Twarfing: Malicious tweets

Transcription

Twarfing: Malicious tweets
Morton Swimmer, Trend Micro
Costin G. Raiu, Kaspersky Lab
Virus Bulletin 2009 – September 24th, Geneva
June 10th, 2009
Thanks to:
• Special thanks (Costin):
– Selma Ardelean: GUI + statistics
– Dan Demeter: daemon, downloader, scanning
– Alexandru Tudorica: DB design, URL fetching, expansion, scanning
– Stefan Tanase: suggestions and web 2.0 expertise (you can watch his presentation tomorrow morning in the Corp stream)
• Special thanks (Morton):
– Rainer Link (architecture)
– David Sancho (URL expansion)
Overview
• What is Twitter?
• Malware on Twitter
– Notable incidents
• The link: Twitter and URL shortening services
• Twitter and the Google SB API
• Robots:
– Kaspersky Architecture and Statistics
– Trend Architecture and Statistics
• Conclusions
What is Twitter?
• Publish/Subscribe communications system
• Founded by Jack Dorsey, Biz Stone and Evan Williams back in 2006
• SMS / Website / WebService (API)
• Subscribers can read from this
• Push
– SMS: Phone
• Pull
– Web site: Browser
– WS API: Application
– RSS: Application
Related to:
• Instant Messaging/XMPP
– Is many-to-many, but best with small groups or one-to-one
– Twitter similar, but publish/subscriber model more persistent
– Twitter also has Direct Messages for IM capability
• Internet Relay Chat (IRC)
– Handles large groups fairly well
– Twitter is many-to-many by default and scales pretty well
– But Twitter is proprietary
• RSS feeds
– One-to-many medium: links from one source w/o selection
– In Twitter you follow who you like and read his selection of links
• Tumblelogs
– One-to-many medium, but not necessarily links from publisher
– Link sharing, not messaging
Twitter internals
• 140 chars max to be SMS compatible
– SMS has a 160 char restriction
– But Twitter needed to add the user name
– Message length has been hacked (fixed)
– Might cause BoFs in applications
• Users not necessarily human!
– Devices
– From buoys to power meters
– Search for Twitter on instructables.com
• Not surprising that malware would use it, but
– It's not the best means of C&C communications
– Easily blocked after detection
– … and Twitter has been trigger happy with blocking
Twitter internals
• Historically
– Multiple Ruby on Rails servers
– Mongrel HTTP servers
– Central MySQL backend
• Currently: details super-secret, but this is what we think
– Front end: Ruby-based, Mongrel HTTP servers
– Back end: Starling for queuing/messaging, Scala-based
– MySQL: denormalized data whenever possible, only for backup and persistence
– Lots of caching (memcached)
Stats (June 2009)
Probably old already, but here they are:
• 25M users
• 475K different users posted over a 1 week period (Whitetwarf)
• 300 tweets/sec
• MySQL handles 2400 reqs per second
• API traffic == 10x website traffic!
– Indicates that far more people are using applications
– TweetDeck, Twitteriffic, Digsby, Twhirl
– Many are Adobe Air based (!)
– One key to Twitter's success!
But what is ON Twitter?
• San Antonio-based market research firm Pear Analytics analyzed 2,000 tweets (originating from the US and in English) over a 2-week period from 11:00a to 5:00p (CST) and separated them into six categories:
– News
– Spam
– Self-promotion
– Pointless babble
– Conversational
– Pass-along value
• 40.55% of Tweets were determined to be "pointless babble"
* Paper available at http://is.gd/3xmPz
And what is inside a Tweet?
• RT passes the note along
• L tells friends where I am
• #
– show group associations
– just for tagging
• @
– for public discussion
– also 'follow friday'
• links
– URLs automatically identified
Example tweets:
SifuMoraga: presenting together with @craiu at #vb2009 L: Geneva
schouw: RT @SifuMoraga: presenting together with @craiu at #vb2009 L: Geneva
Long URLs, short URLs
• URLs can be long and ugly
• URL shortening services have grown up around Twitter
– longurl.org counts 208 different ones
• Malicious URLs are one potential threat
• URL Shorteners
– obscure the true URL
– may become malicious
– RickRolling, but maliciously
• Benefits:
– 'bit.ly' blocks malicious URLs
Most popular URL shortening services
[Bar chart: share (%) of URL shortening services seen on Twitter; services shown: tinyurl.com, bit.ly, ow.ly, is.gd, cli.gs, twurl.nl, migre.me, tr.im, tiny.cc, myloc.me. Annotation: bit.ly is the default URL shortener on Twitter since May 2009.]
Malware on Twitter
August 2008
Notable incidents
• April 2009 – Twitter gets hit by XSS worm
– Multiple variants of the worm (JS.Twettir.a-h) were identified
– Thousands of spam messages containing the word "Mikeyy" filled the timeline
– Proof of concept – no malicious intent
– Later, the author (Mikey Mooney) got a job at exqSoft Solutions, a web security company
Notable incidents
• June 2009 – Trending topics start being exploited
Notable incidents
• June 2009 – Koobface spreading through Twitter
– Originally, Koobface was only targeting Facebook and MySpace users
– Constantly "improved", now spreading through more social networks: Facebook, MySpace, Hi5, Bebo, Tagged, Netlog and most recently… Twitter
Notable incidents
• August 6, 2009 – massive DDoS attack against Twitter (and others)
– Twitter knocked offline for several hours, API problems lasted for days
– Reason: to silence a relatively unimportant blogger in Georgia (really?)
Twitter and Google SB API
• Google Safe Browsing API – malicious websites blacklist
• Used (at least) in Firefox and Chrome
• Basically: two lists of MD5's
• A hash is computed on various parts of the URL and checked against the lists
– http://a.b.c.d/1.htm -> a.b.c.d -> b.c.d -> c.d -> a.b.c.d/1.htm?p=1
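The lookup scheme sketched on the slide, as an added example (not code from the deck, from Google, or from either vendor's robot): every host suffix of the URL is combined with every path prefix, each combination is hashed with MD5 as the slide states, and the hashes are checked against a constructed blacklist. The real protocol also limits how many host and path candidates are generated; this version keeps the slide's simplified scheme.

```python
import hashlib
from urllib.parse import urlsplit

def host_suffixes(host):
    """Exact host plus its shorter suffixes, as on the slide: a.b.c.d -> b.c.d -> c.d."""
    parts = host.lower().rstrip(".").split(".")
    # the shortest candidate keeps two labels; longer ones drop labels from the left
    return [host.lower()] + [".".join(parts[i:]) for i in range(1, len(parts) - 1)]

def path_prefixes(path, query):
    """Full path with query, full path, then every directory prefix down to '/'."""
    cands = [path + "?" + query] if query else []
    cands.append(path)
    dirs = path.split("/")[1:-1]
    for i in range(len(dirs), -1, -1):
        cands.append("/" + "/".join(dirs[:i]) + ("/" if i else ""))
    return list(dict.fromkeys(cands))  # dedupe while keeping order

def lookup_expressions(url):
    """Every host-suffix/path-prefix combination whose hash is checked against the lists."""
    u = urlsplit(url)
    exprs = [h + p for h in host_suffixes(u.hostname)
             for p in path_prefixes(u.path or "/", u.query)]
    return list(dict.fromkeys(exprs))

def is_blacklisted(url, blacklist_hashes):
    """True if any lookup expression hashes (MD5, as the slide states) to a listed value."""
    return any(hashlib.md5(e.encode("utf-8")).hexdigest() in blacklist_hashes
               for e in lookup_expressions(url))

# Constructed blacklist for the demo: listing the hash of "c.d/" covers the whole c.d domain,
# so http://a.b.c.d/1.htm?p=1 is caught through its b.c.d -> c.d suffix.
CONSTRUCTED_BLACKLIST = {hashlib.md5(b"c.d/").hexdigest()}

if __name__ == "__main__":
    for e in lookup_expressions("http://a.b.c.d/1.htm?p=1"):
        print(e)
    print(is_blacklisted("http://a.b.c.d/1.htm?p=1", CONSTRUCTED_BLACKLIST))
```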
Google SB API
• In August 2009, Twitter began filtering malicious URLs
– Mikko Hypponen:
• Initial testing seemed to indicate Google SB API!
• But after a bit more testing, we discovered it is SB API but with some additional filtering
A bit about 'bit.ly' / 'j.mp'
• Originally, Twitter used 'tinyurl.com' to shorten URLs. Around May 2009 it however decided to silently replace it with 'bit.ly', a service from 'Betaworks', a startup accelerator
Q: How can I be sure a bit.ly link is safe to click on?
A: Bit.ly filters all links through several independent services to check for spam, suspected phishing scams, malware, and other objectionable content. We currently include Google Safe Browsing, SURBL, and SpamCop in our operations. For Firefox browser users, we also have a Preview Plugin that allows you to view more information about a link before clicking. If you are a Twitter user, similar preview features are offered by Tweetdeck (we've got a writeup of how it works here).
Source: http://bit.ly/pages/faq/
Our Robot(s) – Krab Krawler
Kaspersky Robot
• Codenamed: Krab Krawler
• Specs: Linux + PHP + MySQL
• Operation: It continuously fetches the Twitter public timeline on multiple threads, extracts URLs and injects them into a DB
• Target: URLs are analysed and expanded if necessary
• Execution: Modules check the URLs for malware
• Design: Costin G. Raiu, Stefan Tanase
• Assembly: Selma Ardelean, Dan Demeter, Alexandru Tudorica
Krab Krawler: Architecture
New unique URLs per day
[Chart: new unique URLs per day, 9/12/2009 to 9/21/2009; y-axis from 0 to 500,000]
Malware we found so far
[Bar chart: share of detections in %, 0 to 30]
• Trojan-Clicker.HTML.IFrame.ob
• Trojan-Clicker.JS.Agent.gr
• Trojan-Downloader.JS.Gumblar.a
• Trojan-Downloader.VBS.Psyme.gf
• Trojan-Downloader.JS.Iframe.atl
• Hoax.HTML.BadJoke.Agent.c
• Trojan-Clicker.JS.Agent.hz
• Trojan-Clicker.HTML.IFrame.aem
• Trojan-Downloader.HTML.FraudLoad.a
• Trojan.JS.Agent.wh
• Others
General stats
• URL duplication: 1 URL is posted on average 1.59 times
• Twitter posts with URLs: ~26%
• Downloaded objects: ~60GB per month
• The most popular single URL posted to Twitter:
– http://tinyurl.com/nxsavh
– http://getiton.com/go/g1108066-pct
Our Robot(s) – Red Twarf
Whitetwarf
• An early prototype system
• Receives a subset of the tweets via twitter search
• Stores external metadata from twitter
• Processes text part for internal metadata
– User references, hashtags, informal tags
• Creates canonical text representations
• Export to an RDF store for analysis
• Hard coded detection of attacks
WhiteTwarf – the exploratorium
[Architecture diagram: tweets from Twitter go through tweet processing (text signatures) and URL processing (HTTP HEAD requests, shortener APIs); the WT-Redirector feeds URLs to an RDF converter and RDF store, which analysis queries with SPARQL to derive domain reputations, redirectors and shorteners, attacks, malicious users, etc.]
WhiteTwarf in detail
• Tweet Processing phase
– loop forever
• Fetch a limited number of tweets
– These come back as JSON code
• Extract metadata
• Enter this into the database
• Then we wait adaptively before doing this again
– From the tweets, we extract
• Tags, URLs, user references
• Text signatures
– Meant to remove small differences in text
– Normalization and whitespace removal
– UTF-8 tricks expansion/removal
– Keyword extraction (future)
• Other metadata
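The metadata extraction and text-signature step described above, as an added example (not WhiteTwarf's own code): tags, URLs and user references are pulled from a tweet's JSON, and the text is reduced to a canonical signature so that a retweet with a swapped link still matches the original. The JSON field names (id, text, user.screen_name) and the sample tweets are assumptions modelled on the deck's @iceman example.

```python
import json
import re
import unicodedata

URL_RE = re.compile(r"https?://[^\s<>\"']+")
MENTION_RE = re.compile(r"@(\w+)")
HASHTAG_RE = re.compile(r"#(\w+)")
# informal tags used in the deck's sample tweets: RT (pass-along) and L: (location)
RT_RE = re.compile(r"\bRT\b:?")
LOCATION_RE = re.compile(r"\bL:\s*([^\s@#]+)")

def text_signature(text):
    """Canonical text representation: drop URLs, @mentions, #tags, RT and L: markers,
    fold Unicode look-alikes (fullwidth letters etc.) with NFKC + casefold, then remove
    whitespace, punctuation and zero-width characters so only letters and digits remain."""
    t = URL_RE.sub(" ", text)
    for rx in (MENTION_RE, HASHTAG_RE, RT_RE, LOCATION_RE):
        t = rx.sub(" ", t)
    t = unicodedata.normalize("NFKC", t).casefold()
    return re.sub(r"[\W_]+", "", t)

def process_tweet(raw_json):
    """Extract internal metadata from one tweet. Field names (id, text, user.screen_name)
    are assumed from the public-timeline JSON format of the time."""
    tw = json.loads(raw_json)
    text = tw["text"]
    loc = LOCATION_RE.search(text)
    return {
        "id": tw["id"],
        "user": tw["user"]["screen_name"],
        "mentions": MENTION_RE.findall(text),
        "hashtags": HASHTAG_RE.findall(text),
        "urls": URL_RE.findall(text),
        "retweet": bool(RT_RE.search(text)),
        "location": loc.group(1) if loc else None,
        "sig": text_signature(text),
    }

# Constructed sample tweets modelled on the deck's @iceman / @notniceman example
SAMPLE_TWEETS = [
    '{"id": 1001, "text": "This link is cool http://cool.com/ice.html",'
    ' "user": {"screen_name": "iceman"}}',
    '{"id": 1005, "text": "RT: @iceman: This link is cool http://c00l.com/ice.exe",'
    ' "user": {"screen_name": "notniceman"}}',
]

if __name__ == "__main__":
    for raw in SAMPLE_TWEETS:
        print(process_tweet(raw))
```

Both sample tweets yield the signature "thislinkiscool", which is what lets the later graph query pair them despite the different URLs.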
URL redirector processing
• For every URL entered into the DB we follow the link
• With a HEAD request
• In most cases we get a 30x response
• These get entered into the DB for further processing
• Testing showed that it is usually faster to use shortener APIs
• So we are testing code that will ID shorteners and use API instead of HEAD
• We also capture other HTTP metadata
• Basically we are looking for possible file downloads
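The HEAD-based redirect walk described above, as an added example (not WhiteTwarf's code): each hop is resolved with a HEAD request only, 30x Location headers are followed up to a hop limit, loops are detected, and the final headers are checked for a likely file download. The `head` callable is pluggable so the walker can run offline against the constructed responses below; the hostnames in them are placeholders.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
DOWNLOAD_TYPES = ("application/octet-stream", "application/x-msdownload")

def http_head(url, timeout=10):
    """Issue one HEAD request without following redirects; return (status, headers)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=timeout)
    conn.request("HEAD", (u.path or "/") + ("?" + u.query if u.query else ""))
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())

def follow_chain(url, head=http_head, max_hops=MAX_HOPS):
    """Walk 30x Location hops with HEAD only (no body is ever fetched). Returns the hop
    list, the final status, whether a loop was detected and whether the endpoint looks
    like a file download (binary content type or attachment disposition)."""
    chain, seen = [url], {url}
    status, headers = head(url)
    headers = {k.lower(): v for k, v in headers.items()}
    while 300 <= status < 400 and "location" in headers and len(chain) <= max_hops:
        nxt = urljoin(chain[-1], headers["location"])  # Location may be relative
        if nxt in seen:
            return {"chain": chain, "status": status, "loop": True, "download": False}
        chain.append(nxt)
        seen.add(nxt)
        status, headers = head(nxt)
        headers = {k.lower(): v for k, v in headers.items()}
    ctype = headers.get("content-type", "").lower()
    disp = headers.get("content-disposition", "").lower()
    download = ctype.startswith(DOWNLOAD_TYPES) or "attachment" in disp
    return {"chain": chain, "status": status, "loop": False, "download": download}

# Constructed HEAD responses so the walker runs offline (placeholder hostnames)
CONSTRUCTED_HEAD = {
    "http://short.example/abc": (301, {"Location": "http://redir.example/xyz"}),
    "http://redir.example/xyz": (302, {"Location": "/dl/setup.exe"}),
    "http://redir.example/dl/setup.exe": (200, {"Content-Type": "application/octet-stream",
                                                "Content-Disposition": "attachment; filename=setup.exe"}),
    "http://loop.example/a": (302, {"Location": "http://loop.example/b"}),
    "http://loop.example/b": (302, {"Location": "http://loop.example/a"}),
}

def fake_head(url):
    return CONSTRUCTED_HEAD.get(url, (404, {}))
```

Call `follow_chain(url, head=fake_head)` for the offline demo and `follow_chain(url)` to use real HEAD requests.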
The next stage: RedTwarf
• Will capture the entire Twitter feed
• Goal: looking for new attack patterns
• Based on same data as in WhiteTwarf
• Using text-mining techniques to detect rules
Detecting malicious activity
• Data exported to an RDF Store
– This is a graph database
– Allows for complex queries
– Does have some performance issues and is not real time
• Simple attack scenario
– User is observed to post to a malicious domain
– We want to see what else he has posted
[Graph: user "mal" posts tweet/1234 and tweet/5678; tweet/1234 tw:hasURL http://mal.com/evil.exe, which drs:hasFQDN mal.com with drs:rating malicious; tweet/5678 tw:hasURL http://unk.com/what.exe]
Matching graphs
[Graph pattern over the scenario above: ?m posts ?t1 and ?t2; ?t1 tw:hasURL ?u1; ?u1 drs:hasFQDN ?f; ?f drs:rating malicious; ?t2 tw:hasURL ?u2. The bindings of ?u2 are the other URLs posted by the same user.]
More complex attack
@iceman: This link is cool http://cool.com/ice.html
@notniceman: RT: @iceman: This link is cool http://c00l.com/ice.exe
Observed: User modified URL on retweet to be malicious
[Graph: iceman posts tweet/1001 (hasURL http://cool.com/ice.html, textSig thislinkiscool); notniceman posts tweet/1005 (hasURL http://c00l.com/ice.exe, textSig thislinkiscool)]
Matching Graphs
[Graph pattern over the scenario above: ?u1 posts ?t1 and ?mu posts ?t2; ?t1 and ?t2 share textSig ?s; ?t2 hasURL ?u2, which differs from the URL in ?t1. The binding of ?mu identifies the user who modified the retweet.]
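Both graph matches (the simple attack scenario and the modified-retweet scenario), as an added example that is not the deck's own SPARQL or RDF-store code: a small backtracking pattern matcher runs over a constructed triple set that mirrors the slides' graphs, using the tw:/drs: predicate names shown there. The rule that the later tweet id is the re-post is an assumption used to decide which of the two matching tweets is the modified one.

```python
# Constructed triples mirroring the deck's two scenarios (tw:/drs: prefixes as on the slides)
TRIPLES = [
    ("mal", "tw:posts", "tweet/1234"), ("tweet/1234", "tw:hasURL", "http://mal.com/evil.exe"),
    ("http://mal.com/evil.exe", "drs:hasFQDN", "mal.com"), ("mal.com", "drs:rating", "malicious"),
    ("mal", "tw:posts", "tweet/5678"), ("tweet/5678", "tw:hasURL", "http://unk.com/what.exe"),
    ("iceman", "tw:posts", "tweet/1001"), ("tweet/1001", "tw:hasURL", "http://cool.com/ice.html"),
    ("tweet/1001", "tw:textSig", "thislinkiscool"),
    ("notniceman", "tw:posts", "tweet/1005"), ("tweet/1005", "tw:hasURL", "http://c00l.com/ice.exe"),
    ("tweet/1005", "tw:textSig", "thislinkiscool"),
]

def _bind(term, value, b):
    # a literal term must equal the value; a ?variable binds to it or must already agree
    if not term.startswith("?"):
        return term == value
    if term in b:
        return b[term] == value
    b[term] = value
    return True

def match(pattern, triples, binding=None):
    """Basic graph pattern matching, i.e. what a SPARQL SELECT does over the RDF store:
    satisfy the pattern's triples one at a time, backtracking over every candidate."""
    binding = binding or {}
    if not pattern:
        yield dict(binding)
        return
    (s, p, o), rest = pattern[0], pattern[1:]
    for ts, tp, to in triples:
        b = dict(binding)
        if _bind(s, ts, b) and _bind(p, tp, b) and _bind(o, to, b):
            yield from match(rest, triples, b)

# Simple attack scenario: whatever else a poster of a malicious-rated FQDN has posted
OTHER_URLS_OF_MALICIOUS_POSTER = [
    ("?m", "tw:posts", "?t1"), ("?t1", "tw:hasURL", "?u1"),
    ("?u1", "drs:hasFQDN", "?f"), ("?f", "drs:rating", "malicious"),
    ("?m", "tw:posts", "?t2"), ("?t2", "tw:hasURL", "?u2"),
]
# More complex attack: the same text signature re-posted by ?mu with a different URL
MODIFIED_RETWEET = [
    ("?t1", "tw:textSig", "?s"), ("?t2", "tw:textSig", "?s"),
    ("?t1", "tw:hasURL", "?u1"), ("?t2", "tw:hasURL", "?u2"), ("?mu", "tw:posts", "?t2"),
]

def suspicious_urls(triples=TRIPLES):
    return sorted({b["?u2"] for b in match(OTHER_URLS_OF_MALICIOUS_POSTER, triples)
                   if b["?u2"] != b["?u1"]})

def modified_retweets(triples=TRIPLES):
    # assumption: the later tweet id is the re-post, so ?t2 > ?t1 picks out the modifier
    return sorted({(b["?mu"], b["?u2"]) for b in match(MODIFIED_RETWEET, triples)
                   if b["?u1"] != b["?u2"] and b["?t2"] > b["?t1"]})
```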
Conclusions
• Twitter is becoming a popular attack vector
• Two approaches to detecting threats broadcast via Twitter
• There are serious security dependencies due to the URL shorteners
• Common goal: protecting you, our customers
• Identifying the future development directions of Twitter threats
We would like to thank VB and the charming audience for your support with 140 characters and guess what, we just did it! #vb2009
Thank you!
morton@swimmer.org
twitter.com/sifumoraga
craiu@kaspersky.ro
twitter.com/craiu