April 17, 2009 2:02 PM PDT

Teen Twitter worm writer gets job, spreads new worm

by Elinor Mills

Michael Mooney, aka "Mikeyy"

(Credit: Michael Mooney)

The teenager who takes credit for the worms that hit Twitter earlier this week has been hired by a Web application development firm and on Friday released a fifth worm on the microblogging site, he said.

Twitter fought off four waves of worm attacks last weekend and into Monday in which Twitter users were infected just by clicking on the name or image of someone whose account was infected. The worms appeared to do no damage other than spread to infected users' followers and modify profile pages.

Michael Mooney, a 17-year-old living in Brooklyn, N.Y., told CNET News that he wrote the worms because he was bored and wanted to bring Twitter's attention to the security holes.

Mooney also grabbed the attention of Travis Rowland, founder of ExqSoft in Hammond, Ore., who has hired the teen.

Rowland told CNET News on Friday that he saw the worms on Twitter and was impressed with Mooney's skills, so he contacted the teen about working for him doing security analysis. "I saw his Web site and he coded that all from hand and it was pretty impressive; it was a complete Twitter clone," Rowland said.

After landing the job, Mooney spread the latest worm, which exploits a fifth vulnerability at the site, he said. Asked why he doesn't contact Twitter directly instead of launching the attacks, the graduating high school senior said he had tried but had gotten no response.

"I just want to let (Twitters) know that my intent is not to aggravate them," Mooney said in a phone interview with CNET News. "It's probably not the best way, but it's the only way I can reach out to Twitter so they will fix the vulnerability."

The latest worm exploits a cross-site scripting vulnerability and posts messages from infected accounts that reference celebrities and Mooney getting hired by ExqSoft, according to a blog post by Graham Cluley, a senior technology consultant with security firm Sophos.

Rowland blasted Twitter for not adequately protecting its site. "It's a complete failure on their part," he said.

Twitter executives did not respond to an e-mail seeking comment.

Mooney is not the first hacker to have parlayed online stunts into profit. A New Zealand teenager arrested in 2007 on charges of operating a huge botnet that was used to steal from bank accounts was asked to be a speaker at TelstraClear customer seminars late last year and was used in an advertising campaign for the telecom's global security unit, according to Computerworld.

"The author of the Anna Kournikova worm was told by his town's mayor that he would be welcome to work on their systems, the notorious teenager behind the Sasser and Network worms was hired by a security firm, and the creator of a Chinese worm which displayed pictures of pandas burning incense was offered a job by one of his victims," Cluley wrote in a separate blog post.

Cluley criticized ExqSoft's hiring of Mooney, saying the teen should not be rewarded for behaving irresponsibly. The teen not only wasted the time of thousands of Twitter users and company engineers, Cluley said, but put Twitterers at risk of having their identities stolen or malware installed on their machines by financially motivated hackers who could have used the cross-site scripting flaw that Mooney used.

"In my opinion, I don't believe it was malicious," said Rowland. "He could have been farming for personal information like e-mail addresses and phone numbers. He potentially could have exposed that information to any numerous sources."

In a tweet last weekend, Rowland implored Twitter to not prosecute Mooney, arguing that he did them a favor by alerting them to a security hole.

Asked earlier in the week about the prosecution scenario for Mooney, Jennifer Granick, an attorney with the Electronic Frontier Foundation, said in an e-mail: "If he's 17, he will not be federally prosecuted and the sentencing, should he be found or plead guilty, should be more about rehabilitation than punishment."

Rowland said he plans to help guide Mooney away from pranks and toward a promising career as a white hat hacker.

"He's got a lot of growing up to do but he's a really good guy and he has a lot of passion for what he does," Rowland said. "Hopefully, I can influence him in the right way."

(ABCNews reported on Mooney getting a job early on Friday.)

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Showing 1 of 2 pages (37 Comments)
by jayhawk73 April 17, 2009 2:32 PM PDT
"The teen not only wasted the time of thousands of Twitter users "

isn't twitter just one big waste of time?
by monkeyfun14 April 17, 2009 2:49 PM PDT
+1

What time could you possibly have if you're on twitter.
by Dalkorian April 17, 2009 5:01 PM PDT
"Time vampire" is the appropriate term you're looking for.
by spork27 April 20, 2009 7:59 AM PDT
This was exactly my thought too when I read that line.
by joevai52 April 20, 2009 10:53 AM PDT
Yes, twitter is a waste of time, just another way to dumb down people, reduce their attention spans even further, and to continue the decline of interpersonal communications/relations. Now, if only someone would create a worm that will completely eliminate twitter, or maybe it's possible to create an iphone OS or windows mobile worm that makes the phone's owner soil themselves whenever they bring up "twitter" in conversation. If people want to use Twitter, that's fine, but please just stop talking about it already.
by ccmike72 April 20, 2009 3:31 PM PDT
+1
by vdubya_1 April 17, 2009 3:20 PM PDT
This moron didn't "write" anything. But script kiddies need to be tossed in jail just like the real hackers. Byye Byye Mikeyy
by timber2005 April 17, 2009 7:14 PM PDT
+1
It's like not reprimanding a kid when they are young. You give them the wrong idea.

