The Koobface Botnet and the Rise of Social Malware Kurt Thomas David M. Nicol
Motivation Online social networks becoming attractive target for scams – Unprotected population – Exploit user trust in ‘friends’ Scams propagated via stolen accounts – 86% of Twitter spam accounts compromised [Grier et al. CCS2010] – 97% of Facebook spam accounts compromised [Gao et al. IMC2010] Koobface botnet is a prime example – Steals social network credentials – Spreads to friends – Creates fake accounts to help seed infections
Contributions Develop emulator to infiltrate Koobface – Replays packets to C&C for work – Allows safe interact with botnet C&C Infrastructure: – 1,800 compromised domains – 4,100 zombies Fraudulent/Infected accounts: – 30,000 fraudulent Gmail accounts – 942 fraudulent Facebook accounts – 247 compromised Twitter accounts Blacklist catch only 26% of spammed URLs – Only 13% of detections occur within the window of users clicking URL
Outline Infection chain Developing emulator Spam characteristics Blacklist limitations
Infection Chain: Facebook Inbox message contains bit.ly URL to Blogspot account
Infection Chain: Blogspot location.href = ‘
Infection Chain: Compromised Domain location.href = ‘ ’
Infection Chain: Zombie User prompted to install Flash Player upgrade
Goal of Infiltration c Identify spam accounts c Identify abused services Identify compromised domains, availability cc Identify compromised machines, availability
Developing Emulator Capture sample in wild Run sample in Windows XP VM – Vary browser type – Seed with Facebook, Twitter, or no account Record outgoing packets Manually reverse engineer protocol – Includes binary analysis for encryption function
Extracting Protocol Messages Query for account to spam with: Query for URL to spam: Query for executables, actions:
Resulting Data Replayed C&C queries over one month, recovering: – 1,800 compromised domains – 4,100 zombie IPs Searched public tweets, recovering: – 247 Twitter compromised accounts – 2,847 malicious tweets Queried C&C for credentials, recovering: – 30,000 fraudulent Gmail accounts – 942 fraudulent Facebook accounts – 506 malicious messages
Spam Accounts Facebook: – Log into provided credentials (first confirm fraudulent) – Recover inbox, friend list Twitter: – Publicly search for spam strings; “OMFG!! You must see…” – Save all tweets, friend list; filter benign messages Profile StatisticFacebookTwitter Accounts Messages Templates47613 Friends200,51513,001
Spam Volume Twitter Facebook
Infection Length Measure length from first to last tweet – Median lifetime: 6 days – Attribute drop in spam volume to deinfection
Clickthrough How many users visit spammed URLs? – Majority of URLs shortened with bit.ly – Recover statistics from API Distinct links clicked 137,698 times On average, 80% of visits within first 2 days
Circumventing Detection Facebook, Twitter only check visible URL for blacklist status – Obfuscate with IP, shortener, public webhosting Previously blacklisted URLs can be re-used TemplateSample / /reader/shared/
Blacklist Detection Begin with ground truth of 500 spammed URLs – How many are detected by blacklists? – What is delay between appearing in C&C traffic vs. appearing on blacklist? BlacklistFraction of URLs Detected Google Safebrowsing26.7% SURBL5.7% Joewein0%
Blacklist Delay: Google Safebrowsing Detected URLs (26.7%): – 50% of detections occur within 2 days of appearing on C&C Undetected URLs (73.3%): – At least 4 days old, up to 25 days old Summary: only 13% of detections occur within click window
Conclusion Koobface botnet shows social networks viable target for exploit – Users trust their ‘friends’ – Limited protections available Blacklists too slow, miss too many URLs – Services such as bit.ly, blogspot abused to evade detection Infiltration provides a route for detection – Recover spam templates, URLs – Identify accounts propagating spam