All right. Good afternoon. Speaking about audience participation and the audience helping out, I want to thank everybody that's been here this week, so cooperative. New hotel and new challenges. It was great to have everybody being so cooperative in trying to fill the rooms, dealing with it whenever we had to rearrange where the tracks were. You guys have been fantastic. Why don't you give yourselves a hand. So there's really, really interesting malware and different intelligence platforms that have been unveiled in the past couple years, and this talk will break down what it will do on networks, not just on processes. The stuff they're doing on boxes is fascinating enough, but this is a new area of research. Let's get Omer a big hand. ( Applause )

>> So hello. Thank you very much for coming out to listen to my talk. Today I'm going to present to you the network security research related to the state attacks targeting telecommunication networks. My name is Omer. I'll just basically start with what we are going to cover: an introduction to the telco architecture and the network protocols that are targeted, such as GTP and the SS7 signalling protocol, and a look at the practical scenarios. Once you establish a basic understanding of the GSM protocols, we get to the main concern of the talk: the government has the malware. Before delving into the capabilities, I will try to briefly remind you of techniques for the long-term intelligence covering it. Afterwards we will talk about the capabilities and then analyze how it could be weaponized in offensive network hacking, as recently there are more technically complex implants discovered by the researchers. We will briefly take a look at them. Finally, I'm going to present to you how some of the techniques employed by the malware could be implemented in a high-level programming language, talking about Windows driver and API programming on Windows systems. So just briefly about myself: my name is Omer.
My academic background is political science and I studied at the university on artificial intelligence. I'm currently employed with KPN, Royal Dutch Telecom, in the Netherlands. I worked for companies like IBM and Verizon. I perform security assessments in my day-to-day work, and I'm very interested in malware and techniques in these areas. We're based in Amsterdam, and ( inaudible ). This is an attraction center known as the red-light district. If you're in Amsterdam, visit us to have a beer and do some stuff together with us. What inspired us to carry out this research was to analyze and determine the service of the DNS networks. Governments are not only hacking there but they spy on each other, like taking corporations with tools like Regin and cell malwares. So they reach a crazy level, and the recent leaks confirm that the telecom networks are victims. Pretty much each and every telecommunications company got paranoid and tried to make sure they haven't been affected by the same attack. It requires a lot to learn about operating system internals, the internal working principles and computer architecture. So I'm sure not only understanding but also being able to produce and simulate it would mean a lot to those who do day-to-day systems, especially such as the I.T. members. So just very briefly, the architecture looks like this. It's a very complex network architecture. I tried to break it down for this. The network is looking for the digital or wireless and voice communication. GPRS is an extension of the GSM network that provides wireless data communication. UMTS stands for the telecommunications system, an extension of the GPRS network that is on our IP network by delivering broadband information including commerce and entertainment services for mobile users. UMTS pays for the interfaces for the red unit for controllers. Telecommunications are based over functions in GPRS networks and GSM networks.
A GSM network consists of the following components: mobile stations, base stations, base station control systems, mobile switching center, authentication center, communication register and visitor location registers. These are the most important components of the GSM network. It is being argued in these Regin-related attacks. So very briefly I tried to explain what I -- what the functionality is of the components, and it will delve into how it can be targeted by the government in an SPNH campaign. The mobile station is the starting point of the mobile wireless network. So it can contain a mobile terminal and terminal. The base station: when a subscriber uses a mobile station to make a call to the network, the mobile station transfers the call to the base transceiver. The base station transceiver includes equipment like antennas, signalling processing and things necessary for transmission within the geographical area. I'd like to tell very briefly about the GSM network units. This is important information, such as the equipment database, a database looking for identities known as IMEIs. With the mobile station in the network, this equipment is found by the manufacturer of the mobile station. That provides security features such as blocking calls from handsets that have been stolen, like stolen phones within the network attached to the mobile network. HLR is the home location register. It's where you have the network, and first you have the information about the subscriber, such as international mobile subscriber identities, subscriber services and a key for authenticating subscribers. Another important one is the authentication center, and the authentication center database contains things about subscribers, through the necessary keys for the encryption for this. This is the VLR, visitor location register. It temporarily stores information about the mobile stations and the activity in the geographic area which is being allowed.
