1 00:00:00,083 --> 00:00:01,918 DANIEL CHECHIK: Hello. 2 00:00:01,918 --> 00:00:02,918 Hi. 3 00:00:02,918 --> 00:00:04,125 Hi, everyone. 4 00:00:04,501 --> 00:00:08,042 I'm Daniel Chechik and this is my colleague Anat Davidi, 5 00:00:08,042 --> 00:00:11,999 we are were with Trustwave Spiderlabs. 6 00:00:13,501 --> 00:00:15,999 We are going to show you security on RDI. 7 00:00:15,999 --> 00:00:16,999 Pay attention. 8 00:00:19,501 --> 00:00:23,667 ANAT DAVIDI: You better actually pay attention. 9 00:00:23,667 --> 00:00:25,626 I'm going to kind of help you out in case you can't see very well, 10 00:00:25,626 --> 00:00:28,083 but I won't tell you the cool parts. 11 00:00:28,125 --> 00:00:29,999 So this is a browser. 12 00:00:29,999 --> 00:00:30,999 (Applause). 13 00:00:30,999 --> 00:00:32,667 ANAT DAVIDI: Yeah, there you go. 14 00:00:41,167 --> 00:00:44,709 And this is our website, with a cool cat picture. 15 00:00:46,709 --> 00:00:50,375 Fiddler, which is an HTTP proxy, we will record all the traffic. 16 00:00:54,918 --> 00:00:56,999 And this is Google Translate. 17 00:01:11,999 --> 00:01:14,501 And that's Windows calculator! 18 00:01:16,876 --> 00:01:18,083 (Applause). 19 00:01:20,501 --> 00:01:22,125 And math. 20 00:01:24,542 --> 00:01:26,209 And that's it, really. 21 00:01:26,209 --> 00:01:29,999 No nah, I'm kidding. 22 00:01:29,999 --> 00:01:30,999 (Laughter). 23 00:01:30,999 --> 00:01:33,083 DANIEL CHECHIK: Okay, that's cool, because Google just exploited 24 00:01:33,083 --> 00:01:34,876 our machine. 25 00:01:35,083 --> 00:01:38,083 But before we go and talk about what are the RDI, 26 00:01:38,083 --> 00:01:41,709 went have one quick slide about why RDIs. 27 00:01:42,792 --> 00:01:45,584 Okay, security web scanners. 28 00:01:45,834 --> 00:01:49,751 That definitely looks like a really boring slide, but we are 29 00:01:49,751 --> 00:01:51,417 in DEF CON. 30 00:01:51,417 --> 00:01:53,459 So let's cut the crap and face the truth. 31 00:01:53,834 --> 00:01:57,459 There are 38 security URL scan engines on this list and they are all based 32 00:01:57,459 --> 00:02:01,083 on the same technology, most of them, actually. 33 00:02:01,667 --> 00:02:06,083 It doesn't matter how you call it, your reputation, it's just black list 34 00:02:06,083 --> 00:02:08,083 with fancy names. 35 00:02:08,501 --> 00:02:11,999 Of course, some of them are made with some other stuff, like, 36 00:02:11,999 --> 00:02:16,334 static analysis or even dynamic analysis, but the core of the majority 37 00:02:16,334 --> 00:02:18,167 is black list. 38 00:02:18,501 --> 00:02:22,959 It may sound surprising that in 2013 agent technology 39 00:02:22,959 --> 00:02:29,167 is still heavily used, but the fact is that it works pretty good. 40 00:02:29,999 --> 00:02:33,709 The way that your reputation is done is pretty simple. 41 00:02:33,709 --> 00:02:35,334 It's kind of a scoring system. 42 00:02:35,334 --> 00:02:40,999 So new domains or APs are more suspicious on popular websites. 43 00:02:41,417 --> 00:02:44,999 I mean, let's take Google.com, for instance. 44 00:02:44,999 --> 00:02:47,459 It's the website that everyone trusts, right? 45 00:02:47,459 --> 00:02:48,459 Right? 46 00:02:48,999 --> 00:02:50,083 ANAT DAVIDI: Okay. 47 00:02:50,083 --> 00:02:51,083 Sure. 48 00:02:51,083 --> 00:02:54,125 DANIEL CHECHIK: No one is ever going to black list Google. 