Twarfing: Malicious Tweets Morton Swimmer Costin G

Click to edit Master title style

• Click to edit Master text styles – Second level • Third level – Fourth level » Fifth level

Twarfing: Malicious tweets Morton Swimmer Costin G. Raiu Trend Micro Kaspersky Lab

June 10th, 2009 Virus Bulletin 2009 – SeptemberEvent details 24th (title,, Geneva place) Thanks to:

• Special thanks (Costin): – Selma Ardelean: GUI+statistics – Dan Demeter: daemon , downloader , scanning – Alexandru Tudorica: DB design, URL fetching, expansion, scanning – Stefan Tanase – suggestions and web 2.0 expertise (you can watch his presentation tomorrow morning in the Corp stream)

•Spp()ecial thanks (Morton) – Rainer Link (architecture) – David Sancho (URL expansion)

June 10th, 2009 Event details (title, place) Overview

• What is Twitter? • Malware on Twitter – Notable incidents • The link: Twitter and URL shortening services • Twitter and the Google SB API • RbtRobots: – Kaspersky Architecture and Statistics – Trend Architecture and Statistics • Conclusions

June 10th, 2009 Event details (title, place) What is Twitter?

• Publish/Subscribe Communications system • Founded by Jack Dorsey, Biz Stone and Evan Willi am s back in 2 006 • SMS/Website, WebService (API) • Subscribers can read from this Browser • Push App Phone • SSSMS: Phone • Pull • Web site: Browser

• WS API: Application App Browser Phone • RSS: Application June 10th, 2009 Event details (title, place) Related to:

• Instant Messaging/XMPP •Is manyyy to many, but best with small g gproups or one-to-one • Twitter similar, but publish/subscriber model more persistent • Twitter also has Direct Messages for IM capability • Internet Relay Chat (IRC) • Handles large groups fairly well • Twitter is manyyyy to many by default and scales pypretty well • But Twitter is proprietary • RSS feeds • One-to-many medium: li nk s f rom one source w/ o sel ecti on • In Twitter you follow who you like and read his selection of links • Tumblelogs • One-to-many medium, but not necessarily links from publisher • Link sharing, not messaging

June 10th, 2009 Event details (title, place) Twitter internals

• 140 chars max to be SMS compatible • SSMSMS hashas a 160160 ccharhar restrictionrestriction • But Twitter needed to add the user name • Message length has been hacked (fixed) • might cause BoFs in applications • Users not necessarily human! • Devices • From buoys to power meters • Search for Twitter on instructables .com • Not surprising that malware would use it, but • It's not the best means of C&C communications • Easily blocked after detection • … and twitter has been trigger ha ppy with blocking

June 10th, 2009 Event details (title, place) Twitter internals

• Historically • Multiple Ruby on Rails servers • Mongrel HTTP servers • Central MySQL backed • Currently: details super-secret, but this is what we think • Front end • Ruby-based front end • Mongrel HTTP servers • Back end • Starling for queuing/messaging • Scala-based • MySQL • denormalized data whenever possible • Only for backup and persistance • Lots of caching (memcached)

June 10th, 2009 Event details (title, place) Stats (June 2009)

Probably old already, but here they are:

• 25M users • 475K diff eren t users pos te d over a 1 wee k per io d (Whitetwarf) • 300 tweets/sec • MySQL handles 2400 reqs per second • API traffic == 10x website traffic! • Indicates that far more people are using applications • TweetDeck, Twitteriffic , Digsby , Twhirl • Many are Adobe Air based (!) • One key to Twitter 's success!

June 10th, 2009 Event details (title, place) But what is ON Twitter?

• SAtiSan Antonio-bdbased mar ktket researc hfiPAltih firm Pear Analytics analyzed 2,000 tweets (originating from the US and in Engg)lish) over a 2-week ppp()eriod from 11:00a to 5:00p (CST) and separated them into six categories: –News – Spam – Self-promotion – Pointless babble – Conversational – Pass-along value • 40.55% of Tweets were determined to be “pointless babble”

* Paper available at http://is.gd/3xmPz

June 10th, 2009 Event details (title, place) And what is inside a Tweet?

