Social Zombies II: Your Friends Need More Brains

In Social Zombies II: Your Friends Need More Brains, Tom Eston, Kevin Johnson and Robin Wood continue the zombie invasion from "Social Zombies: Your Friends Want to Eat Your Brains", presented at DEFCON 17. This presentation further examines the risks of social networks and then presents new techniques and tools that can be used to exploit these issues. It begins by discussing new twists on existing privacy concerns that arise from the mass of trust that social networks represent. We use this privacy confusion to exploit members and their companies during our penetration tests. The presentation then discusses social network botnets and bot programs; both the delivery of malware through social networks and the use of these networks as command and control channels are examined. Tom, Kevin and Robin next explore browser-based bots and their delivery through custom social network applications, and show new ways social network applications can be used for malware delivery. Finally, the information available through the social network APIs is explored using third-party applications designed for penetration testing, allowing complete coverage of the targets and their information. This was presented at Shmoocon 2010 on February 6, 2010.


  1. SOCIAL ZOMBIES II: Your Friends Need More Brains
  2. Starring...
  3. Tom Eston
  4. Robin Wood
  5. Kevin Johnson
  6. Social Networks: Where are we today?
  7. 350 Million Users (how many of these are fake?)
  8. 120 Million Login Daily
  9. 6.2 million joining Twitter every month
  10. End of 2009: 75 Million Users
  11. It’s all about trust...
  12. Fake accounts? Orly?
  13. Who is the most dangerous woman on the Internet?
  14. Advanced Persistent Threat
  15. What makes a Jessica Biel?
  16. Thank You! Prabhu Deva and Nathan Hamiel
  17. Lava Roll FTW
  18. Still easy to exploit trust!
      • More difficult to tell a bot from a real account
      • Accounts are easy to create
      • Socnet user verification = FAIL
      • Twitter “Verified” accounts?
      • Connections based on other “friends”
  19. New Privacy Concerns
  20. New Facebook Privacy Settings
      • Your info is even more open!
      • Your Name, Profile Picture, Gender, Current City, Networks, Friend List, and Pages are all public
      • “Suggested” settings are set to EVERYONE
      • Zuckerberg says users don’t want privacy...
  21. Really?
  22. Epic FAIL?
  23. Blippy FTW
  24. Blippy FTW
  25. "I Joined BLIPPY and all I got was Jacked at the ATM" - Chris Nickerson (@indi303) via Twitter
  26. What about the ultimate stalker tool?
  27. Geo-Location Tracking
  28. Blippy + Foursquare + Facebook + Twitter + LinkedIn = PWNAGE
  29. Why the **** would Socnets do this??
  30. “The more info you share... ...the more valuable you are”
  31. Real Time Search FTW
  32. How do pen testers and attackers use this? Thank you Social Networks!
  33. Wealth of recon information!
      • Socnet search engines
      • Maltego (Twitter and Facebook)
      • Google hacks, e.g. inurl:group (bofa | "bank of america")
      • Manual searching
      • Status updates
      • Real time search
  34. Infiltrate a company with this information!
  35. New Security Concerns
  36. Koobface Evolving
      • Still the #1 socnet worm
      • Targets all major socnets
      • Socnet chat vectors
      • Now with CAPTCHA
      • Adobe/IE 0day, Zeus Trojans FTL
      (Screenshots via McAfee Labs/PandaLabs)
  37. Danger! Social Network Applications
  38. Months of Bugs!
      • July 2009 - Month of Twitter Bugs (Aviv Raff)
      • September 2009 - Month of Facebook Bugs (theharmonyguy)
      • Vulnerabilities affecting over 9,700 Facebook applications
      • Over half of the vulnerable apps had passed the Facebook “Verified” Application program
      • Six of the hacked applications were in the “Top 10” (FarmVille and Causes!)
      • Most could be used with clickjacking to install
  39. More than 218 million Facebook users were vulnerable!
  40. Facebook Application Autopwn Demo
  41. Advanced Social Network Bots
  42. More Evil Twitter Bots
      • Bots that pull trending malware links
      • Used recently to promote warez like pirated movies
      • Easy to code. Twitter API FTW
  43. Better Automated Tools
      • Tools are getting more reliable
      • CAPTCHA bypass built in, able to offload to an outsourced solution
      • Automated tools are cheap! Why roll your own? (or get it for free via Torrent!)
  44. What is it? A command and control system running over social media
  45. Written in Ruby as a proof of concept. Not optimized. Not stealthy.
  46. Currently runs over:
      • Twitter
      • JPEG
      • TinyURL
  47. And now...
  48. Uses the LinkedIn API to read and write the Status field
  49. Also new... Windows support: a basic Ruby install with a few gems and off it goes
  50. What’s Next? Other media types, possibly non-HTML based. Please give suggestions!
  51. 51. New KreiosC2 Demo
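As an added example (not KreiosC2's own code; the slides do not describe its wire format), the Ruby sketch below shows the framing a bot needs when its commands arrive through a status field such as a Twitter timeline or the LinkedIn Status field rather than a socket: the controller signs each command with a pre-shared key and a sequence number, and the bot polls the timeline, ignores ordinary chatter, and rejects forgeries, replays and garbage. The `#kc2 ` marker, the JSON layout, the pre-shared key and the sample timeline are all assumptions constructed for this example; the 140-character bound is Twitter's per-status limit at the time.

```ruby
# Added example, not KreiosC2's own code: minimal command framing for a
# C2 channel that rides on a social-network status field (Twitter, or the
# LinkedIn Status field the slides mention). The "#kc2 " marker, the JSON
# layout and the pre-shared key are assumptions made for this example.
require 'openssl'
require 'base64'
require 'json'

STATUS_LIMIT = 140          # Twitter's per-status limit in 2010
MARKER = '#kc2 '.freeze     # assumed tag the bot scans for
MAC_LEN = 32                # hex chars kept from the HMAC (128 bits) to save space

def command_mac(secret, id, cmd)
  OpenSSL::HMAC.hexdigest('SHA256', secret, "#{id}|#{cmd}")[0, MAC_LEN]
end

# Controller side: turn (sequence id, command) into one status update.
# The id increases monotonically so a bot can reject replays.
def encode_command(secret, id, cmd)
  body = JSON.generate('i' => id, 'c' => cmd, 'm' => command_mac(secret, id, cmd))
  status = MARKER + Base64.urlsafe_encode64(body, padding: false)
  raise ArgumentError, "status too long (#{status.length})" if status.length > STATUS_LIMIT
  status
end

# Constant-time comparison so MAC checking does not leak through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Bot side: returns [id, cmd] for a genuine, fresh command, nil otherwise.
def decode_command(secret, status, last_seen_id)
  return nil unless status.is_a?(String) && status.start_with?(MARKER)
  body = status.split(' ', 2)[1]
  return nil if body.nil? || body.empty?
  obj = JSON.parse(Base64.urlsafe_decode64(body))
  return nil unless obj.is_a?(Hash)
  id, cmd, mac = obj.values_at('i', 'c', 'm')
  return nil unless id.is_a?(Integer) && cmd.is_a?(String) && mac.is_a?(String)
  return nil unless id > last_seen_id                       # replay / reorder protection
  return nil unless secure_compare(mac, command_mac(secret, id, cmd))
  [id, cmd]
rescue ArgumentError, JSON::ParserError
  nil                                                        # malformed base64 or JSON
end

# Walk a timeline oldest-to-newest and collect the commands a bot would run.
def poll_timeline(secret, statuses)
  last_seen = 0
  statuses.each_with_object([]) do |status, accepted|
    id, cmd = decode_command(secret, status, last_seen)
    next if id.nil?
    last_seen = id
    accepted << cmd
  end
end

SECRET = 'demo-pre-shared-key'.freeze   # assumption: baked into the bot

# Constructed timeline standing in for the API response (oldest first).
TIMELINE = [
  'Best coffee in town this morning!',           # ordinary noise
  encode_command(SECRET, 1, 'sysinfo'),          # genuine
  encode_command('wrong-key', 2, 'rm -rf /'),    # forged by a third party
  encode_command(SECRET, 1, 'sysinfo'),          # replay of id 1
  "#{MARKER}not-really-base64!!",                # malformed
  encode_command(SECRET, 2, 'beacon 3600'),      # genuine
].freeze

if __FILE__ == $PROGRAM_NAME
  puts poll_timeline(SECRET, TIMELINE).inspect   # ["sysinfo", "beacon 3600"]
end
```

Run it with `ruby` and it prints the two commands the bot would accept; the forged, replayed and malformed entries are dropped. The fixed marker prefix is exactly what makes a PoC like this "not stealthy": anyone reading the account, or a proxy log, can pattern-match it. Moving the same payload into a JPEG or behind a TinyURL, the other carriers listed above, changes where the bytes live but not the need for authentication and a sequence number, which is what stops a third party who can post to the same account from taking over the bots.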
  52. Third Party APIs FTW
  53. SocNet APIs
      • Social network APIs provide a wealth of information
      • All the big ones offer them
      • Some play catch up
      • We get to play with these APIs
  54. Im'ma Let You Finish
      • New front end for Social Butterfly
      • KanyeWestify allows us to update your wall
  55. Westify'ing someone
      • Select a friend
      • Drop down helps
      • Their wall now has the update
  56. So what did we do?
      • Using the API, we grabbed the user's information
      • And their friends' data
      • In this version we used the FQL queries from theHarmonyGuy
      • Full backup of your account
      • We also used JS to brute force browser history
      • We can map visited pages to users of Facebook!
      • Marketing FTW!
  57. Have the undead won?
  58. We need more brains!
      • User education...yeah, it’s hard
      • Better privacy controls
      • End opt-in developer models
      • Tighter control of APIs
  59. Questions?
      • News, Research, Guides, Videos
      • Download KreiosC2
      • Follow us...if you dare: @agent0x0, @digininja, @secureideas