49 00:02:54,125 --> 00:02:59,999 Okay, so we use the virus total to go to another popular website, yahoo.com. 50 00:03:00,417 --> 00:03:06,375 And you see it pretty much agrees, it's a clean website. 51 00:03:07,584 --> 00:03:11,999 One finds it suspicious, but I don't know why. 52 00:03:14,999 --> 00:03:16,542 What is RDI. 53 00:03:16,999 --> 00:03:19,667 You are probably wondering what the hell are we talking 54 00:03:19,667 --> 00:03:23,083 about and why are they talking about your reputation? 55 00:03:23,083 --> 00:03:26,167 Well, don't worry, and don't even bother to looking it 56 00:03:26,167 --> 00:03:28,834 up either, because we came up with this term, 57 00:03:28,834 --> 00:03:32,667 and even Wikipedia doesn't know what it means, but in a few minutes, 58 00:03:32,667 --> 00:03:34,417 you will know. 59 00:03:34,584 --> 00:03:35,709 Okay. 60 00:03:35,834 --> 00:03:38,542 So let's assume you have a user, we have some kind of a website 61 00:03:38,542 --> 00:03:41,834 to provide a service and we have a website. 62 00:03:41,918 --> 00:03:46,709 In the user accesses our website, you will see a legitimate website. 63 00:03:47,083 --> 00:03:49,501 If service accesses the website, it will receive 64 00:03:49,501 --> 00:03:52,083 the same legitimate website. 65 00:03:52,584 --> 00:03:54,999 Basically so far, who goes to our website 66 00:03:54,999 --> 00:03:58,083 is safe and shouldn't suspect anything. 67 00:03:59,167 --> 00:04:04,083 But if the user accesses our website, using the service, which download 68 00:04:04,083 --> 00:04:08,667 the content from our website, and does whatever it does with it, 69 00:04:08,667 --> 00:04:13,959 the code is executed and turn the page into a malicious page. 70 00:04:13,959 --> 00:04:17,834 ANAT DAVIDI: So that's sort of the bird's eye view on RDI. 71 00:04:17,834 --> 00:04:19,959 And now we are going to kind of take a look at what we need 72 00:04:19,959 --> 00:04:22,751 in order to execute such an attack. 73 00:04:22,999 --> 00:04:26,167 So the first thing we are going to need is one simple web page, 74 00:04:26,167 --> 00:04:28,959 and really any web page will do. 75 00:04:28,959 --> 00:04:30,501 We chose to use award press blog. 76 00:04:33,584 --> 00:04:36,542 And what we need is a trustworthy web utility 77 00:04:36,542 --> 00:04:40,375 and what I mean by trustworthy web utility. 78 00:04:40,501 --> 00:04:42,542 We need some sort of website that people are pretty 79 00:04:42,542 --> 00:04:45,999 familiar with, that's sort of trusted and it needs to have some sort 80 00:04:45,999 --> 00:04:48,375 of service that will take content that's provided 81 00:04:48,375 --> 00:04:50,792 by the user and manipulated somehow and finally 82 00:04:50,792 --> 00:04:53,542 in some way also return it to users. 83 00:04:53,834 --> 00:04:56,459 For example, we're going to use the yahoo cache service, 84 00:04:56,459 --> 00:04:59,751 and it doesn't really matter that it's Yahoo!. 85 00:04:59,751 --> 00:05:01,626 It could be Google, Bing. 86 00:05:01,999 --> 00:05:03,959 Anything will do really. 87 00:05:04,751 --> 00:05:07,584 And the last thing we need, we need a script, 88 00:05:07,584 --> 00:05:10,334 JavaScript code that will behave differently 89 00:05:10,334 --> 00:05:16,334 within certain contexts and really this will be the core of the concept of RDI. 90 00:05:16,334 --> 00:05:17,501 This will be a script that sort of represents 91 00:05:17,501 --> 00:05:20,417 the behavior that Daniel described earlier. 