Wily Weekend Worms

Sunday, 12 April 2009

On a weekend normally reserved for bunnies, a worm took center stage. A computer worm is a self-replicating computer program sometimes introduced by folks with malicious intent to do some harm to a network. Please note that no passwords, phone numbers, or other sensitive information was compromised as part of these attacks.

The worm introduced to Twitter this weekend was similar to the famous Samy worm, which spread across the popular MySpace social-networking site a while back. At that time, MySpace filed a lawsuit against the virus creator, which resulted in a felony charge and sentencing. Twitter takes security very seriously and we will be following up on all fronts.

What Went Down?

At about 2AM on Saturday, four accounts were created that began spreading a worm on Twitter. From 7:30AM until 11AM PST, our security team worked on eliminating the vectors that could identify this worm. At that time, about 90 accounts were compromised. We identified and secured these accounts.

Later in the afternoon, a second wave of the worm hit Twitter and this time it was much more intense. We got back to work and the situation was contained. About 100 accounts were compromised. Again, we identified and secured the accounts. We also identified and deleted malicious content that could work to further spread the worm.

On Sunday morning, we had another bout of attacks. Our team quickly pulled together and started fighting the attackers in real time. Again, we secured the accounts that had been compromised and removed any content that might help spread the worm. All told, we identified and deleted almost 10,000 tweets that could have continued to spread the worm.

[Update] Late Sunday night and into the wee hours of Monday we fought off a fourth attack. Once again, we secured the compromised accounts and deleted any material that would further propagate the worm.

Now What?

We are still reviewing all the details and cleaning up, and we remain on alert. Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future. We will conduct a full review of the weekend activities. Everything will be covered: how it happened, how we reacted, and preventative measures.

In addition to making Twitter stronger and more secure, we will share the information we have learned with our friends at other popular web-based services so they can make sure they have the right systems in place for dealing with the same kind of malicious activity. Our support team will have lots of email to go through on Monday, so please bear with us, and thanks for your patience.