Michael Mooney, aka "Mikeyy"
(Credit: Michael Mooney)The teenager who takes credit for the worms that hit Twitter earlier this week has been hired by a Web application development firm and on Friday released a fifth worm on the microblogging site, he said.
Twitter fought off four waves of worm attacks last weekend and into Monday in which Twitter users were infected just by clicking on the name or image of someone whose account was infected. The worms appeared to do no damage other than spread to infected users' followers and modify profile pages.
Michael Mooney, a 17-year-old living in Brooklyn, N.Y., told CNET News that he wrote the worms because he was bored and wanted to bring Twitter's attention to the security holes.
Mooney also grabbed the attention of Travis Rowland, founder of ExqSoft in Hammond, Ore., who has hired the teen.
Rowland told CNET News on Friday that he saw the worms on Twitter and was impressed with Mooney's skills so he contacted him about working for him doing security analysis. "I saw his Web site and he coded that all from hand and it was pretty impressive; it was a complete Twitter clone," Rowland said.
After landing the job, Mooney spread the latest worm, which exploits a fifth vulnerability at the site, he said. Asked why he doesn't contact Twitter directly instead of launching the attacks, the graduating high school senior said he had tried but had gotten no response.
"I just want to let (Twitters) know that my intent is not to aggravate them," Mooney said in a phone interview with CNET News. "It's probably not the best way, but it's the only way I can reach out to Twitter so they will fix the vulnerability."
The latest worm exploits a cross-site scripting vulnerability and posts messages from infected accounts that reference celebrities and references to Mooney getting hired by exqSoft, according to a blog post by Graham Cluley, a senior technology consultant with security firm Sophos.
Rowland blasted Twitter for not adequately protecting its site. "It's a complete failure on their part," he said.
Twitter executives did not respond to an e-mail seeking comment.
Mooney is not the first hacker to have parlayed online stunts into profit. A New Zealand teenager arrested in 2007 on charges of operating a huge botnet that was used to steal from bank accounts was asked to be a speaker at TelstraClear customer seminars late last year and was used in an advertising campaign for the telecom's global security unit, according to Computerworld.
"The author of the Anna Kournikova worm was told by his town's mayor that he would be welcome to work on their systems, the notorious teenager behind the Sasser and Network worms was hired by a security firm, and the creator of a Chinese worm which displayed pictures of pandas burning incense was offered a job by one of his victims," Cluley, wrote in a separate blog post.
Cluley criticized ExqSoft's hiring of Mooney, saying the teen should not be rewarded for behaving irresponsibly. The teen not only wasted the time of thousands of Twitter users and company engineers, Cluley said,but put Twitterers at risk of having their identities stolen or malware installed on their machines by financially-motivated hackers who could have used the cross-site scripting flaw that Mooney used.
"In my opinion, I don't believe it was malicious," said Rowland. "He could have been farming for personal information like e-mail addresses and phone numbers. He potentially could have exposed that information to any numerous sources."
In a tweet last weekend, Rowland implored Twitter to not prosecute Mooney, arguing that he did them a favor by alerting them to a security hole.
Asked earlier in the week about the prosecution scenario for Mooney, Jennifer Granick, an attorney with the Electronic Frontier Foundation, said in an e-mail: "If he's 17, he will not be federally prosecuted and the sentencing, should he be found or plead guilty, should be more about rehabilitation than punishment."
Rowland said he plans to help guide Mooney away from pranks and toward a promising career as a white hat hacker.
"He's got a lot of growing up to do but he's a really good guy and he has a lot of passion for what he does," Rowland said. "Hopefully, I can influence him in the right way."
(ABCNews reported on Mooney getting a job early on Friday.)
Updated at 7:40 p.m. PDT with more information from the worm's creator.
As a second Twitter exploit began circulating on the micro-blogging site Sunday, a teen-ager from Brooklyn told CNET News he created both worms because he was bored and wanted to draw attention to the Twitter flaw.
Much like Saturday's StalkDaily worm, the "Mikeyy" worm posts unwanted messages to users' pages. The "Mikeyy" worm began spreading on the micro-blogging site early Sunday, posting messages such as "Mikeyy I am done...," "MikeyyMikeyy is done.," and "Twitter please fix this, regards Mikeyy."
Brooklyn resident Michael "Mikeyy" Mooney, 17, told CNET News in an interview that he created the worm "out of boredom."
"I thought about it later and basically did it because I was bored," he said. "And I didn't think Twitter would fix (the flaw) very soon. But I didn't think it would spread as far or as fast as it did."
Mooney, a high school senior who said one day he hopes to get a job as a security analyst, said he has been creating worms for about three years. He added that the worms he creates aren't designed to do much damage but that this will likely be his last worm.
"I'm done with Twitter," he said, adding that he was feeling a bit overwhelmed. "I've been getting too much attention lately."
Mooney said his site has has been live to the public for about two weeks and has 905 members, but that it "is growing quickly because of the worm."
The messages circulating Saturday promoted StalkDaily.com, a short-messaging site similar to Twitter. While initially denying any responsibility for the worm, StalkDaily.com posted a message saying, "I have came clean and have accepted the responsibility for the worm..."
Twitter said it has closed the hole that allowed the worm to spread.
"We've taken steps to remove the offending updates, and to close the holes that allowed this 'worm' to spread," Twitter said in a statement Saturday. "No passwords, phone numbers, or other sensitive information were compromised as part of this attack."
However, Mooney said he released the second worm exploiting the original flaw Sunday morning, after Twitter claimed to have closed the holes. He also said that he had not yet been contacted by Twitter representatives.
- prev
- 1
- next