92 00:05:20,999 --> 00:05:26,334 It will behave differently when it's under the Yahoo! 93 00:05:26,334 --> 00:05:29,209 cache service and we will dig in the details of that. 94 00:05:29,959 --> 00:05:32,083 And of course, you need funny cat pictures and this 95 00:05:32,083 --> 00:05:34,999 is by the way what Daniel looked like when I said, let's put lots 96 00:05:34,999 --> 00:05:37,250 of funny cat pictures in there. 97 00:05:37,250 --> 00:05:39,667 DANIEL CHECHIK: No, it isn't. 98 00:05:39,667 --> 00:05:40,999 ANAT DAVIDI: Yes, it is. 99 00:05:41,918 --> 00:05:45,292 All right, so we are going to do a demo of Yahoo! 100 00:05:45,292 --> 00:05:47,667 cache, the attack but this time we will go into a bit more detail, 101 00:05:47,667 --> 00:05:49,999 not just show you a video. 102 00:05:49,999 --> 00:05:51,999 We will do it hopefully live. 103 00:05:51,999 --> 00:05:52,999 This is Vegas. 104 00:05:52,999 --> 00:05:54,292 We are gambling and hoping. 105 00:05:54,292 --> 00:05:57,292 This is my first time gambling in Vegas. 106 00:05:57,292 --> 00:06:00,209 I'm doing it live and let's hope I win. 107 00:06:00,999 --> 00:06:04,999 I will go to a website that we prepared and cached on Yahoo!. 108 00:06:05,125 --> 00:06:07,999 This is a regular Word Press blog. 109 00:06:08,209 --> 00:06:10,125 We can take a quick peek at the source. 110 00:06:11,250 --> 00:06:13,792 You will be able to see that there's nothing particularly 111 00:06:13,792 --> 00:06:15,626 suspicious about it. 112 00:06:15,626 --> 00:06:18,834 I know that there are important stuff you will have to trust us. 113 00:06:18,834 --> 00:06:21,125 We will not go over everything, but it's a completely clean Word Press 114 00:06:21,125 --> 00:06:25,250 website and the next thing we will do is we will go to the cached version 115 00:06:25,250 --> 00:06:29,083 of this website which we have prepared in advance. 116 00:06:29,501 --> 00:06:31,083 And see what happens. 117 00:06:32,459 --> 00:06:34,999 Now, we'll get to the end sort of RDI and the advantages 118 00:06:34,999 --> 00:06:37,125 of different services but the fun part about using 119 00:06:37,125 --> 00:06:40,459 a caching service is (Applause) ANAT DAVIDI: Hi. 120 00:06:47,626 --> 00:06:49,667 What's this called? 121 00:06:49,667 --> 00:06:51,375 AUDIENCE MEMBER: Shot the n00b. 122 00:06:51,375 --> 00:06:52,375 Shot the n00b. 123 00:06:52,375 --> 00:06:53,375 Why do we do it? 124 00:06:53,375 --> 00:06:54,459 First time speakers. 125 00:06:54,459 --> 00:06:56,125 We got one back there. 126 00:06:56,125 --> 00:07:04,459 There you go, first time attendee. 127 00:07:05,751 --> 00:07:08,375 You guys are like I don't even have to say it anymore. 128 00:07:24,999 --> 00:07:50,999 You guys know each other? 129 00:07:50,999 --> 00:07:51,999 ANAT DAVIDI: Yeah. 130 00:07:51,999 --> 00:07:52,999 Yeah. 131 00:07:52,999 --> 00:07:54,417 No, we don't know each other. 132 00:07:54,417 --> 00:07:55,417 Okay, cheers! 133 00:07:55,417 --> 00:07:56,417 Cheers! 134 00:07:56,417 --> 00:07:57,417 (Applause). 135 00:07:57,417 --> 00:07:59,834 ANAT DAVIDI: So as I was saying (Chuckles). 136 00:07:59,834 --> 00:07:59,834 The cool thing about using Yahoo! 137 00:07:59,834 --> 00:08:00,918 , we can remove it completely once the page is cached and we will have 138 00:08:00,918 --> 00:08:03,918 an attack that's completely hosted by Yahoo! 139 00:08:03,918 --> 00:08:05,375 and only by Yahoo! 