• RT passes the note along • L tells friends where I am • # SifuMoraga: ppggresenting together with – show associations @craiu at #vb2009 L: Geneva – show ggproup associations schouw:RT: RT @SifuMoraga: presenting – just for tagging together with @craiu at #vb2009 L: Geneva • @ – for public discussion – also 'follow friday' • links – URLs automatically identified

June 10th, 2009 Event details (title, place) Long URLs, short URLs

• URLs can be long and ugly • URL s hor ten ing serv ices have grown up around Twitter – longur l.org coun ts 208 differen t ones • Malicious URLs are one potential threat • URL Shorteners – obscure the true URL – May become malicious – RickRolling, but maliciously • Benefits: – ‘bi t.ly ’ bl ock s m ali ci ous URL s

June 10th, 2009 Event details (title, place) Most popular URL shortening services

% 80 70 Default URL shortener on Twitter 60 since May 2009 50

40 30

20 10 0

ly m e y e c d .nl im bit. .gs url tr. rl.co loc.m ow.l is.g re.m iny.c y cli tw ig t yu m m tin

June 10th, 2009 Event details (title, place) Malware on Twitter

August 2008

June 10th, 2009 Event details (title, place) Notable incidents

• April 2009 – Twitter gets hit by XSS worm • MltilMultiple var ian tsof th e worm (JS .T wetti r.a-h) were id entifi e d • Thousands of spam messages containing the word "Mikeyy“ filled the timeline • Proof of concept – no malicious intent • Later, the author (Mikey Mooney) got a job at exqSoft Solutions, a web security company

June 10th, 2009 Event details (title, place) Notable incidents • June 2009 – Trending topics start being exploited

June 10th, 2009 Event details (title, place) Notable incidents

• June 2009 – Koobface spreading through Twitter • Originally, Koobface was only targeting Facebook and MySpace users • Constantly “improved”, now spreading through more social networks: Facebook, MySpace, Hi5, Bebo, Tagged, Netlog and most recently… Twitter

June 10th, 2009 Event details (title, place) Notable incidents

• August 6, 2009 – massive DDoS attack against Twitter (and others) • Twitter knocked offline for several hours, API problems lasted for days • Reason: to silence a relatively unimportant blogger in Georgia (really?)

June 10th, 2009 Event details (title, place) Twitter and Google SB API

• Google Safe Browsing API – malicious websites blacklist • Used (at least) in Firefox and Chrome • Basically: two lists of MD5’s • A hash is computed on various parts of the URL and checked against the lists • http://a.b.c.d/1.htm -> a.b.c.d -> b.c.d -> c.d -> a.b.c.d/1.htm?p=1

June 10th, 2009 Event details (title, place) Google SB API

•In Augg,ust 2009, Twitter began filtering malicious URLs – Mikko Hypponen: • Initial testing seemed to indicate Google SB API! • But after a bit more testing, w e discov ered it is SB API but with some additional filtering

June 10th, 2009 Event details (title, place) A bit about ‘bit.ly’ / ‘j.mp’

• Originally, Twitter used ‘tinyurl.com’ to shorten URLs. Around May 2009 it h owever d ecid ed t o sil en ty rep lace it w ith ‘bit. ly ’, a service from ‘Betaworks’, a startup accelerator

Q: How can I be sure a bit.ly link is safe to click on?

A: Bit.ly filters all links through several independent services to check for spp,am, susp ected phishin g scams , malware , and other ob jectionable content. We currently include Google Safe Browsing, SURBL, and SpamCop in our operations. For Firefox browser users, we also have a Preview Plugin that allows you to view more information about a link before clicking. If you are a Twitter user, similar preview features are offered by Tweetdeck (we’ve got a writeup of how it works here). Source: http://bit.ly/pages/faq/

June 10th, 2009 Event details (title, place) Our Robot(s) – Krab Krawler

June 10th, 2009 Event details (title, place) Kaspersky Robot

• Codenamed: Krab Krawler • Specs: Linux + PHP + MySQL • Operation: It continuously fetches the Twitter public timeline on multiple threads, extracts URLs and injects them into a DB • Target: URLs are analysed and expanded if necessary • Execution: Modules check the URLs for malware • Design: Costin G. Raiu, Stefan Tanase • Assembly: Selma Ardelean, Dan Demeter, Alexandru Tudorica

June 10th, 2009 Event details (title, place) Krab Krawler: Architecture

June 10th, 2009 Event details (title, place) New unique URLs per day

500,000 450, 000000 400,000 350,000 300,000 250,000 200,000 150,000 100,000 50,000 0

9 9 09 09 09 0 0 09 0 0 /20 2009 /2009 2009 /2 /20 20 /20 2009 /2 2 3/ 4 5/ 6 7 8/ 9 1 /1 /1 /1 /1 /1 /20/ /2 9 9/1 9 9 9 9 9/1 9/1 9 9

June 10th, 2009 Event details (title, place) Malware we found so far

0 5 10 15 20 25 30 %

Trojan-Clicker.HTML.IFrame.ob

Trojan-Clicker.JS.Agent.gr

Trojan-Downloader.JS.Gumblar.a

Trojan-Downloader.VBS.Psyme.gf

Trojan-Downloader.JS.Iframe.atl

Hoax.HTM L.BadJoke.Agent.c

Trojan-Clicker.JS.Agent.hz

Trojan-Clicker.HTML.IFrame.aem

Trojan-Downloader.HTML.FraudLoad.a

Trojan.JS.Agent.wh

Others

June 10th, 2009 Event details (title, place) General stats

• URL duplication: 1 URL is posted in average 1.59 times • Twitter posts with URLs: ~26% • Down loa de d o bjec ts: ~ 60GB per mon th • The most popular single URL posted to Twitter: – http://tinyurl. com/nxsavh – http://getiton.com/go/g1108066-pct

