Koobface on Facebook: How malicious contents sneak into social networking Mohammad Reza Faghani
Outline Introduction Trend of Web malware Social networks malware What is XSS!? Potentials of XSS Worms Social Networks XSS worm propagation ClickJacking malware propagation Trojan malware propagation Summarizing the results from various studies Recent study results Our proposed scheme for malware detection Conclusion
Introduction Four key threats to consider Spam Bugs Denial of Service Malicious Software (malware) Propagate via Spam Exploits bugs Mount DOS Viruses, Worms, Trojans, SpyWare ScareWare,
Introduction (cont.) Why is malware so important to study? Privacy and security issues Cyber War Stuxnet, Predator Drone ISPs struggle under virus generated traffic Cyber Criminals make a lot of money Hidden costs Reputation
Introduction (cont.) Malware is propagated via Email P2P networks Vulnerable OS services Mobile phones Web Can even be Hybrid
Trends of Web malware Web malware Most people frequently use Web Population of the victims are much larger than other types of malware. Social networks are popular among people No barriers for web users Malware writers prefer to exploit Web users Suppose each active user has on average 128kbps of bandwidth, potential of 10 percent of active users is : 80Mx128kbps= 10 Tbps 80% of web servers have critical vulnerabilities such as XSS (will discuss XSS later) Aggregated traffic of the web users browser would be huge
Social networks malware Samy could affect over 1 million people in less that 20 hours. MySpace was the first but : 1200000 1000000 800000 600000 Code Red I Code Red II Slammer Blaster Samy 1000000 Sina, July 2011 FB on March 29, 2011 400000 359000 275000 336000 ClickJacking types Almost everyday 200000 0 55000 Twitter on Sep. 2010
Propagation of a Malware
Why studying malware? To have a better understanding of propagation behaviors Damage assessment Providing enough traffic to avoid Denial of Service Detecting the weaknesses of spreading How we can counter-measure in the best way
Social networks malware We can consider three main types of social networks malware attacks: XSS worms e.g. Samy Trojans e.g. Koobface ClickJacking types Forced like Can lead to DriveByDownloads malware
What is XSS!? Cross Site Scripting (XSS) is a common vulnerability in web applications. Has two types: Reflected Stored
Reflected XSS Application reflects exactly what it gets from the user. user may inject a harmful script
Stored XSS Attacker stores a harmful script in the application database for further exploitation. Comments Forum talks FB Wall
XSS + AJAX = w0rm XSS threat becomes more noticeable due to the combination of HTML and AJAX technology. AJAX allows browsers to issue HTTP requests on behalf of the user. No need for the attacker to deceive the victim to click on a special crafted link!
XSS worm propagation XSS worm propagation consists of the following two steps: Download A visitor downloads (views) an infected profile and automatically executes the JavaScript payload. Propagation The payload is extracted from the contents of the profile being viewed and then added to the viewer s profile.
ClickJacking Worm Propagation Unwittingly clicking on a hidden like button and more friends get infected
Trojan Propagation Then they post a similar link on the victim s profile or send private messages to friends of the victim containing the malicious link. Sometimes, they ask you to download the appropriate decoder to play the movie, which is indeed the Trojan itself.
Research on OSN malware Three main papers on OSN malware propagation (in chronological order): [1] Faghani M. R., Saidi H., Malware Propagation in Online Social networks, Malware09, Montreal, 2009. [2] W. Xu, F. Zhang, and S. Zhu., Toward worm detection in online social networks, (ACSAC), 2010. [3] Guanhua Y., Guanling. And et al., Malware Propagation in Online Social Networks: Nature, Dynamics, and Defense Implications, (ASIACCS'11), March 2011.
Result Summary (from simulations) Social network structure itself slows down the worm propagation. 10000 9000 Total Number of Infected profiles 8000 7000 6000 5000 4000 3000 2000 1000 Random (q=0.9) Small World (q=0.9) 0.5 1 1.5 2 2.5 3 Number of Visits x 10 5
Result summary (cont.) User activities play an important role. 10000 Total Numer of Infected profiles 9000 8000 7000 6000 5000 4000 3000 2000 1000 q=1 q=0.9 q=0.7 q=0.5 q=0.3 q=0.1 0.5 1 1.5 2 2.5 3 3.5 4 Numbe of Visits Number of visits x 10 5
Result summary (cont.) Trojan type spreads faster than XSS 10000 9000 Total Number of Infected profiles 8000 7000 6000 5000 4000 3000 2000 1000 XSS Koobface, p=0.5 Koobface, p=0.7 0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 Times in minutes x 10 4
Result summary (cont.) Effect of Clustering coefficient is linear Time required to have the whole population infected 1.75 x 105 1.7 1.65 1.6 1.55 1.5 0.1 0.105 0.11 0.115 0.12 0.125 0.13 0.135 0.14 0.145 0.15 Clustering Coefficent
Result summary (cont.) Effect of Infection Probability is exponential Time required to have the whole population infected 10 x 105 9 8 7 6 5 4 3 2 1 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Probability of Executing the malware
Recent Results (1) Considering cliques Those who have common interests create a group. Total Number of Infected 10000 9000 8000 7000 6000 5000 4000 3000 2000 1000 A1 with 1 Clique C with 1 Clique A1 with 2 Cliques C with 2 Cliques 0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 Total Number of Visits x 10 5
Recent Results (2) Considering overlapping cliques: 10000 Total Number of Infected 9000 8000 7000 6000 5000 4000 3000 2000 1000 2 Cliques + 1 Common Clique 3 Cliques 3 Cliques + 1 Common Clique 4 Cliques 0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 Total Number of Visits x 10 5
Proposed Defense System Identify big cliques Among them distinguish those users who are connected to different cliques. Implement decoy friends or other detection mechanisms to detect malicious behaviors. It is more efficient than current Facebook classifier system.
Conclusion User relationship structure plays an important role in malware propagation. User activities affect speed of propagation. Propagation of XSS types is slower than that of Trojan types. A new defense mechanism can be built using OSN graph topology.
Acknowledgement Thank you Any Question?