140 00:08:05,375 --> 00:08:06,667 which is what we did here. 141 00:08:11,751 --> 00:08:18,999 And, you know, it's pretty nice. 142 00:08:18,999 --> 00:08:19,999 There we go. 143 00:08:24,876 --> 00:08:29,999 So we will take a look at the script and we will try 144 00:08:29,999 --> 00:08:35,250 to understand what happened and what we did. 145 00:08:35,999 --> 00:08:40,375 The first part is the first thing that the script really does is access 146 00:08:40,375 --> 00:08:44,209 a span tag that exists within the page, because we are running 147 00:08:44,209 --> 00:08:47,459 under Yahoo!'s cache, the Spam tag. 148 00:08:47,999 --> 00:08:49,125 Yahoo! 149 00:08:49,125 --> 00:08:51,667 is not responsible for the content of this page. 150 00:08:52,626 --> 00:08:56,209 We thought that would be a fun string to use and we decided 151 00:08:56,209 --> 00:08:59,999 to use this as a sort of key, we will take this string and we 152 00:08:59,999 --> 00:09:02,918 will generate some sort of pseudo unique key, 153 00:09:02,918 --> 00:09:05,667 just something unique for us. 154 00:09:05,667 --> 00:09:08,999 We encrypted most of our malicious code with this key. 155 00:09:10,459 --> 00:09:11,999 And yeah. 156 00:09:12,459 --> 00:09:15,999 The next thing we will do is this is a side track thing, 157 00:09:15,999 --> 00:09:20,999 that's used constantly in the wild, what we will do here is, we put 158 00:09:20,999 --> 00:09:24,918 in the page, a huge div tag, it includes waka number, 159 00:09:24,918 --> 00:09:27,083 waka number, waka. 160 00:09:28,792 --> 00:09:31,125 It's basically our malicious code. 161 00:09:31,125 --> 00:09:32,999 It's slightly obfuscated. 162 00:09:35,292 --> 00:09:38,083 It's tried to prevent the silly defenses that go, 163 00:09:38,083 --> 00:09:40,999 if you have a really strong string that has percent 164 00:09:40,999 --> 00:09:43,999 U in it many times, so just block it. 165 00:09:44,501 --> 00:09:48,709 So we replaced it with something, and we will fix it back here. 166 00:09:48,999 --> 00:09:50,999 And we will evaluate it. 167 00:09:58,999 --> 00:10:01,209 It means that right now we have some sort 168 00:10:01,209 --> 00:10:04,999 of string that has been de obfuscated and encrypted and it will try 169 00:10:04,999 --> 00:10:07,626 to turn it into JavaScript. 170 00:10:07,667 --> 00:10:10,125 So only if we are really in the contempt 171 00:10:10,125 --> 00:10:14,542 of Yahoo!'s caching service, that we knew exactly where it would be, 172 00:10:14,542 --> 00:10:17,000 only then will these two methods that we 173 00:10:17,000 --> 00:10:19,292 will try to execute actually exists 174 00:10:19,292 --> 00:10:22,999 because as you can see, they are not defined anywhere else 175 00:10:22,999 --> 00:10:24,999 within our code. 176 00:10:24,999 --> 00:10:27,250 We just pretty much showed you everything. 177 00:10:27,834 --> 00:10:32,667 And that's that's sort of how the script pulls off this cool trick. 178 00:10:32,667 --> 00:10:34,792 Do you want to take? 179 00:10:34,792 --> 00:10:37,501 DANIEL CHECHIK: Well, that's cool because we just managed 180 00:10:37,501 --> 00:10:40,083 to host our attack on Yahoo!. 181 00:10:40,834 --> 00:10:43,751 But we want to take things one step further. 182 00:10:43,751 --> 00:10:45,375 We want to make it more evasive. 