The Koobface Botnet and the Rise of Social Malware
Kurt Thomas and David M. Nicol
2010 5th International Conference on Malicious and Unwanted Software
Date: 2011/04/28
Reporter: Shu-Ping, Yu
Advisor: Chun-Ying, Huang
E-mail: b94570036@mail.ntou.edu.tw
Outline
• Introduction
• The Koobface Botnet
• Methodology
• Analysis
• Evading Detection
• Conclusion
Introduction
• Social networks are popular
• Facebook, Twitter => 500 million users
• Attacks: phishing, malware attacks
• Koobface botnet: creates accounts, befriends users, spams URLs
• In this paper: explore Koobface using a zombie emulator
The Koobface Botnet
• First appeared in late 2008
• Fraudulent accounts => befriend victims
• Koobface's infrastructure and zombie duties
Koobface Hierarchy
• Zombies and the C&C master server
• Hundreds of compromised hosts
• Disseminate spam instructions
• Koobface maintains a fixed domain
• Zombies contact it to report uptime statistics and request links
• All communication transpires over HTTP on port 80
Spamming Infrastructure
• Relies on a complex system to prevent domain blacklisting
• Externally accessible zombies host the malicious executable for download
• The compromised webserver iterates through zombie IPs, searches for an operational zombie and redirects to it
• Redirect triggers: Flash and JavaScript
• Koobface circumvents domain blacklisting services by obfuscating URLs
Zombie Duties
• Success of Koobface propagation depends on obtaining fresh user accounts and malicious URLs
• Zombies poll the C&C for work: automated account creation, URL spamming, URL obfuscation, captcha solving
Zombie Duties (cont.)
• Account Generation
• Query the C&C for login credentials to Facebook
• Command REG => register a new account, provide some personal data, join social groups
• Command ADD => log in to an existing account
• Acquiring new friends: send friend requests
• Report to the C&C with the account's statistics
Zombie Duties (cont.)
• URL Obfuscation
• Create Blogger and Google Reader accounts to serve as redirectors
• Blog: fetch the latest news headlines, generate a post containing JavaScript
• Google Reader: create a page from an RSS feed
• Obfuscate further with bit.ly
Zombie Duties (cont.)
• Spamming Friends
• Send malicious URLs to friends
• Determine if the link is blacklisted
• Captcha Solving
• Send a request to the C&C with the image
• Other zombies poll the C&C for it
• Deceive a user into solving it and report the answer
Methodology
• Manually constructed script that emulates zombie behavior
• Join the Koobface botnet and poll the C&C
• Social networking websites: monitor spamming and the acquiring of friends
• Identify update cycles and uptime statistics
• Poll the C&C, compromised redirectors, zombie webhosts
Botnet Infiltration
• Zombie behavior is reproduced by an emulator that replicates its communication
• A number of malware executables run in a live virtual environment with
• cookie = {facebook, twitter, none}
• browser = {ie, firefox}
• user activity = {actively browsing, dormant}
• Repeat each infection multiple times and store the resulting packet traces
Social Monitoring
• On Twitter
• Search for spam strings and URLs
• Koobface accounts are identified
• The rate at which spam is sent
• The average length of infection
• On Facebook
• The history of sent spam messages for each account
• Number of friends
Redirector Monitoring & Data
• The spam URLs
• Poll the uptime of compromised webservers and zombie hosts serving malware
• Measure the growth and decay
• Identify the frequency with which C&C servers are shut down
• Data
• Monitored over a month
• 300 C&C servers, 4000 zombies, 1300 compromised domains
• Accounts: 942 (Facebook), 247 (Twitter)
Analysis
• Koobface relies on C&C servers and spam redirectors
• Discover and monitor the C&C
• Emulated zombie requests => software update
• C&C is a fully connected graph => load balancing
• 323 compromised hosts => lifetime is 11 days
• An average of 97 operational servers
Analysis (cont.)
• Frequency at which new domains are compromised
• 1802 redirector URLs vs. 1390 distinct domains
• 20 new redirectors each day
• Fewer than 50% of redirectors => 11 days
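The growth-and-decay figures on this and the previous slides (new redirectors per day, operational servers per day, the fraction of redirectors surviving a given lifetime) all fall out of the same daily uptime polling. The script below is an added example, not code from the paper or the presenter; it works over a constructed set of uptime polls for hypothetical redirector domains and computes those statistics, generalising the slide's single "11 days" survival horizon to any horizon.

```python
"""Compute redirector growth/decay statistics from daily uptime polls.
Added example with constructed data; the domains and dates are hypothetical."""
from collections import Counter
from datetime import date, timedelta
from statistics import median

# Constructed sample: for each hypothetical redirector domain, the ISO dates
# on which a daily poll found it reachable. (Not data from the paper.)
UPTIME_POLLS = {
    "redir-a.example": ["2010-01-01", "2010-01-02", "2010-01-03"],
    "redir-b.example": [f"2010-01-{d:02d}" for d in range(1, 13)],
    "redir-c.example": ["2010-01-02", "2010-01-03", "2010-01-04",
                        "2010-01-05", "2010-01-06"],
    "redir-d.example": [f"2010-01-{d:02d}" for d in range(3, 14)],
}


def lifetime_days(polls):
    """Lifetime of each domain: first reachable day to last reachable day,
    inclusive, so a domain seen up on one day only has a lifetime of 1."""
    out = {}
    for domain, days in polls.items():
        first, last = date.fromisoformat(min(days)), date.fromisoformat(max(days))
        out[domain] = (last - first).days + 1
    return out


def median_lifetime(polls):
    """Median lifetime across all monitored domains, in days."""
    return median(lifetime_days(polls).values())


def fraction_alive_after(polls, horizon_days):
    """Share of domains that were still reachable `horizon_days` after they
    were first seen (the slide's 'fewer than 50% survive 11 days')."""
    lifetimes = lifetime_days(polls)
    return sum(1 for d in lifetimes.values() if d >= horizon_days) / len(lifetimes)


def new_redirectors_per_day(polls):
    """How many previously unseen domains appeared on each day (growth)."""
    return Counter(min(days) for days in polls.values())


def operational_per_day(polls):
    """How many domains were reachable on each day of the monitoring window,
    including days on which none were (useful for the daily average)."""
    all_days = sorted({d for days in polls.values() for d in days})
    start, end = date.fromisoformat(all_days[0]), date.fromisoformat(all_days[-1])
    counts = {}
    cur = start
    while cur <= end:
        iso = cur.isoformat()
        counts[iso] = sum(1 for days in polls.values() if iso in days)
        cur += timedelta(days=1)
    return counts


def average_operational(polls):
    """Mean number of reachable domains per day over the window."""
    per_day = operational_per_day(polls)
    return sum(per_day.values()) / len(per_day)


if __name__ == "__main__":
    print("lifetimes:", lifetime_days(UPTIME_POLLS))
    print("median lifetime:", median_lifetime(UPTIME_POLLS))
    print("alive after 11 days:", fraction_alive_after(UPTIME_POLLS, 11))
    print("new per day:", dict(new_redirectors_per_day(UPTIME_POLLS)))
    print("avg operational:", round(average_operational(UPTIME_POLLS), 2))
```

Lifetimes are measured between the first and last reachable poll rather than by counting reachable days, so a domain that flaps (down one day, back the next) is not credited with a shorter life than it actually had; that matches how a takedown date is usually estimated from polling data.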
Analysis (cont.)
• Extract the list of zombie IPs
• 4151 IPs from 80 countries
• Download of the malicious executable => zombie online!?
• On average 365 zombies respond each day
• 60000 zombies reported by TrendMicro => severe reduction
Analysis (cont.)
• Spam histories (11~2)
• Facebook, Twitter
• Account is fraudulent
• Facebook
• Link clickthrough => 73%
• Koobface spam links => clicked 137698 times
• Average 474 clicks
Analysis (cont.)
• Twitter
Evading Detection
• Domain blacklisting services prevent malicious URLs
• Twitter: Google's Safe Browsing API
• Facebook: its own proprietary blacklist
• Evade blacklist detection: blogs, RSS feeds, shortened URLs
• 500 URLs blacklisted by Twitter and Facebook
Evading Detection (cont.)
• Measure blacklist delay
• Three blacklist services: Google Safe Browsing, SURBL, and Joewein
• 544 compromised redirectors
• Failure: SURBL and Joewein => email
Evading Detection (cont.)
• Delay in detection for Google Safe Browsing
• 50% of links => 2 days
• How quickly does the blacklist respond?
• Clickthrough (75 URLs)
• 55% of clicks => 1 day, 81% of clicks => 2 days
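The two measurements on these slides, how long a blacklist takes to flag a spam URL and how many clicks arrive before that happens, are what decide whether blacklisting protects anyone. The script below is an added example, not code from the paper or the presenter; it runs over a constructed set of hypothetical spam URLs, each with a first-spam time, an optional blacklist time and observed click times, and reports the blacklist delay distribution, the share of clicks within 1 and 2 days, and the share of clicks the blacklist could not have blocked.

```python
"""Measure blacklist reaction time against click timing for spam URLs.
Added example with constructed data; URLs and timestamps are hypothetical."""
from datetime import datetime
from statistics import median

# Constructed sample, one record per spam URL: when it was first spammed,
# when the blacklist flagged it (None = never flagged while monitored) and
# the click timestamps observed through the shortener. (Not the paper's data.)
SPAM_URLS = [
    {"url": "http://short.example/u1",
     "first_spam": "2010-01-01T00:00", "blacklisted": "2010-01-01T12:00",
     "clicks": ["2010-01-01T02:00", "2010-01-01T06:00",
                "2010-01-01T20:00", "2010-01-02T06:00"]},
    {"url": "http://short.example/u2",
     "first_spam": "2010-01-02T00:00", "blacklisted": "2010-01-04T00:00",
     "clicks": ["2010-01-02T01:00", "2010-01-02T10:00", "2010-01-03T12:00",
                "2010-01-04T12:00", "2010-01-05T00:00"]},
    {"url": "http://short.example/u3",
     "first_spam": "2010-01-03T00:00", "blacklisted": None,
     "clicks": ["2010-01-03T05:00", "2010-01-07T04:00"]},
    {"url": "http://short.example/u4",
     "first_spam": "2010-01-04T00:00", "blacklisted": "2010-01-05T21:00",
     "clicks": ["2010-01-04T03:00", "2010-01-04T12:00", "2010-01-05T16:00",
                "2010-01-06T02:00", "2010-01-09T10:00"]},
]

DAY_SECONDS = 86400.0


def days_between(start_iso, end_iso):
    """Elapsed time from start to end in (fractional) days."""
    delta = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return delta.total_seconds() / DAY_SECONDS


def blacklist_delays_days(records):
    """Delay from first spam to listing, in days, for URLs that were listed."""
    return [days_between(r["first_spam"], r["blacklisted"])
            for r in records if r["blacklisted"] is not None]


def median_blacklist_delay(records):
    return median(blacklist_delays_days(records))


def fraction_blacklisted_within(records, days):
    """Share of all URLs flagged within `days` of first spam. URLs never
    flagged count against the blacklist, not as missing data."""
    hits = sum(1 for r in records if r["blacklisted"] is not None
               and days_between(r["first_spam"], r["blacklisted"]) <= days)
    return hits / len(records)


def fraction_clicks_within(records, days):
    """Share of all clicks that happened within `days` of the URL's first spam."""
    total = sum(len(r["clicks"]) for r in records)
    early = sum(1 for r in records for c in r["clicks"]
                if days_between(r["first_spam"], c) <= days)
    return early / total


def fraction_clicks_unprotected(records):
    """Share of clicks that occurred before the URL was listed, or on a URL
    never listed: these are the clicks a blacklist-based filter cannot stop."""
    total = sum(len(r["clicks"]) for r in records)
    exposed = 0
    for r in records:
        for c in r["clicks"]:
            if r["blacklisted"] is None or datetime.fromisoformat(c) < datetime.fromisoformat(r["blacklisted"]):
                exposed += 1
    return exposed / total


if __name__ == "__main__":
    print("median blacklist delay (days):", median_blacklist_delay(SPAM_URLS))
    for horizon in (1, 2):
        print(f"URLs listed within {horizon}d:", fraction_blacklisted_within(SPAM_URLS, horizon))
        print(f"clicks within {horizon}d of spam:", fraction_clicks_within(SPAM_URLS, horizon))
    print("clicks the blacklist could not block:", fraction_clicks_unprotected(SPAM_URLS))
```

The comparison that matters for a defender is the last number against the first: if most clicks land within a day or two of the first spam message and the blacklist needs longer than that to react, the listing arrives after the damage is done, which is the argument the paper makes with its 4-day average.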
Conclusion
• Attackers flock to online social networks
• Koobface botnet: generate accounts, befriend victims, send spam
• Domain blacklisting is ineffective at quickly identifying malicious URLs
• On average 4 days to respond to threats
• 81% of users visit Koobface URLs within 2 days
• To stem the threat of Koobface, social networks must advance their defenses