00:00:00.767,00:01:17.110 >> Let's get started. So my name is Brad Woodberg, I'm a project manager with Emerging Threats at Proofpoint, and today we're gonna be talking about command and control channels. So just a quick rundown of what we'll be doing: a few minutes on the intro, but we're gonna go heavy in some malware techniques. We're gonna talk about actual malware case studies, what we're kind of seeing, predictions and trends for the malware. I think this is actually... sorry, we were having an issue on that, I think I have an older version of the rev on here, but we'll just plow through it. We're gonna talk about defense, and then we're gonna wrap this up in about 45 minutes so we can go get some beer and have some fun tonight. [Cheers] [Clapping] So why command and control, right? Why is this topic so interesting? Because so much of the information that we see in the security industry, blogs, articles, et cetera, focuses on vulnerabilities, exploits and the actual malware, and these are all great topics, all very interesting. But one of the big challenges for anybody operating an IDS, actually dealing with this on the front lines, is that we know that trying to detect the vulnerabilities,
00:01:17.110,00:02:22.376 the CVE game, different types of exploits, it's very noisy, it's not very high fidelity. Oftentimes we'll have alerts that trigger when, actually, an asset was actually breached. But when you look at command and control, that's actually the point where you can say, hey, with high confidence I know that this asset has been compromised, when you see that control channel reaching out. It's kind of, as Rasheed Wallace of the Detroit Pistons would say, "the ball don't lie," and when you see that actual channel we know that something's going on. But probably the other thing that is really interesting about command and control is that this is actually the point where you go from being on pure defense, getting hounded all day long, attacked from every which way, to the tables actually being turned on the attacker. Where you had to get it right every single time and they only had to get it right once, now it's the other way around. In order for them to maintain that connection, to maintain their control over the assets, they have to be right all the time, and so that's why I think this is interesting and why we should talk about it today.
00:02:22.376,00:03:34.014 So just a minute or two on how this whole thing gets started. The way I see it, there are really two primary ways that assets end up being compromised. You have executable content, this is your traditional malware, scripts, macro-embedded Word documents and other Office file formats, et cetera. There's actually not an exploit happening here, oftentimes now it's just social engineering: get someone to open a doc, and then malware now runs on the machine. The other way is the exploit-driven approach, which is obviously ever so popular with the exploit kits, and this is where you're actually taking advantage of a vulnerability to be able to gain execution control on an endpoint. But really it doesn't matter how it happened, the fact is all that matters is that it's been compromised. So, to say a word or two on why, like why does malware even need command and control channels? Like what's happening here? Oftentimes when an asset is breached it's not under the best of scenarios. It may happen on an asset that really isn't the ultimate target, the ultimate goal, it doesn't have the information that the attacker's looking for.
00:03:34.014,00:04:50.323 There might not be sufficient privileges, and especially when you're dealing with exploits you have a very small buffer or window in which to fit the actual payload, so you have to deliver it in pieces. And really, oftentimes a lot of malware just doesn't have a full... especially if you're dealing with crimeware, not so much targeted attacks, it's basically shipped bare bones and needs to get more information before it can pull off whatever it's trying to do. So that's where command and control comes in. Just a word to you, I mean basically the command and control channel is gonna be used for a lot of different things: for pushing the actual configuration, for escalating the breaches I mentioned, and this is where it's gonna be reaching out to command and control infrastructure. Another aspect of command and control is actually exfiltration, so getting the information, the intellectual property that's on an endpoint, on an asset, out into the attacker's hands. So if we look at something like Locky, it may be going through and cataloging all the files on the endpoint, figuring out what's interesting and encrypting them. If we look at something like ZBOT, this one is actually using a DNS channel for command and control.
00:04:50.323,00:06:03.230 So they didn't even have to use anything special, customized, or even direct for that matter. With DNS, you can just send a query and it's gonna find its way home, essentially all the way to the server and back. So in this case it's actually exchanging commands and information for the malware to take advantage of. So let's just take a quick look at an ever-popular vector: the Angler Exploit Kit. May it rest in peace. I chose this because it is just so prolific in the last years. Even, I saw a bakery down the street from my house, and their website had actually been popped and was serving up an Angler redirector. And that's really the interesting thing: it's not that the signs are always so obvious leading up to an infection. It's not like it was defaced or something like that, there was just a little iframe shoved in there, and if you weren't running some security software you would never know. But anyhow, we digress. So looking at the Angler Exploit Kit, first, typically you're gonna hit some sort of a redirector, right?
00:06:03.230,00:07:10.530 And in this case, as I mentioned, our poor bakery, and that is going to redirect you to a traffic distribution system. So this is basically going to evaluate your endpoint, it's gonna say hey, they're running Microsoft Windows 7 and Flash, this version, and okay, we're gonna custom tailor an exploit to that endpoint. And then finally an exploit will be delivered, oftentimes by a different infrastructure. Now here's the really interesting thing about this. Up until this point you really don't have confidence that an asset has actually been compromised, and all the while you're probably chasing down a million alerts from your IDS and also some other endpoint systems, because it's saying hey, we saw this Angler redirector, blah blah blah, and there's this exploit, check what version of Flash. But there's really no high-fidelity indication that this has actually been fully compromised until you see that command and control. And once you see that, then you know for sure that the system has been overtaken.
00:07:12.766,00:08:28.308 Just a quick word: a lot of times people will get lateral infections confused with actual command and control. So basically with lateral infections, typically what we're talking about is how malware is going to spread within an organization, and one thing that I think is a big differentiator is that typically lateral infections will leverage native enterprise protocols to spread. Not exclusively, but that's a lot of what we see, whereas command and control may be anything from the traditional channel, so basically maybe like HTTP or HTTPS, to maybe a custom protocol, and we'll talk about the different trends and things in just a little bit. But effectively, the internal lateral stuff, if we take Locky as a perfect example, and all the hospitals that made a lot of news when they got breached and all their files were encrypted and the whole place shut down and they had to pay $17,000 in ransom, which is really quite a steal in my opinion for operations of the hospital, but glad it wasn't more. In that case, basically it was just an endpoint that got compromised.
