
BAB0: A custom sample that bypassed cutting-edge APT attack detection tools



Formal Metadata

Title: BAB0: A custom sample that bypassed cutting-edge APT attack detection tools
Alternative Title (Hungarian): BAB0: Egy speciális minta, amely megkerülte a legmodernebb APT támadásérzékelő eszközöket
Title of Series: Hacktivity 2015
Part Number: 28
Number of Parts: 29
Authors: Bencsáth, Boldizsár; Buttyán, Levente; Ács-Kurucz, Gábor; Kamarás, Roland; Molnár, Gábor; Balázs, Zoltán
License: CC Attribution 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
DOI: 10.5446/18835
Publisher: Hacktivity
Release Date: 2015
Language: English

Content Metadata

Subject Area: Computer Science
Abstract: In this talk, we present BAB0, a custom sample that we developed for testing purposes and that bypassed 5 cutting-edge APT attack detection tools. We explain why BAB0 escaped detection both in the phase of infecting the victim and later during continuous communications with a remote C&C server. We show the tricks that we designed and implemented in BAB0 and try to make some demonstrations as well. We also elaborate on the problems of testing anti-APT products in general, and give some hints on new testing methodologies that are currently emerging within the AV test community.

of atomic radii and my name is bordered adventure time from the Budapest University of Technology and Economics from the trees this up and those that have to all of you were hard core activity visitors center stage here for the last presentation for this reason I I try to be a more funny and and a bit more interesting so only half of my presentation is about the suspected that the sample called bubble bubble this course corresponds to the oracle and GATT product test
and in the interest of the talk about some other interesting items you're going on so last year I just that they have to be to remade them on the PDT product as what was this all about uh you all know the year of normal regular and divide products and do not have to find all these kind of tricky stress like started that Baxter 0 they vulnerabilities and other stuff so therefore there is a range of new products provided by different from lost and all these vendors say that OK hello please by our product and you will be so the received and and all your threats view of the found them that your system you'd be safe again and that nobody can which is surely not true that and the least of the vendors is quite long and all these products has a fancy marketing material and so on but what is the truth if you really want would want to buy something for 1 thousand thousand dollars you expect that the product should do really what it is intended to do and and you you need some more information how good it is so it is quite problematic to evaluate what to buy and and say that OK if it were good or not of course at the end of my presentation be saved by all of these products by antivirus use all these other products but wanted wanted to show is that maybe the marketing material is not enough and we need much more sophisticated testing and understanding how how these products work and what are the problems they are protecting you against and what's not so there was also a controversial tests by assist less than that of an event or series varying the people were not really happy about the results I mean that of how did the test was performed and therefore the the move from the data to be a good idea last year to carry on a bit more advanced interesting test on these products as I mentioned just at the activity but at the end provided some feedback what happened but not details uh and this presentation of the 1st part is all about the details how what what is this the particle 
sample and how we treat products to to get direct attack going through so that would be carried out this test on yes it does and Greece together so
what we did is we developed for new custom samples call some Poseican cortical quantum mother about but it is not malicious I I mean that's what these malicious what this transmitting information can be malicious if it is transmitting stolen information and not malicious if it is not so it is not not just based on the fact what it is so that the official name is sampled but of course you can translate into to some kind of experiment mother or something like that because the functions are so we created for different samples and reduce the burden that only 4 to the 2 weeks with a limited number of people so we had no 1 million budget to be those that did not have a vote me stuff working on that all nite and the so the small small-scale at and of course we try to make different samples treated the different things in mind so we try to make something that is quite easy to be found and therefore we can test that all products really find the samples and he also made the final the biggest and most interesting sampled at an issue that Attleboro at all our tricks that we could define in these 2 weeks and then tried that this should be really undetected by the product and of course the for for this test to made real modern-looking samples I mean that if make a program that does not make any kind of malicious behavior or the that does not run programs it cannot be controlled remotely and so on pretty abuse that that nobody view detected uh so what we did is we realized that like the samples and what he did is destined these the samples on 5 different and the beauty products all these products are natural based products so like a proxy checking of what is the traffic and then doing something not endpoint detection standpoint option was all the more virus nothing at all this is important difference between
normal stuff and and real environment but our focus was to test these products alone and not on additional ones that can be combined with the soul and the result of which you ordered the present it is the result detailed on the slide and naming leaders of you have these for test samples and test for is called bubble and as you can see all the 5 products thereby test so and meaning that there was no report or is this like not the speech is not really an left message like you were infected and it's most important to test your system right now OK so
