The Koobface Botnet and the Rise of Social Malware Kurt Thomas David M. Nicol


1 The Koobface Botnet and the Rise of Social Malware
Kurt Thomas kthomas@cs.berkeley.edu
David M. Nicol dmnciol@illinois.edu

2 Motivation
Online social networks becoming attractive target for scams
– Unprotected population
– Exploit user trust in ‘friends’
Scams propagated via stolen accounts
– 86% of Twitter spam accounts compromised [Grier et al. CCS2010]
– 97% of Facebook spam accounts compromised [Gao et al. IMC2010]
Koobface botnet is a prime example
– Steals social network credentials
– Spreads to friends
– Creates fake accounts to help seed infections

3 Contributions
Develop emulator to infiltrate Koobface
– Replays packets to C&C for work
– Allows safe interaction with botnet
C&C infrastructure:
– 1,800 compromised domains
– 4,100 zombies
Fraudulent/infected accounts:
– 30,000 fraudulent Gmail accounts
– 942 fraudulent Facebook accounts
– 247 compromised Twitter accounts
Blacklists catch only 26% of spammed URLs
– Only 13% of detections occur within the window in which users click the URL

4 Outline
– Infection chain
– Developing emulator
– Spam characteristics
– Blacklist limitations

5 Infection Chain: Facebook Inbox message contains bit.ly URL to Blogspot account

6 Infection Chain: Blogspot
location.href = 'http://peakgrouptravel.com/986/'

7 Infection Chain: Compromised Domain
location.href = '80.121.41.281'

8 Infection Chain: Zombie User prompted to install Flash Player upgrade

9 Goal of Infiltration
– Identify spam accounts
– Identify abused services
– Identify compromised domains, availability
– Identify compromised machines, availability

10 Developing Emulator
Capture sample in wild
Run sample in Windows XP VM
– Vary browser type
– Seed with Facebook, Twitter, or no account
Record outgoing packets
Manually reverse engineer protocol
– Includes binary analysis for encryption function

11 Extracting Protocol Messages
– Query for account to spam with:
– Query for URL to spam:
– Query for executables, actions:

12 Resulting Data
Replayed C&C queries over one month, recovering:
– 1,800 compromised domains
– 4,100 zombie IPs
Searched public tweets, recovering:
– 247 compromised Twitter accounts
– 2,847 malicious tweets
Queried C&C for credentials, recovering:
– 30,000 fraudulent Gmail accounts
– 942 fraudulent Facebook accounts
– 506 malicious messages

13 Spam Accounts
Facebook:
– Log into provided credentials (first confirm fraudulent)
– Recover inbox, friend list
Twitter:
– Publicly search for spam strings; “OMFG!! You must see…”
– Save all tweets, friend list; filter benign messages

Profile Statistic   Facebook   Twitter
Accounts            942        259
Messages            506        2,847
Templates           47         613
Friends             200,515    13,001

14 Spam Volume (figure: Twitter, Facebook)

15 Infection Length
Measure length from first to last tweet
– Median lifetime: 6 days
– Attribute drop in spam volume to deinfection

16 Clickthrough
How many users visit spammed URLs?
– Majority of URLs shortened with bit.ly
– Recover statistics from API
Distinct links clicked 137,698 times
On average, 80% of visits within first 2 days

17 Circumventing Detection
Facebook, Twitter only check visible URL for blacklist status
– Obfuscate with IP, shortener, public webhosting
Previously blacklisted URLs can be re-used

Template                          Sample
http://                           http://gi.funpic.de/amaizingfilms/
http://bit.ly/                    http://bit.ly/4vL8tY
http:// /                         http://0x0a88fae1d/akarBP
http://google. /reader/shared/    http://google.dk/reader/shared/05928..
http://.blogspot.com/             http://schaalmashelagh.blogspot.com
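The slide's point is that a blacklist lookup on the visible URL string is defeated by writing the same host as a hex or decimal IP literal, or by hiding the destination behind bit.ly or a hosted blog. The following is an added example (not code from the talk or the paper) that contrasts that naive string match with a defender's check that canonicalises IP-literal hosts before the lookup and flags shortener/hosted-blog URLs as needing expansion. The blacklist, the RFC 1918 address 10.136.250.225 and its hex and decimal encodings are constructed for the example; REDIRECT_HOSTS and the function names are the example's own.

```python
import ipaddress
from urllib.parse import urlsplit

# Intermediaries the slides name as abused for obfuscation (bit.ly shortener,
# Blogspot hosting). Their visible URL says nothing about the final landing
# page, so a string match against a blacklist cannot classify them.
REDIRECT_HOSTS = {"bit.ly", "blogspot.com"}


def canonical_host(host):
    """Return an IP-literal host in dotted-quad form, or the lowercased name.
    Browsers accept dotted decimal, 0x-prefixed hex and plain dword integers
    as the same IPv4 address; a blacklist keyed on the visible string does not."""
    host = host.lower()
    try:
        return str(ipaddress.ip_address(host))        # already dotted decimal
    except ValueError:
        pass
    try:
        if host.startswith("0x"):
            value = int(host, 16)                     # hex dword, e.g. 0x0a88fae1
        elif host.isdigit():
            value = int(host, 10)                     # decimal dword
        else:
            return host                               # ordinary hostname
        if 0 <= value <= 0xFFFFFFFF:
            return str(ipaddress.IPv4Address(value))
    except ValueError:
        pass
    return host


def naive_check(url, blacklist):
    """The check the slide attributes to the social networks: compare the
    visible hostname, exactly as written, against the blacklist."""
    parts = urlsplit(url)
    return "blacklisted" if (parts.hostname or "") in blacklist else "unknown"


def canonical_check(url, blacklist):
    """Defender's version: canonicalise the host first, and flag URLs whose
    destination is hidden behind a shortener or hosted blog for expansion."""
    parts = urlsplit(url)
    host = canonical_host(parts.hostname or "")
    if host in blacklist:
        return "blacklisted"
    registrable = ".".join(host.split(".")[-2:])      # crude eTLD+1, enough here
    if registrable in REDIRECT_HOSTS:
        return "needs-expansion"
    return "unknown"


def compare(urls, blacklist):
    """Run both checks over a list of URLs; returns {url: (naive, canonical)}."""
    return {u: (naive_check(u, blacklist), canonical_check(u, blacklist)) for u in urls}


# Constructed samples. 10.136.250.225 is an RFC 1918 address standing in for
# a compromised host; the hex and decimal forms below encode the same address.
BLACKLIST = {"10.136.250.225"}
SAMPLES = [
    "http://10.136.250.225/akarBP",
    "http://0x0a88fae1/akarBP",
    "http://176749281/akarBP",
    "http://bit.ly/4vL8tY",
    "http://schaalmashelagh.blogspot.com/",
    "http://gi.funpic.de/amaizingfilms/",
]

if __name__ == "__main__":
    for url, (naive, canon) in compare(SAMPLES, BLACKLIST).items():
        print(f"{url:42} naive={naive:12} canonical={canon}")
```

The hex and decimal variants pass the naive check and fail the canonical one; the bit.ly and Blogspot URLs come back as "needs-expansion", meaning the final redirect target has to be fetched and checked before the URL can be classified. The public-webhost sample stays "unknown" under both checks, which is the slide's point: a host-level blacklist cannot classify it until its content is examined.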

18 Blacklist Detection
Begin with ground truth of 500 spammed URLs
– How many are detected by blacklists?
– What is delay between appearing in C&C traffic vs. appearing on blacklist?

Blacklist            Fraction of URLs Detected
Google Safebrowsing  26.7%
SURBL                5.7%
Joewein              0%

19 Blacklist Delay: Google Safebrowsing
Detected URLs (26.7%):
– 50% of detections occur within 2 days of appearing on C&C
Undetected URLs (73.3%):
– At least 4 days old, up to 25 days old
Summary: only 13% of detections occur within click window
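Slides 16, 18 and 19 together define a measurement: for each spammed URL, the time it first appeared in C&C traffic, the time (if any) a blacklist listed it, and the times users clicked it, from which the talk derives the detection fraction, the detection delay, and the share of detections that land inside the 2-day click window. The code below is an added example, not the paper's analysis code; it reproduces that computation over a handful of constructed records (the dates, delays and bit.ly paths are made up, and the record layout and function names are the example's own) and adds one figure a defender wants that the slides do not state: the share of clicks that occurred after the listing, i.e. the clicks a blacklist warning could actually have stopped.

```python
from datetime import datetime, timedelta
from statistics import median

BASE = datetime(2010, 3, 1)  # constructed reference date; all offsets below are made up


def record(url, first_seen_day, detected_after_hours, click_hours):
    """One constructed measurement record: when the C&C first handed the URL
    out, when a blacklist listed it (None = never), and when users clicked it
    (the slides recover click times from the bit.ly API)."""
    seen = BASE + timedelta(days=first_seen_day)
    listed = None if detected_after_hours is None else seen + timedelta(hours=detected_after_hours)
    return {
        "url": url,
        "cnc_first_seen": seen,
        "blacklisted_at": listed,
        "clicks": [seen + timedelta(hours=h) for h in click_hours],
    }


# Constructed ground truth; the bit.ly paths are placeholders, not real links.
RECORDS = [
    record("http://bit.ly/EXAMPLE1", 0, 24, [12, 36, 72]),    # listed after 1 day
    record("http://bit.ly/EXAMPLE2", 1, 120, [5, 24]),        # listed after 5 days
    record("http://bit.ly/EXAMPLE3", 2, None, [2, 7]),        # never listed
    record("http://bit.ly/EXAMPLE4", 3, 12, [2, 24]),         # listed after 12 hours
    record("http://bit.ly/EXAMPLE5", 4, None, [17]),          # never listed
]

CLICK_WINDOW = timedelta(days=2)   # slide 16: ~80% of visits occur within 2 days


def detection_fraction(records):
    """Share of spammed URLs that a blacklist ever listed (slide 18)."""
    return sum(r["blacklisted_at"] is not None for r in records) / len(records)


def detection_delays(records):
    """C&C first-seen to blacklist-listing delay, for detected URLs only."""
    return [r["blacklisted_at"] - r["cnc_first_seen"]
            for r in records if r["blacklisted_at"] is not None]


def median_delay(records):
    return median(detection_delays(records))


def fraction_detected_within(records, window=CLICK_WINDOW):
    """Share of detections that landed inside the click window (slide 19)."""
    delays = detection_delays(records)
    return sum(d <= window for d in delays) / len(delays)


def fraction_of_clicks_within(records, window=CLICK_WINDOW):
    """Share of all clicks that occur within `window` of first appearance (slide 16)."""
    offsets = [c - r["cnc_first_seen"] for r in records for c in r["clicks"]]
    return sum(d <= window for d in offsets) / len(offsets)


def fraction_of_clicks_protected(records):
    """Share of all clicks that happened after the URL was blacklisted, i.e. the
    clicks a blacklist-based warning could actually have stopped."""
    total = protected = 0
    for r in records:
        for c in r["clicks"]:
            total += 1
            if r["blacklisted_at"] is not None and c >= r["blacklisted_at"]:
                protected += 1
    return protected / total


def summary(records):
    return {
        "detected": detection_fraction(records),
        "median_delay_hours": median_delay(records).total_seconds() / 3600,
        "detections_within_window": fraction_detected_within(records),
        "clicks_within_window": fraction_of_clicks_within(records),
        "clicks_protected": fraction_of_clicks_protected(records),
    }


if __name__ == "__main__":
    for name, value in summary(RECORDS).items():
        print(f"{name:26} {value:.2f}")
```

On the constructed records 3 of 5 URLs are detected, the median delay is 24 hours, two thirds of the detections fall inside the 2-day window, 90% of clicks happen inside that window, yet only 30% of clicks occur after the listing. That last number is the one that matters operationally: a detection that arrives after the click window has closed protects almost nobody, which is why the talk treats delay, not just coverage, as the blacklist's weakness.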

20 Conclusion
Koobface botnet shows social networks viable target for exploit
– Users trust their ‘friends’
– Limited protections available
Blacklists too slow, miss too many URLs
– Services such as bit.ly, blogspot abused to evade detection
Infiltration provides a route for detection
– Recover spam templates, URLs
– Identify accounts propagating spam

