 new tweets" and clicks on it, they will still see your tweet, because it's already been downloaded and cached in your browser. Therefore, even when you delete it, most of your active followers will still see it.


How does the scam work?

The first step is to set up an account with advertisers that you will forward people to.

The second step is to get a "burner" host. First, grab an anonymous credit card (aka. "gift card") from a store, then use it to create an account at a hosting site. In this case, the hacker chose liquidweb, which allow you to set up a cloud server in minutes.

Then write a Twitter script that will use Twitter's OAuth feature to do two things. The first is to log onto their account and send the spam message via a tweet. The second is to forward the user to the advertiser.

Third is to launch the worm by spamming the tweet. This involves creating accounts, "following" people, then sending them tweets with the link. Eventually, a popular person with a lot of followers will fall for it, and the worm will take on a life of it's own.

The ow.ly link points to "www.twitterprofilespy.info". I did a traceroute to that address and got this info:

1     1 ms     2 ms     1 ms  23.23.23.1
  2    23 ms    28 ms     9 ms  c-71-204-8-1.hsd1.ga.comcast.net [71.204.8.1]
  3    10 ms    10 ms     9 ms  xe-10-1-0-0-sur01.n4atlanta.ga.atlanta.comcast.net [68.85.68.57]
  4    15 ms    16 ms    18 ms  xe-6-1-3-0-ar01.D1stonemtn.ga.atlanta.comcast.net [68.85.108.250]
  5    67 ms   136 ms    95 ms  ae-2-0-ar01.b0atlanta.ga.atlanta.comcast.net [68.85.109.241]
  6    19 ms    15 ms    15 ms  pos-3-7-0-0-cr01.atlanta.ga.ibone.comcast.net [68.86.93.205]
  7    17 ms    16 ms    16 ms  TenGigabitethernet4-1.ar1.ATL2.gblx.net [146.82.35.121]
  8    48 ms    67 ms    47 ms  64.209.88.186
  9    50 ms    54 ms    50 ms  lw-dc2-core3-te9-1.rtr.liquidweb.com [209.59.157.224]
 10    52 ms    52 ms    67 ms  lw-core6.rtr.liquidweb.com [209.59.157.109]
 11    54 ms    55 ms    56 ms  lw-dc3-dist10-po6.rtr.liquidweb.com [69.167.128.167]
 12    53 ms    54 ms    52 ms  host.fookyea.com [67.227.204.5]


The whois information for "twitterprofilespy.info" and got this back:
Domain Name:TWITTERPROFILESPY.INFO
Created On:02-Apr-2011 04:34:09 UTC
Last Updated On:03-Apr-2011 15:56:34 UTC
Expiration Date:02-Apr-2012 04:34:09 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:CLIENT TRANSFER PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:551ff52cd302f3e3
Registrant Name:WhoisGuard  Protected
Registrant Organization:WhoisGuard
Registrant Street1:8939 S. Sepulveda Blvd. #110 - 732
Registrant Street2:
Registrant Street3:
Registrant City:Westchester
Registrant State/Province:CA
Registrant Postal Code:90045
Registrant Country:US
Registrant Phone:+1.6613102107
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:683c9af5c7fe45bda8510a5327cc212a.protect@whoisguard.com


I suspect "fookyea.com" might also identify the hacker. The whois info from GoDaddy shows this:
Registrant:
Unknown Unknown
123 Lay Ave
New York, New York 10001
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FOOKYEA.COM
Created on: 13-Feb-09
Expires on: 13-Feb-12
Last Updated on: 14-Feb-11

Administrative Contact:
Unknown, Unknown gamingcheats@gmail.com
123 Lay Ave
New York, New York 10001
United States
+1.2121234567
...

It would take more effort than I'm willing to spend, and maybe warrants, to track this down any further.



Update: Graham Cluley from Sophos also has a post almost identical to mine: http://nakedsecurity.sophos.com/2011/04/04/profile-spy-rogue-application-spreads-virally-on-twitter/

2 comments:

Robert said...

Should be able to use this to show employees why twitter is blocked. Good example of why using a different password for twitter than work related stuff is so important.

Chico Escuela said...

It is difficult these days to leave a short and quick sentence of thanks without sounding like a spammer. I was going to say "Good info as always" but then I get these on my blogs all the time...

I will say you threw me for a small loop when you said you looked up the whois for ""torrentprofilespy.info" when you meant to say twitterprofilespy.

Still, good stuff. :)