Time to put him where he should be for a day or week.
by SergeM256 April 17, 2009 3:27 PM PDT
That's bizarre. He admitted releasing a virus and he is not in jail.
by ddhboy April 17, 2009 4:31 PM PDT
maybe if twitter had profits to eat out of because of such disruptions people would be more concerned.
by SergeM256 April 17, 2009 4:34 PM PDT
OK, Twitter decided not to prosecute him. What about affected users? I guess any user may file a criminal complaint and get him prosecuted. Users are victims in this case.
by monkeyfun14 April 17, 2009 6:38 PM PDT
Twitter has no money to prosecute anyone.
by shootfirst April 17, 2009 4:34 PM PDT
Computer security is a big money maker and a scam. Why do these security researchers hire known computer deviants that do deeds that they should get prosecuted for and don't. Instead our courts waste time going after people pirating music files, which is totally stupid. However with Twitter I think he should be given a life sentence for not taking it down all the way.

I don't think the kid wrote his site by hand. You can easily pull off information from a site using standard tools that have been around for forever to clone a website. I'd be impressed if he was able to copy all the databases from Twitter. How does this guy know if his website is a direct copy if he doesn't have the Twitter source... Sounds like he was just looking for a kid playtoy.
by mnl1121 May 26, 2009 9:35 AM PDT
Security researchers hire known hackers because of the obvious benefit. The best hackers out there (of which I doubt this 17 year old is one of them) really know what they are doing so why not hire them? You pay them, they give you all the info you want. Pretty simple and straightforward, especially when most hackers are just bored computer gurus.
by chrisx1 April 17, 2009 4:35 PM PDT
He is a minor who did a prank out of boredom, so he isn't in jail.
Many teens get bored and can't find enough that holds their attention these days.
Typical bored kid.
by Marcos989 April 20, 2009 2:36 PM PDT
let him be bored in jail
by crue24 April 17, 2009 5:24 PM PDT
Did you guys read the article? The kid alerted twitter to the vulnerabilities and they ignored him. He didn't steal info or anything else to compromise the users other than annoyance, why should he be prosecuted? Basically he just let all the twitter users know that the vulnerability was there hopefully creating an issue for the company to force them to fix the problem BEFORE a true villain exploited the issue for profit.

Consider it; who's the real bad guy, this kid or Twitter? Kid notifies twitter, "you have an issue". They ignore him. Everyone is at risk. Kid writes a program exploiting the issue in a non menacing way, making it publicity and now they have to respond and fix the issue securing everyone's info. Kid deserves a job and better. Twitter should pay him personally. Why should users go after him? Ultimately he probably helped them because now Twitter will have to fix the issue.

If the kid hadn't contacted twitter first, his behavior would be questionable. But if he notified them first and did something non-malicious after they ignored him, then I would consider that more public service than criminal. Security holes are always going to be around in software, unfortunately, but if companies knowingly ignore them, shouldn't the company be at fault? If he had used the vulnerability in a way to rip off users then sure, go after him, regardless of whether or not he notified them of it, but he didn't.

To put it in another context; consider this. Your bank doesn't lock the doors at night. I tell the bank, "hey, lock the door, it's open" and they ignore me. So I walk in take all the money and now everyone knows, but the money isn't really gone, I just hid it to prove a point to the bank.
by _makio_ April 17, 2009 11:12 PM PDT
hmm... don't know about the last point, but overall. yes. He didn't really "hide the money" per se. He only pointed out that it would be possible to steal the money.

Like you said, if he didn't contact twitter then did something malicious then he should certainly be punished. He didn't do that and therefore has done the online community a favour. The way I see it is the same as the sponsored hacking tournaments, if they point out flaws in software without doing anything malicious, they haven't really done anything wrong. There is a right and a wrong way to do everything...
by SergeM256 April 18, 2009 12:32 PM PDT
Obviously, if you rob a bank you would go to jail, even if you only wanted to expose weakness of bank's security.
by ZetaZeta_ April 19, 2009 8:05 PM PDT
But in this case nothing of value was lost.
by ikramerica--2008 April 20, 2009 1:23 PM PDT
It's more like what investigative reporters do than it is robbing a bank. But at least in this kid's case, he told Twitter beforehand and offered to save them embarrassment, but they ignored him. Most IRs simply infiltrate, continue the illegal practices, then publish an expose after the fact. Which is more criminal? I'd say the latter, but we routinely reward those people with Pulitzer prizes...
by n3td3v April 17, 2009 5:43 PM PDT
"The teenager who takes credit for the worms that hit Twitter earlier this week has been hired by a Web application development firm and on Friday released a fifth worm on the microblogging site, he said."

I hope the FBI nip him in the bud, this cannot continue, this needs to be made an example of.