00:08:28.308,00:09:45.718 It wasn't like a file server got breached and then that's what actually encrypted the files. It was actually an endpoint that had access to the file server using SMB and encrypted the files, and so you actually do see a lot of that. You're just leveraging the native protocols that are within the network itself, whereas command and control is a far more rich, exotic and interesting set of protocols that are used. Now I'd like to, just before we get into the meat, talk about how the cat and mouse game has evolved, because like many things, the attackers kind of operate on an economical scale, right? They don't want to, especially when you're talking about crimeware, they don't want to take more effort than they need to, spend more money and more time to make their infrastructure more robust. So they're going to play along with the vendors, and when what is effective gets to the point where it's not, then they kind of up the game. And a lot of the very early malware was just leveraging very simple, high-range TCP and UDP ports
00:09:45.718,00:11:00.026 that could really easily be filtered out on a router or on a firewall, as easy as that. It kind of evolved into leveraging other applications like IRC for command and control, and then of course as some organizations started to clamp down more and more and restrict firewall access and outbound proxy access, a lot of them... really the funny thing is, at the exact same time, I feel like a lot of the peer-to-peer applications, the file sharing apps, BitTorrent and so forth, kind of converged along with malware, because they realized that hey, these ports are almost always open so we can leverage them. Malware also shifted over to port 80/443, then you have NGFWs come out that can identify, hey, this isn't HTTP, this is some binary protocol that we've never seen, so we can block it. And all that isn't very interesting, but what's starting to get more interesting is how a lot of the malware is leveraging different types of cloud apps, and it's actually doing steganography, encoding messages in files and various other metadata that we'll see. We'll go through some examples in a bit.
00:11:00.026,00:12:19.405 And this is kind of where I think a lot of the future is, but essentially the malware has gotten to a point where it is really getting sophisticated in command and control channels. And at the same time it's important to look at how command and control systems are being hosted. This isn't categorically a precise drop-off at any point in time for when things change over, but we actually do see a progression, especially with some more sophisticated actors and malware. In the very beginning everything was kind of statically hosted. You had IPs that were hardcoded in malware and nothing was really changing, so today we still see IPs hard coded into malware... But you would have these C2 hosts that were up for years, and you had time for that to kind of filter into various lists, so on and so forth. Since those days, I think, things have evolved quite a bit. It shifted to leveraging DNS, but again you still had a single point of failure, a name. Even though the IP could change and you could route the traffic elsewhere, you still had to cope with the fact that if that DNS name was discovered and blacklisted,
00:12:19.405,00:13:22.935 it wasn't changed, and we're talking about over a long period of time, not like what we have today, which can be hours or days. Basically, the malware can be shut down; config updates, malware will actually go out and update itself, again not particularly sophisticated. But where things started to get interesting, in my mind, is around the time of the GameOver botnet with the Zeus malware, because it certainly wasn't the very first, but we saw organizations really, really had a very hard time for several years, I mean for almost eight years or something, trying to control this malware because it leveraged more advanced techniques: domain generation algorithms, peer-to-peer C2 infrastructure. So you really got rid of that centralized model, in the same way that BitTorrent and Skype and other types of peer-to-peer based networking protocols and applications work.
00:13:22.935,00:14:38.811 And perhaps the most interesting is that now, not so many but we're seeing more and more of the malware starting to leverage cloud services as C2, so basically you don't even have to operate anything yourself. We'll get into this a little bit, but you can use Twitter, you can use Amazon, you can use the comment section, kind of the classic Cold War spy drop where you bring the briefcase into the park and you drop it, leave, and someone else comes and picks it up. It's kind of the same approach, and the beauty of it is it requires almost no investment, and we'll save more on that for just a bit. So one of the things that I found most interesting is steganography and what's kind of happening there. We've seen hints of this certainly in a bunch of different malware, and I think it's probably one of the most powerful ways to be able to exchange information in a covert channel. Basically this is hiding information in plain sight. It's not anything new, it's been used for centuries. If you guys have ever seen the video of, I think it was either an army or naval captain, Jeremiah Denton, who was captured in Vietnam, he actually blinked Morse code.
00:14:38.811,00:16:00.059 They were doing one of those kind of captive videos where they interview him and ask all of these questions, and he actually blinked "torture" in Morse code. And of course they put out the video; everyone, I'm sure, probably knew that everything was going on anyways, but it was very, very powerful because obviously the Vietnamese army didn't know, and it kind of made it through. So I think a lot of similar techniques can be used in actual malware for covert channels, and when you look at it there's actually just a wealth of potential opportunities and places that you can hide this data: everything from protocol headers, if you're talking about the network layer, to metadata in files, all different types of encodings, audio, video, et cetera. We're going to go into some of this, and it just really makes for an excellent place to hide your data and to have plausible deniability, and of course you can layer other techniques on top of it, so you can leverage encryption plus steg to hide things in plain sight, if you will. So let's take a look at a few examples. This is actually an APT malware sample that we saw, and I obviously anonymized the IP addresses.
00:16:00.059,00:17:11.998 But basically what was happening here was that the internal machine was compromised. We think of it kind of as a Chinese APT. It was sending TCP packets with no flags, which is obviously an interesting problem, zero window, and it was never establishing sessions. So it was actually communicating to a C2 just by sending these packets, just by leveraging the fields and headers. And this can really be done with a number of different protocols, it's not anything that's restricted to TCP. Another example is, when it comes to images, we're seeing malware like Vawtrak and others that will actually embed configuration in an image. So in this case what I did was I used a tool called OpenPuff and I took the DEF CON logo, the DEF CON 24 logo. One logo is just the original, and in the other there's an encoded message. And as you can see, there's... you can't see, right? There's nothing that our eyes can distinguish. What's actually happening here is it's using the least significant bit, and it's encoding the malware payload or the file; you can do anything in that least significant bit.
00:17:11.998,00:18:23.636 So the color palette is tweaked by just one tiny value in each pixel, and that's enough that another party could come across it and grab it, extract the message out if they know what to look for, but not only to the human eye but even to other computers, it would be very hard to be able to detect this type of technique. So let's talk about another set: besides just trying to hide, what our attackers try to do to ensure that their command and control channels are not compromised. And so there's a number of different counteroffensive techniques that they're taking. One technique is actually to filter who can connect back. And this is used in other cases too, I mean, it may be used not just for C2 but in the case of actual malware infections, right, especially targeted phishing. They want to make sure that vendors and also non-target assets, when we're dealing with targeted attacks, aren't going to be potentially compromised, because of course they don't want vendors learning the secrets and so on and so forth.
00:18:23.636,00:19:27.867 With crimeware there might be a little bit less, they might care less and cast a wider net over what they're trying to compromise, so you might not see that quite as much. But we do actually see a lot of filtering from IP address spaces, not only countries but even down to individual organizations if they're targeting an actual organization. Another thing that can be leveraged is hidden messages in handshakes. Poison Ivy is a really interesting, long-standing piece of malware that does that. It actually encodes a handshake in the initial connection, and so even on that first data packet it'll know, hey, this is a legit system or not, so it can just filter that out. If there's just some other type of asset trying to reach out, it can filter it. And of course encryption, especially leveraging preloaded SSL certs.
