Last-minute presentation:

12:10 - 12:40 Twarfing: malicious tweets, Costin Raiu (Kaspersky Lab), and Morton Swimmer, Rainer Link and David Sancho (Trend Micro)

Twitter is a web and mobile phone service that has become a major player in the social networking world over the last few years. Because it overlaps with so many other services, it is hard to describe. It is not quite Instant Messaging, nor Tumblelogs, nor RSS feeds. It is not entirely a social network either, though it augments these. It normally provides 140 characters of unstructured space to broadcast a message to anyone who decides to listen. The listening can happen via Twitter's own website, via one of their APIs, or via SMS (mobile phones). In some ways, Twitter is replacing RSS feeds, while providing an RSS feed API to its streams. While Twitter does not impose any structure on those few characters, some order has been established by the users over time through special syntax that denotes things like other users (@user), tags (#tag), or retransmissions (retweets, "RT").

Increasingly, Twitter interacts with other services. First and foremost, the lack of message space has made URL shorteners much more important than they were before. But other add-on services have been important too, such as search, grouping, and tagging. The brilliance of Twitter was to resist closing off access to these add-ons and even to embrace (or buy) them as it saw fit. However, Twitter's openness is also a problem.

There is nothing particularly evil about Twitter itself, but like any medium, it can be used for good as well as for bad. Society still has to sort out how a medium like Twitter should be used. However, we are more concerned with more direct attacks on the user or other malicious use of Twitter. We have seen the obvious CSRF and XSS attacks. Links in Twitter messages have pointed to malware or malicious sites. Malware has used Twitter as a command and control medium. All of this should not be surprising to security experts.

In a project we call Twarf, we are exploring more generic patterns of abuse. For instance, some attacks exploit the social nature of Twitter: someone posts a link he liked, someone else also likes it, so she retweets it, and so on. A recently observed attack piggybacks on this template and retweets a malicious link in place of the original. In our system, one component called WhiteTwarf collects tweets and data-mines them for possible attacks, while another component called RedTwarf uses the generated patterns to detect attacks based on the templates that were found.

In this paper, we shall explore Twitter as a social networking medium and as a set of technical APIs. We shall see how WhiteTwarf and RedTwarf work and what results we have had so far in this young project.

The paper will also describe the design and implementation of an automated system which scans the Twitter public timeline, extracts all URLs and analyses them in various ways for malicious content. The system enables us to track what malware is being distributed over Twitter, as well as identifying infected users and malicious profiles which have been specifically crafted by the bad guys in order to spread malware.
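As an added illustration of the retweet-template abuse and the URL-extraction pipeline described above (example code written for this page, not the WhiteTwarf/RedTwarf implementation), the snippet below parses Twitter's informal syntax (@user, #tag, "RT @user:") and flags retweets whose link does not match any link in the quoted user's own tweets. The regular expressions and the sample timeline are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed patterns for Twitter's user conventions: "RT @user:" prefix, @mentions,
# #tags and plain http(s) URLs. Real tweets are messier; these are for illustration.
RT_RE = re.compile(r'^RT\s+@(\w+):?\s*(.*)$', re.DOTALL)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
MENTION_RE = re.compile(r'@(\w+)')
TAG_RE = re.compile(r'#(\w+)')


def parse_tweet(text):
    """Structured view of one tweet: who it retweets, body, URLs, mentions, tags."""
    m = RT_RE.match(text.strip())
    source = m.group(1).lower() if m else None
    body = m.group(2) if m else text
    urls = [u.rstrip('.,;:)') for u in URL_RE.findall(body)]  # trim trailing punctuation
    return {"rt_of": source, "body": body.strip(), "urls": urls,
            "mentions": [u.lower() for u in MENTION_RE.findall(body)],
            "tags": [t.lower() for t in TAG_RE.findall(body)]}


def normalise(url):
    """Compare links by host and path only. Shortened URLs (bit.ly etc.) would
    need to be expanded first; this example compares them as written."""
    p = urlsplit(url)
    return (p.netloc.lower(), p.path.rstrip('/'))


def find_link_swapped_retweets(tweets):
    """Flag retweets whose link matches none of the quoted user's own links.
    `tweets` is a list of (user, text). Returns (retweeter, quoted_user, url)."""
    by_user = {}
    for user, text in tweets:
        by_user.setdefault(user.lower(), []).append(parse_tweet(text))
    hits = []
    for user, text in tweets:
        t = parse_tweet(text)
        if not t["rt_of"] or not t["urls"]:
            continue
        originals = {normalise(u) for o in by_user.get(t["rt_of"], []) for u in o["urls"]}
        if not originals:
            continue  # original never seen in our sample: cannot judge, do not flag
        hits.extend((user, t["rt_of"], u) for u in t["urls"] if normalise(u) not in originals)
    return hits


# Constructed sample timeline (fictional users and links).
SAMPLE = [
    ("alice", "Great write-up on #malware trends http://example.org/report"),
    ("bob", "RT @alice: Great write-up on #malware trends http://example.org/report"),
    ("mallory", "RT @alice: Great write-up on #malware trends http://bad.example/dl.exe"),
]
```

Run `find_link_swapped_retweets(SAMPLE)` to see only the third tweet flagged: same quoted author, same text, different link.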

The presentation will describe the system's technical details and implementation, provide statistics on which malware is most common on Twitter, and look at how the bad guys have adapted their tactics in order to evade newly implemented security features.