what they did is they later shared the the particle our sample the mother a malicious party executable part of of the uh bubble sample um did vative some 2 months to people being prepared for introduction in introducting it and he did not publish this here the code therefore it cannot be used for malicious activities except if somebody CNC server but to bit those who can make such kind of activity they can actually make another mother and it's not a big deal of course it is because researchers some of the fancy site and we don't want to help others how to add vectors systems just open the BDI and show that the the other honorable to similar text so with the setting was true or blog site you can find steel death and all of the sample but how would these really looked at how it worked and what was the tree combined and no product detected didn't accept quite easy and and not so sophisticated uh in advance you received by yourself and it doesn't take hours to do to do is give you the details about that shows that even this this light easy tricks you can bypass these products than those guys who have a lot more time to to design and you look mom budget to design direct that it is surely not be due to find similar ideas
uh doing their activities so 1st of all I have recording and how I installed this sample on on the computer and also part of it is how a home or dashboard or control panel look like then we can control the the uh infected computer about this is the stuff of working so if you open up a this of that page which is the infection 1st move the mouse just showing that the more miles icon is moving and if I click here and there there and nothing happens and if even if I click on the the downloaded the icon nothing happens so idea that explain it lies about what what is the reason behind OK I reloaded the page and click on the download button and of course as I mentioned there is no checks and the users crazy and accepts this was the start of the run on the computer and now on sample is running of course we have found the note is that this is not the source of the they use estimate is that you have something
a problem here so this is the command and control server does support for for any of you have to go on the data here so you read initialized database and so we have to wait a bit uglier or client is reporting so I just to change the system the idea for the computer I want to control and sound impact task that please print to our of the actual working directory if you click on onto you respond and on the response you can see it's in my home directory actually so I can even change directory for let's say it is bubble so just put change directory that that is the commonest you wouldn't be completely cannot even under additional comments so it is not like the use of the battle on the control panels and this is in sense including the contrapuntal for our test so you can check the directory there is a secret book the extended file in inside this directory so now we can click on download file of a tree of a new task again already completed the modified downloaded is renamed to find . and so I I I save 1st to into a
directory called stolen and various showing in farm manager what is the constant so
this is the director stolen in the 5 contains the text actually because it was a text file very secreted distorts here so the successfully stored information from the target so this is a demonstration that the sample was really of doing malicious stuff in that
sense that it is a lot of it has all the functions of about a traditional remote access Trojans generally fields we have other commands like execution commands and things like that but it's not really interesting of course we can add new functionality or
upload knew what it was but it is not interesting from or point of view as long as the
natural traffic is really doing is looking like a normal to that can do this demonstration both defined has shown that it is really looking like that so if you go notifies and land-use in things that it is really close to what the normal used to OK so this is how it works and and noise explain why this happens during the yet so
1st of all there is no download link on this webpage at all so this for appear that page is the sink seemed to a single image of PNG file that come with that has these download text and that into the picture so it is made by Photoshop or whatever and the the download icon is just a part of the picture in my fingers so if you click on any other place than the download link on the border of world drowning the picture than or JavaScript that recognizes that some somehow the the user clicked on that point on the vector is not intended to pick their so maybe you you have something like an analysis frame framework running and clicking on different parts of the web page and that disables all the further activities so if you click the other places on the web page down the download link than the do functionalities blocked and nothing will happen so therefore I have to reload the page after the clicking several times poor mostly really really have no exact data how these things on test how these products tested or or solution so we don't know if the streak was important or not at but this is just a good idea to do so then I moved to the of the icon the moles of a pointer to the download link then we have this new icon the hand icon assigned and assay mentioned there is no link on this page applaud and how it can be it can be possible it is emulated by JavaScript whenever you move your icon to the the the target area then the show you the hand icon instant of in in instead of being normal like 0 so sold the