00:19:27.867,00:20:35.367 Essentially we'll talk about Let's Encrypt because it has some implications here, but essentially if you just preload a trusted SSL relationship, the public key or symmetric key, into the actual malware, it can make a connection out immediately, and so they can basically ensure that, at least until that certificate has been compromised, only malware that has the actual target certificate can reach out, and so other types of SSL snooping tools that are trying to grab information wouldn't be able to have success there. And just anecdotally, in terms of some of the things that we're seeing, there's actually been a pretty strong push to a lot of anti-sandboxing techniques by the attackers. I won't get into a lot of specifics, but we're seeing that it's getting harder and harder; if any of you guys like open source tools like Cuckoo and other rigs, the attackers are definitely trying to get wise to that, to prevent sandboxing analysis, in a major way, right?
00:20:35.367,00:21:40.266 This is not a new thing, but we're seeing that really the stakes are ramping up on malware that's trying to fly below the radar, so it's not just from a C2 perspective, there's a lot of things all the way from the exploit to the command and control where this type of thing is happening. Just a word, I mean, there's obviously different types of families, right? Crimeware, this is just gonna be casting a huge wide net. Typically these are pretty chatty, but we will see that they'll go to a little bit greater lengths in a lot of cases to avoid detection. A lot of targeted attacks, you'd be surprised, a lot of them are still just leveraging off-the-shelf remote access tools, right, and other commercial tools. They are targeted in that the actual actor is targeting a particular party, a particular organization, but they're not terribly sophisticated, all the way up to the targeted espionage where just the sky is the limit.
You know, this is, you know, in some cases 00:21:40.266,00:21:43.402 they may lack C2 altogether, but if you think about all the 00:21:43.402,00:21:46.505 Stuxnets and the Flames and the Dukes and others, you know, 00:21:46.505,00:21:48.574 there can be some pretty sophisticated 00:21:48.574,00:21:52.278 command-and-control that can happen, and even insider 00:21:52.278,00:21:56.448 threats to basically make those work. So now 00:21:56.448,00:21:59.051 that we've kind of covered, you know, we kind of talked about 00:21:59.051,00:22:01.921 some evolution, things that we've seen historically over 00:22:01.921,00:22:04.924 time, we talked about some of the different components of 00:22:04.924,00:22:08.327 malware, let's actually dive into a bunch of different 00:22:08.327,00:22:12.598 case studies and look at how different pieces of malware are 00:22:12.598,00:22:16.402 communicating with command and 00:22:16.402,00:22:19.238 control. So Gh0stRAT is, like, you know, probably one of the most 00:22:19.238,00:22:22.308 simple examples, and again, you know, this is out there. 00:22:22.308,00:22:26.111 There still is, you know, a lot of Gh0stRAT that we see, 00:22:26.111,00:22:31.183 infections, because this is such a, you know, 00:22:31.183,00:22:35.454 prevalent tool that anyone can use. And, you know, this is just 00:22:35.454,00:22:38.624 essentially, you know, at least the commodity versions. 00:22:38.624,00:22:41.660 Obviously anyone can modify any of these things. But, you know, 00:22:41.660,00:22:44.029 it's actually gonna have, you know, a string in 00:22:44.029,00:22:47.399 the actual payloads. So it's really easy for, say, like an 00:22:47.399,00:22:50.903 IDS to be able to identify it, because it's just, you know, it's 00:22:50.903,00:22:53.906 just there; it's not really so obfuscated.
It's kind 00:22:53.906,00:22:56.508 of like if you look at, like, the evolution of BitTorrent. You 00:22:56.508,00:23:00.112 know, when it started, it was just running on random ports, and then 00:23:00.112,00:23:03.048 they switched to port 80, but then, you know, not exclusively, 00:23:03.048,00:23:05.618 but, you know, you would see BitTorrent in the 00:23:05.618,00:23:08.287 actual protocol, and they got to the point where they were 00:23:08.287,00:23:13.425 using, you know, very advanced, forgetting the name, 00:23:13.425,00:23:18.397 Kademlia, distributed hash table functions 00:23:18.397,00:23:22.167 to ensure that, you know, there wasn't such an easy 00:23:22.167,00:23:25.404 way to match specific bits, because everything was being 00:23:25.404,00:23:29.742 dynamically generated on the fly. So Poison Ivy, we kind of 00:23:29.742,00:23:33.078 talked about a little bit earlier, where basically, you 00:23:33.078,00:23:36.915 know, this is leveraging, you know, a handshake, so, you know, 00:23:36.915,00:23:40.619 it's trying to basically identify who's connecting to 00:23:40.619,00:23:45.324 me. You know, is it a target asset, or could it 00:23:45.324,00:23:47.760 potentially be a researcher? They typically will embed, you 00:23:47.760,00:23:49.928 know, there'll be some sort of, the malware will be delivered, 00:23:49.928,00:23:53.198 have a password in it, and that is used in the challenge 00:23:53.198,00:23:56.535 authentication so that even if you have different strains of 00:23:56.535,00:24:00.005 Poison Ivy, you know, an individual actor can, you know, 00:24:00.005,00:24:03.475 differentiate and make sure that only the correct target is 00:24:03.475,00:24:06.679 talking to them.
And again, that can be important because if 00:24:06.679,00:24:10.182 you, you know, just allow it to be wide open, it means that, you 00:24:10.182,00:24:13.285 know, the viability of this malware, of this actual 00:24:13.285,00:24:16.889 compromise, is going to be, you know, not as long-lived, 00:24:16.889,00:24:19.258 because it'll be too easily identified and too easy to take 00:24:19.258,00:24:25.331 down. NanoLocker. This one, you know, came out 00:24:25.331,00:24:28.500 last year. There is really interesting JavaScript, 00:24:28.500,00:24:31.103 you know, ransomware. Ransomware has just been 00:24:31.103,00:24:35.374 absolutely blowing up, but one of the, you know, the things that 00:24:35.374,00:24:39.311 I found really interesting is, again, not necessarily leveraging, 00:24:39.311,00:24:43.215 you know, like HTTP or a TCP-based protocol, but actually 00:24:43.215,00:24:46.885 leveraging the network itself and some of the, you know, 00:24:46.885,00:24:49.355 traditional, you know, tools within a network. In this case, it was 00:24:49.355,00:24:55.494 actually, you know, encoding the bitcoin address in ICMP. 00:24:55.494,00:24:59.064 So basically, you know, just send a packet, get a 00:24:59.064,00:25:00.332 packet back, and know exactly what to do for, you 00:25:00.332,00:25:02.334 know, for basically, you know, holding the, 00:25:02.334,00:25:03.669 extorting the victim. And, you know, again, the 00:25:03.669,00:25:10.275 network protocol layers, especially a lot of the 00:25:10.275,00:25:17.116 legacy protocols, have a lot of great hiding spots. I mean, if 00:25:17.116,00:25:19.485 you look at the difference between, like, IPv4 and 00:25:19.485,00:25:23.322 IPv6.