183 00:10:46,250 --> 00:10:48,834 So this time, we'll use Google as an example, 184 00:10:48,834 --> 00:10:53,334 because we don't really want to pick on anyone in particular here. 185 00:10:53,334 --> 00:10:57,792 So here's Google Translate service, because I use it quite a lot. 186 00:10:58,000 --> 00:11:00,999 I don't know English quite a lot. 187 00:11:00,999 --> 00:11:03,918 ANAT DAVIDI: That's if you haven't noticed. 188 00:11:03,918 --> 00:11:05,083 Never mind. 189 00:11:05,083 --> 00:11:08,999 DANIEL CHECHIK: So this time we will execute our attack not only 190 00:11:08,999 --> 00:11:13,375 in the context we are in but we will actually construction our attack 191 00:11:13,375 --> 00:11:16,417 using Google translate service. 192 00:11:17,292 --> 00:11:19,751 So I hope you still remember the demo we presented 193 00:11:19,751 --> 00:11:21,501 in the beginning. 194 00:11:21,501 --> 00:11:24,876 We are going to get back to it now and take it step by step. 195 00:11:24,876 --> 00:11:28,334 So this is Google Translate service and we just typed in the link 196 00:11:28,334 --> 00:11:30,250 to our website. 197 00:11:30,250 --> 00:11:33,167 And asked Google to translate it from Hebrew to English. 198 00:11:33,999 --> 00:11:36,918 Of course, we can't really expect the user to browse 199 00:11:36,918 --> 00:11:39,999 through Google translate and type in the link to our website 200 00:11:39,999 --> 00:11:43,459 and get exploited because probably won't do it. 201 00:11:43,459 --> 00:11:44,959 ANAT DAVIDI: Hopefully. 202 00:11:44,959 --> 00:11:46,417 DANIEL CHECHIK: So as you probably notice, 203 00:11:46,417 --> 00:11:50,542 Google allows gave us the ability to generate a direct link 204 00:11:50,542 --> 00:11:55,751 to a translated page, including the languages in everything. 205 00:11:55,751 --> 00:11:57,083 So it shouldn't be a problem. 206 00:11:57,083 --> 00:11:59,918 And, of course, with this URL, we can spread it via email, 207 00:11:59,918 --> 00:12:02,792 social networks or any other media. 208 00:12:02,999 --> 00:12:04,709 And, again, it's Google. 209 00:12:04,709 --> 00:12:06,083 Who will black list Google? 210 00:12:07,459 --> 00:12:10,292 So let's take a look on the flow of the attack we 211 00:12:10,292 --> 00:12:13,626 will be using Google translate service. 212 00:12:13,626 --> 00:12:14,626 Okay. 213 00:12:14,626 --> 00:12:16,918 And the user trying to access our website. 214 00:12:17,083 --> 00:12:19,999 And using the Google translate service. 215 00:12:19,999 --> 00:12:25,417 So we access the content from our website and it simply sends 216 00:12:25,417 --> 00:12:29,334 back the content of the page. 217 00:12:29,459 --> 00:12:35,375 The Google translate drop the content and add some translation 218 00:12:35,375 --> 00:12:40,876 script, and finally, send it back to the user. 219 00:12:40,876 --> 00:12:42,999 The user browser translate the content of the page, and 220 00:12:42,999 --> 00:12:46,792 by doing so ANAT DAVIDI: Oh, we have this one. 221 00:12:46,792 --> 00:12:50,334 DANIEL CHECHIK: And by doing so, it creates the encryption key for us. 222 00:12:52,709 --> 00:12:56,959 Afterwards the JavaScript is executed and uses the key 223 00:12:56,959 --> 00:13:00,501 to decrypt the JavaScript, which turns the page 224 00:13:00,501 --> 00:13:03,125 into a malicious page. 225 00:13:03,709 --> 00:13:07,292 ANAT DAVIDI: Okay. 226 00:13:07,292 --> 00:13:10,459 So once more, we come and take a look at exactly how it happens. 