others case there is no executable try transfer on the the virus so the products could not see any executable downloaded from lost our servers because there is no executable at all then be clicked on the download icon basically what happened is that we had some javascript code that actually extracted of steganographic early encoded information from this picture which was the mother itself the executable and the JavaScript was able to emulate you know that when you click on that it is exactly looking like the a largest so you know that on the right-hand side you can see that OK do you want to run this program is that if you favor so from the user perspective which is the roots of like not downloading and executable but from the at point of view it was just a picture that was loaded already that the starting of the small stuff so it and there was no transmission during you click on on the download button and so on and on and on below you can see the actual contents of the directory so what we had this duty just a picture and HTML5 and so to JavaScript libraries and find a statute stuff so all that that's all of on the server side the distance Holly static fall the
of victory checks so what happened to in the now as you understand divorce stuff so then I moved amongst them nothing can justify I move it over to the download link then you can see that the most likely in making a difference if I click here and there and then we have a problem because due the novel is deactivated so we can you have to download the lord of scaffolding to the to click on the download like history does not mean anything you can see the executable file do you want to run it is in in the Hungarian nobody knows the the vendor of these little softer so I'm sure you want to run this I
want and then this the samples downloaded and is running in any of these so we know that it's works solve the yesterday I tested it again it works on the internet explorer and then also in Chrome so it is not a very specific feature of a brother but so that on the client
side there was no 1 . protectionists I mentioned there for all these malicious activities that can be found by anomaly detection or any of the traditional and the let's say traditional means like finding out that there strange behavior because somebody is running executive because there is no new process running the process lists 5 3 respice executes the commands and generates natural traffic this is simply not or whoever it extends the functionality of the protection of course maybe can be detected but of course realized that the curse can do other tricks and to avoid this kind of like a will give the stuff for a zero-day exploit whatever uh the next to the question is then OK installation is very hard to detect by these products but what about the network connectivity so how can we put all this information to commands we sent to the victims and the information that we'll be downloaded from the victims into a network traffic that review be analyzed by these devices and maybe you need to show that the these are suspicious and today we already had a presentation about finding out of strange stuff in natural traffic that actually Sebastian also shown that the behavior of detected bubble alter competition traffic at some sort of about this also check check the presentations from us so what we did is we created the smallest proxy server in PHP that basically passes for all the request that comes to a particular dialect accords for foreign to where you remote server containing 3 of 4 and discuss slope of all the different topics local of fusers banners whatever registration and feedback form of I don't know what so we just put all the correct decrease coming to us to to be so the land point and we're just a proxy of course we modify the labial debates just to 1st of all if event ever be demonstrated that do not show the actual the company who has this form which was the norm of the Hungarian verbs side column containing a forum and also if any of these products check 
something or any human checks this foreigners volleyed various you see that OK there are a lot of messages insights looks legally valid but there are no big title that the defect pages actually not here but there's still no hint that this is a the correct page in along so even if there is that human using involving the checking the all the validity of the that the biggest C or it's strange form never heard about that but it contains a lot of time thousands and millions of all 4 messages so it might be OK so widely created these proxies because we put all the communication been into the the downloading of different messages from this for the for the for the for for it not to be suspicious so much the view of of dividing bigger commands big transfers into fragments and then at then of you try to recover from all these fragment of all commander of all data that was submitted before it was even more signing a big fight was transferred from from the the client it could you also use the trip to and that that that the stolen information into a picture which is uploaded to some website and forceful on the form which is again not that suspicious everybody approach pictures the about cats 2 forms and so on so that basically that is 1 way or the other of you just as at the design of the small items like an addition of Cauchy like review use the piece that is the session ID conclude that used to store a particularity identifier of most likely to cannot be seen this is an opportune log about the order the the activity of a lot of our clients made so basically what a bubble these that taking Q taking their clicking the moving from 1 form to the other around only downloading and only small SME class so the information is embedded into cookies and sometimes because if more data is that is transferred than we downloaded by picture uploaded by a picture or something like that so all it of course this can be found the by the number of means like who is clicking 24 hours a day on 
forum messages and not reading at a single meaning so it was an old man of course suspicious but we expected that these products get most likely I am unable to differentiate between an automated process like Skype to talking with hundreds of different parties and and uh and then somebody who is using a form they are not concentrating so finding anomalies by like like that but it is not impossible to do something when it sold again and this is
