Introduction
It's no secret that social networks have long been attractive platforms for various kinds of cyber crime, such as spam, phishing, account pharming and others. The reason lies in a number of properties shared by all social networks which attackers can turn to their own ends. These properties are primarily:
- A huge user base
- The emergence of trust relationships, both between individual users and between groups of users
- Wide distribution of the user base across geography and time zones
- Low computer literacy among social network users
Anyone familiar with information security needs no explanation that, combined with technical and social engineering methods, these properties make it possible to achieve the desired result quickly and with minimal effort.
Legitimate vulnerability
At the moment, providing an API for building third-party applications has become the de facto standard for social networks. In most cases it is assumed that applications built with these APIs will not be harmful, and of course, given the huge number of applications created, checking each of them seems an impossible task. Accordingly, applications are added to the social network's catalogue without proper verification of whether they are malware.
The situation is further aggravated by the trust relationships mentioned above and, above all, by trust in the social network itself. Although the administration clearly states that these applications are a third-party product, most users pay no attention to this, preferring to trust any application by default.
As a result, attackers are able to add and distribute malware using the tools provided by the social network itself.
Wormholes
The large social network Facebook is regularly subjected to worm attacks; a special term, "rogue app", has even come into use. Using entirely legitimate means provided by the Facebook API, worms spread by sending messages to the friends of an infected account. Of course, the main purpose of these worms is to spread other malware that infects the user's machine, thereby building a botnet.
The domestic (Russian) VKontakte network is subject to similar attacks. In that case there were also direct attacks on the user's machine through vulnerabilities in Flash.
I will not go deeper into such attacks, since most of them have already been covered on Habr.
So where is my botnet, or the first sign of things to come
Apparently, the idea of using social networks to organize a botnet is as old as the APIs themselves. In this article I would like to draw attention to a relatively new approach. This year a group of Greek researchers created a proof-of-concept Facebook application that, without the users' knowledge, carried out a DDoS attack on a given target (a server controlled by the researchers).
The application itself was a "Picture of the Day" that loaded an image from the National Geographic server into the user's profile. In parallel with that download, client-side JavaScript code was executed which loaded a file from the attacked server into a hidden iframe.
In effect, an elementary botnet was created that saturated the attacked server's channel. The possibility of building a distributed botnet simply by executing legitimate code in the application user's browser was clearly demonstrated.
Interested in how this topic has developed, I went to Google to search for evidence of real attacks using similar methods. I could not find much information in the public domain. I found only one mention, on the Facebook application developer blog, which by the way is also quite interesting in itself. In that case one application attacked another by sending requests to the attacked application in an infinite loop. According to the author of the attacked application, it took him several days to determine the nature of the attack (because the attacking application disguised itself by replacing the referrer), and the problem itself was resolved by banning connections from other applications.
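The two incidents above share a shape from the defender's side: many unrelated browsers pull the same resource into a hidden frame, and the referrer (which the attacker controls and, as the developer-blog case shows, can rewrite) is the only hint of where the traffic comes from. The following is an added example, not code from the article or from the researchers it describes, showing how the attacked server could triage such traffic. It assumes a hypothetical one-request-per-line log format and constructed sample entries; the `site=`/`dest=` fields stand for the browser's Fetch Metadata headers (`Sec-Fetch-Site`, `Sec-Fetch-Dest`), which only newer browsers send, so a missing value is treated as unknown rather than hostile. The thresholds are illustrative.

```python
"""Server-side triage of a request flood driven by third-party app code.

Added example, not from the original article. The log format, field
names and thresholds are assumptions chosen for the demonstration.
"""
import re
from collections import defaultdict, deque

# Hypothetical log format, one request per line:
#   <unix_ts> <client_ip> <path> referer=<host|-> site=<sec-fetch-site|-> dest=<sec-fetch-dest|->
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) (?P<path>\S+) referer=(?P<referer>\S+) "
    r"site=(?P<site>\S+) dest=(?P<dest>\S+)$"
)

EMBED_DESTS = {"iframe", "frame", "embed", "object"}
WINDOW_SECONDS = 10     # sliding window for both checks below
PER_IP_LIMIT = 5        # more than this many hits from one IP per window -> throttle
CAMPAIGN_MIN_IPS = 3    # same referer+path from this many IPs per window -> alert


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    req = m.groupdict()
    req["ts"] = int(req["ts"])
    return req


def is_cross_site_embed(req):
    """Fetch Metadata check: a page on another site is pulling this resource
    into a frame. Resources that are never meant to be embedded can simply
    be refused here; the browser, not the attacker, sets these headers."""
    return req["site"] == "cross-site" and req["dest"] in EMBED_DESTS


class FloodMonitor:
    def __init__(self, window=WINDOW_SECONDS, per_ip_limit=PER_IP_LIMIT,
                 campaign_min_ips=CAMPAIGN_MIN_IPS):
        self.window = window
        self.per_ip_limit = per_ip_limit
        self.campaign_min_ips = campaign_min_ips
        self.ip_hits = defaultdict(deque)   # ip -> timestamps within the window
        self.campaign = defaultdict(dict)   # (referer, path) -> {ip: last_ts}
        self.alerted = set()                # (referer, path) keys that tripped the alert

    def _trim(self, dq, now):
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def handle(self, req):
        """Return 'deny-embed', 'deny-rate' or 'allow' for one request.

        The referer-based campaign check only records an alert: a referer is
        attacker-controlled (the article's second case had it rewritten), so
        it is evidence for an analyst, not a blocking decision."""
        now = req["ts"]
        if is_cross_site_embed(req):
            return "deny-embed"
        dq = self.ip_hits[req["ip"]]
        self._trim(dq, now)
        dq.append(now)
        if len(dq) > self.per_ip_limit:
            return "deny-rate"
        key = (req["referer"], req["path"])
        seen = self.campaign[key]
        seen[req["ip"]] = now
        for ip, ts in list(seen.items()):
            if now - ts > self.window:
                del seen[ip]
        if len(seen) >= self.campaign_min_ips:
            self.alerted.add(key)
        return "allow"


def triage(log_text, monitor=None):
    """Run every line through the monitor; return decision counts and alerts."""
    monitor = monitor or FloodMonitor()
    counts = {"allow": 0, "deny-embed": 0, "deny-rate": 0, "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        if req is None:
            counts["unparsed"] += 1
            continue
        counts[monitor.handle(req)] += 1
    return counts, sorted(monitor.alerted)


# Constructed sample: two ordinary visitors, two modern browsers framing the
# image from an app page, three older browsers with a rewritten referer, one
# looping client, and one malformed line.
SAMPLE_LOG = """
100 203.0.113.10 /index.html referer=- site=none dest=document
101 203.0.113.11 /index.html referer=search.example site=cross-site dest=document
102 198.51.100.1 /big.jpg referer=apps.social.example site=cross-site dest=iframe
102 198.51.100.2 /big.jpg referer=apps.social.example site=cross-site dest=iframe
103 198.51.100.3 /big.jpg referer=cdn.decoy.example site=- dest=-
103 198.51.100.4 /big.jpg referer=cdn.decoy.example site=- dest=-
104 198.51.100.5 /big.jpg referer=cdn.decoy.example site=- dest=-
105 198.51.100.6 /big.jpg referer=- site=- dest=-
106 198.51.100.6 /big.jpg referer=- site=- dest=-
107 198.51.100.6 /big.jpg referer=- site=- dest=-
108 198.51.100.6 /big.jpg referer=- site=- dest=-
109 198.51.100.6 /big.jpg referer=- site=- dest=-
110 198.51.100.6 /big.jpg referer=- site=- dest=-
111 198.51.100.6 /big.jpg referer=- site=- dest=-
this line is not a log entry
"""

if __name__ == "__main__":
    counts, alerts = triage(SAMPLE_LOG)
    print(counts)   # {'allow': 10, 'deny-embed': 2, 'deny-rate': 2, 'unparsed': 1}
    print(alerts)   # [('cdn.decoy.example', '/big.jpg')]
```

Two design points: the Fetch Metadata refusal is the only check that can safely block on its own, because the browser sets those headers regardless of what the embedding page does; the per-IP limit catches a single misbehaving client but not a flood spread over thousands of short-lived visitors, which is exactly why the referer/path aggregation exists, and why it only raises an alert for a human to act on (for instance by blocking the offending application, as the blog author did).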
Conclusion
In the form in which they are provided now, social networking APIs can be used as platforms for various types of attacks. Of course, the simplest and most effective application is a DDoS attack.
I see three main points that make this method of building a botnet attractive to attackers:
- Ease of writing. Elementary JavaScript code is enough (hello, scripts).
- Ease of distribution. In a few days you can get a botnet of several thousand users.
- High attack distribution, which makes it harder to block
Of course, there are also a number of disadvantages:
- The difficulty of controlling the botnet and the limited set of actions available
- For high throughput, a certain threshold of simultaneous users of the application must be reached.
- Most applications are used for only a few minutes, which minimizes the effectiveness of the attack.
- Relative ease of defence
With some effort, attackers could overcome these drawbacks, increasing the attack's effectiveness and making it harder to detect or block. I also want to add that, besides DDoS attacks, a number of other malicious actions can be carried out with this kind of botnet.
As an afterword, I note that this method can also be used for good: there are already proof-of-concept JavaScript applications for distributed computing. Time will tell in which direction development will go, and whether it will go at all.