Twitter 'antibodies' help kill worm, says researcher

Users are Twitter's best defense against hardcore hackers, but not spammers

Social-networking services like Facebook and Twitter have a natural defense against hardcore hackers, a security researcher said Tuesday.

The remarkable speed with which several worms spread on Twitter on Tuesday may have sent opportunistic spammers scurrying to exploit a quickly patched vulnerability, but cybercriminals looking for ways to hijack PCs essentially steered clear.

Why?

"Social networks have built-in antibodies...their users," said Sean Sullivan of the Finnish security company F-Secure. "Compare the Twitter attack to a malicious attack of yesteryear that took weeks or even months to develop. This peaked and ebbed in two and a half hours," Sullivan said.

That pace was the worms' undoing. Although they spread voraciously for several hours -- the spike of worm-spreading traffic started around 5:30 a.m. Pacific time, according to data from Trendistic.com -- Twitter quashed the bug by 7 a.m.

With users tweeting around the clock somewhere in the world, it's not surprising that the original worm and the inevitable copycats came to the attention of Twitter's security team. "They make a very dynamic feedback loop for Twitter," Sullivan said.

What's not as intuitive is that the fast up-up-up and then the just-as-rapid down-down-down of the infection pulse is something hackers don't want.

"Hard-core hackers won't go after something like Twitter," Sullivan contended, "because it causes too much damage."

Too much, as in too much publicity, and more infections than can be handled.

If the goal is to hijack a PC -- the usual for hackers out to pillage machines of passwords and usernames, or other information that can lead to money -- then the last thing cybercriminals want is for the victims to know they've been nailed. Nor is it efficient to compromise more machines than can be controlled, or launch attacks that attract the instant attention of authorities, security researchers and users.

"This spread to too many people, too fast," Sullivan said. "That's like scorched earth for them." In other words, a barren wasteland.

Instead, the flaws in services like Twitter or Facebook -- the latter was hit with attacks that exploited a pair of vulnerabilities earlier this month -- are tailor-made for scammers, who run short-lived campaigns as a matter of course, hoping to dupe people while the getting's good.

"Spammers leap on something and grab it quick," said Sullivan. "They usually jump on hobbyist hackers' research, like Magnus Holm's."

Holm, a Norwegian developer, used Japanese programmer Masato Kinugawa's earlier work to craft the worm that kicked off Tuesday's attacks.

Sullivan pegged Holm with the "hobbyist" label because he didn't have a plan, or malicious intent. "He's the kind of guy who might have created an Internet worm back in 2001 or 2002, just for the fame and glory," said Sullivan, contrasting Holm with professionals who think first of profit, not prominence.

Holm acknowledged his hobbyist status on, of all places, Twitter, where his account remained active as of early Wednesday. "Waiting for my 15 minutes of fame to fade away," Holm said.

Others used Kinugawa's work and Holm's worm to build their own variants that automatically shunted users to pornographic Web sites, displayed irritating pop-up ads or sent people to a potentially malicious Russian site.

Sullivan said there was also evidence that some of the Twitter worms were deployed by the same spamming gangs that ran attacks against Facebook two weeks ago. These gangs specialize in marketing survey spam and abuse advertising-based survey affiliate networks like CPAlead.com to earn $1 for each person they dupe into completing a poll.

Last month, Sullivan tallied what CPAlead.com claimed its top earners had made, and came up with a staggering $485,000 over a 10-week period. Early Wednesday, CPAlead.com's Twitter account announced that one top earner, identified only as "Curtis," took home $21,959.

In fact, spammers are Twitter's most dangerous enemy, not hackers, Sullivan maintained, when they filch vulnerabilities others have uncovered. "It's going to be really interesting to see how the new Twitter handles spam," Sullivan said.

Sullivan even had a solution: Money.

"Twitter should think about a bounty program," he said. "These people with hobbyist mentalities want to be promoted, and recognition from Twitter might be one way to go."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@ix.netcom.com.
