The Koobface Botnet and the Rise of Social Malware

Kurt Thomas, kthomas@cs.berkeley.edu
David M. Nicol, dmnciol@illinois.edu


Motivation

• Online social networks are becoming an attractive target for scams
  – Unprotected population
  – Exploit user trust in ‘friends’

• Scams propagated via stolen accounts
  – 86% of Twitter spam accounts compromised [Grier et al. CCS 2010]
  – 97% of Facebook spam accounts compromised [Gao et al. IMC 2010]

• Koobface botnet is a prime example
  – Steals social network credentials
  – Spreads to friends
  – Creates fake accounts to help seed infections


Contributions

• Develop emulator to infiltrate Koobface
  – Replays captured requests to the C&C to obtain work assignments
  – Allows safe interaction with the botnet C&C

• Infrastructure:
  – 1,800 compromised domains
  – 4,100 zombies

• Fraudulent/infected accounts:
  – 30,000 fraudulent Gmail accounts
  – 942 fraudulent Facebook accounts
  – 247 compromised Twitter accounts

• Blacklists catch only 26% of spammed URLs
  – Only 13% of spammed URLs are blacklisted within the window in which users click them


Outline

• Infection chain
• Developing emulator
• Spam characteristics
• Blacklist limitations


Infection Chain: Facebook

Inbox message contains bit.ly URL to Blogspot account


Infection Chain: Blogspot

<script>location.href = 'http://peakgrouptravel.com/986/'</script>


Infection Chain: Compromised Domain

<script>location.href = '80.121.41.281'</script>


Infection Chain: Zombie

User prompted to install Flash Player upgrade
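The chain on the preceding slides, resolved end to end by a small walker. This is an added example, not code from the paper or from the botnet: it follows HTTP redirects and the JavaScript location.href redirects shown above, labels each hop by host type (shortener, public webhost, other domain, raw IP) and flags a landing page that pushes an executable as a Flash Player upgrade. The URLs, page bodies and the FAKE_WEB lookup that stands in for the network are all constructed so the script runs offline; real use would swap in an HTTP client, inside a sandbox, since the last hop serves malware.

```python
"""Walk a Koobface-style redirect chain and classify each hop (added example)."""
import re
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the web: url -> (HTTP status, Location header, body).
FAKE_WEB = {
    "http://bit.ly/abc123": (301, "http://lure-user.blogspot.com/", ""),
    "http://lure-user.blogspot.com/": (
        200, None,
        "<html><script>location.href = 'http://compromised.example/986/'</script></html>"),
    "http://compromised.example/986/": (
        200, None,
        "<html><script>location.href = 'http://192.0.2.17/'</script></html>"),
    "http://192.0.2.17/": (
        200, None,
        "<html>Your Flash Player is out of date. "
        "<a href='setup.exe'>Install upgrade</a></html>"),
}

SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# The form of JavaScript redirect used on the Blogspot and compromised-domain hops.
JS_REDIRECT = re.compile(r"""location\.href\s*=\s*['"]([^'"]+)['"]""")


def fake_fetch(url):
    """Offline replacement for an HTTP GET; unknown URLs look like 404s."""
    return FAKE_WEB.get(url, (404, None, ""))


def classify(url):
    """Label a hop by the kind of host it lives on."""
    host = (urlparse(url).hostname or "").lower()
    if host in SHORTENERS:
        return "shortener"
    if host.endswith(".blogspot.com"):
        return "public webhost"
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        return "raw IP"
    return "domain"


def next_hop(url, status, location, body):
    """Return the URL the page sends the browser to, or None for a landing page."""
    if status in REDIRECT_STATUSES and location:
        return urljoin(url, location)
    match = JS_REDIRECT.search(body)
    return urljoin(url, match.group(1)) if match else None


def resolve_chain(start, fetch=fake_fetch, max_hops=10):
    """Follow redirects from `start`; return ([(url, label), ...], final_body)."""
    url, body = start, ""
    hops, seen = [(url, classify(url))], {url}
    for _ in range(max_hops):
        status, location, body = fetch(url)
        nxt = next_hop(url, status, location, body)
        if nxt is None or nxt in seen:      # landing page, or a redirect loop
            break
        seen.add(nxt)
        url = nxt
        hops.append((url, classify(url)))
    return hops, body


def is_fake_update_lure(body):
    """Heuristic for the final hop: a 'Flash Player' prompt that hands out an .exe."""
    text = body.lower()
    return "flash player" in text and ".exe" in text


if __name__ == "__main__":
    hops, landing = resolve_chain("http://bit.ly/abc123")
    for i, (url, label) in enumerate(hops):
        print(f"hop {i}: {label:14} {url}")
    print("fake Flash update lure:", is_fake_update_lure(landing))
```

The walker stops on the first page that neither redirects via HTTP nor via location.href, so a landing page that redirects only after a timer or via a form would be missed; a sandboxed browser is the reliable tool for those.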


Goal of Infiltration

[Figure: infiltration targets within the Koobface infrastructure]
• Identify spam accounts
• Identify abused services
• Identify compromised domains, availability
• Identify compromised machines, availability


Developing Emulator

• Capture sample in the wild
• Run sample in a Windows XP VM
  – Vary browser type
  – Seed with Facebook, Twitter, or no account
• Record outgoing packets
• Manually reverse engineer the protocol
  – Includes binary analysis to recover the encryption function


Extracting Protocol Messages

• Query for account to spam with
• Query for URL to spam
• Query for executables, actions


Resulting Data

• Replayed C&C queries over one month, recovering:
  – 1,800 compromised domains
  – 4,100 zombie IPs

• Searched public tweets, recovering:
  – 247 compromised Twitter accounts
  – 2,847 malicious tweets

• Queried C&C for credentials, recovering:
  – 30,000 fraudulent Gmail accounts
  – 942 fraudulent Facebook accounts
  – 506 malicious messages


Spam Accounts

• Facebook:
  – Log into provided credentials (first confirm fraudulent)
  – Recover inbox, friend list

• Twitter:
  – Publicly search for spam strings; “OMFG!! You must see…”
  – Save all tweets, friend list; filter benign messages

Profile Statistic   Facebook   Twitter
Accounts                 942       259
Messages                 506      2847
Templates                476        13
Friends              200,515    13,001


Spam Volume

[Figure: spam volume over time for the Twitter and Facebook accounts]


Infection Length

• Measure length from first to last tweet
  – Median lifetime: 6 days
  – Attribute the drop in spam volume to infected machines being cleaned up


Clickthrough

• How many users visit spammed URLs?
  – Majority of URLs shortened with bit.ly
  – Recover click statistics from the bit.ly API

• Distinct links clicked 137,698 times

• On average, 80% of visits occur within the first 2 days


Circumventing Detection

• Facebook, Twitter only check the visible URL for blacklist status
  – Obfuscate with IP literals, URL shorteners, public webhosting

• Previously blacklisted URLs can be re-used

Template                                   Sample
http://<compromised.tld><path>             http://gi.funpic.de/amaizingfilms/
http://bit.ly/<id>                         http://bit.ly/4vL8tY
http://<int,hex,octet>/<id>                http://0x0a88fae1d/akarBP
http://google.<tld>/reader/shared/<id>     http://google.dk/reader/shared/05928..
http://<user>.blogspot.com/                http://schaalmashelagh.blogspot.com
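The <int,hex,octet> row is the case a visible-URL blacklist check gets wrong most easily: the string 0x0a88fae1d is on no list, but a browser parses it as a 32-bit integer and connects to 168.143.174.29. What follows is an added example, not code from the paper: it canonicalizes the integer, hex, octal and short-dotted IPv4 forms that browsers accept (the classic inet_aton rules, where the last component fills the remaining bytes) and checks a blacklist against the canonical host rather than the visible one. Python's ipaddress module rejects all of these forms, hence the hand-written parser. The blacklist set and the alternative spellings of the address are constructed for the example.

```python
"""Canonicalize obfuscated IPv4 hosts before a blacklist lookup (added example)."""
import ipaddress
import re
from urllib.parse import urlparse, urlunparse


def _parse_part(part):
    """One dotted component, using the prefixes browsers honour: 0x hex, leading-0 octal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):
        return int(part[2:] or "0", 16)
    if re.fullmatch(r"0[0-7]*", part):
        return int(part, 8)
    if re.fullmatch(r"[1-9][0-9]*", part):
        return int(part, 10)
    raise ValueError(part)


def canonical_ipv4(host):
    """Dotted-quad for any IPv4 literal a browser accepts, else None.

    Accepts 1 to 4 dotted parts; as in inet_aton, the last part fills all
    remaining bytes, so '168.9416221' and '2827988509' are both valid.
    """
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *lead, last = nums
    if any(n > 255 for n in lead) or last >= 256 ** (4 - len(lead)):
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    value = (value << (8 * (4 - len(lead)))) | last
    return str(ipaddress.IPv4Address(value))


def canonical_url(url):
    """Rewrite the host of a URL to its canonical form for lookups.

    Also drops userinfo (the 'http://facebook.com@evil/' trick) and lower-cases the host.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return urlunparse(parsed._replace(netloc=canonical_ipv4(host) or host))


def host_blacklisted(url, blacklist):
    """True if the canonical host of `url` is in `blacklist` (a set of hostnames/IPs)."""
    host = (urlparse(canonical_url(url)).hostname or "").lower()
    return host in blacklist


if __name__ == "__main__":
    blacklist = {"168.143.174.29"}                  # constructed blacklist entry
    for u in ("http://0x0a88fae1d/akarBP",          # hex form from the slide
              "http://2827988509/akarBP",           # same address as a decimal integer
              "http://0250.0217.0256.035/akarBP",   # same address in octal
              "http://168.143.174.29/akarBP"):
        print(f"{u:36} -> {canonical_url(u):32} blacklisted={host_blacklisted(u, blacklist)}")
```

socket.inet_aton applies the same rules on most platforms and could replace canonical_ipv4, but its behaviour is libc-dependent (Windows differs), so a blacklist service should normalize with one deterministic parser. Shortener and Blogspot hops still need to be followed to their landing page before the check; canonicalization only closes the IP-literal gap.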


Blacklist Detection

• Begin with ground truth of 500 spammed URLs
  – How many are detected by blacklists?
  – What is the delay between a URL appearing in C&C traffic and appearing on a blacklist?

Blacklist              Fraction of URLs Detected
Google Safebrowsing    26.7%
SURBL                   5.7%
Joewein                 0%


Blacklist Delay: Google Safebrowsing

• Detected URLs (26.7%):
  – 50% of detections occur within 2 days of the URL appearing on the C&C

• Undetected URLs (73.3%):
  – At least 4 days old, up to 25 days old

• Summary: only ~13% of spammed URLs (half of the 26.7% detected) are blacklisted within the window in which users click them
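The two percentages on this slide use different denominators, which is easy to lose: 26.7% is the share of all spammed URLs ever blacklisted, and 50% of those detections fall within two days, so roughly 13% (0.267 × 0.5) of all spammed URLs are blacklisted while users are still clicking. The following added example (not the paper's analysis code) computes both quantities, plus the delay and age summaries, from per-URL first-seen and blacklist timestamps. The records, the 30-day observation period and the 2-day click window are constructed; the window is chosen to match the clickthrough slide's observation that about 80% of visits occur in the first two days.

```python
"""Blacklist delay versus click window (added example with constructed data)."""
from datetime import datetime, timedelta
from statistics import median

DAY = timedelta(days=1)
T0 = datetime(2010, 1, 1)          # start of a constructed observation period
NOW = T0 + 30 * DAY                # end of the observation period
CLICK_WINDOW = 2 * DAY             # ~80% of bit.ly clicks land in the first 2 days


def record(first_day, detect_after_days=None):
    """One spammed URL: the day it first appeared in C&C traffic, and when it was blacklisted."""
    first_seen = T0 + first_day * DAY
    blacklisted = None if detect_after_days is None else first_seen + detect_after_days * DAY
    return {"first_seen": first_seen, "blacklisted": blacklisted}


# Constructed ground truth: 4 URLs eventually blacklisted (after 1, 2, 3, 5 days),
# 6 never blacklisted and between 4 and 25 days old at NOW.
OBSERVED = [
    record(0, 1), record(1, 2), record(2, 3), record(3, 5),
    record(26), record(25), record(20), record(15), record(10), record(5),
]


def _days(td):
    return td.total_seconds() / 86400


def blacklist_stats(records, now, window=CLICK_WINDOW):
    """Detection rate, in-window rate under both denominators, and delay/age summaries."""
    detected = [r for r in records if r["blacklisted"] is not None]
    delays = [r["blacklisted"] - r["first_seen"] for r in detected]
    in_window = [d for d in delays if d <= window]
    undetected_ages = [now - r["first_seen"] for r in records if r["blacklisted"] is None]
    return {
        "detected_fraction": len(detected) / len(records),
        "in_window_fraction_of_detected": len(in_window) / len(detected) if detected else 0.0,
        "in_window_fraction_of_all": len(in_window) / len(records),
        "median_delay_days": median(_days(d) for d in delays) if delays else None,
        "min_undetected_age_days": min(_days(a) for a in undetected_ages) if undetected_ages else None,
        "max_undetected_age_days": max(_days(a) for a in undetected_ages) if undetected_ages else None,
    }


if __name__ == "__main__":
    for key, value in blacklist_stats(OBSERVED, NOW).items():
        print(f"{key:32} {value}")
```

in_window_fraction_of_all is the number that matters operationally: it is the share of spammed URLs a blacklist-only defence would have stopped before most of the clicks happened. Reporting only the fraction of detections that were fast makes a slow, low-coverage list look better than it is.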


Conclusion

• Koobface botnet shows social networks are a viable target for exploitation
  – Users trust their ‘friends’
  – Limited protections available

• Blacklists too slow, miss too many URLs
  – Services such as bit.ly and Blogspot are abused to evade detection

• Infiltration provides a route for detection
  – Recover spam templates, URLs
  – Identify accounts propagating spam