Slide1
The Koobface Botnet and the Rise of Social Malware
Kurt Thomas
kthomas@cs.berkeley.edu
David M. Nicol
dmnciol@illinois.edu

Slide2
Motivation
- Online social networks becoming attractive target for scams
  - Unprotected population
  - Exploit user trust in 'friends'
  - Scams propagated via stolen accounts
    - 86% of Twitter spam accounts compromised [Grier et al. CCS2010]
    - 97% of Facebook spam accounts compromised [Gao et al. IMC2010]
- Koobface botnet is a prime example
  - Steals social network credentials
  - Spreads to friends
  - Creates fake accounts to help seed infections

Slide3
Contributions
- Develop emulator to infiltrate Koobface
  - Replays packets to C&C for work
  - Allows safe interaction with botnet C&C
- Infrastructure:
  - 1,800 compromised domains
  - 4,100 zombies
- Fraudulent/infected accounts:
  - 30,000 fraudulent Gmail accounts
  - 942 fraudulent Facebook accounts
  - 247 compromised Twitter accounts
- Blacklists catch only 26% of spammed URLs
  - Only 13% of detections occur within the window of users clicking URLs

Slide4
Outline
- Infection chain
- Developing emulator
- Spam characteristics
- Blacklist limitations

Slide5
Infection Chain: Facebook
- Inbox message contains bit.ly URL to Blogspot account

Slide6
Infection Chain: Blogspot
- Blogspot page carries only a redirect:
  <script> location.href = 'http://peakgrouptravel.com/986/' </script>

Slide7
Infection Chain: Compromised Domain
- Compromised domain redirects again, this time to a raw IP address:
  <script> location.href = '80.121.41.281' </script>

Slide8
Infection Chain: Zombie
- User prompted to install Flash Player upgrade

Slide9
Goal of Infiltration
- Identify spam accounts
- Identify abused services
- Identify compromised domains, availability
- Identify compromised machines, availability

Slide10
Developing Emulator
- Capture sample in wild
- Run sample in Windows XP VM
  - Vary browser type
  - Seed with Facebook, Twitter, or no account
  - Record outgoing packets
- Manually reverse engineer protocol
  - Includes binary analysis for encryption function

Slide11
Extracting Protocol Messages
- Query for account to spam with:
- Query for URL to spam:
- Query for executables, actions:

Slide12
Resulting Data
- Replayed C&C queries over one month, recovering:
  - 1,800 compromised domains
  - 4,100 zombie IPs
- Searched public tweets, recovering:
  - 247 compromised Twitter accounts
  - 2,847 malicious tweets
- Queried C&C for credentials, recovering:
  - 30,000 fraudulent Gmail accounts
  - 942 fraudulent Facebook accounts
  - 506 malicious messages

Slide13
Spam Accounts
- Facebook: log into provided credentials (first confirm fraudulent)
  - Recover inbox, friend list
- Twitter: publicly search for spam strings; "OMFG!! You must see..."
  - Save all tweets, friend list; filter benign messages

Profile Statistic    Facebook    Twitter
Accounts             942         259
Messages             506         2,847
Templates            476         13
Friends              200,515     13,001

Slide14
Spam Volume
[Figure: spam volume over time, panels for Twitter and Facebook]

Slide15
Infection Length
- Measure length from first to last tweet
- Median lifetime: 6 days
- Attribute drop in spam volume to deinfection

Slide16
Clickthrough
- How many users visit spammed URLs?
- Majority of URLs shortened with bit.ly
  - Recover statistics from API
- Distinct links clicked 137,698 times
- On average, 80% of visits within first 2 days

Slide17
Circumventing Detection
- Facebook, Twitter only check visible URL for blacklist status
- Obfuscate with IP, shortener, public webhosting
- Previously blacklisted URLs can be re-used

Template                                   Sample
http://<compromised.tld><path>             http://gi.funpic.de/amaizingfilms/
http://bit.ly/<id>                         http://bit.ly/4vL8tY
http://<int,hex,octet>/<id>                http://0x0a88fae1d/akarBP
http://google.<tld>/reader/shared/<id>     http://google.dk/reader/shared/05928..
http://<user>.blogspot.com/                http://schaalmashelagh.blogspot.com
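The templates above work because a blacklist lookup on the visible URL never sees the landing host. As an added example (not code from the slides or the authors), the Python below canonicalises the host of a URL before the lookup: integer, hex, octal and short dotted IP forms are decoded to dotted-quad, and shortener or public-hosting domains are flagged as indirection that still needs resolving. The blacklist, the shortener and hosting sets, and the sample URLs are constructed for this example, not real indicators.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indirection layers the slides name as abused, plus a constructed
# blacklist of landing hosts used only for this example (not real IoCs).
SHORTENERS = {"bit.ly"}
PUBLIC_HOSTING = {"blogspot.com", "funpic.de"}
BLACKLIST = {"192.168.1.1", "landing.example"}

_HEX = re.compile(r"^0x[0-9a-f]+$")
_DEC = re.compile(r"^[0-9]+$")


def _component(part):
    """Decode one dotted component written as hex (0x..), octal (0..) or decimal."""
    if _HEX.match(part):
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_host(host):
    """Return a dotted-quad string for numeric hosts (a single integer, hex,
    octal, or short dotted forms read the way inet_aton reads them), the
    lowercase name for ordinary hostnames, or None if a numeric host is
    out of range."""
    host = host.lower().rstrip(".")
    parts = host.split(".")
    if not all(_HEX.match(p) or _DEC.match(p) for p in parts):
        return host  # ordinary hostname, nothing to decode
    try:
        nums = [_component(p) for p in parts]
        if len(nums) > 4:
            return None
        value = 0
        for n in nums[:-1]:  # leading components are single octets
            if n > 255:
                return None
            value = (value << 8) | n
        tail_bits = 8 * (5 - len(nums))  # last component fills the remainder
        if nums[-1] >= 1 << tail_bits:
            return None
        value = (value << tail_bits) | nums[-1]
        return str(ipaddress.IPv4Address(value))
    except ValueError:  # e.g. digits 8/9 in an octal component
        return None


def check_url(url, blacklist=BLACKLIST):
    """Classify a URL by its canonical host. Returns (canonical_host, verdict)
    with verdict one of 'blacklisted', 'shortener', 'public-hosting',
    'unknown' or 'malformed'."""
    host = urlsplit(url).hostname
    if host is None:
        return None, "malformed"
    canon = canonical_host(host)
    if canon is None:
        return None, "malformed"
    if canon in blacklist:
        return canon, "blacklisted"
    if canon in SHORTENERS:
        return canon, "shortener"
    if any(canon == d or canon.endswith("." + d) for d in PUBLIC_HOSTING):
        return canon, "public-hosting"
    return canon, "unknown"


if __name__ == "__main__":
    # Constructed sample URLs; the hex/decimal/octal forms all encode 192.168.1.1.
    for u in ["http://0xc0a80101/akarBP", "http://3232235777/x",
              "http://0300.0250.1.1/x", "http://192.168.257/x",
              "http://bit.ly/4vL8tY", "http://schaalmashelagh.blogspot.com/",
              "http://0x1ffffffff/x"]:
        print(u, "->", check_url(u))
```

A 'shortener' or 'public-hosting' verdict is not a clean bill of health: the check only tells you that the visible host is an indirection layer, and the real decision needs the redirect chain followed (a network step left out here) and the final host run through the same canonicalisation.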
Slide18
Blacklist Detection
- Begin with ground truth of 500 spammed URLs
- How many are detected by blacklists?
- What is the delay between appearing in C&C traffic vs. appearing on a blacklist?

Blacklist             Fraction of URLs Detected
Google Safebrowsing   26.7%
SURBL                 5.7%
Joewein               0%

Slide19
Blacklist Delay: Google Safebrowsing
- Detected URLs (26.7%):
  - 50% of detections occur within 2 days of appearing on C&C
- Undetected URLs (73.3%):
  - At least 4 days old, up to 25 days old
- Summary: only 13% of detections occur within click window
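The infection-length, clickthrough and blacklist-delay slides all reduce to the same kind of measurement: the gap between two timestamps per item, summarised as a median or as the share falling inside a window. As an added example (not the authors' code or data), the Python below computes those figures over constructed records: the fraction of spammed URLs a blacklist ever lists, the delay from first C&C sighting to listing, the share of detections inside the 2-day click window, the age of still-undetected URLs at the end of observation, and the median first-to-last-tweet lifetime per account. The dates and account names are made up for the example.

```python
from datetime import datetime, timedelta
from statistics import median

# Window in which most clicks land (slide: ~80% of visits within 2 days).
CLICK_WINDOW = timedelta(days=2)

# Constructed records, not the paper's data:
# (URL, first seen in C&C traffic, first seen on blacklist or None if never).
URL_RECORDS = [
    ("http://a.example/1", "2010-03-01", "2010-03-02"),
    ("http://b.example/2", "2010-03-01", "2010-03-06"),
    ("http://c.example/3", "2010-03-02", None),
    ("http://d.example/4", "2010-03-03", "2010-03-03"),
    ("http://e.example/5", "2010-03-04", None),
    ("http://f.example/6", "2010-03-05", "2010-03-12"),
    ("http://g.example/7", "2010-03-06", None),
    ("http://h.example/8", "2010-03-07", "2010-03-08"),
]

# Constructed per-account tweet dates for the infection-length measure.
ACCOUNT_TWEETS = {
    "acct_a": ["2010-03-01", "2010-03-04", "2010-03-07"],
    "acct_b": ["2010-03-02", "2010-03-04"],
    "acct_c": ["2010-03-05", "2010-03-09", "2010-03-15"],
}


def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")


def detection_fraction(records):
    """Share of spammed URLs that ever appear on the blacklist."""
    return sum(1 for _, _, bl in records if bl) / len(records)


def detection_delays(records):
    """Days from first C&C sighting to blacklist listing, detected URLs only."""
    return [(_day(bl) - _day(cc)).days for _, cc, bl in records if bl]


def fraction_within_click_window(records, window=CLICK_WINDOW):
    """Share of detections that happen while users are still clicking."""
    delays = detection_delays(records)
    return sum(1 for d in delays if timedelta(days=d) <= window) / len(delays)


def undetected_ages(records, as_of):
    """Age in days of each still-undetected URL at the end of observation."""
    end = _day(as_of)
    return sorted((end - _day(cc)).days for _, cc, bl in records if not bl)


def median_lifetime(tweets):
    """Median infection length: first to last tweet per account, in days."""
    spans = [(_day(max(ts)) - _day(min(ts))).days for ts in tweets.values()]
    return median(spans)


if __name__ == "__main__":
    print("detected:", detection_fraction(URL_RECORDS))
    print("delays (days):", detection_delays(URL_RECORDS))
    print("median delay:", median(detection_delays(URL_RECORDS)))
    print("within click window:", fraction_within_click_window(URL_RECORDS))
    print("undetected ages as of 2010-03-10:", undetected_ages(URL_RECORDS, "2010-03-10"))
    print("median account lifetime (days):", median_lifetime(ACCOUNT_TWEETS))
```

The two fractions the slides contrast come straight out of these functions: detection_fraction answers "how many are ever caught", and fraction_within_click_window answers "how many are caught before the clicks have already happened", which is the figure that actually bounds how much a blacklist can protect users.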
Slide20
Conclusion
- Koobface botnet shows social networks are a viable target for exploit
  - Users trust their 'friends'
- Limited protections available
  - Blacklists too slow, miss too many URLs
  - Services such as bit.ly, Blogspot abused to evade detection
- Infiltration provides a route for detection
  - Recover spam templates, URLs
  - Identify accounts propagating spam