And the architecture has released interfaces for the network elements. The mobile transmits to the BTS and the BTS to the BSC. And the communication also appears to go to the phases of the databases, so HLR and VLR in the unit. These are the key elements that can be targeted by the attackers over either protocol. We're concerned about the malware playing a role in such attacks. It specifically targets the GSM networks. They state that Regin has been designed to be a low that can be used as Danish confines, and according to claims of antivirus companies, it has been active since 2008. It's a good demonstration. The picture was taken in Germany. They put it against GCHQ, and they have to get their data from the databases. I was also one of the participants of the demonstration. So our work pretty much looked like this, since our competitors, actually enemies, are high-profile organizations like GCHQ and NSA, which always listen to their customers. It very much looked like this, like using old school techniques to bring them to their knees, but we didn't give up and took a try. So in order to determine the scenarios, we decided to get a large service innovation from the base stations. For these reasons we have passively attempted the GSM communication from the radio base stations, and we greatly utilized passive network tapping in the research. I would like to thank him. I think he's in one of the audiences. He left yesterday, I think, and we talked about this. We tried to collect as much information as possible from different end points of the 2G and 4G services. There were those reachable from the base station and the metro reaches. You would definitely be shocked at what we discovered in the assessments. So the absence of the physical introduction to the devices: if a device is altered or changed, most GSM companies don't care about the possibility of it and they don't take it into account.
We found less vulnerable services running and typical from the base stations, and reachable interfaces with default passwords, public/private keys for different communications. The absence of the temporary distance and the access prediction; the network tapping shouldn't be possible otherwise. And improper network segmentation: the nonroutable segments of the telco company could be accessible. The core GPRS network and metro substation could be exploited as well. So since the base station is one of the most network components, we wanted to see where it is possible to upload other inner components, and they stored information such as access control, HLR, VLR. If you ever have a similar assessment, you could see that the stations, especially the segmentations, are not correctly implemented. So it's practically possible, so let's take a look at the network components that could be targeted both locally and remotely. The GPRS roaming exchange acts as a hub for the GPRS communications from roaming users with the need of the link between GPRS and the service provider. That's appearing enter connecting the units. So the main ones are located in Europe in Amsterdam or for Asia in Singapore. Then you travel abroad. You're from -- regardless of your location, so the communication is being held or utilized by the network. So what networks? It's a German exchange, and it's for your local GSM provider. It's a trust-based network that made sharing possible. Any malicious activity would affect multiple connected machines. GTP is a group of protocols to carry general packet radio services within the GSM and the LTE networks. It can be composed into separate protocols like GTP-C, GTP-U, and GTP'. GTP-C is used for signalling between the support nodes known as GGSN and the serving support node. So these activate sessions on the user's behalf, from the activation to the quality of the service. It's an update session for subscribers who have just arrived from another SGSN.