227 00:13:10,751 --> 00:13:12,792 You will see that the concept, as you could see right now, 228 00:13:12,792 --> 00:13:14,999 the concept is very similar. 229 00:13:15,083 --> 00:13:16,918 What we wanted to do by giving two different services 230 00:13:16,918 --> 00:13:19,334 and two different examples is just show you where it defers 231 00:13:19,334 --> 00:13:22,667 between services and where it kind of looks the same. 232 00:13:22,667 --> 00:13:25,292 I'm not going to go over the things that look the same. 233 00:13:25,292 --> 00:13:27,626 I will just show you what we did with this one. 234 00:13:27,999 --> 00:13:30,999 So this time, we added a couple of div tags into the page 235 00:13:30,999 --> 00:13:33,125 with text in Hebrew. 236 00:13:33,626 --> 00:13:35,959 The first one contains the following text, 237 00:13:35,959 --> 00:13:38,876 as you can obviously see, it says "script" or is going 238 00:13:38,876 --> 00:13:42,626 to be translated to script by Google's translation. 239 00:13:42,999 --> 00:13:45,542 And we needed a key as well. 240 00:13:45,542 --> 00:13:49,083 So we used the obvious choice which is Bob Marley, and it translates 241 00:13:49,083 --> 00:13:54,375 to Bob Marley by the way, and we will use this to generate a key. 242 00:13:55,792 --> 00:13:59,667 You can see the waka div and it will look similar 243 00:13:59,667 --> 00:14:02,792 but yet kind of different. 244 00:14:02,792 --> 00:14:04,083 I hope you can read this. 245 00:14:04,999 --> 00:14:08,999 The first thing that is going to happen here, we will try to create 246 00:14:08,999 --> 00:14:12,250 an actual element within the DOM and this element is going 247 00:14:12,250 --> 00:14:16,083 to take content from within the translated page. 248 00:14:16,083 --> 00:14:17,459 We are going to try to dynamically fetch 249 00:14:17,459 --> 00:14:20,626 the awards script that was just translated by Google and generate 250 00:14:20,626 --> 00:14:24,083 the actual element script within the DOM of the page. 251 00:14:24,292 --> 00:14:26,999 Of course, this means if the Google translation scripts didn't 252 00:14:26,999 --> 00:14:30,209 work or anything went wrong this won create a script element and absolutely 253 00:14:30,209 --> 00:14:32,584 nothing malicious will happen. 254 00:14:34,209 --> 00:14:37,667 Now, the next thing we will do is we will take the key, Bob Marley 255 00:14:37,667 --> 00:14:40,999 and we will do actually, we will use the exact same code to generate 256 00:14:40,999 --> 00:14:43,751 the code and do the obfuscation. 257 00:14:43,751 --> 00:14:45,334 We're lazy and it works. 258 00:14:50,667 --> 00:14:54,501 We are decrypting our code, using Bob Marley, the English string, 259 00:14:54,501 --> 00:14:58,542 Bob Marley, which, again, only exists if Google's translation worked 260 00:14:58,542 --> 00:15:01,584 on our page, and as opposed to the caching service, 261 00:15:01,584 --> 00:15:04,167 which just sort of made sure that we are kind 262 00:15:04,167 --> 00:15:06,334 of under the Yahoo! 263 00:15:06,334 --> 00:15:07,334 cache context. 264 00:15:07,459 --> 00:15:09,459 The translation here, we actually waited for Google to do 265 00:15:09,459 --> 00:15:11,375 the translation work. 266 00:15:11,375 --> 00:15:13,083 They actually constructed the attack for us when they did the translation 267 00:15:13,083 --> 00:15:15,292 of the page on the client side. 268 00:15:16,709 --> 00:15:20,834 And, of course, finally, we're going to try to execute a method, 269 00:15:20,834 --> 00:15:24,667 hello world which does not anywhere except in our obfuscated 270 00:15:24,667 --> 00:15:26,626 encrypted code. 271 00:15:29,667 --> 00:15:32,334 I guess what we are trying to say here. 272 00:15:32,876 --> 00:15:36,751 That RDI is really a technique, it's sort of a method. 