Now granted, IPv6 has all the next headers, and, you know, 00:25:23.322,00:25:25.090 there could be some interesting things that you 00:25:25.090,00:25:28.293 could do there, but there's a lot of, you know, space where, 00:25:28.293,00:25:32.731 at the time, in the days of yore, they didn't know precisely 00:25:32.731,00:25:35.234 that this whole Internet thing was gonna blow up, so they put a 00:25:35.234,00:25:38.771 lot of, you know, lots of padding and other potential areas 00:25:38.771,00:25:42.408 where you could hide things in. And, you know, as prevalent 00:25:42.408,00:25:45.744 as the protocols still are today, it makes a really great 00:25:45.744,00:25:51.016 channel for attackers. So GameOver Zeus. We, you know, 00:25:51.016,00:25:53.852 talked about this a little bit earlier, where, you know, 00:25:53.852,00:25:58.424 basically they want to avoid having the, you know, kind 00:25:58.424,00:26:01.994 of fixed-string centralized model, and, you know, to make it 00:26:01.994,00:26:06.865 hard for IDSs to identify. So actually what they do is a 00:26:06.865,00:26:09.701 combination of techniques, but basically they will XOR 00:26:09.701,00:26:13.272 information in the packet payload so it's always changing, 00:26:13.272,00:26:16.675 and, you know, it's very difficult to leverage signature-based 00:26:16.675,00:26:19.611 technologies with traditional IDSs to be able to 00:26:19.611,00:26:23.982 identify this malware, because basically it is always 00:26:23.982,00:26:26.018 changing. Now, that doesn't mean that there aren't other ways to 00:26:26.018,00:26:29.988 do it, but, you know, your traditional tools of the 00:26:29.988,00:26:33.959 trade, if you will, need not apply.
Now, Dridex, 00:26:33.959,00:26:40.265 you know, the banking Trojan, obviously has, you know, just 00:26:40.265,00:26:44.203 kind of, it took, for quite a long time, you know, just the 00:26:44.203,00:26:48.173 whole enterprise sector by storm, and who would have thought that, 00:26:48.173,00:26:53.011 you know, in 2015 through 2016, macro-based malware would 00:26:53.011,00:26:56.849 be, you know, so pervasive and successful? But the fact of 00:26:56.849,00:27:01.320 the matter is that it is and it was, you know, 00:27:01.320,00:27:04.823 even to this day, you know, there still is, you know, a 00:27:04.823,00:27:09.194 great deal of malware that's leveraging these age-old 00:27:09.194,00:27:13.899 techniques from, you know, the days of Windows 95 or whatever. 00:27:13.899,00:27:17.536 Particularly interesting is, you know, one shift that we've kind 00:27:17.536,00:27:21.039 of seen is, you know, it's getting harder and harder to attack the 00:27:21.039,00:27:25.377 machine, right, because of, you know, different types of 00:27:25.377,00:27:28.480 security protections that are built in. And so attackers 00:27:28.480,00:27:30.749 are, you know, kind of saying, ah, forget about that, we're just 00:27:30.749,00:27:33.318 going to attack the human. And so I think, like, Dridex is a 00:27:33.318,00:27:37.189 great example of that, where, you know, someone will get a 00:27:37.189,00:27:40.692 document delivered. You know, one really cool example 00:27:40.692,00:27:45.330 that I loved was the document would actually be blurred, 00:27:45.330,00:27:47.699 so it'd be an invoice document, it'd be blurred, but 00:27:47.699,00:27:49.234 there'd be a message that says, you know, click "enable 00:27:49.234,00:27:50.569 content" so that the message will be, you 00:27:50.569,00:27:51.904 know, visible.
Or, you know, this payload 00:27:51.904,00:27:53.272 may be, you know, corrupted; if you click "enable content", 00:27:53.272,00:27:58.277 it'll be visible, and that's exactly what it did. 00:28:04.249,00:28:07.052 Unbeknownst to the user, it also reached out, grabbed a payload, 00:28:07.052,00:28:10.856 you know, popped the machine. And antivirus, traditionally, 00:28:10.856,00:28:13.025 couldn't keep up with that, because they would send, you know, 00:28:13.025,00:28:15.928 a new hash of those documents. They would send millions and 00:28:15.928,00:28:19.064 millions, and hundreds of millions even, on some days. 00:28:19.064,00:28:24.269 And so, tremendously successful even to this day, and obviously 00:28:24.269,00:28:28.540 there's a lot of different, you know, flavors, if you 00:28:28.540,00:28:31.343 will, of the different malwares, because they're maybe done by 00:28:31.343,00:28:35.414 different actors. But, you know, in this case, in this one, 00:28:35.414,00:28:37.950 you know, they're actually again leveraging the kind of blind, 00:28:37.950,00:28:40.519 the dead drop, just like I kind of talked about with, like, 00:28:40.519,00:28:44.756 Twitter, Amazon, you know, using Microsoft comments to be able to 00:28:44.756,00:28:48.427 essentially deliver command-and-control information 00:28:48.427,00:28:52.064 that can be, you know, exchanged between this 00:28:52.064,00:28:57.202 endpoint and the actual server in a covert fashion. Now Tor, you know, 00:28:57.202,00:29:02.007 obviously Tor is near and dear, has, you know, some very 00:29:02.007,00:29:05.077 important real-world applications, you know, 00:29:05.077,00:29:08.246 especially in certain countries and regimes and for 00:29:08.246,00:29:11.650 journalists.
So certainly not trying to knock on Tor, but, 00:29:11.650,00:29:12.985 you know, for the same reasons why it's great for the, you 00:29:12.985,00:29:14.319 know, the aforementioned use cases, it's actually 00:29:14.319,00:29:16.221 becoming quite a problem for a lot of the research 00:29:16.221,00:29:21.226 community, because it doesn't even really require any type of, 00:29:26.665,00:29:29.735 you know, client. You know, you can literally use, like, Tor2web 00:29:29.735,00:29:33.705 and do this whole thing clientless, so whether it's 00:29:33.705,00:29:37.242 Vawtrak, or dilexis, or, you know, there's a whole number. 00:29:37.242,00:29:40.479 We'll look at some trends that I've seen in a minute. 00:29:40.479,00:29:44.916 You know, Tor really is a great way to essentially 00:29:44.916,00:29:47.119 bridge that gap between the endpoint and the 00:29:47.119,00:29:49.855 command-and-control channel. You know, you just kind of don't 00:29:49.855,00:29:52.024 have to worry about anything once you establish that tunnel. 00:29:54.960,00:29:58.096 Oh yeah, so basically a quick animation here. So, you 00:29:58.096,00:30:01.633 know, just showing here, we got the initial compromise, where 00:30:01.633,00:30:06.104 the payload is delivered, it's exchanged, 00:30:06.104,00:30:10.609 you know, the endpoint is probing for Tor information, 00:30:10.609,00:30:14.613 Tor nodes, doing DNS resolution, and then finally it's making 00:30:14.613,00:30:18.150 its connection to Tor, to Tor2web, and so it can exchange 00:30:18.150,00:30:24.322 this information covertly. Now AridViper, this is 00:30:24.322,00:30:27.726 one, you know, we did some research on that at 00:30:27.726,00:30:31.563 Proofpoint. This is obviously a targeted APT attack, you know, 00:30:31.563,00:30:36.334 against, you know, parties in the Middle 00:30:36.334,00:30:41.139 East.
