X

Teen Twitter worm writer gets job, spreads new worm

The Brooklyn, N.Y., teenager who takes credit for a series of worms on Twitter gets hired by Web app development firm, and then distributes another worm.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
3 min read

Michael Mooney, aka "Mikeyy" Michael Mooney

The teenager who takes credit for the worms that hit Twitter earlier this week has been hired by a Web application development firm and on Friday released a fifth worm on the microblogging site, he said.

Twitter fought off four waves of worm attacks last weekend and into Monday in which Twitter users were infected just by clicking on the name or image of someone whose account was infected. The worms appeared to do no damage other than spread to infected users' followers and modify profile pages.

Michael Mooney, a 17-year-old living in Brooklyn, N.Y., told CNET News that he wrote the worms because he was bored and wanted to bring Twitter's attention to the security holes.

Mooney also grabbed the attention of Travis Rowland, founder of ExqSoft in Hammond, Ore., who has hired the teen.

Rowland told CNET News on Friday that he saw the worms on Twitter and was impressed with Mooney's skills so he contacted him about working for him doing security analysis. "I saw his Web site and he coded that all from hand and it was pretty impressive; it was a complete Twitter clone," Rowland said.

After landing the job, Mooney spread the latest worm, which exploits a fifth vulnerability at the site, he said. Asked why he doesn't contact Twitter directly instead of launching the attacks, the graduating high school senior said he had tried but had gotten no response.

"I just want to let (Twitters) know that my intent is not to aggravate them," Mooney said in a phone interview with CNET News. "It's probably not the best way, but it's the only way I can reach out to Twitter so they will fix the vulnerability."

The latest worm exploits a cross-site scripting vulnerability and posts messages from infected accounts that reference celebrities and references to Mooney getting hired by exqSoft, according to a blog post by Graham Cluley, a senior technology consultant with security firm Sophos.

Rowland blasted Twitter for not adequately protecting its site. "It's a complete failure on their part," he said.

Twitter executives did not respond to an e-mail seeking comment.

Mooney is not the first hacker to have parlayed online stunts into profit. A New Zealand teenager arrested in 2007 on charges of operating a huge botnet that was used to steal from bank accounts was asked to be a speaker at TelstraClear customer seminars late last year and was used in an advertising campaign for the telecom's global security unit, according to Computerworld.

"The author of the Anna Kournikova worm was told by his town's mayor that he would be welcome to work on their systems, the notorious teenager behind the Sasser and Network worms was hired by a security firm, and the creator of a Chinese worm which displayed pictures of pandas burning incense was offered a job by one of his victims," Cluley, wrote in a separate blog post.

Cluley criticized ExqSoft's hiring of Mooney, saying the teen should not be rewarded for behaving irresponsibly. The teen not only wasted the time of thousands of Twitter users and company engineers, Cluley said,but put Twitterers at risk of having their identities stolen or malware installed on their machines by financially-motivated hackers who could have used the cross-site scripting flaw that Mooney used.

"In my opinion, I don't believe it was malicious," said Rowland. "He could have been farming for personal information like e-mail addresses and phone numbers. He potentially could have exposed that information to any numerous sources."

In a tweet last weekend, Rowland implored Twitter to not prosecute Mooney, arguing that he did them a favor by alerting them to a security hole.

Asked earlier in the week about the prosecution scenario for Mooney, Jennifer Granick, an attorney with the Electronic Frontier Foundation, said in an e-mail: "If he's 17, he will not be federally prosecuted and the sentencing, should he be found or plead guilty, should be more about rehabilitation than punishment."

Rowland said he plans to help guide Mooney away from pranks and toward a promising career as a white hat hacker.

"He's got a lot of growing up to do but he's a really good guy and he has a lot of passion for what he does," Rowland said. "Hopefully, I can influence him in the right way."

(ABCNews reported on Mooney getting a job early on Friday.)