How do you know that last friend request or Twitter follower was an actual live human being? The truth is...you don't! Bots and bot manufacturers have become rampant in social networks such as MySpace, Facebook and Twitter exploiting the trust relationships that make social media work. Why are bots taking control of social networks? It's simple. Social networks are the fastest growing phenomenon of our time. For example, Facebook alone recently reached 150 million potential targets for spammers, malware authors, and other undesirables in 2008. Social networks are only getting bigger and bots will be part of this trend. This presentation will take you on a journey into the thriving bot underground where bots are manufactured for every purpose imaginable. We will talk about good bots, bad bots, really evil bots, how to identify bots, terminating bots and the future possibility of social network botnets to rule them all. This was presented at Notacon 6 in Cleveland Ohio.

1. Rise of the Autobots
Into the Underground of Social Network Bots

2. Hi! I’m not a bot
• Tom Eston
• Social Media Security
Researcher
• Pentester
• Bot lover
• Blog: spylogic.net
• Podcast: securityjustice.com
• Tweet me: agent0x0

3. WARNING!
What you are about to see violates
the Terms of Service (TOS) and
acceptable use policies of social
networks!
Accounts used in these tests have
been deleted or “removed” (not by
me...)
Don't try this at home!
KTHKSBAI

4. Social Networks

6. 200 Million Users

8. 110 Million Users

10. 35 Million Users

12. Grew 752% in 2008

13. 8 Million Visitors in
March 2009

14. quot;Social Networks & Blogs
are now the 4th most
popular online activity,
ahead of personal email.quot;
-Nielsen Online Report,
March 2009

15. It’s a target rich environment...

16. The Culture of Trust

17. Why is trust
important?
• It’s how social networks
work!
• Trust EVERYONE!
• Share as much as
possible...the social networks
don’t mind!
• Social networks are mining
your data!

18. Trust exploited
by Bots??

20. Bot or Not?

21. BOT!!
Bot or Not?

22. Bot or Not?

23. BOT!!
Bot or Not?

28. FAIL!

29. Bot or Not?

30. BOT!!
Bot or Not?

31. Bot or Not?

33. Not a Bot!

34. Not a Bot!
But still...
LOTS OF FAIL!

35. Bot or Not?

36. BOT!!
Bot or Not?

44. Biggest
Rick Roll ever?

45. Biggest
Rick Roll ever?

46. Biggest
Rick Roll ever?

47. Biggest
Rick Roll ever?

48. What’s the point?
• Trust is easy to exploit!
• People will trust bots...
• Accounts were created and
used with tools we will talk
about
• Rick Astley is EVIL!

49. The Rise of
the Bots

50. What are bots?
“...perform tasks that are
both simple and structurally
repetitive at a much higher
rate than a human alone.”
“Applications that run
automated tasks”

51. Ever see this?

52. Why use Bots?
• Automation...on a mass
scale
• Easy to use
• Multiple purpose
• Malware, Blackhat SEO,
phishing...pr0n!
• Highly Effective

53. The Bot
Underground

54. “It’s the “Spammers Choice!”

55. The Underground
Business Model
• Create and Sell accounts
• Buy and Use accounts
• Custom bot scripts and
software (Freelancing)

56. It’s all about
Blackhat SEO...
• Not just for search engine
rankings!
• Evil Search Engine
Optimization techniques...
• PPC (Pay Per Click)
• PPI (Pay Per Install)
• Cookie Stuffing
How money is made on the “net”

57. Want to know
more?

58. What’s for Sale?
• Hacked accounts
• Hacked accounts w/friends
(more friends, more $$)
• Webmail accounts (verified)
• Bot software/scripts
• Services!

59. Example...

60. Let’s talk $$
• Facebook w/30+ Friends = $8
• Facebook Phone Verified = $5/$6
• 1,000 Gmail Accounts = $13
• 500 YouTube Accounts = $30

61. But there are controls
in place, right?

62. What about
CAPTCHA?

63. CAPTCHA=FAIL
• Algorithms can be
cracked
• OCR technology
• They have hawt chix
• and if that doesn’t
work...

64. OUTSOURCE IT!

65. OR...use Melissa!
She wants you..srsly

66. What about
Friend Request/
Messaging
Controls...

67. Phone SMS
Verification?
• Great idea! But...can be
broken..

68. It kind of works,
but...
• Prepaid cell phones
• Overseas virtual
SMS Services (SMS
Receive)
• SMS back to ICQ
and Yahoo
Messenger (works
with some socnets)

69. How about rate
Limits?
• Easy to bypass...just test it,
modify your code and/or slow
down!

70. Types of Bots on
Social Networks

71. Good Bots

72. Twitter Bots

73. n0taB0t
• Tweets
mindless
rants....
• Likes to reply
to you
• Likes Notacon
• Mostly
harmless

74. Annoying Bots

76. Auto Follow/
Reply
• Bots looking for “keywords” in
your tweets...

77. Evil Bots

78. U-Bot

79. U-Bot in Action

80. Webdominator

81. Webdominator in Action

82. Need help?

83. Other Pay Services

84. Realboy
• Project to make Twitter bots as
human as possible!
• Real interactions with your
Twitter network
• Source code available...

85. Social Network
Botnets?
• Malware distribution for C&C
• Koobface!
• DDos botnet via third-party
applications
• Facebot!
• Control a botnet via Twitter?

86. Twitter for Botnet C&C
• Bot looks for commands on
legitimate Twitter accounts
• Takes action based on the
command
• Commands are obfuscated
• Proof of Concept code
released today at Notacon!
• “TwitterBot” created by Robin
Wood aka: @digininja

87. Twitterbot C&C In Action

88. TwitterBot
Enhancements
• add a hash (or part of) to the
command to stop fake
requests
• encrypt the whole command
(obfuscation)
• get the bot to talk back
Get it now at:
http://www.digininja.org/twitterbot/

89. Is the end near?
How to stop the bots!

90. Bot detection
• Look carefully!
• Lots of
clues..spammer
s are doing it
wrong!
• Programs/API’s
to detect
(Twitter
specific)

91. Some possible
solutions...
• Account creation/message
throttling
• Why can you still create
multiple accounts from the
same IP?? WTF?
• No more opt-in developer
models!
• Education of users? We can
try...the socnets won’t!

92. But wait...there’s
more!
• socialnetworkbots.com
• open source project
• Twitter and other bots
(n0tab0t)....
• get the code...don’t use your
real account!
• Twitterbot Command & Control
POC Code:
www.digininja.org/twitterbot

93. Questions?