Israeli, and basically, you know, it was 00:30:41.139,00:30:45.977 just leveraging simple TCP. So even though this is kind 00:30:45.977,00:30:48.380 of a sophisticated targeted attack, you can see that, you 00:30:48.380,00:30:53.118 know, sometimes it's easier to blend and remain kind of 00:30:53.118,00:30:57.189 obscured, if you will, than to go completely out of your way to be 00:30:57.189,00:31:02.294 able to essentially evade detection. So we talked about a 00:31:02.294,00:31:04.763 few different, you know, types of malware. Let's look at some 00:31:04.763,00:31:08.934 trends. So one of the first ones that's really interesting is 00:31:08.934,00:31:13.505 SSL. Again, just like Tor, SSL is, you know, a 00:31:13.505,00:31:18.577 critical, fundamental, you know, component of our lives, and 00:31:18.577,00:31:21.913 justly so. You know, we basically went in the last couple 00:31:21.913,00:31:26.351 years from about 30% of the Internet traffic to, you know, 00:31:26.351,00:31:31.723 just right around, you know, 70% today leveraging SSL. And 00:31:31.723,00:31:35.127 so what does that mean when it comes to, you know, 00:31:35.127,00:31:40.565 encryption or to command-and-control? In 00:31:40.565,00:31:44.302 and of itself, it didn't mean much, but one thing that was a huge 00:31:44.302,00:31:48.573 game changer is Let's Encrypt. Again, an excellent project, 00:31:48.573,00:31:51.543 and, you know, basically allowing anyone to get SSL certificates 00:31:51.543,00:31:54.613 without having the security poverty line, and, you know, the 00:31:54.613,00:31:58.583 browsers would trust it, and so on and so forth. So you could 00:31:58.583,00:32:01.186 secure your application, but now the attackers are leveraging 00:32:01.186,00:32:04.322 that too, right?
Because they say, hey, you know, I can now, in 00:32:04.322,00:32:07.759 automated fashion, get legit SSL certs that the client is going 00:32:07.759,00:32:11.997 to trust, for free, and, you know, I can just burn them, and just like 00:32:11.997,00:32:15.700 a domain name, just kind of rifle through them. So while 00:32:15.700,00:32:18.103 I don't think this will have much of an impact on, like, the 00:32:18.103,00:32:21.139 state-sponsored, you know, malware, I think that, you know, 00:32:21.139,00:32:23.775 especially for crimeware, it's like, why wouldn't you throw it 00:32:23.775,00:32:25.110 in, you know, an encrypted tunnel? 00:32:25.110,00:32:26.444 Just make it that much harder 00:32:26.444,00:32:29.981 for organizations to find this information. 00:32:29.981,00:32:35.620 Now IPv6 is really interesting because, 00:32:35.620,00:32:39.224 you know, we don't see quite as much of it as one would expect, 00:32:39.224,00:32:43.328 and even in the case of malware today, you know, 00:32:43.328,00:32:47.566 it's not as prevalent as, you know, we 00:32:47.566,00:32:50.101 probably would have predicted, you know, five years ago, you know, 00:32:50.101,00:32:53.972 even with all the, basically, IPv4 net blocks being 00:32:53.972,00:32:58.376 exhausted. But it actually represents a pretty 00:32:58.376,00:33:01.613 big challenge for us in the security community. You know, you 00:33:01.613,00:33:05.317 can get your own, you know, /48 from, you know, 00:33:05.317,00:33:10.889 Hurricane Electric, you know, which is 65,000 net blocks, 00:33:10.889,00:33:12.924 each, you know, I don't even know what that number is, a 00:33:12.924,00:33:17.329 trillion whatever, of hosts, for yourself, right?
And so 00:33:17.329,00:33:19.931 some of the traditional things that we could do, where we could 00:33:19.931,00:33:23.001 say, hey, you know, we can blacklist individual IPs or even, 00:33:23.001,00:33:26.705 you know, kind of pseudo net blocks, how do you do that when, 00:33:26.705,00:33:30.308 you know, anyone can get access to such a massive number of IP 00:33:30.308,00:33:33.845 addresses? You know, I definitely think that sooner or 00:33:33.845,00:33:37.883 later IPv6 is gonna start to make a big splash once we have 00:33:37.883,00:33:42.921 that tipping point of, you know, availability to 00:33:42.921,00:33:44.923 endpoints. And we're definitely, I think we're 00:33:44.923,00:33:48.727 starting to get there very soon. And the other interesting 00:33:48.727,00:33:52.130 thing about IPv6 is a lot of security technology actually 00:33:52.130,00:33:54.833 still doesn't support it, surprisingly enough. Or it 00:33:54.833,00:33:57.669 does, but, you know, you're running an ancient version of whatever 00:33:57.669,00:34:01.339 firmware, you know, from a vendor, and it doesn't support 00:34:01.339,00:34:05.377 it. Or, you know, one of the interesting things is, you know, 00:34:05.377,00:34:08.413 with IPv6, you know, there's all the different tunneling 00:34:08.413,00:34:12.984 capabilities, so, you know, even today you can do IPv6 over IPv4 00:34:12.984,00:34:15.954 tunneling in a number of different protocols. IP protocol 00:34:15.954,00:34:19.925 41 is a good example of that, but you can do it over GRE 00:34:19.925,00:34:24.195 and so on and so forth. And because you can take that 00:34:24.195,00:34:28.533 approach, you know, if security technology can't strip 00:34:28.533,00:34:34.172 off those layers, can't recognize it, then it's just, you know, 00:34:34.172,00:34:36.374 it's a perfect path, right?