a TCP dump like all this stuff about how the the identifier was transmitted so that's all basically not nobody treats all small items combined together and that the product was bypassed are no executable you steganographic multiple times uh only activated the this stuff or if the user is that a bad enough I mean that the retreat to run the the program from vendor or that is not known but that it is hard to detect the installation assignments and because of the lack of off any executable and then traces that this is something tricky and the communication is also problematic to to be found to the militias because it is like a normal looking traffic and so uh and that of course I have to add that this was a test was done on 1 of 4 that sites which has a good reputation so nobody can say OK this is the head that's either on or off websites number and then we already know about that so therefore I I think that these products has had a really slow chance to catch catch this type of attacks and if they is indicated that the success pieces that you feel this surely gets hundreds or hundreds of thousands of of a left messages daily and the because of normal traffic you can be such that suspicious as sort traffic and their hands so we did the product would be just impossible to use solve this is about double or and I knew that I have more than 20 minutes left and what I expect of authority by that I made these slides I expected that I can finish it so shortly and that that that means that I don't want to be slowed down and tell you all the way to the and on which is not quite interesting rather than
I could add some other information or other things I can talk about it and belongs to work for the 1st time in the recent months or 1 year and not particularly interesting thing was due to I was talking about that that I beyond but I could be on presentation was in Hungarian support or the torso the others were checking later on youtube my presentation that it's easier to them to to to get it in in English and but I deviation it's shorter so as you know the view the client active in the field of of uncovering the or difficulty analyzing their targeted that that's like that to do could be a mother of that is found in 2011 and at which is most likely them by the same guys who created stocks that and I don't have to introduce the static right now and then enslavement you can buy and several others are more or less but 1 interesting question what happened in the last year a lot of other than the other pieces of model for uncovers like the undersea what's called the creation group already in view of the order that had the presentation about the some of it and so on so lots of new uh discoveries for sure but the other interesting fact is that this is the European BCE the ordered uncovered emissions to continue their over their efforts so nobody knew what you happen after via find do cool find flame whatever but now you see something singular other than about the next steps like for due to the was active again as to good to go to 0 I did talk about the flame might be extinct but flame infected 10 thousands of course in the Middle East mainly and 1 1 reason behind that evil possi ble who knows that the at the ClA already knew knew that to some other stakeholders knew about the attacks so it was already found that it is no good anymore and the effectiveness of last available that the cost something considering that OK somebody viewfinders at that but what we want to use it anymore so most most but we also may be extinct maybe become of forming you got the curse there 
continued direct accent and of secure published quite interesting paper about all the of the activity that can belong to deduce family because it is not just a minute you but on you and you will cause a all the other objects together so check check to was that the report and also want to inspire you can check at the dam body board because the at the costs are still active so even after they of the odd they have been detected and they have been analyzed and shown that these are targeted at the groups because some of the samples all this happened to be detected on virustotal but they're not necessarily means that there is a report that there is these active group doing at pixel after this type of report they still active so of course that that's not not something you really surprising but nobody knew how we you have to learn about what be the next step for for for these guys sold for due to the the last 40 to no due to sample of was in February 2012 uh not only a few months after 2 ground and then we saw no real so no sample that was really belonging to the graph that but Kaspersky this year in the early summer of review the information that they have been attacked by by the due to so that the victim with the Kaspersky Lab itself which is of course as you know 1 of the biggest anti-virus members which is quite frustrating because the most likely to the case is not that this company is absolutely has no idea about security of the cases that even be companies like Kaspersky cannot protect themselves and we have to say that all and I admit that yes the at the cursor water is inside the perimeter of difference does not occur so uh across the can be happy that he would be the very able to find the optical traces for the aspect is possibly months later but but still being able to recover it some sense and the over all of the official statement was that they use the prototype and the APT system inside 1st can be found at traces by by these new product including interested 
