In Social Zombies II: Your Friends Need More Brains, Tom Eston, Kevin Johnson and Robin Wood continue the Zombie invasion from "Social Zombies: Your Friends want to eat Your Brains" presented at DEFCON 17. This presentation will further examine the risks of social networks and then present new techniques and tools that can be used to exploit these issues. This presentation begins by discussing new twists on existing privacy concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests. The presentation then discusses social network botnets and bot programs. Both the delivery of malware through social networks and the use of these social networks as command and control channels will be examined. Tom, Kevin and Robin next explore the use of browser-based bots and their delivery through custom social network applications and show new ways social network applications can be used for malware delivery. Finally, the information available through the social network APIs is explored using third-party applications designed for penetration testing. This allows for complete coverage of the targets and their information. This was presented at Shmoocon 2010 on February 6, 2010.

1. SOCIAL ZOMBIES II
Your Friends Need More Brains

2. Starring...

3. tom Eston

4. Robin
Wood

5. Kevin Johnson

6. Social Networks
Where are we today?

8. 350 Million Users
(how many of these are fake?)

9. 120 Million Login Daily

11. 6.2 million joining Twitter
every month

12. End of 2009:
75 Million Users

13. It’s all about trust...

14. Fake accounts? Orly?

25. Who is the most dangerous
woman on the Internet?

28. Advanced
Persistent
Threat

31. What makes a
Jessica Biel?

35. Thank You!
Prabhu Deva
and
Nathan Hamiel

36. Lava Roll
FTW

37. Still easy to exploit trust!
• More difficult to tell a bot from a real
account
• Accounts are easy to create
• Socnet User Verification = FAIL
• Twitter “Verified” Accounts?
• Connections based on other “friends”

38. New Privacy Concerns

39. New Facebook Privacy
Settings
• Your info is even more open!
• Your Name, Profile Picture, Gender, Current
City, Networks, Friend List, and Pages are all
public
• “Suggested” settings are set to EVERYONE
• Zuckerburg says users don’t want privacy...

40. Really?

41. Epic FAIL?

42. Blippy FTW

43. Blippy FTW

44. "I Joined BLIPPY and all I got
was Jacked at the ATM"
- Chris Nickerson (@indi303) via Twitter

45. What about the ultimate
stalker tool?

46. Geo-Location Tracking

50. Blippy + Foursquare +
Facebook + Twitter +
LinkedIn = PWNAGE

51. Why the **** would Socnets
do this??

53. “The more info you share...
...the more valuable you are”

54. Real Time Search FTW

55. How do pen testers and
attackers use this?
Thank you Social Networks!

56. Wealth of recon
information!
• Socnet Search Engines
• Maltego (Twitter and Facebook)
• Google Hacks
• site:facebook.com inurl:group (bofa | "bank of america")
• Manual Searching
• Status Updates
• Real Time Search

57. Infiltrate a company with
this information!

58. New Security Concerns

59. Koobface Evolving
• Still the #1 socnet
worm
• Targets all major
socnets
• Socnet chat vectors
• Now with CAPTCHA
• Adobe/IE 0day, Zeus
Trojans FTL
*Screen shots via McAfee Labs/PandaLabs

60. Danger!
Social
Network
Applications

61. Months of Bugs!
• July 2009 - Month of Twitter Bugs (Aviv Raff)
• September 2009 - Month of Facebook Bugs
(theharmonyguy)
• Vulnerabilities affecting over 9,700 Facebook
applications
• Over half of vuln apps had passed the Facebook
“Verified” Application program
• Six of the hacked applications in the “Top
10” (Farmville and Causes!)
• Most could be used with ClickJacking to install

65. More than 218 million Facebook users
were vulnerable!

66. Facebook Application
Autopwn Demo
http://www.youtube.com/watch?v=chvwtGPkAIQ

67. Advanced
Social Network Bots

68. More Evil Twitter Bots
• Bots that pull
trending
topics...post
malware links
• Used recently to
promote warez like
pirated movies
• Easy to code.
Twitter API FTW

69. Better Automated Tools
• Tools are getting more reliable
• CAPTCHA bypass built in, able to off load to
outsourced solution
• Automated tools are cheap!
Why roll your own?
(or get it for free via Torrent!)

72. What is it?
Command and control system
running over social media

73. Written in Ruby as a
proof of concept
Not optimized. Not stealthy.

74. Currently runs over:
•Twitter
• JPEG
• TinyURL

75. And now...

76. Uses LinkedIn API to read
and write the Status field

79. Also new...
Windows Support
Basic Ruby install with a few
gems and off it goes

80. What’s Next?
Other media types, possibly non-
HTML based.
Please give suggestions!

81. New KreiosC2 Demo
http://www.vimeo.com/9295657

82. Third Party APIs FTW

83. SocNet APIs
• Social network
APIs provide a
wealth of
information
• All the big ones
offer them
• Some play
catch up
• We get to play
with these APIs

84. Im'ma Let You Finish
• New front end for
Social Butterfly
• KanyeWestify
allows us to
update your wall

85. Westify'ing someone
• Select a friend
• Drop down helps
• Their wall now has the
update

86. So what did we do?
• Using the API, we grabbed the user's
information
• And their Friends' data
• In this version we used the FQL
queries from theHarmonyGuy
• Full backup of your account
• We also used JS to brute force
browser history
• We can map visited pages to user's
of Facebook!
• Marketing FTW!

87. Have the undead won?

88. We need more brains!
• User education...yeah, it’s hard
• Better privacy controls
• End opt-in developer models
• Tighter control of APIs

89. Questions?
• News, Research, Guides,Video’s
SocialMediaSecurity.com
• Download KreiosC2
digininja.org
• Follow us...if you dare
@agent0x0, @digininja, @secureideas