Date: 2011/04/28 Reporter: Shu-Ping, Yu Advisor: Chun-Ying, Huang


The Koobface Botnet and the Rise of Social Malware

Kurt Thomas and David M. Nicol
2010 5th International Conference on Malicious and Unwanted Software

Date: 2011/04/28
Reporter: Shu-Ping, Yu
Advisor: Chun-Ying, Huang
E-mail: b94570036@mail.ntou.edu.tw

Outline

• Introduction
• The Koobface Botnet
• Methodology
• Analysis
• Evading Detection
• Conclusion

Introduction

• Social networks are popular
  – Facebook, Twitter => 500 million
• Attacks
  – Phishing, malware attacks
• Koobface botnet
  – Create accounts, befriend users, spam URLs
• In this paper
  – Explore Koobface
  – Zombie emulator

The Koobface Botnet

• First appeared in late 2008
• Fraudulent account => befriend victims
• Koobface’s infrastructure and zombie duties

Koobface Hierarchy

• Zombies act as C&C master servers
  – A hundred compromised hosts
  – Disseminate spam instructions
• Koobface maintains a fixed domain
  – Contacted to report uptime statistics
  – Request links
• All communication transpires over HTTP on port 80

Spamming Infrastructure

• Relies on a complex system
  – Prevents domain blacklisting
• Externally accessible zombies
  – Download a malicious executable
• Webserver iterates through zombie IPs
  – Searches for an operational zombie and redirects
  – Redirect triggers: Flash and JavaScript
• Koobface circumvents domain blacklisting services by obfuscating URLs

Zombie Duties

• Success of the Koobface propagation
  – Obtain fresh user accounts and malicious URLs
• Poll the C&C
  – Automated account creation
  – URL spamming
  – URL obfuscation
  – Captcha solving

Zombie Duties (cont.)

• Account Generation
  – Query the C&C for login credentials to Facebook
  – Command REG => register a new account
    • Provide some personal data, join social groups
  – Command ADD => log in to an existing account
    • Acquire new friends
    • Send friend requests
    • Report to C&C with the account’s statistics

Zombie Duties (cont.)

• URL Obfuscation
  – Create Blogger and Google Reader accounts
• Redirectors
  – Blog
    • Fetch the latest news headlines
    • Generate a post => JavaScript
  – Google Reader
    • Create a page => RSS feed
  – Obfuscate by bit.ly
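
The chain on this slide (shortened URL, blog post, RSS-feed page, compromised redirector, zombie webhost) is the reason a blacklist that only checks the URL as posted sees nothing. The following is an added example, not code from the slides or the paper, of the defender-side check: follow the redirect chain to its landing page and match every hop against the blacklist, with a hop limit and loop detection so a hostile chain cannot stall the resolver. The redirect table, hostnames and blacklist entries are constructed stand-ins for what HTTP responses and a real blacklist feed would provide.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the network (not real Koobface infrastructure): maps a
# URL to where it sends the visitor. A real resolver would fill this from HTTP
# Location headers; the Flash/JavaScript redirects the slides mention are only
# visible to a browser-based crawler, not to a plain HTTP client.
REDIRECT_TABLE = {
    "http://shortener.example/abc": "http://blog.example/post-1",            # shortened URL
    "http://blog.example/post-1": "http://reader.example/feed/9",             # blog post
    "http://reader.example/feed/9": "http://compromised-site.example/go",     # RSS-feed page
    "http://compromised-site.example/go": "http://198.51.100.23/setup.exe",   # redirector -> zombie
    # a two-node cycle, to exercise loop detection
    "http://loop-a.example/": "http://loop-b.example/",
    "http://loop-b.example/": "http://loop-a.example/",
}

# Constructed blacklist of hostnames (sample values, not a real feed).
BLACKLIST = {"compromised-site.example", "198.51.100.23"}


def resolve_chain(url, table, max_hops=10):
    """Follow redirects from `url`. Returns (chain, status) where status is
    'landed' (reached a URL that redirects no further), 'loop', or 'too_many_hops'."""
    chain = [url]
    seen = {url}
    while chain[-1] in table and len(chain) <= max_hops:
        nxt = table[chain[-1]]
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    if chain[-1] in table:
        return chain, "too_many_hops"
    return chain, "landed"


def host_of(url):
    return urlsplit(url).hostname


def classify(url, table, blacklist, max_hops=10):
    """Resolve the chain and check every hop, not just the first, against the blacklist."""
    chain, status = resolve_chain(url, table, max_hops)
    flagged = [u for u in chain if host_of(u) in blacklist]
    return {
        "status": status,
        "chain": chain,
        "landing": chain[-1],
        "first_hop_listed": host_of(chain[0]) in blacklist,
        "any_hop_listed": bool(flagged),
        "flagged": flagged,
    }


if __name__ == "__main__":
    result = classify("http://shortener.example/abc", REDIRECT_TABLE, BLACKLIST)
    print(" -> ".join(result["chain"]))
    print("first hop listed:", result["first_hop_listed"],
          "| any hop listed:", result["any_hop_listed"])
```

With the sample table, the shortened URL and the blog and feed hosts are all clean, so a check on the posted URL alone passes; only resolving to the landing page reveals the listed redirector and the zombie IP. The hop limit and the `seen` set are what keep the resolver safe against chains built to loop or to grow without bound.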

Zombie Duties (cont.)

• Spamming Friends
  – Send malicious URLs to friends
  – Determine if the link is blacklisted
• Captcha Solving
  – Send a request to C&C with image
  – Other zombies poll C&C
    • Deceive user to solve and report

Methodology

• Manually construct script
  – Emulates zombie behavior
  – Join the Koobface botnet
  – Poll the C&C
• Social networking websites
  – Monitor spamming and acquiring friends
• Identify update cycles and uptime statistics
  – Poll the C&C, compromised redirectors, zombie webhosts

Botnet Infiltration

• Zombie behavior is reproduced by an emulator
  – Replicate communication
• A number of malware executables
  – Run in a live virtual environment, varying:
    • cookie = {facebook, twitter, none}
    • browser = {ie, firefox}
    • user activity = {actively browsing, dormant}
• Repeat each infection multiple times and store the resulting packet traces.

Social Monitoring

• On Twitter
  – Search for spam strings and URLs
  – Koobface account is identified
    • The rate spam is sent
    • The average length of infection
• On Facebook
  – The history of sent spam messages for each account
  – Number of friends

Redirector Monitoring & Data

• The spam URLs
  – Poll the uptime of compromised webservers and zombie host malware
  – Measure the growth and decay
  – Identify the frequency that C&C are shut down
• Data
  – Monitored over a month
  – 300 C&C servers, 4000 zombies, 1300 compromised domains
  – Accounts: 942 (Facebook), 247 (Twitter)

Analysis

• Relies on C&C servers and spam redirectors
• Discover and monitor C&C
  – Emulated zombie requests => software update
  – C&C is a fully-connected graph => load balancing
  – 323 compromised hosts => lifetime is 11 days
  – An average of 97 operational servers

Analysis (cont.)

• Frequency that new domains are compromised
  – 1802 redirector URLs vs. 1390 distinct domains
  – 20 new redirectors each day
  – Fewer than 50% of redirectors => 11 days
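
The lifetime, daily-operational-server and new-redirectors-per-day figures on this slide and the previous one all come from the same kind of measurement: polling each known C&C server or redirector once a day and recording whether it answered. The following is an added example, not code from the paper or the slides, of how those statistics are derived from such a poll log. The log lines and hostnames are constructed; the functions assume one "date host status" line per probe.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed daily poll log (not the paper's data), one line per probe:
# "YYYY-MM-DD host status". Polling suspected C&C servers or compromised
# redirectors from a monitoring host produces a log of this shape.
SAMPLE_POLL_LOG = """\
2010-01-01 cc-1.example up
2010-01-01 cc-2.example up
2010-01-02 cc-1.example up
2010-01-02 cc-2.example down
2010-01-02 cc-3.example up
2010-01-03 cc-1.example up
2010-01-03 cc-3.example up
2010-01-03 cc-4.example up
2010-01-04 cc-1.example down
2010-01-04 cc-3.example up
2010-01-04 cc-4.example up
2010-01-04 cc-5.example up
"""


def parse_poll_log(text):
    """Return {host: sorted list of dates on which the host answered 'up'}."""
    up_days = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, status = line.split()
        if status == "up":
            up_days[host].add(datetime.strptime(day, "%Y-%m-%d").date())
    return {host: sorted(days) for host, days in up_days.items()}


def lifetimes(up_days):
    """Observed lifetime per host in days: first 'up' poll to last 'up' poll, inclusive.
    Hosts still up on the final poll day are right-censored, so for them this is a lower bound."""
    return {host: (days[-1] - days[0]).days + 1 for host, days in up_days.items()}


def operational_per_day(up_days):
    """{date: number of hosts that answered 'up' that day}, in date order."""
    counts = defaultdict(int)
    for days in up_days.values():
        for day in days:
            counts[day] += 1
    return dict(sorted(counts.items()))


def new_hosts_per_day(up_days):
    """{date: hosts first seen 'up' that day}; on the first poll day every host counts as new."""
    counts = defaultdict(int)
    for days in up_days.values():
        counts[days[0]] += 1
    return dict(sorted(counts.items()))


def mean_lifetime(up_days):
    return mean(lifetimes(up_days).values())


def mean_operational(up_days):
    return mean(operational_per_day(up_days).values())


def survival_fraction(up_days, min_days):
    """Share of hosts that stayed reachable for at least `min_days`."""
    lt = lifetimes(up_days)
    return sum(1 for v in lt.values() if v >= min_days) / len(lt)


if __name__ == "__main__":
    up = parse_poll_log(SAMPLE_POLL_LOG)
    print("mean lifetime (days):", mean_lifetime(up))
    print("mean operational per day:", mean_operational(up))
    print("new hosts per day:", {str(d): n for d, n in new_hosts_per_day(up).items()})
    print("fraction alive >= 2 days:", survival_fraction(up, 2))
```

Two caveats the slide's numbers inherit from this method: a host that is still up when the study ends has an unknown true lifetime (the lower bound is all that is observed), and a one-day polling interval cannot see outages shorter than a day.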

Analysis (cont.)

• Extract the list of zombie IPs
  – 4151 IPs from 80 countries
  – Download malicious executable => zombie online!?
  – Average 365 zombies will respond each day
  – 60000 zombies by TrendMicro => severe reduction

Analysis (cont.)

• Spam histories (11~2)
  – Facebook, Twitter
  – Account is fraudulent
• Facebook
  – Link clickthrough => 73%
  – Koobface spam links => clicked 137698 times
  – Average 474 clicks

Analysis (cont.)

• Twitter

Evading Detection

• Domain blacklisting services
• Prevent malicious URLs
  – Twitter: Google’s Safe Browsing API
  – Facebook: its own proprietary blacklist
• Evade blacklist detection
  – Blogs, RSS feeds, shortened URLs
• 500 URLs blacklisted by Twitter and Facebook

Evading Detection (cont.)

• Measure blacklist delay
  – Three blacklist services: Google Safe Browsing, SURBL, and Joewein
  – 544 compromised redirectors
  – Failure: SURBL and Joewein => email

Evading Detection (cont.)

• Delay in detection for Google Safe Browsing
  – 50% of links => 2 days
  – How quickly blacklists respond
• Clickthrough (75 URLs)
  – 55% of clicks => 1 day, 81% of clicks => 2 days
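
The two figures on this slide, how long a blacklist takes to flag a spam URL and how much of the clickthrough has already happened by then, are the core of the paper's argument. The following is an added example, not code from the paper or the slides, of how they are computed from measurement data: for each spam URL the time it was first seen in spam, the time (if any) a blacklist flagged it, and the timestamps of observed clicks. The records are constructed, and their values are chosen only to make the arithmetic easy to follow.

```python
from datetime import datetime
from statistics import median

# Constructed sample records (not data from the paper): for each spam URL, when it
# was first seen in spam, when a blacklist flagged it (None = never during the
# observation window), and the timestamps of observed clicks on it.
SAMPLE_RECORDS = [
    {"url": "http://redir-a.example/", "first_seen": "2010-01-01T00:00",
     "blacklisted": "2010-01-01T12:00",
     "clicks": ["2010-01-01T01:00", "2010-01-01T06:00", "2010-01-02T00:00"]},
    {"url": "http://redir-b.example/", "first_seen": "2010-01-01T00:00",
     "blacklisted": "2010-01-03T00:00",
     "clicks": ["2010-01-01T12:00", "2010-01-02T12:00", "2010-01-03T12:00"]},
    {"url": "http://redir-c.example/", "first_seen": "2010-01-01T00:00",
     "blacklisted": None,
     "clicks": ["2010-01-01T02:00", "2010-01-02T06:00"]},
    {"url": "http://redir-d.example/", "first_seen": "2010-01-01T00:00",
     "blacklisted": "2010-01-05T00:00",
     "clicks": ["2010-01-01T01:00", "2010-01-05T04:00"]},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def _days_after(start, ts):
    """Elapsed time from `start` to `ts` in (fractional) days."""
    return (_ts(ts) - _ts(start)).total_seconds() / 86400.0


def detection_delays(records):
    """Blacklist delay in days for every URL that was eventually blacklisted."""
    return [_days_after(r["first_seen"], r["blacklisted"])
            for r in records if r["blacklisted"] is not None]


def fraction_blacklisted_within(records, days):
    """Share of all spam URLs the blacklist flagged within `days` of first use.
    URLs never flagged count against the blacklist, not as missing data."""
    hits = sum(1 for r in records if r["blacklisted"] is not None
               and _days_after(r["first_seen"], r["blacklisted"]) <= days)
    return hits / len(records)


def fraction_clicks_within(records, days):
    """Share of all clicks that happen within `days` of the URL first appearing."""
    total = sum(len(r["clicks"]) for r in records)
    early = sum(1 for r in records for c in r["clicks"]
                if _days_after(r["first_seen"], c) <= days)
    return early / total


def fraction_clicks_unprotected(records):
    """Share of clicks that occurred before the URL was blacklisted, or on URLs
    that were never blacklisted: the users a blacklist did not protect."""
    total = sum(len(r["clicks"]) for r in records)
    exposed = sum(1 for r in records for c in r["clicks"]
                  if r["blacklisted"] is None or _ts(c) < _ts(r["blacklisted"]))
    return exposed / total


def summarize(records):
    return {
        "median_delay_days": median(detection_delays(records)),
        "blacklisted_within_2d": fraction_blacklisted_within(records, 2),
        "clicks_within_1d": fraction_clicks_within(records, 1),
        "clicks_within_2d": fraction_clicks_within(records, 2),
        "clicks_unprotected": fraction_clicks_unprotected(records),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value:.2f}")
```

The useful comparison is between the click-timing curve and the detection-delay curve: when most clicks arrive within a day or two of a URL first being spammed, a blacklist that needs days to respond protects only the tail of the clicks, which is what `fraction_clicks_unprotected` makes explicit.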

Conclusion

• Flock to online social networks
• Koobface botnet
  – Generate accounts, befriend victims, send spam
• Domain blacklisting is ineffective at quickly identifying malicious URLs
  – On average 4 days to respond to threats
  – 81% of users visit Koobface URLs within 2 days
• To stem the threat of Koobface
  – Advance their defenses