of what can be that this property stuff yet key you've was important enough mean somebody reactor kingdom anti-virus companies is taking a big a big risks so it's easy to to get cold so it's not not not easy but then again like just like in the original article carries of you have something to say that that show was that it might be related to the review on talks about which which of the happens throughout the year and so on and also the 0 the exploits emphasizes that the the thing that these these guys sophisticated again but I meant I said that is due to 2 but provide should the that did not explain why should we think that it is related to the origin of the work that well maybe is sophisticated enough but made by other state and other the threat that was the question uh and I actually the have been contacted by Kaspersky under the the question was like 0 they think that the the data they found a more modular that is similar to the order to cool the simplest and what do you think and review the are frustrated because if you do review the details about this attack at the newspapers maybe the newspapers we also come to us and say well maybe it is not related to the duke worked so what about 4 decreases slept helping us in that manner so close look to doing some objective I mean not not to biased the analysis showing you if the example is related to work on the article uh affordable to they have new ideas it is highly modular modules are generally in demand memory and no hard presence so if you shut down the computer and take it to the home to you most likely you will be unable to find any traces on on the computer that these computers have had or used by the of uh that also means that if there even the main module is not installed on the computer and there is no other purposes at so if you turn the computer off and on again there have been no mother which is quite frustrating for those who will analyze this computer but with good for the occurs because if you 
realize life environment in a big company but most of the service running constantly 24 hours a day or something sometimes starting them but it is quite unusual to have all the computers turned off so even if only 1 computer even infected in the network may be can be can go back and in fact the other computers especially if they have yield a step that are compatible with the metrics that's all I can be more than that we want to know exploitation or something like that so it's tricky and risky and meets a lot of of work but it's really hard for 40 years guest of on the defense side 2 to 4 find the stuff and there was some discussion also in in India targeted prosperous to find something like 100 different modules and some of the modules will look like modules from other texts and that can be that OK the future on would do would we could say OK this is a Chinese that because this module is generally used in Chinese text but also involved in the most interesting part was these mean what you have due to what the analyzed to shoulder that it had the similarities so all of them I talk about the similarities and we find we found some into interesting similarities but there were also differences so at least you would like to do 2 main modules was redesigned in that sense that to remove all kind of possible detections from all the reports fortunately made so like a force Stuxnet and Duqu always there were a number of magic numbers inside and people who are you to talking about for example do you see this number like a key tool for 0 6 8 8 2 it can be a data and what what happened on that date maybe diversity of some developer maybe some other event in the Middle East who knows and and this was a world of course interesting to the press itself for the due to samples you don't see such magic strings which they look like a random so all kind of information like that was removed and those that over several others like about all the other things that was sort of this sort of 
supposed to to overcome to detect true origin of version is generally are generally not working against
the new 1 but there are also similarities and fun 1 important the C++ style language that they use so it is not C++ clusters commit a long discussion about that and it was even criticized because nobody exactly knows of all how do quiz program it looks like it is normal called but it is object-oriented and the but there are some differences on the binary quartic when you see a like of mutual function table started different position and so on and it remained the same for for the new to correct that of course along this is not the proof about the connection between these 2 2 things and of course they use the new girl compiler version centimeter versions sometimes and that that also makes difference is indeed the actual binary called but still there are similarities are just
some director of samples how uh what kind of similar to other similar we could from that there is a to include that can decrypt a routine which is normal for 1 of the mother I mean that they want to highlight some of the 1st things because it will be of use if somebody looks on the binary and it contains downloadable all 5 sensing something like that because money so they generally include the strings strings by not cryptographically because of the grade of encryption but something tricky X or something and for for the group with you can see this these entries routine on the strings which is a simple x or about 32 bits of each around uh and about the research to be but you see you have the repetition of of the actual magic number which is 8 6 1 8 6 F 1 if you look on the origin of the string description it is almost the same the court structure is a bit different but they also use this trick but with these 3 1 have these 3 reborn again this is not a proof I cannot prove a the relationship between 2 called who pieces of code because it is almost impossible but all this morning's together conclude the every bit of the fact that a lot of what was the target how it was that bad 0 and so on so altogether should show us that it is most likely the same guys 1 other interesting
points was the AES encryption code that of them that it indeed indeed the courts in addition to I think the unit vector was modified by annex sort of the the magic things on the left-hand side you can see these that they'd be a heads of the think that was used in the original dual called and now we have quite similar implementation but and the same sort meet but the the the magic number is now seemingly random which is strange in that perspective I already mentioned you that there are a lot of things in the press and the reports that what kind of metrics have been put in in in indeed the do that but I found that these that the was never published slide the loop on the during our analysis on Google and the phone will do paper and explaining that at the there was a string like that but still the developers removed and changed it because it was like OK you have to change all these things and not just those who that that was already discussed on our finalized OK but