273 00:15:36,751 --> 00:15:39,542 It's taking all of these services that take content from the user 274 00:15:39,542 --> 00:15:43,375 and somehow reflected back in order to construct our attack or rather 275 00:15:43,375 --> 00:15:46,999 in order to obfuscate or evade with our attack. 276 00:15:48,083 --> 00:15:50,999 As you probably noticed throughout here, the point 277 00:15:50,999 --> 00:15:52,999 of RDI is context. 278 00:15:52,999 --> 00:15:54,999 That's the most important thing here, because obviously when you think 279 00:15:54,999 --> 00:15:56,959 about it, you might be asking yourselves, 280 00:15:56,959 --> 00:16:00,999 why don't I just take my malicious link and put it in Google translate? 281 00:16:03,667 --> 00:16:06,876 And basically, the problem is that if you go to Google translate 282 00:16:06,876 --> 00:16:10,459 and you try to put in a malicious link, it's obviously going to be flagged 283 00:16:10,459 --> 00:16:12,459 as a malicious page. 284 00:16:12,459 --> 00:16:14,999 It's not like you will be able to go to it. 285 00:16:14,999 --> 00:16:18,626 It will give up the big red message, this website is suspicious. 286 00:16:18,626 --> 00:16:19,626 Don't come near it. 287 00:16:24,292 --> 00:16:26,918 However, they don't scan the website they are 288 00:16:26,918 --> 00:16:30,209 about to translate within their own context. 289 00:16:30,209 --> 00:16:33,999 They don't scan it as if they are a user using this service and so 290 00:16:33,999 --> 00:16:38,501 they will not see what we are trying to do here at all. 291 00:16:38,876 --> 00:16:42,459 Of course, everything I just said leads us to the fact that it's very hard 292 00:16:42,459 --> 00:16:45,918 to detect, because if you think about all the elements here, 293 00:16:45,918 --> 00:16:49,334 everything we did, we had a big div tag, we could have split it 294 00:16:49,334 --> 00:16:52,999 up and done lots of things with it, when you consider what we did 295 00:16:52,999 --> 00:16:56,501 with the key, for translation, we could use this for languages 296 00:16:56,501 --> 00:16:58,999 and put it different places and use any string 297 00:16:58,999 --> 00:17:02,209 for the caching service, we could have picked any element 298 00:17:02,209 --> 00:17:04,876 that's added through Yahoo! 299 00:17:04,876 --> 00:17:07,417 cache which means it's extremely difficult. 300 00:17:07,417 --> 00:17:08,999 You can't sign it statically. 301 00:17:08,999 --> 00:17:11,334 You have to be in line and looking at the content as it's going 302 00:17:11,334 --> 00:17:14,250 to the user in order to understand what's happening 303 00:17:14,250 --> 00:17:16,999 and see what's going to happen. 304 00:17:18,417 --> 00:17:21,584 And our conclusion from this is that RDI is pretty awesome 305 00:17:21,584 --> 00:17:25,501 for evasion, but our word in all of that, we want to test it against some 306 00:17:25,501 --> 00:17:29,083 of the Internet and see how awesome it really is. 307 00:17:31,584 --> 00:17:35,667 It has lots of security engines tested against it. 308 00:17:35,667 --> 00:17:38,250 And we wanted to test it against wepawet. 