The Koobface Botnet and the Rise of Social Malware
Kurt Thomas and David M. Nicol
2010 5th International Conference on Malicious and Unwanted Software
Date: 2011/04/28
Reporter: Shu-Ping Yu
Advisor: Chun-Ying Huang
E-mail: [email protected]
Outline
• Introduction
• The Koobface Botnet
• Methodology
• Analysis
• Evading Detection
• Conclusion
Introduction
• Social networks are popular
  – Facebook, Twitter: on the order of 500 million users
• Attacks
  – Phishing and malware attacks
• Koobface botnet
  – Creates fraudulent accounts, befriends users, spams URLs
• In this paper
  – Explore the Koobface infrastructure
  – Build a zombie emulator to infiltrate it
The Koobface Botnet
• First appeared in late 2008
• Fraudulent accounts are used to befriend victims
• Koobface's infrastructure and zombie duties
Koobface Hierarchy
• Compromised hosts act as C&C master servers
  – roughly a hundred of them
  – they disseminate spam instructions to zombies
• Koobface maintains a fixed domain
  – zombies contact it to report uptime statistics
  – and to request links to spam
• All communication transpires over HTTP on port 80
Spamming Infrastructure
• Relies on a complex redirection system
  – intended to defeat domain blacklisting
• Externally accessible zombies
  – host the malicious executable for download
• A compromised webserver iterates through a list of zombie IPs
  – searches for an operational zombie and redirects the victim to it
  – the redirect is triggered with Flash and JavaScript
• Koobface circumvents domain blacklisting services by obfuscating URLs
Zombie Duties
• Koobface propagation depends on
  – obtaining fresh user accounts and malicious URLs
• Zombies poll the C&C for tasks
  – Automated account creation
  – URL spamming
  – URL obfuscation
  – CAPTCHA solving
Zombie Duties (cont.)
• Account generation
  – the zombie queries the C&C for Facebook login credentials
  – command REG: register a new account
    • supply some personal data, join social groups
  – command ADD: log in to an existing account
    • acquire new friends, send friend requests
    • report the account's statistics back to the C&C
Zombie Duties (cont.)
• URL obfuscation
  – create Blogger and Google Reader accounts
• Redirectors
  – Blog
    • fetch the latest news headlines
    • generate a post that carries a JavaScript redirect
  – Google Reader
    • create a page carrying an RSS feed that points onward
  – finally shorten the resulting URL with bit.ly
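The layering described on the last two slides (shortener, blog post with a JavaScript redirect, RSS page, compromised redirector that tries zombie IPs in turn, final payload host) is what defeats a blacklist that only inspects the URL a user posted. The script below is an added example, not code from the paper or from Koobface itself: it walks such a chain offline against a constructed in-memory "web" (every hostname and address in it is an assumption chosen for illustration) and compares what a check on the entry URL alone sees with what a check that expands the whole chain sees.

```python
"""Follow a Koobface-style redirect chain offline and check each hop.

Added example, not code from the paper or from the malware. WEB is a
constructed stand-in for a URL shortener, a blog post with a JavaScript
redirect, an RSS page with a meta refresh, a compromised redirector that
lists candidate zombie hosts, and the final payload host. All hostnames
and addresses are assumptions for illustration only.
"""
import re
from urllib.parse import urlsplit

# url -> (HTTP status, Location header or None, body).  A 30x status is an
# HTTP redirect; a 200 body may carry a JavaScript or meta-refresh redirect.
WEB = {
    "http://short.example/abc": (301, "http://blog.example/2010/news-post", ""),
    "http://blog.example/2010/news-post": (200, None,
        "<h1>Latest headlines</h1>"
        "<script>window.location='http://reader.example/feed/42';</script>"),
    "http://reader.example/feed/42": (200, None,
        "<meta http-equiv='refresh' content=\"0;url=http://redirector.example/go\">"),
    # Redirector page: the script tries each listed zombie until one answers.
    "http://redirector.example/go": (200, None,
        "<script>var hosts=['http://198.51.100.7/video/','http://203.0.113.9/video/'];"
        "for (var i=0;i<hosts.length;i++){ if(up(hosts[i])){window.location=hosts[i];} }"
        "</script>"),
    # The first zombie is offline (no entry); the second serves the lure page.
    "http://203.0.113.9/video/": (200, None,
        "<p>Install the codec to watch</p><a href='setup.exe'>setup.exe</a>"),
}

# Only the final payload host is on the (constructed) blacklist.
BLACKLIST = {"203.0.113.9"}

JS_LOCATION = re.compile(r"""window\.location\s*=\s*['"]([^'"]+)['"]""")
JS_URL_LITERALS = re.compile(r"""['"](https?://[^'"]+)['"]""")
META_REFRESH = re.compile(r"""url=([^'"\s>]+)""", re.IGNORECASE)


def next_hops(status, location, body):
    """Ordered candidate targets for one page (HTTP, then JS, then meta)."""
    if 300 <= status < 400 and location:
        return [location]
    m = JS_LOCATION.search(body)
    if m:
        return [m.group(1)]
    m = META_REFRESH.search(body)
    if m:
        return [m.group(1)]
    # Zombie-selection pattern: several literal URLs, first reachable one wins.
    return JS_URL_LITERALS.findall(body)


def follow_chain(start, web=WEB, max_hops=10):
    """Return the list of URLs visited from `start`, first to last."""
    chain, url = [start], start
    for _ in range(max_hops):
        if url not in web:
            break
        status, location, body = web[url]
        candidates = next_hops(status, location, body)
        nxt = next((c for c in candidates if c in web), None)  # first live host
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
        url = nxt
    return chain


def hosts(chain):
    return [urlsplit(u).hostname for u in chain]


def flagged_hops(chain, blacklist=BLACKLIST):
    """Indices of hops whose host appears on the blacklist."""
    return [i for i, h in enumerate(hosts(chain)) if h in blacklist]


def entry_url_blocked(start, blacklist=BLACKLIST):
    """What a blacklist lookup on the posted URL alone decides."""
    return urlsplit(start).hostname in blacklist


def chain_blocked(start, blacklist=BLACKLIST, web=WEB):
    """What a lookup that expands the full redirect chain decides."""
    return bool(flagged_hops(follow_chain(start, web), blacklist))


if __name__ == "__main__":
    start = "http://short.example/abc"
    for i, u in enumerate(follow_chain(start)):
        print(i, u)
    print("entry URL blocked:", entry_url_blocked(start))
    print("chain blocked:    ", chain_blocked(start))
```

The regex-based hop extraction is deliberately minimal: it handles HTTP redirects, a literal `window.location` assignment, a meta refresh and a list of URL literals. The paper notes that Koobface also triggers redirects from Flash, which no static parser of this kind sees; a production crawler would have to render each hop in a headless browser and record the navigations it actually performs.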
Zombie Duties (cont.)
• Spamming friends
  – send malicious URLs to friends
  – determine whether the links have been blacklisted
• CAPTCHA solving
  – a zombie sends the C&C a request carrying the CAPTCHA image
  – other zombies poll the C&C for pending images
    • deceive the infected user into solving it and report the answer
Methodology
• Manually construct a script that
  – emulates zombie behaviour
  – joins the Koobface botnet
  – polls the C&C
• Social networking websites
  – monitor spamming and friend acquisition
• Identify update cycles and uptime statistics
  – poll the C&C servers, the compromised redirectors, and the zombie webhosts
Botnet Infiltration
• Zombie behaviour is reproduced by an emulator
  – replicates the communication with the C&C
• A number of malware executables
  – run in a live virtual environment, varying
    • cookie = {facebook, twitter, none}
    • browser = {ie, firefox}
    • user activity = {actively browsing, dormant}
• Each infection is repeated multiple times and the resulting packet traces are stored
Social Monitoring
• On Twitter
  – search for spam strings and URLs
  – Koobface accounts are identified, yielding
    • the rate at which spam is sent
    • the average length of an infection
• On Facebook
  – the history of spam messages sent by each account
  – number of friends
Redirector Monitoring & Data
• The spam URLs
  – poll the uptime of compromised webservers and of zombie-hosted malware
  – measure their growth and decay
  – identify how frequently C&C servers are shut down
• Data
  – monitored over one month
  – 300 C&C servers, 4,000 zombies, 1,300 compromised domains
  – accounts: 942 (Facebook), 247 (Twitter)
Analysis
• Koobface relies on C&C servers and spam redirectors
• Discovering and monitoring the C&C
  – emulated zombie requests trigger software updates
  – the C&C servers form a fully connected graph, used for load balancing
  – 323 compromised hosts observed, with a lifetime of 11 days
  – an average of 97 operational servers at any time
Analysis (cont.)
• Frequency at which new domains are compromised
  – 1,802 redirector URLs vs. 1,390 distinct domains
  – about 20 new redirectors each day
  – fewer than 50% of redirectors remain reachable after 11 days
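The lifetime and turnover figures on this slide come from polling each redirector repeatedly and reducing the observations. The code below is an added example, not the paper's code or data: it takes a constructed poll log of (day, url, alive) records, standing in for the daily uptime probes described in the methodology, and derives per-redirector lifetimes, daily arrivals and a survival fraction, while flagging redirectors that were still alive when observation stopped (their lifetime is only a lower bound). Hostnames and all numbers are illustrative assumptions.

```python
"""Derive redirector lifetimes and turnover from periodic uptime polls.

Added example, not code or data from the paper. POLLS is a constructed
log standing in for daily probes of compromised redirector webservers;
the hostnames and day numbers are illustrative assumptions only.
"""
from collections import defaultdict
from statistics import median

# Constructed poll log: one probe per redirector per day.  alive=False is
# recorded once a host has been cleaned up or taken down.
POLLS = [
    (1, "http://a.example/x", True),  (2, "http://a.example/x", True),
    (3, "http://a.example/x", True),  (4, "http://a.example/x", False),
    (1, "http://b.example/y", True),  (2, "http://b.example/y", True),
    (3, "http://b.example/y", True),  (4, "http://b.example/y", True),
    (5, "http://b.example/y", True),  (6, "http://b.example/y", False),
    (2, "http://c.example/z", True),  (3, "http://c.example/z", False),
    (3, "http://d.example/w", True),  (4, "http://d.example/w", True),
    (5, "http://d.example/w", True),  (6, "http://d.example/w", True),
]


def lifetimes(polls):
    """Days from first alive poll to last alive poll, per redirector.

    A redirector still alive on the final day of the log is right-censored:
    its true lifetime is at least the reported value, so it is flagged.
    """
    first, last = {}, {}
    last_day = max(day for day, _, _ in polls)
    for day, url, alive in sorted(polls):
        if alive:
            first.setdefault(url, day)
            last[url] = day
    return {url: {"days": last[url] - first[url] + 1,
                  "censored": last[url] == last_day}
            for url in first}


def median_lifetime(polls):
    """Median observed lifetime in days (censored values enter as lower bounds)."""
    return median(v["days"] for v in lifetimes(polls).values())


def new_per_day(polls):
    """Number of redirectors first observed alive on each day (arrival rate)."""
    first = {}
    for day, url, alive in sorted(polls):
        if alive and url not in first:
            first[url] = day
    counts = defaultdict(int)
    for day in first.values():
        counts[day] += 1
    return dict(counts)


def survival_fraction(polls, days):
    """Fraction of redirectors observed alive for at least `days` days.

    A censored redirector counts as surviving only if it was already seen
    for `days` days, so the result is a conservative lower bound.
    """
    lt = lifetimes(polls)
    survived = sum(1 for v in lt.values() if v["days"] >= days)
    return survived / len(lt)


if __name__ == "__main__":
    for url, v in sorted(lifetimes(POLLS).items()):
        print(url, v["days"], "days", "(still alive)" if v["censored"] else "")
    print("median lifetime:", median_lifetime(POLLS))
    print("new per day:", new_per_day(POLLS))
    print("alive after 3 days:", survival_fraction(POLLS, 3))
```

The censoring flag matters when reading a figure such as "lifetime of 11 days": hosts still serving at the end of a one-month study pull the true average upward, so a measured lifetime from a finite window is a lower bound unless the analysis accounts for them.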
Analysis (cont.)
• Extract the list of zombie IPs
  – 4,151 IPs from 80 countries
  – a zombie counts as online if the malicious executable can still be downloaded from it
  – on average 365 zombies respond each day
  – TrendMicro had estimated 60,000 zombies: a severe reduction
Analysis (cont.)
• Spam histories (11~2)
  – Facebook, Twitter
  – the accounts are fraudulent
• Facebook
  – link clickthrough: 73%
  – Koobface spam links were clicked 137,698 times in total
  – an average of 474 clicks per link
Evading Detection
• Domain blacklisting services
  – used by the social networks to block malicious URLs
  – Twitter: Google's Safe Browsing API
  – Facebook: its own proprietary blacklist
• Koobface evades blacklist detection with
  – blogs, RSS feeds, shortened URLs
• 500 spam URLs were checked against the Twitter and Facebook blacklists
Evading Detection (cont.)
• Measure blacklist delay
  – three blacklist services: Google Safe Browsing, SURBL, and Joewein
  – 544 compromised redirectors
  – SURBL and Joewein failed to flag them: both are oriented toward e-mail spam
Evading Detection (cont.)
• Delay in detection for Google Safe Browsing
  – 50% of links take 2 days to be blacklisted
  – this measures how quickly the blacklist responds
• Clickthrough (75 URLs)
  – 55% of clicks occur within 1 day, 81% within 2 days
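The comparison on this slide, and the conclusion drawn from it, rest on lining up two time series per URL: when it was first spammed, when a blacklist flagged it, and when users actually clicked. The code below is an added example, not the paper's code or data: it runs that computation over constructed per-URL records (a stand-in for the bit.ly click statistics and Safe Browsing lookups the study used) and reports the blacklist delay distribution, the share of clicks within N days of first sighting, and the share of clicks that landed before the blacklist caught up.

```python
"""Blacklist delay versus click exposure for spam URLs.

Added example, not code or data from the paper. URLS holds constructed
observations for four hypothetical spam links: first time seen spammed,
time a blacklist first flagged it (None = never during the study), and
timestamps of individual clicks on the shortened link.
"""
from datetime import datetime, timedelta
from statistics import mean, median

T0 = datetime(2010, 11, 1)


def h(hours):
    """Constructed timestamp `hours` after the start of the study."""
    return T0 + timedelta(hours=hours)


URLS = {
    "u1": {"first_seen": h(0),  "blacklisted": h(30),
           "clicks": [h(1), h(5), h(12), h(20), h(40), h(70)]},
    "u2": {"first_seen": h(24), "blacklisted": h(120),
           "clicks": [h(25), h(30), h(60), h(100), h(130)]},
    "u3": {"first_seen": h(48), "blacklisted": None,
           "clicks": [h(50), h(55), h(90)]},
    "u4": {"first_seen": h(72), "blacklisted": h(96),
           "clicks": [h(73), h(74), h(75), h(100)]},
}


def blacklist_delays(urls):
    """Days from first sighting to blacklisting, for URLs that were flagged."""
    return [(r["blacklisted"] - r["first_seen"]).total_seconds() / 86400
            for r in urls.values() if r["blacklisted"] is not None]


def delay_summary(urls):
    delays = blacklist_delays(urls)
    return {"flagged": len(delays), "unflagged": len(urls) - len(delays),
            "median_days": median(delays), "mean_days": mean(delays)}


def clicks_within(urls, days):
    """Fraction of all clicks that happen within `days` of first sighting."""
    total = hit = 0
    for r in urls.values():
        for c in r["clicks"]:
            total += 1
            if c - r["first_seen"] <= timedelta(days=days):
                hit += 1
    return hit / total


def clicks_before_blacklist(urls):
    """Fraction of all clicks that land before the URL was blacklisted.

    Clicks on URLs never flagged during the study count as unprotected.
    """
    total = exposed = 0
    for r in urls.values():
        for c in r["clicks"]:
            total += 1
            if r["blacklisted"] is None or c < r["blacklisted"]:
                exposed += 1
    return exposed / total


if __name__ == "__main__":
    print("blacklist delay:", delay_summary(URLS))
    print("clicks within 1 day: %.0f%%" % (100 * clicks_within(URLS, 1)))
    print("clicks within 2 days: %.0f%%" % (100 * clicks_within(URLS, 2)))
    print("clicks before blacklisting: %.0f%%" % (100 * clicks_before_blacklist(URLS)))
```

Note the two different denominators: `delay_summary` is per URL and silently drops URLs that were never flagged, while the click fractions are per click, so a single heavily clicked but late-flagged link dominates them. Reporting only the first figure, as a blacklist operator naturally would, understates how much of the actual exposure slips through.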
Conclusion
• Users flock to online social networks
• Koobface botnet
  – generates accounts, befriends victims, sends spam
• Domain blacklisting is ineffective at quickly identifying malicious URLs
  – on average 4 days to respond to threats
  – 81% of users visit Koobface URLs within 2 days
• To stem the threat of Koobface
  – social networks must advance their defenses