GTP can be used; it's monitored ( inaudible ) in version zero. GTP is running only on the UDP protocol. So one of the most important features is that DNS is used for resolving APNs to set up a GTP tunnel, and an access point is known as the gateway between the 3G and 4G network and another network or the public Internet. So there are some network dumps, and here is how and what this looks like. There's a lot of information here. ( Inaudible ) the GTP packet has a lot of information like the subscriber network information. This might be correlated with the person and what she's active in to the rest of the world. As you can see here, here is the APN access networks and the DNS information. So I will tell you all the communication can be intercepted and looked at, including the physical location. It can be possible in such cases because it's providing an exchange within the trust-based networks globally. This is a 7 and 6 run. SS7 is a signalling protocol which was built like 30 years ago, a widely, commonly used protocol with other vulnerabilities. This is a procedure for user identity, routing, billing and management. It looks like in the picture: the link to the MTP layers, MTP 2 and 3 layers. Some of the features, if you look at what we are really interested in: this is the flow that transfers the information, traffic congestion, and there's a measurement. Everything on the protocol like voice-over-IP and interconnected IP networking and lots of new networks within the GSM network utilizes a certain protocol. It simply looks like this. It's utilized as a certain protocol. So this protocol analysis revealed in a sense what information is being transmitted between different nodes in the network. For instance, the most interesting information could be related to the ( inaudible ) code number and code status. There are some public tools that are available that you can use to analyze the network, and we also created a script to monitor and tap into all the network flow information.
Lately I found that here on the slide. You can download it on the SS7 network flow. So this is a certain protocol and loss. The information is being transmitted, and the protocol is enough to feed into our giant database. So, practical scenarios. This is something that you can work things out communicating and talking to each other from the subscriber line. So it's possible to introduce a change in the VLR and MSC database. It introduces a conference call type of mechanism to intercept calls to victims. It's also possible to get a subscriber service change. For example, it was introduced as a decoy database. The GSM network that he's supposed to reach to do a certain protocol, so he can do many more attacks with interception of SMS and outgoing calls and the redirection of incoming and outgoing calls. In other words, anything including final. During my research I was cooperating with researchers from Finland. So I was informed that they have found another vulnerability in SS7, and the vulnerability is simply exploiting the relationship between MA and use AR access module within the GSM network. So they are able to look at the stolen mobile devices without requiring a GSM card attached to it. So attacks look like this. Simply modify my information sent to the database and the change, and that's the verification of the DLR data. So it's simply communicating to the GSM network there. If you'd like to read more about this, the academic paper will be presented at the IE conference in August. So it will be available. So this is a network not only targeted by the good guys or the government but also by those after this ( inaudible ). This is the mail exchange between one of their customers, so they were trying to implement malware that is targeting the SS7 signalling protocol. So they were after victims to locate the phone location.
According to the mail exchange, the location information, and how they're going to obtain the location information, is just requiring it in the signalling protocol. The mobile phone location could be obtained by such requests. These are the brief techniques, so I think -- I hope it's nation-state interested in attacking networks. I will briefly cover the techniques. We mentioned and talked about the rootkits; they could be analyzed in two categories, user-mode rootkits and kernel-mode rootkits. For the user-mode rootkit we're referring to an executable or DLL, and there are techniques, and then there is the kernel-mode rootkit, where we are simply referring to a Windows driver that can install a system call table hook and et cetera. So this simply allows you to intercept a function, alter it, change the content and sometimes intercept it the way you want. There's the notion ( inaudible ) of implementing it. You're simply monitoring the calls into the system, and you're simply hooking into the function that corresponds to the calls and logging it. The techniques can be used, for instance, in the firewall for the ( inaudible ). For instance, let's assume that malware infected your computer and you're looking for activities by simply monitoring the calls and how it behaves. So some of the basic rootkit techniques, if you analyze it in user mode, are for instance DLL injection, IAT hooking or inline hooking techniques. The kernel level will get a driver that can employ ( inaudible ). You can find quite a lot of information about these on the Internet. I won't go into much detail. Well, once I stumbled on the Regin malware, and after completing the analysis on the network research I have, my next goal was to analyze every single module and simulate it. So the companies really did a great job on analyzing the malware, but they didn't dive into what is actually being targeted and achieved by the malware. So we have to understand the malware and produce it and reimplement it.