Because it can just send it 00:34:36.374,00:34:38.977 right on through, where it may detect it in an 00:34:38.977,00:34:43.114 unencapsulated format; it'll totally be blind to it, totally miss 00:34:43.114,00:34:48.320 it, when it comes to just, you know, slapping a header on. Tor, 00:34:48.320,00:34:52.424 as I mentioned, so this is from, you know, some of the internal 00:34:52.424,00:34:56.361 data I have access to, but we've definitely seen an increase in 00:34:56.361,00:34:59.064 the malware samples using Tor over time. I mean, it's a little 00:34:59.064,00:35:03.034 bit lumpy in some cases, but it certainly isn't going down, 00:35:03.034,00:35:07.372 and, you know, I think it's just kind of a matter of time, 00:35:07.372,00:35:11.376 you know, on the threat landscape. You know, if people, you know, 00:35:11.376,00:35:14.079 don't start blocking other mechanisms, and they don't 00:35:14.079,00:35:17.582 really do anything to address Tor, then, you know, more and more 00:35:17.582,00:35:21.119 authors will just go with that. Now, leveraging, 00:35:21.119,00:35:26.091 you know, actual cloud apps for command and control. You know, 00:35:26.091,00:35:28.226 again, this is so attractive, and, you know, here's 00:35:28.226,00:35:30.261 the thing. You know, I talked about some of the names that you 00:35:30.261,00:35:33.531 would know, right, the Twitters, the Amazon, the Microsoft, 00:35:33.531,00:35:36.368 you know, how they're using, like, TechNet or something to 00:35:36.368,00:35:40.171 encode messages, but really I'm actually a lot less worried 00:35:40.171,00:35:44.643 about the name-brand cloud apps than I am, you know, other 00:35:44.643,00:35:48.013 types of systems, just like how my bakery got, you know, popped 00:35:48.013,00:35:51.416 with Angler.
There's so many mom-and-pop shops or other 00:35:51.416,00:35:54.886 organizations, other applications that are out there 00:35:54.886,00:35:57.822 that won't have, you know, such a sophisticated team with, you know, 00:35:57.822,00:36:00.425 incredible research staff that'll be able to, you know, 00:36:00.425,00:36:03.261 basically identify that, hey, something is going on here, 00:36:03.261,00:36:05.230 'cause now there's all these thousands of hosts that are 00:36:05.230,00:36:07.966 connecting, and, you know, there's some shenanigans afoot, 00:36:07.966,00:36:10.702 right? You know, they might notice eventually when 00:36:10.702,00:36:13.371 everything totally crashes, but it might take a long time before 00:36:13.371,00:36:18.176 they get to that point. And again, it's 00:36:18.176,00:36:20.812 just such an attractive target, because again, 00:36:20.812,00:36:23.181 you don't have to host anything. You give up a little bit of 00:36:23.181,00:36:26.251 control, but, you know, if you can do it right, it's, 00:36:26.251,00:36:29.888 you know, kind of primed for the picking. And along 00:36:29.888,00:36:35.160 those lines, you know, there's so many 00:36:35.160,00:36:38.263 different ways that you could leverage the cloud app to be 00:36:38.263,00:36:41.666 able to, you know, hide the information. You know, whether 00:36:41.666,00:36:44.936 it's an application like Dropbox, where you can upload files, 00:36:44.936,00:36:48.006 whether it's, you know, Snapchat or something. 00:36:48.006,00:36:50.742 Who knows?
Snapchat, or Instagram, where you can upload 00:36:50.742,00:36:53.712 an image and have the information literally encoded in 00:36:53.712,00:36:55.714 that image and have people grabbing it, and all of a sudden 00:36:55.714,00:36:58.550 you're trending on, you know, Instagram or whatever, you know, 00:36:58.550,00:37:02.020 but it's really because all this, you know, malware is phoning 00:37:02.020,00:37:05.090 home and it's grabbing and it's getting this information. You 00:37:05.090,00:37:10.495 know, it really creates, you know, an infinite set 00:37:10.495,00:37:14.032 of possibilities. So, you know, I expect in future years, and 00:37:14.032,00:37:16.768 really all the steg that we could dedicate a whole talk to, 00:37:16.768,00:37:19.838 maybe that'll be something I'll cover in a future talk. 00:37:19.838,00:37:23.475 But, you know, it's really, you know, in my view, 00:37:23.475,00:37:24.809 you know, as soon as the kind of cat-and-mouse game kind of 00:37:24.809,00:37:26.144 catches up, the arms race, and attackers say, okay, you know, 00:37:26.144,00:37:27.479 some of these traditional methods aren't working, I 00:37:27.479,00:37:29.481 think that you'll definitely see more and more take advantage of 00:37:29.481,00:37:30.815 such a prime target.
Another thing is layered evasions. So, 00:37:30.815,00:37:32.183 you know, we see this with, you know, I would say more like the 00:37:32.183,00:37:33.518 APT actors, because, you know, they can, rather than 00:37:33.518,00:37:38.523 being crimeware and massively, you know, 00:37:52.403,00:37:55.140 triggering a lot of activity, you know, if you're just 00:37:55.140,00:37:58.543 doing some IP fragmentation with TCP segmentation 00:37:58.543,00:38:02.347 evasions on top of that, you know, maybe throw in 00:38:02.347,00:38:05.683 SSL above that, HTTP, there's obviously a lot that you can do 00:38:05.683,00:38:10.121 within the HTTP protocol to be able to hide information. 00:38:10.121,00:38:13.858 And of course, as I've gone into at some length, you know, there's 00:38:13.858,00:38:16.561 a lot that you can do in the actual embedded content itself, 00:38:16.561,00:38:21.733 starting to leverage these techniques, you know, 00:38:21.733,00:38:27.305 in concert, right? Because really it's a 00:38:27.305,00:38:31.309 way that you can catch, you know, some security vendors off 00:38:31.309,00:38:36.080 guard that, basically, you know, even in 2016, 00:38:36.080,00:38:39.384 might be blind to either the individual mechanisms or some 00:38:39.384,00:38:43.788 combination of the mechanisms. It's definitely a 00:38:43.788,00:38:47.659 real concern, and, you know, again, then you can keep on looping all 00:38:47.659,00:38:51.062 these evasions and you tunnel all the traffic; it's kind 00:38:51.062,00:38:53.665 of, you know, up to, you know, the mind's eye in terms of 00:38:53.665,00:38:56.868 imagination for how sophisticated the evasions could 00:38:56.868,00:38:58.203 get. And, you know, as I've been saying a whole bunch, 00:38:58.203,00:38:59.571 steganography is, you know, just, you know, the 00:38:59.571,00:39:00.839 possibilities there, so limitless.
