Social Zombies: Your Friends Want To Eat Your Brains presented at OWASP Appsec 2009

by Kevin Johnson, Tom Eston (Fortune 500 Financial),

Tags: Security Botnets


Summary : In Social Zombies: Your Friends want to eat Your Brains, Tom Eston and Kevin Johnson explore the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sowed today, this presentation will examine the risks and then present tools that can be used to exploit these issues. This presentation begins by discussing the various privacy concerns that are caused by the trust mass that is social networks. We use this privacy confusion to exploit members and their companies during our penetration tests. The presentation then discusses typical botnets and bot programs. Both the delivery of this malware through social networks and the use of these social networks as command and control channels will be examined. Tom and Kevin next explore the use of browser-based bots and their delivery through custom social network applications and content. This research expands upon previous work by researchers such as Wade Alcorn and GNUCitizen and takes it into new C&C directions. Finally, the information available through the social network APIs is explored using the bot delivery applications. This allows for complete coverage of the targets and their information.

Tom Eston: Tom Eston is a penetration tester for a Fortune 500 financial services organization. Tom currently serves as the security assessment team lead. Tom began his career over twelve years ago as a systems and network administrator for several large and medium size businesses. He began his career in security by helping form an information security department for a real estate development company. Tom is actively involved in the security community and focuses his research on the security of social media. He is a contributing author to a social media eBook and has written a Facebook Privacy & Security Guide which is used in several major universities as part of student security awareness programs. Tom is also a security blogger, co-host of the Security Justice podcast and is a frequent speaker at security user groups and conferences. Tom recently gave a talk at Notacon 6 titled "The Rise of the Autobots: Into the Underground of Social Network Bots".