Newest Twitter w0rm details and how to protect yourself

Well, as you may have seen recently, Twitter has been hit again by a w0rm, and this time it uses a Java-based exploit to run commands on a victim's machine. Although this attack appears to target bank customers/employees and installs a key logger (an application that records all keystrokes made on the computer), it could be changed, or might already have been changed, to run really anything. You should know what to look for and how to protect yourself and/or your organization against such attacks.

What to look out for

The w0rm propagates by sending Tweets to Twitter users, and they (currently) look like this caption from the F-Secure folks.

Tweets to look out for

If you get tweets from users unknown to you personally, even if re-tweeted by your friends, you should ignore these posts and certainly not click on any links within them. Remember, the wording of the tweets could be changed at any time, so be aware of your clicks and you should be good-to-go.

How this attack works

This particular attack involves a web site running a Java applet. This applet will attempt to run some commands on the victim's machine and, in this case, will install a key logger which runs in the background on the victim's machine and quietly logs all keystrokes made by the user on his/her keyboard. These logs will later be analyzed by attackers to capture credentials for banking websites.

You can protect yourself against this type of attack in two ways…

  1. Disable the Java plugin in your browser. I have heard this option popping up from time to time, but unlike the Adobe Reader/Acrobat plugin, you will need the Java plugin to actually use websites you visit. This option should only be used if you understand that you will probably affect your overall web experience. It is not always possible to download all of the applets you will encounter online and then run them in a more protective environment (i.e. a VM).
  2. Ensure you do not click OK/RUN when prompted by the Java plugin to execute applets unless you know that the applet can be trusted. This is the much better option, but it takes a little forethought. You need to understand that Java applets will not execute unless you allow them to do so. So, if you do not trust the applet/application, simply click NO/CANCEL instead.

Although I am all about keeping the number of browser plugins as low as possible to avoid security issues overall, there are a couple of plugins that you will undoubtedly need, including Java and Flash (and NoScript and AdBlock 🙂). Also, please keep your Java installation up-to-date by keeping up with the patches. Currently, we are at 1.6.0_20 of the Oracle/Sun plugin, which can be downloaded from java.sun.com.
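
For the "keep Java up-to-date" advice across an organization, here is one way to flag machines below the 1.6.0_20 baseline mentioned above. This is an added example, not code from the original post; the host names and collected `java -version` outputs are constructed, and the function names are hypothetical.

```python
import re

# Baseline taken from the post: the current Oracle/Sun release at time of writing.
BASELINE = "1.6.0_20"

# Matches legacy version strings such as 1.6.0_20 or 1.6.0 (no update suffix).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, minor, patch, update) from a version string or from
    collected `java -version` output; None if nothing matches."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_outdated(text, baseline=BASELINE):
    """True when the reported version is older than the baseline.
    Compares numeric tuples: as plain strings "1.6.0_9" would sort
    after "1.6.0_20" and an old update would be reported as current.
    Unparseable input is treated as outdated so it gets a manual look."""
    found = parse_java_version(text)
    if found is None:
        return True
    return found < parse_java_version(baseline)


def audit(inventory):
    """inventory maps host name -> collected `java -version` output.
    Returns the sorted list of hosts that need patching or review."""
    return sorted(h for h, out in inventory.items() if is_outdated(out))


# Constructed sample inventory (host names and outputs are made up).
SAMPLE = {
    "desk-01": 'java version "1.6.0_20"',
    "desk-02": 'java version "1.6.0_9"',
    "desk-03": 'java version "1.5.0_22"',
    "desk-04": 'java version "1.6.0_21"',
    "desk-05": "java: command not found",
}

if __name__ == "__main__":
    for host in audit(SAMPLE):
        print(host, "needs attention:", SAMPLE[host])
```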