So, you know, I 00:39:00.839,00:39:02.173 would definitely expect to see more and more actors, and I guess 00:39:02.173,00:39:04.242 the really scary thing about steg is that, you know, when done 00:39:04.242,00:39:05.643 right, it's so incredibly difficult to identify, 00:39:05.643,00:39:07.011 you know, as we saw earlier with the mirrored 00:39:07.011,00:39:13.184 images, right? So it's almost, you know, what 00:39:13.184,00:39:18.189 concerns me is more the unknown and known aspect of 00:39:27.365,00:39:30.335 attackers that could leverage this type of 00:39:30.335,00:39:33.871 technique, because unlike, you know, some of the traditional 00:39:33.871,00:39:37.475 mechanisms that we can use to identify individual patterns, 00:39:37.475,00:39:40.678 identifying steganography is incredibly difficult in a lot 00:39:40.678,00:39:45.383 of cases, both for human and even for machine. So, 00:39:45.383,00:39:48.486 yeah, how, you know, how do you do that when, you know, you have the 00:39:48.486,00:39:51.289 bandwidth that we're sending ever-increasing, it's getting 00:39:51.289,00:39:54.192 more and more expensive to cope with that; how do you even 00:39:54.192,00:39:57.895 identify when this type of technique is being used? It's 00:39:57.895,00:40:01.599 a very big problem. So we kind of talked a little bit 00:40:01.599,00:40:04.469 about, you know, the different trends and 00:40:04.469,00:40:06.504 predictions. Let's talk about defense, right? What are some of 00:40:06.504,00:40:09.474 the things that you could do, to take away from this talk, to, you 00:40:09.474,00:40:12.910 know, basically defend your network, your assets, your 00:40:12.910,00:40:16.514 infrastructure? And start with the really obvious, but, 00:40:16.514,00:40:21.119 shockingly, it still is not, even in 2016, 00:40:21.119,00:40:25.290 that highly used.
So basically, I took a ton of 00:40:25.290,00:40:28.159 malware samples, millions of malware samples that we had, 00:40:28.159,00:40:30.528 and looked specifically at the command-and-control ports, 00:40:30.528,00:40:34.432 what ports they were using, and about 17 percent of 00:40:34.432,00:40:39.671 the malware was using high-range TCP ports for command 00:40:39.671,00:40:42.707 and control. So I'm not even talking about, you know, 00:40:42.707,00:40:45.243 other aspects of the malware. I'm talking specifically about the 00:40:45.243,00:40:48.079 command and control. And they do that because, of course, most 00:40:48.079,00:40:51.516 people leave those wide open, and that's kind of a bad idea. I 00:40:51.516,00:40:55.753 totally get why, and it can be an administrative nightmare, but, 00:40:55.753,00:40:58.456 you know, you can eliminate a lot of low-hanging 00:40:58.456,00:41:00.925 fruit when it comes to command-and-control, and 00:41:00.925,00:41:04.329 basically, with a lot of these pieces of malware, you 00:41:04.329,00:41:06.831 might be able to totally break it if it can't phone home, right? 00:41:06.831,00:41:09.334 If it can't get that extra payload, if it can't, you know, 00:41:09.334,00:41:12.470 share that encryption key or whatever, you can prevent this 00:41:12.470,00:41:15.473 attack from being successful with, you know, a click of the 00:41:15.473,00:41:18.910 mouse. You know, another big thing is making sure that you 00:41:18.910,00:41:22.647 don't have, you know, applications that you 00:41:22.647,00:41:25.783 wouldn't expect or wouldn't desire on your network running 00:41:25.783,00:41:28.986 on your network. So, you know, if you're an enterprise and there's 00:41:28.986,00:41:31.622 no real reason for you to be running Tor, you probably 00:41:31.622,00:41:35.493 shouldn't allow Tor out, because, you know, that malware will 00:41:35.493,00:41:38.763 definitely take advantage of that.
You know, even 00:41:38.763,00:41:42.033 unknown binary, we shouldn't say streams, but basically, you know, 00:41:42.033,00:41:44.669 some malware on occasion will just run, you know, some sort of 00:41:44.669,00:41:48.339 odd encrypted protocol. If you can do deep packet inspection 00:41:48.339,00:41:51.476 and do, basically, encryption entropy, which is something that 00:41:51.476,00:41:55.880 a lot of modern IDSs do, and NGFWs, you can identify 00:41:55.880,00:41:58.883 potentially, you know, unknown types of malware just 00:41:58.883,00:42:02.653 because, you know, again, it's not matching a traditional 00:42:02.653,00:42:05.356 protocol. It's actually not leveraging steganography; it's 00:42:05.356,00:42:10.461 kind of standing out like a sore thumb. The next thing is to 00:42:10.461,00:42:14.932 fingerprint known malware. And this, you know, 00:42:14.932,00:42:19.203 I'm definitely gonna give a shout-out and plug to, you know, ET 00:42:19.203,00:42:23.841 Open, which is, you know, free to anyone. We maintain it, you know, we 00:42:23.841,00:42:26.611 curate it, but it's free to anyone in the community, and 00:42:26.611,00:42:30.114 that's something that we focus heavily on, because, you know, 00:42:30.114,00:42:32.984 rather than having, you know, just trying to only fingerprint all the 00:42:32.984,00:42:36.621 CVEs, you know, play the CVE game with, you know, 15-year-old 00:42:36.621,00:42:39.490 German help desk software, whatever, you know, focusing on, 00:42:39.490,00:42:42.360 hey, we see this malware in the wild, right now, and we're going 00:42:42.360,00:42:47.231 to specifically identify it, and so if you see this trigger, you 00:42:47.231,00:42:50.401 know, you really know that this is bad.
And, you know, 00:42:50.401,00:42:53.571 again, you know, a lot of people talk about the security poverty 00:42:53.571,00:42:56.774 line, and that's true to some extent, but there are a lot of 00:42:56.774,00:43:00.178 great open-source tools, you know, you don't have to 00:43:00.178,00:43:03.047 break an arm and a leg to get your hands on, and this is a 00:43:03.047,00:43:05.349 great example, because, you know, by fingerprinting the known 00:43:05.349,00:43:09.053 malware, you know, you can introduce, you know, kind of a 00:43:09.053,00:43:12.824 very good signal-to-noise ratio and basically 00:43:12.824,00:43:17.595 identify the known bad. Now SSL is, you know, again, kind of 00:43:17.595,00:43:20.198 a mixed blessing, right, because there's just a lot of 00:43:20.198,00:43:24.535 blind spots nowadays, especially if you're off of an SSL tap. 00:43:24.535,00:43:27.972 And so there's a few different things that you can do when 00:43:27.972,00:43:30.842 it comes to SSL. You know, there's a lot of new 00:43:30.842,00:43:33.778 systems that are supporting SSL man-in-the-middle. Again, 00:43:33.778,00:43:37.715 there's, you know, controversy there; you can't always use it, 00:43:37.715,00:43:41.819 you know, and for good reason, but, you know, if your 00:43:41.819,00:43:45.790 situation dictates and you can break it open for some traffic, 00:43:45.790,00:43:49.360 for instance, let's say any SSL site that 00:43:49.360,00:43:52.096 isn't categorized by, say, like a web filter or something like 00:43:52.096,00:43:54.966 that, you could break it open and inspect it. You'd be able to 00:43:54.966,00:43:58.603 identify, you know, potential command and control 00:43:58.603,00:44:02.673 infections and so on and so forth within the SSL stream. But 00:44:02.673,00:44:05.576 the good news is actually you don't have to do that in all 00:44:05.576,00:44:10.448 cases.