June 10th, 2009 Event details (title, place) Our Robot(s) – Red Twarf

June 10th, 2009 Event details (title, place) Whitetwarf

• An earlyyp protot ype s ystem • Receives a subset of the tweets via twitter search • Stores external metadata from twitter • Processes text part for internal metadata – User references, hashtags, Informal tags • Creates canonical text representations • Export to an RDF store for analysis • Hard coded detection of attacks

June 10th, 2009 Event details (title, place) WhiteTwarf – the exploratorium

HTTP request Twitter URL processing Shortener API URLs

WT-Redirector Analysis Tweet processing RDF Domain Converter reputations

Attacks, Redirectors MliiMalicious and Text users, etc Shorteners Sigs RDF Store Tweets SPARQL Queries June 10th, 2009 Event details (title, place) WhiteTwarf in detail

• Tweet Processing phase – lfloop forever • Fetch a limited number of tweets – These come back as JSON code • Extract metadata • Enter this into the database • then we wait adaptively before doing this again – from the tweets, we extract • Tags, URLS, user references • Text signatures – Meant to remove small differences in text – Normalization and whitespace removal – UTF-8 tricks expansion/removal – Keyword extraction (future) • other metadata June 10th, 2009 Event details (title, place) URL redirector processing

• For every URL en tere ditthDBd into the DB we fllfollow thlikthe link • With a HEAD request • ItIn most cases we get t30 a 30x response • These get entered into the DB for further processing • TiTesting s howe dhiid that it is usua llflly faster to use shortener APIs • So we are testing code that will ID shorteners and use API instead of HEAD • We also capture other HTTP metadata • Basically we are looking for possible file downloads

June 10th, 2009 Event details (title, place) The next stage: RedTwarf

• Will capture the entire Twitter feed • Goal: looking for new attack patterns • Based on same data as in WhiteTwarf • Using Text-mining techniques tdttto detect rul es

June 10th, 2009 Event details (title, place) Detection malicious activity

• Data exported to an RDF Store – This is a graph database – Allows for complex queries – Does have some performance issues and is not real time • Simp le Attac k scenar io – User is observed to post to a malicious domain – We want to see what else he has posted

mal http:// mal .com/ evil .exe malicous posts drs:rating tw:hasURL drs:hasFQDN posts mal.com tweet/1234

tw:hasURL tweet/5678 http://unk.com/what.exe

June 10th, 2009 Event details (title, place) Matching graphs

mal http://mal.com/evil.exe posts drs:hasFQDN tw:hasURL drs:rating malicous posts mal.com tweet/1234

tw:hasURL tweet/5678 http://unk.com/what.exe

?m ?1?u1

posts drs:hasFQDN tw:hasURL drs:rating malicous posts ?f ?t1

tw:hasURL ?t2 ?u2

June 10th, 2009 Event details (title, place) More complex attack

@iceman: This link is cool Observed: User modified http://cool. com/ice. html URL on retweet to be @notniceman: RT: @iceman: This link malicious is cool http://c00l.com/ice.exe

posts hasURL http://cool.com/ice.html iceman tweet/1001 textSig

thislinkiscool textSig notniceman posts tweet/1005 hasURL

http://c00l.com/ice.exe

June 10th, 2009 Event details (title, place) Matching Graphs

posts hasURL http://cool.com/ice.html iceman tweet/1001

textSig thislinkiscool textSig posts notniceman tweet/1005 hasURL http://c00l.com/ice.exe

posts hasURL ?u1 ?u1 ?t1 textSig ?s textSig posts ?mu ?t2 ?2?u2

June 10th, 2009 Event details (title, place) Conclusions

• Twitt er i s b ecom ing a popu lar a ttac k vec tor • Two approaches to detecting threats broadcast via Twitter • There are serious security dependencies due to the URL Shorteners • Common goal: protecting you, our customers • Identifying the future development directions of Twitter threats

We would like to thank VB and the charminggypp audience for your support with 140 characters and guess what, we just did it! #vb2009

June 10th, 2009 Event details (title, place) Click to edit Master title style

• Click to edit Master text styles – Second level • Third level – Fourth level » Fifth level [email protected] Thank you! twitter.com/sifumoraga

[email protected] twitter.com/craiu

June 10th, 2009 Event details (title, place)