A group of security researchers have developed an automated "honeybot" system for protecting against the use of social botnets, such as the infamous Koobface, an increasingly popular strategy for spreading malware and spam via Facebook and Twitter.
A team of computer scientists from the University of Illinois at Urbana-Champaign and the University of Washington have created a system called Sodexo, which aims to study social botnets from the inside and works out how to take them down
Social botnets are created via infected user’s device and compromise their social networking accounts. The compromised account is then used to send spam messages to the user’s contacts, containing links to websites with the executable malware.
To sneak into the social botnet, Sodexo creates fake accounts and farms out a series of friend requests, until it achieves a critical mass.
It then simply watches its social network on the look out for links to follow – once it finds one linking to unblocked malware, it can simply follow it and become part of the social botnet.
This honeypot then goes in to exploitation mode, where it attempts to glean as much information as possible about the workings of the botnet.
Sodexo uses a combination of data mining and machine learning techniques to infer the structure of the botnet and identify command and control channels.
It can also help detect signatures for malware and spam, to improve the efficacy of intrusion detection systems and spam filters and even alert users.
According to the team's research paper, Sodexo was able to learn enough about social botnets to be able to restrict their lifespan to a mere five days, helping wipe out botnet populations on the systems they studied.
“Deploying deception through honeybots signiﬁcantly reduces the botnet population, even when the number of honeybots is small relative to the population size,” they concluded.