Uh and again you know uh the ET Open dot abuse dot CH is 00:44:10.448,00:44:15.286 another great uh source. Um you know have uh not only signatures 00:44:15.286,00:44:18.890 but published blacklists, certificate blacklists. So just 00:44:18.890,00:44:22.593 by you know you can actually just view what is a known bad 00:44:22.593,00:44:25.029 certificate you never have to crack open the stream. You can 00:44:25.029,00:44:27.899 just fingerprint and say okay, you know this machine it popped 00:44:27.899,00:44:30.902 because it's reaching back you know using a, let's say Dridex 00:44:30.902,00:44:35.106 uh uh known bad SSL cert, going to a known bad site. Um so it 00:44:35.106,00:44:38.109 doesn't require you to actually crack open the stream to figure 00:44:38.109,00:44:42.280 that out. Heuristics and Anomaly Detection. You know normally 00:44:42.280,00:44:45.149 these things drives us all crazy because they're so chatty and so 00:44:45.149,00:44:48.386 kind of unreliable but as you probably saw in a bunch of the 00:44:48.386,00:44:51.422 samples, especially on some of the target attacks, um you know 00:44:51.422,00:44:56.394 basically if uh you know if uh you um you know it it it when 00:44:56.394,00:44:59.964 leveraged in the right context they can really light up like a 00:44:59.964,00:45:04.101 Christmas tree because you will find uh you know uh uh some of 00:45:04.101,00:45:05.970 the different types of techniques in these layered 00:45:05.970,00:45:08.973 evasion techniques. And it's a great way to defeat it again 00:45:08.973,00:45:11.909 doesn't require commercial solution, there's tons of off 00:45:11.909,00:45:15.313 the shelf stuff that you can do and leverage uh to be able to 00:45:15.313,00:45:18.983 detect these types of techniques. And really it's you 00:45:18.983,00:45:21.852 know, at the end of the day just giving a shit right? Um you know 00:45:21.852,00:45:24.755 a lot of people um they just don't right? 
[Laughter] And 00:45:24.755,00:45:27.825 they're they're they're just kind of like uh uh um you know I 00:45:27.825,00:45:30.861 was told there's kind of three types of organizations right you 00:45:30.861,00:45:33.831 have like the compliant, you have security conscious and you 00:45:33.831,00:45:39.904 have the um‚ and you have the um uh security sensitive. So the 00:45:39.904,00:45:43.040 compliant is just like, I don't care I just need to buy this so 00:45:43.040,00:45:46.444 I can check off this PCI checklist and you know just tell 00:45:46.444,00:45:49.180 me how much it is, go away. And you know the security uh uh 00:45:49.180,00:45:52.049 con‚ uh you know conscious who are like hey you know we wanna 00:45:52.049,00:45:53.918 do the right thing, we don't have you know a whole team of 00:45:53.918,00:45:57.655 experts, um you know and and and they're definitely a perfect 00:45:57.655,00:46:00.491 audience for this because again you know you can get you know 00:46:00.491,00:46:03.394 even without having to spend an arm and a leg you can get 00:46:03.394,00:46:06.697 solutions that help you if you actually care. The security 00:46:06.697,00:46:09.567 sensitive you know they kind of have uh you know uh uh a whole 00:46:09.567,00:46:12.036 practice going on and a lot less worried about them, and they 00:46:12.036,00:46:16.440 kind of know what to do. Um uh but you know perhaps and most 00:46:16.440,00:46:20.478 importantly is to get involved right? Um so there's and I don't 00:46:20.478,00:46:23.547 mean like in a spend money, donate, or anything kind of way, 00:46:23.547,00:46:26.817 like if you find uh you know command and control channels, 00:46:26.817,00:46:30.321 interesting samples uh you know in your own environment um you 00:46:30.321,00:46:33.658 know it's really easy to get them into the broader community. 00:46:33.658,00:46:38.729 Uh ET Open's a great way, uh Snort. 
You know VRT uh as well, 00:46:38.729,00:46:41.065 there's other foundations if you're a coder you can develop 00:46:41.065,00:46:49.674 help develop the engines that can detect this stuff. Uh you 00:46:49.674,00:46:51.308 know Suricata, Snort Bro, uh Mallic. There's a whole bunch of 00:46:51.308,00:46:53.110 uh different ways that that you can uh get involved so‚ just 00:46:53.110,00:46:55.846 to kind of wrap this up because I know, it's beer o'clock and we 00:46:55.846,00:46:59.183 definitely uh definitely don't wanna impose on that um. So so 00:46:59.183,00:47:03.020 basically, the trends speak for themselves. You know, I don't 00:47:03.020,00:47:05.890 have to speak in hyperbole everyone knows you know how 00:47:05.890,00:47:10.161 serious the the actual malware and compromise problems are. Uh 00:47:10.161,00:47:13.731 you know and uh and uh it's only getting worse it's really not 00:47:13.731,00:47:16.667 gotten to the point where it's better. The attack surface is so 00:47:16.667,00:47:19.970 massive, there's so many different ways that we could‚ 00:47:19.970,00:47:22.907 we can get breached. But you know we ca leverage our 00:47:22.907,00:47:25.876 strengths in this case protecting command-and-control 00:47:25.876,00:47:31.215 channels which is our attackers weakness in a lot of cases to be 00:47:31.215,00:47:34.085 able to you know to both prevent infections and uh and to 00:47:34.085,00:47:37.555 counteract when they do happen and respond quickly. And um you 00:47:37.555,00:47:40.357 know basically, we up our game they're going to up their game. 
00:47:40.357,00:47:42.893 We you know gotta have a line of site to where things are going 00:47:42.893,00:47:46.063 in the future um but uh you know but but as long as we kind of 00:47:46.063,00:47:50.668 stay in touch and tune, you know review our you know, standing 00:47:50.668,00:47:53.137 with the community, reviewing our our logs our information, 00:47:53.137,00:47:55.840 infrastructure, what it has to tell us uh you know that's 00:47:55.840,00:47:58.008 really kind of the best shot that we have at mitigating 00:47:58.008,00:48:02.713 stuff. Uh and um yeah basically that's what I got and I want to 00:48:02.713,00:48:10.454 say a few thanks yous'. [Applause] Thank you all Thanks 00:48:10.454,00:48:13.290 Defcon, you know for uh accepting this talk. LEtting me 00:48:13.290,00:48:16.994 get up here, also Box and uh for everyone for attending all the 00:48:16.994,00:48:20.164 way over here from Bally's, missing out on Mr.Robot. I saw 00:48:20.164,00:48:22.166 them all in the green room it was really funny I was like Oh 00:48:22.166,00:48:25.970 my God, it's like I'm not worthy. But uh yeah basically 00:48:25.970,00:48:33.644 the whole emerging threats team, ProofPoint. Ah, there's too many 00:48:33.644,00:00:00.000 people to name but uh thanks everyone.