1 / 23

Date: 2011/04/28 Reporter: Shu-Ping, Yu Advisor: Chun-Ying, Huang

The Koobface Botnet and the Rise of Social Malware Kurt Thomas and David M. Nicol 2010 5th International Conference on Malicious and Unwanted Software. Date: 2011/04/28 Reporter: Shu-Ping, Yu Advisor: Chun-Ying, Huang E-mail: b94570036@mail.ntou.edu.tw. Outline. Introduction

mckenzie-may
Download Presentation

Date: 2011/04/28 Reporter: Shu-Ping, Yu Advisor: Chun-Ying, Huang

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Koobface Botnet and the Rise of Social MalwareKurt Thomas and David M. Nicol2010 5th International Conference on Malicious and Unwanted Software Date: 2011/04/28 Reporter: Shu-Ping, Yu Advisor: Chun-Ying, Huang E-mail: b94570036@mail.ntou.edu.tw

  2. Outline • Introduction • The Koobface Botnet • Methodology • Analysis • Evading Detection • Conclusion

  3. Introduction • Social networks are popular • Facebook, Twitter => 500 million • Attacks • Phishing, malware attacks • Koobface botnet • Create accounts, befriend users, spam URLs • In this paper • Explore Koobface • Zombie emulator

  4. The Koobface Botnet • First appeared in late 2008 • Fraudulent account => befriend victims • Koobface’s infrastructure and zombie duties

  5. Koobface Hierarchy • Zombie act as C&C master server • A hundred of compromised host • Disseminate spam instructions • Koobface maintains a fixed domain • Contact to report uptime statistics • request links • All communication transpires over HTTP on port 80

  6. Spamming Infrastructure • Rely on a complex system • Prevent domain blacklist • externally accessible zombies • Download a malicious executable • Webserver williterate through zombie IPs • Seach an operational zombie and redirect • Redirect trigger: flash and JavaScript • Koobface circumvents domain blacklisting services by obfuscating URLs

  7. Zombie Duties • Success of the koobface propagation • Obtain fresh user accounts and malicious URLs • Poll the C&C • Automated account creation • URL spamming • URL obfuscation • Captcha solving

  8. Zombie Duties (cont.) • Account Generation • Query the C&C for login credentials to Facebook • Command REG => register a new account • Provide some personal data, join social groups • Command ADD => login to an existing account • Acquiring new friends • Send friend requests • Report to C&C with the account’s statistics

  9. Zombie Duties (cont.) • URL Obfuscation • Create Blogger and Google Reader account • Redirectors • Blog • Fetch the latest news headlines • Generate a post => JavaScript • Google Reader • Create a page => RSS feed • Obfuscate by bit.ly

  10. Zombie Duties (cont.) • Spamming Friends • Send malicious URLs to friends • Determine if the links is blacklisted • Captcha Solving • Send a request to C&C with image • Other zombie poll C&C • Deceive user to solve and report

  11. Methodology • Manually construct script • Emulates zombie behavior • Join the Koobface • Poll the C&C • Social networking websites • Monitor spamming and acquiring friends • Identify update cycles and uptime statistics • Poll the C&C, compromised redirectors, zombie webhosts

  12. Botnet Infiltration • Zombie behavior is reproduced by an emulator • Replicate communication • A number of malware executables • Run in a live virtual enviroment and • cookie = {facebook, twitter, none} • browser = {ie, firefox} • user activity = {actively browsing, dormant} • Repeat each infection multiple times and store the resulting packet traces.

  13. Social Monitoring • On Twitter • Search for spam strings and URLs • Koobface account is identified • The rate spam is send • The average length of infection • On facebook • The history of sent spam massage for each account • Number of friends

  14. Redirector Monitoring & Data • The spam URLs • Poll the uptime of compromised webservers and zombie host malware • Measure the growth and decay • Identify the frequency that C&C are shut down • Data • Monitor over a month • 300 C&C servers, 4000 zombies, 1300 compromised domain • Accounts: 942(Facebook), 247(Twitter)

  15. Analysis • Rely on C&C servers and spam redirectors • Discover and monitor C&C • Emulated zombie requests => software update • C&C is a full-connected graph => load balancing • 323 compromised host => lifetime is 11 days • An average of 97 operational servers

  16. Analysis (cont.) • frequency that new domain are compromised • 1802 redirector URLs v.s. 1390 distinct domain • 20 new redirectors each day • Fewer than 50% of redirectors => 11 day

  17. Analysis (cont.) • Extract the list of zombie IPs • 4151 IPs from 80 countries • Download malicious executable => zombie online!? • Average 365 zombie will respond each day • 60000 zombie by TrendMicro => severe reduction

  18. Analysis (cont.) • Spam histories (11~2) • Facebook, Twitter • Account is fraudulent • Facebook • Links clickthrough => 73% • Koobfacae spam links => click 137698 times • Average 474 clicks

  19. Analysis (cont.) • Twitter

  20. Evading Detection • Domain blacklisting services • Prevent malicious URLs • Twitter: Google’s safebrowsing API • Facebook: its own proprietary blacklist • Evade blacklist detection • Blogs, RSS feeds, shortened URLs • 500 URLs blacklisted by Twitter and Facebook

  21. Evading Detection (cont.) • Measure blacklist delay • three blacklist services: Google Safebrowsing, SURBL, and Joewein • 544 compromised redirectors • Failure: SURBL, and Joewein => email

  22. Evading Detection (cont.) • Delay in detection for Google Safebrowsing • 50% of links => 2 days • How quickly blacklist respond • Clickthrough (75 URLs) • 55% of Clicks => 1 day, 81% of clicks =>2 days

  23. Conclusion • Flock to online social networks • Koobface botnet • generate accounts, befriend victims, send spam • Domain blacklisting not ineffective at quickly identifying malicious URLs • on average 4 days to respond to threats • 81% of users visit Koobface URLs within 2 days • To stem the threat of Koobface • Advance their defenses

More Related