That might help it to be understandable by the GSM providers, so the Regin malware looked like complex malware. I have everything. It's consisting of different modules. It uses a very specific feature of an operating system, called the Orchestrator. It's a module-oriented architecture, and they were being organized and prioritized depending on the RPC calls. So this simply shows the stages, like we can break down the malware into five different stages. There's stage four there, and simply stage 1 first requests extracting the next stage and decrypting it, so distinguishing the detection of antiviruses. There were quite a few challenges while analyzing this malware from the first module. It's still a little bit unclear how the systems were affected and initially infected by the malware. As Regin targeted multiple institutions and GSM networks, it's still unclear. However, another challenge was the multi-stage and encrypted structure, so it was really hard to find samples; even if you have the sample, if you don't have the next stage correctly, it could be a problem to extract it. So the modules were invoked by the architecture. Malware data is stored inside it, and the research of the GSM network had no indication of compromise, which is good. So my solution was to go to the Orchestrator and use the memory dumps available on the Internet and look at the analysis of the similar tools to maintain the costs and the analysis. So from stage 1 to 2 I will go through a little bit quicker because we're about to run out of time. I want to do a demonstration of what I have implemented. Stage one was simply extracting the next stage. From first to three, if you look at these system calls, they are simply allocating memory in the kernel space for the next stage and extracting it. Stage 2 is a little bit different because it implements and extracts the next stage. There's a block. So it uses a really very specific feature of the Regin malware. It's similar to this; you can see the details of it.
It just searches it, and there's a big function from the calls. Stages 3 and 4 could be the most interesting ones, because stage 3 is simply the brain of the Regin malware. It is simply accepting Orchestrator calls and executing them. For instance, it was in the kernel module, kernel module calls, and executing them within the process memory of the executable. So how could we recognize it? I simply saw what it does in the Orchestrator calls and tried to implement them using driver kits. You can take a look at them. The code will be available. So this compilation might be a little bit subjective, but according to the complexity, it's the most complex ( inaudible ) that has ever been seen. Each one implements very specific features. So after the reverse engineering and the technical analysis, I implemented the Regin stage 3 and stage 4 a little bit tighter, of course. So such features like data extraction or running a thread of applications in the space; the Orchestrator hasn't finished yet but simply orchestrates it. There are network calls with the category module. There's a utility there. You can see the changes of the system within the system. For example, ( inaudible ). Right now there's no et cetera. What I have implemented is simply a Turner module and driver. This corresponds to the Regin stage 4, and it may be stage 3 or 2 or a combination. What it simply does is simulate the malicious activities in the system. So I will show you and demonstrate it very quickly. This is a batch file. It hasn't been weaponized yet, so it simply runs around the system to transfer the driver and the executable.

>> Can I interrupt? Go ahead and hit next. All right. You all know this work. Is he doing a good job? ( Applause ) We have ourselves a new speaker, and he's doing demos and they're working. That never happens. I feel it at DEF CON. ( Applause ) All right. Demos, trust me.

>> Thank you.

>> I have a little gift here for you. Somebody dropped it off in the speaker room.
It appears to plug into the USB in your computer. It has a lot of Chinese writing on it. You know what? Good luck.

>> I would not use that.

>> I'm simply executing the batch file that will run. I will show you. It registers a little small Regin-like rootkit in the system and then runs it in the system and then executes stage 1. It's running now. Okay. All right. So it's executed. As you can see, I implemented the rootkit using very simple techniques for the beginning. It simply allows us to look at the simple system but efficient, and stage 1 is also executed, but it's executable and has some hooks to hide from the registry. I will briefly demonstrate what it is. I will try to delay this one. I'll also show you a very specific one. I'll start up a user now. As a client I have implemented, so you can simply connect back to the affected system. You can do some things like executing commands on the system, for example. It says something about the malicious features like encrypting the entire Windows partition. It's queuing the system and writing it and the structure. And I also want to show you, for example, that it protects the stage 1 executable. For example, you see it couldn't find it, but actually they practice it to execute and it is there. For example, when I tried to show another executable which doesn't exist, it gives it there. It simply intercepts calls, and there's the international calls and it simply has it. Thank you very much. ( Applause )