309 00:17:39,250 --> 00:17:41,999 We wanted to see if the code is actually executed, what 310 00:17:41,999 --> 00:17:43,999 they are going to see. 311 00:17:44,751 --> 00:17:48,584 And we first took the translation page, but when accessed directly, 312 00:17:48,584 --> 00:17:50,999 our translation attack page, when accessed 313 00:17:50,999 --> 00:17:53,667 without the translation link. 314 00:17:53,959 --> 00:17:56,459 And, of course, as you can see, virus total said that zero 315 00:17:56,459 --> 00:17:58,667 out of how many is it? 316 00:17:58,667 --> 00:17:59,918 39 detections. 317 00:17:59,918 --> 00:18:01,999 Nobody said it was malicious. 318 00:18:01,999 --> 00:18:03,792 And well, they would be correct. 319 00:18:03,999 --> 00:18:07,292 Our code is not at all malicious, when accessed directly 320 00:18:07,292 --> 00:18:11,125 and when we put it on wepawet, we said this page is benign 321 00:18:11,125 --> 00:18:15,334 and no evals were executed and, again, when accessed this way, 322 00:18:15,334 --> 00:18:20,083 they would be correct, because, again, nothing happened. 323 00:18:20,417 --> 00:18:23,918 But then we said, okay, now, let's take the actual attack URL, 324 00:18:23,918 --> 00:18:28,959 the one with all the translation features added and see what happens then. 325 00:18:28,999 --> 00:18:32,334 And well, we put wepawet, the dynamic analysis 326 00:18:32,334 --> 00:18:35,167 and it broke, apparently. 327 00:18:35,167 --> 00:18:39,375 We are going to let them know, but they are actually pretty cool people. 328 00:18:39,375 --> 00:18:41,709 They fixed it before we could even tell them. 329 00:18:41,709 --> 00:18:44,834 I think it flags it as suspicious, I believe. 330 00:18:45,292 --> 00:18:49,542 And more interestingly, is when we put it back on virus total, 331 00:18:49,542 --> 00:18:53,292 we got one detection, one single engine that dynamically 332 00:18:53,292 --> 00:18:58,542 scanned our content and that would be the security site check. 333 00:18:58,584 --> 00:19:02,459 If there's any security people in the crowd, good job. 334 00:19:02,459 --> 00:19:05,542 They dynamically analyzed the content, exactly as we intended for the attack 335 00:19:05,542 --> 00:19:09,959 to be executed and figured out we were attacking with this page. 336 00:19:10,542 --> 00:19:13,751 In the context of RDI, this doesn't really concern us. 337 00:19:13,999 --> 00:19:17,125 As Daniel said at the boring slide at the beginning, RDI is not meant 338 00:19:17,125 --> 00:19:20,584 to deal with these dynamic sort of engines. 339 00:19:20,584 --> 00:19:22,667 It's meant to weed out the 38 other engines that use 340 00:19:22,667 --> 00:19:25,292 the black listing techniques. 341 00:19:25,292 --> 00:19:27,459 It's meant to push us forward from really using 342 00:19:27,459 --> 00:19:31,667 the old technologies and force us to understand what's happening when 343 00:19:31,667 --> 00:19:37,209 we are analyzing a website and trying to understand if it's malicious or not. 344 00:19:37,999 --> 00:19:41,667 So, this is RDI. 345 00:19:41,709 --> 00:19:43,417 Thank you for listening. 346 00:19:43,417 --> 00:19:45,918 I don't think we'll have questions and answers right here, but we'll be 347 00:19:45,918 --> 00:19:49,999 in the Q&A room later if you want to chat, request questions and all that. 348 00:19:49,999 --> 00:19:50,999 Thank you.