
Twarfing: Malicious tweets
Morton Swimmer (Trend Micro), Costin G. Raiu (Kaspersky Lab)
June 10th, 2009 – Virus Bulletin 2009 – September 24th, Geneva

Thanks to:
• Special thanks (Costin):
– Selma Ardelean: GUI + statistics
– Dan Demeter: daemon, downloader, scanning
– Alexandru Tudorica: DB design, URL fetching, expansion, scanning
– Stefan Tanase: suggestions and web 2.0 expertise (you can watch his presentation tomorrow morning in the Corp stream)
• Special thanks (Morton):
– Rainer Link (architecture)
– David Sancho (URL expansion)

Overview
• What is Twitter?
• Malware on Twitter
– Notable incidents
• The link: Twitter and URL shortening services
• Twitter and the Google SB API
• Robots:
– Kaspersky architecture and statistics
– Trend architecture and statistics
• Conclusions

What is Twitter?
• Publish/subscribe communications system
• Founded by Jack Dorsey, Biz Stone and Evan Williams back in 2006
• SMS/website, web service (API)
• Subscribers can read from it over several channels (diagram on the slide):
– Push: SMS to a phone
– Pull: web site (browser), WS API (applications on a desktop, browser or phone), RSS (application)

Related to:
• Instant Messaging/XMPP
– Is many-to-many, but best with small groups or one-to-one
– Twitter similar, but the publish/subscribe model is more persistent
– Twitter also has Direct Messages for IM capability
• Internet Relay Chat (IRC)
– Handles large groups fairly well
– Twitter is many-to-many by default and scales pretty well
– But Twitter is proprietary
• RSS feeds
– One-to-many medium: links from one source w/o selection
– In Twitter you follow who you like and read his selection of links
• Tumblelogs
– One-to-many medium, but not necessarily links from the publisher
– Link sharing, not messaging

Twitter internals
• 140 chars max to be SMS compatible
– SMS has a 160 char restriction
– But Twitter needed to add the user name
• Message length has been hacked (fixed)
– might cause BoFs in applications
• Users not necessarily human!
– Devices
– From buoys to power meters
– Search for Twitter on instructables.com
• Not surprising that malware would use it, but
– It's not the best means of C&C communications
– Easily blocked after detection
– … and Twitter has been trigger happy with blocking

Twitter internals
• Historically
– Multiple Ruby on Rails servers
– Mongrel HTTP servers
– Central MySQL backend
• Currently: details super-secret, but this is what we think
– Front end: Ruby-based front end, Mongrel HTTP servers
– Back end: Starling for queuing/messaging, Scala-based
– MySQL: denormalized data whenever possible; only for backup and persistence
– Lots of caching (memcached)

Stats (June 2009)
Probably old already, but here they are:
• 25M users
• 475K different users posted over a 1 week period (Whitetwarf)
• 300 tweets/sec
• MySQL handles 2400 reqs per second
• API traffic == 10x website traffic!
– Indicates that far more people are using applications
– TweetDeck, Twitterrific, Digsby, Twhirl
– Many are Adobe Air based (!)
– One key to Twitter's success!

But what is ON Twitter?
• San Antonio-based market research firm Pear Analytics analyzed 2,000 tweets (originating from the US and in English) over a 2-week period from 11:00a to 5:00p (CST) and separated them into six categories:
– News
– Spam
– Self-promotion
– Pointless babble
– Conversational
– Pass-along value
• 40.55% of tweets were determined to be "pointless babble"
* Paper available at http://is.gd/3xmPz

And what is inside a Tweet?
Example tweets on the slide:
SifuMoraga: presenting together with @craiu at #vb2009 L: Geneva
schouw: RT @SifuMoraga: presenting together with @craiu at #vb2009 L: Geneva
• RT passes the note along
• L tells friends where I am
• # – show associations
– show group associations
– just for tagging
• @ – for public discussion
– also 'follow friday'
• links – URLs automatically identified

Long URLs, short URLs
• URLs can be long and ugly
• URL shortening services have grown up around Twitter
– longurl.org counts 208 different ones
• Malicious URLs are one potential threat
• URL shorteners
– obscure the true URL
– may become malicious
– RickRolling, but maliciously
• Benefits:
– 'bit.ly' blocks malicious URLs

Most popular URL shortening services
[Chart: share (%) of each shortener on Twitter, 0–80%; bit.ly has been the default URL shortener on Twitter since May 2009. Services shown: bit.ly, tinyurl.com, myloc.me, ow.ly, is.gd, cli.gs, twurl.nl, migre.me, tr.im, tiny.cc]

Malware on Twitter
• August 2008

Notable incidents
• April 2009 – Twitter gets hit by XSS worm
– Multiple variants of the worm (JS.Twettir.a-h) were identified
– Thousands of spam messages containing the word "Mikeyy" filled the timeline
– Proof of concept – no malicious intent
– Later, the author (Mikeyy Mooney) got a job at exqSoft Solutions, a web security company
• June 2009 – Trending topics start being exploited
• June 2009 – Koobface spreading through Twitter
– Originally, Koobface was only targeting Facebook and MySpace users
– Constantly "improved", now spreading through more social networks: Facebook, MySpace, Hi5, Bebo, Tagged, Netlog and most recently… Twitter
• August 6, 2009 – massive DDoS attack against Twitter (and others)
– Twitter knocked offline for several hours, API problems lasted for days
– Reason: to silence a relatively unimportant blogger in Georgia (really?)

Twitter and Google SB API
• Google Safe Browsing API – malicious websites blacklist
• Used (at least) in Firefox and Chrome
• Basically: two lists of MD5's
• A hash is computed on various parts of the URL (host suffixes and path prefixes) and checked against the lists
• http://a.b.c.d/1.htm -> a.b.c.d -> b.c.d -> c.d -> a.b.c.d/1.htm?p=1

Google SB API
• In August 2009, Twitter began filtering malicious URLs
– Mikko Hypponen:
• Initial testing seemed to indicate Google SB API!
• But after a bit more testing, we discovered it is SB API but with some additional filtering

A bit about 'bit.ly' / 'j.mp'
• Originally, Twitter used 'tinyurl.com' to shorten URLs. Around May 2009 it however decided to silently replace it with 'bit.ly', a service from 'Betaworks', a startup accelerator
Q: How can I be sure a bit.ly link is safe to click on?
A: Bit.ly filters all links through several independent services to check for spam, suspected phishing scams, malware, and other objectionable content. We currently include Google Safe Browsing, SURBL, and SpamCop in our operations. For Firefox browser users, we also have a Preview Plugin that allows you to view more information about a link before clicking. If you are a Twitter user, similar preview features are offered by Tweetdeck (we've got a writeup of how it works here).
Source: http://bit.ly/pages/faq/

Our Robot(s) – Krab Krawler

Kaspersky Robot
• Codenamed: Krab Krawler
• Specs: Linux + PHP + MySQL
• Operation: It continuously fetches the Twitter public timeline on multiple threads, extracts URLs and injects them into a DB
• Target: URLs are analysed and expanded if necessary
• Execution: Modules check the URLs for malware
• Design: Costin G. Raiu, Stefan Tanase
• Assembly: Selma Ardelean, Dan Demeter, Alexandru Tudorica

Krab Krawler: Architecture
[Architecture diagram]

New unique URLs per day
[Chart: new unique URLs per day, 9/12/2009 to 9/21/2009, y-axis 0 to 500,000]

Malware we found so far
[Chart: share (%) of detections, 0–30%, by detection name: Trojan-Clicker.HTML.IFrame.ob, Trojan-Clicker.JS.Agent.gr, Trojan-Downloader.JS.Gumblar.a, Trojan-Downloader.VBS.Psyme.gf, Trojan-Downloader.JS.Iframe.atl, Hoax.HTML.BadJoke.Agent.c, Trojan-Clicker.JS.Agent.hz, Trojan-Clicker.HTML.IFrame.aem, Trojan-Downloader.HTML.FraudLoad.a, Trojan.JS.Agent.wh, Others]

General stats
• URL duplication: 1 URL is posted on average 1.59 times
• Twitter posts with URLs: ~26%
• Downloaded objects: ~60GB per month
• The most popular single URL posted to Twitter:
– http://tinyurl.com/nxsavh
– http://getiton.com/go/g1108066-pct

Our Robot(s) – Red Twarf

Whitetwarf
• An early prototype system
• Receives a subset of the tweets via Twitter search
• Stores external metadata from Twitter
• Processes text part for internal metadata
– User references, hashtags, informal tags
• Creates canonical text representations
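The "Twitter and Google SB API" slide sketches how a URL is broken into host suffixes and path prefixes before hashing. The following added Python example (not from the slides or either crawler) implements the full set of lookup expressions from the legacy Safe Browsing v2 lookup rules and checks their MD5 digests against a constructed blocklist; it simplifies by skipping percent-decoding and IPv6 literals.

```python
import hashlib
from urllib.parse import urlsplit


def lookup_expressions(url):
    """Host-suffix / path-prefix combinations checked by the Safe Browsing
    v2 lookup rules. Simplified: no percent-decoding, no IPv6 literals."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"

    # Host candidates: the exact host, then up to four suffixes taken from
    # the last five labels, dropping the leading label each time.
    # IP-literal hosts are only checked exactly.
    hosts = [host]
    labels = host.split(".")
    if not all(label.isdigit() for label in labels):
        tail = labels[-5:]
        for i in range(len(tail) - 1):
            suffix = ".".join(tail[i:])
            if suffix not in hosts:
                hosts.append(suffix)

    # Path candidates: exact path with query, exact path without query,
    # then "/" and up to three directory prefixes (four prefixes in total).
    paths = []
    if parts.query:
        paths.append(path + "?" + parts.query)
    paths.append(path)
    dirs = [d for d in path.split("/") if d]
    if not path.endswith("/"):
        dirs = dirs[:-1]  # the last component is a file name, not a directory
    for n in range(min(len(dirs), 3) + 1):
        prefix = "/" + "".join(d + "/" for d in dirs[:n])
        if prefix not in paths:
            paths.append(prefix)

    return [h + p for h in hosts for p in paths]


def md5_hex(expression):
    return hashlib.md5(expression.encode("utf-8")).hexdigest()


def first_blocked(url, blocklist):
    """Return the first lookup expression whose MD5 is on the blocklist,
    or None when nothing matches. blocklist is a set of hex MD5 digests."""
    for expr in lookup_expressions(url):
        if md5_hex(expr) in blocklist:
            return expr
    return None


# Constructed sample blocklist: the whole "/1/" directory on b.c is listed.
SAMPLE_BLOCKLIST = {md5_hex("b.c/1/")}
```

Listing a directory prefix is what lets one blocklist entry cover every page beneath it, which is why the slide's example expands one URL into several candidate strings before hashing.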
File details: PDF, 38 pages, English.