I want Law enforcement / Intelligence agencies to take control of the situation, now.
by michael_mikeyy_mooney April 17, 2009 8:22 PM PDT
From what I understand he isn't from NY, that's just a VOIP# he uses to hide
Research here: http://sqworl.com/?i=a11951

I'm sure if he continues his games, it will catch up to him soon enough.
by Thought Nozzle April 18, 2009 1:57 AM PDT
Elinor -- It's "TelstraClear", not "TelestraClear". Parent company: the Australian communications giant Telstra. Just thought I'd point that out. No comment on the script kiddie.
by elinormills April 19, 2009 1:44 PM PDT
Fixed. thanks!
by AlexanderNY April 18, 2009 4:52 AM PDT
Connecting talented and gifted people with proper job opportunity is a tough task. There are literally millions of unemployed people now: just check the latest unemployment statistics on Jobrica
(http://www.jobrica.com/_RESOURCES/UnemploymentStat.aspx)

Finding the right job for right people is the key for our economic revival. There must be more opportunity for our teenagers to find a job, which would allow them to apply their talent in a positive way.
by ZetaZeta_ April 19, 2009 8:02 PM PDT
What did I say. Of course he'd get hired.
by ANTSCNET April 20, 2009 4:43 AM PDT
Anyone else think this smacks heavily of a cross between the Biopic 'Catch me if you Can' and the plot of 'Live Free or Die Hard' ?
by erade April 20, 2009 7:46 AM PDT
Sounds like if you rob a bank and get away with it you will be rewarded with a good job at the same bank you just robbed. A cigar is a cigar.
by jaycustom April 20, 2009 8:40 AM PDT
Bottom line...software developers need people like this kid. Twitter is big ( I personally think it's a joke) and is getting bigger every day. This needed to be pointed out before something really bad happened. And believe me...if I was this kid and I was offered a high paying job doing what I loved to do, I would definitely use my powers only for good! If only this happened in other parts of life. Catch a kid spray painting a building, send him to jail for a few days, but when he gets out, offer him an enrollment in an art class to put his skill to good use. Teens just need a push in the right direction..everyone knows that.
by Marcos989 April 20, 2009 2:34 PM PDT
Yes, I should thank this young man but first I will thank the thief that robbed me for exposing my home security is lacking as soon as I thank the mugger for only shooting me in the leg after I thank my employer for terminating me exposing my lack of sufficient funds saved.
Great logic.
by ccmike72 April 20, 2009 3:03 PM PDT
As a twitter user I thank him for pointing out a security flaw that could affect me. He did no real damage and took nothing of value. Attention should be on twitter for poor security practices. It's not like a thief, or mugger, or an employer who might lay you off Marcos. Unlike your scenarios he caused no damage. Without damages he in a civil sense did no harm. Prison is for those who endanger society and need reform. This kid is a danger to no one and due to the fact that he tried to tell twitter about their security flaw his ethics seem clean. Prison is not for vengeance wished upon someone by someone else who is feeling self-righteous.
by psmithp2 April 20, 2009 3:03 PM PDT
Excuse me, but isn't this a bit like hiring John Dillinger as a security consultant for banks? Sure he knows his stuff about bank robbery, because he DID it!

Maybe Homeland Security could use the talents of Osama bin Laden! Somewhere, there must be a grip to be had!
by gofalcons April 20, 2009 3:25 PM PDT
lock this punk up, this is such bull that this kid can "hack" a site and say "I did it to show them the vulnerabilities in the sites security"....lock this kid up just to show him the vulnerabilities of breaking the law.
by DevSensible April 20, 2009 11:53 PM PDT
From the view of one who owns and runs a web application design firm for enterprise level systems:

This year's "Most Stupid Business Move of the Year" award needs to go to good ol' Travis. Just because a kid (spell script kiddie) can pop worms into Twitter does not a security expert make. You did not hire a security expert. On the other hand, what you have done is:

1. Associate your firm with a hacker who, after being given a legitimate job, released another worm into the same system and then admitted to it. (This one I would watch Travis my boy. If I were Twitter I'd be coming after you. I mean, you do employ the kid and he did release the worm under your watch.)

2. Hire a kid who has no security background. Sure, he knows how to write a worm, but can he stand up against the criminal functions out there who are hell-bent on busting your web app?

3. Given yourself a huge problem if the kid doesn't pan out. Hey Travis, he infested Twitter 5 times now, what do you think he's going to do with your code if you decide things aren't going the way you want them to? Things that make you go hmmmm....

For all those saying this kid is right in doing what he did because he "notified" Twitter and got no response, note that there was no indication of how much time expired between said "notification" and the attack. I do believe his original statement was "I was bored," not "I was trying to point out flaws to Twitter and they never responded." I can understand if the notification was done 6-months prior, but then isn't it customary to release a proof of concept to a site like SecurityFocus? That is professional, that is the right thing to do. If the notification was 2 weeks ago, then, well...you do the math.

This kid needs to be prosecuted as any other hacker who attempts to spread a worm of such magnitude. And ol' Travis needs to be locked up for sheer stupidity. Hmmm, wait, maybe not. Maybe he should just keep on working so it's just one less competitor I have to worry about when a prime customer who pisses ol Mikeyy off finds his site spreading worms and suffering DoS cause Mikeyy was bored.