again it is not true just slightly but what that was 1 of the problem so both into 1 and due to there was this is from using a special character which is not exactly CBC or something it is similar to some of the standard trick towards but not fully fully uh exactly the same as this others this is so low that depicted here also the thing is the how we find the packet is coming after the other but the question is how to define a package expected to be completed low because it is a yes is a block I and the problem is that my guys found in the decoded that if the message is that some of them are smaller than 1 block sold like smaller than 16 bytes than a buffer overflow cannot cure here some verse I don't even see my slides so much in detail but you can possibly find it so the trick is that these different messages to small than the slope of the blog before does not contain any data and therefore it is it would be better to use and maybe even the process crashes on this is quite unusual to have this kind of God 
because if this AES code were, let's say, a library, then anybody who used it for short messages would instantly get some errors, and some of them would have notified whoever wrote the library and it would be fixed. But in this case it was implemented only for the case of Duqu, so it might never have been tested with short messages, because they use it in a particular communication ... and of course there were no reports about this problem in the interviews and former reports. But now we see that this implementation is quite similar; this is how it looks in the other one; there are some additional identifiers, so I don't waste time on that. Also
very interesting is the logging routine: they have a logging routine with magics put into the different parts of the code, like if I open a file then I call the log subroutine with a special magic ID that says it is a file open that happened, and they have this magic ID stored in their logs, so that, well, I don't know what, the file opening was started but it was unsuccessful or something like that. This is again a comparison of the original Duqu and the second one from Duqu 2, showing how these log routines are exactly called, and even the numbers of the different magic values used for these log entries are very similar; the magic numbers start exactly the same for both. And for communication
you also have some similarities, but for example the original Duqu used a JPEG file for hiding information, so there was a small JPEG file and additional encrypted information was transmitted after the HTTP transmission of the original file. Here they used a GIF for transmission and for ... The use of the PHP session ID for transmitting some identifier was like this in the original, and now they modified the data for a number of things, and they don't use the PHP session ID; instead they use ... for this transmission, and the GIF file does not have a fixed name like for the JPEG file, which was something like DSC00001; now the file name contains random numbers as well. This is
the list in the code of user agent strings, and there are some like those used in the original Duqu stuff, and now we have the similar stuff in Duqu 2, including ... and here the original one containing the PHP session ID, and possibly a lot of other stuff. We have a report about that and it is on the web, so you can check it by yourself, but the conclusion is that we are pretty confident that most likely the guys behind Duqu 2 were the same as for Duqu, and now you see why: not a single fact alone but the long list of similarities and the style and sophistication. I mean that even if it was not done by the same guys, they usually have a similar amount of money to make all the environment and so on, so it is usually not some ... operation or something; it is a sophisticated attack, but most likely it is done by the same guys. And the last topic
I want to talk about today is the ROSCO system, which we presented for example recently, last week, at the Virus Bulletin conference in Prague. It is called Repository of Signed Code. The importance of this is, this is quite interesting stuff, and the novel thing is that now you can use it by yourself, so registration is open and you can test if it helps your research in any kind of ... and you can send us feedback about how to improve the system. So what is it all about? The motivation is that digital signatures are more and more used in our computing environment, and therefore the resources that should be signed are more and more, like all these APK, Android applications are generally signed, Windows binaries should be signed, Windows drivers should be signed, and therefore the intruders also used digital signatures, and used digital signature certs and/or the infrastructure. So we already saw that this happens quite a number of times. The first one we saw was Stuxnet and Duqu; one of the similarities was that for Stuxnet the kernel driver was signed by the key of a Taiwanese hardware manufacturer. There was another piece, a kernel driver, that was also signed by another Taiwanese manufacturer, and for a long time it was attributed to Stuxnet, but now there was some information and debate about that, that possibly there was another Stuxnet attack against North Korea, and for that the different kernel driver might have been used in North Korea, which was uploaded ... totally different from China, but it might be the case that they really had this attack against North Korea, and people say that it was an unsuccessful attack against them, but who knows the truth. So there were these two samples of digitally signed and abused code in Stuxnet, and then Duqu also abused the ... signatures
because another Taiwanese manufacturer's key was used to sign the kernel driver of Duqu, and now for Duqu 2 we also have a digitally signed kernel driver. And of course later on we had, I don't say hundreds of samples, but possibly several hundreds of samples, where in those cases the attackers stole the private key of a vendor, and based on that certificate they stole from the vendor ... So the idea was to develop a large repository of signed objects, something like VirusTotal, containing all the metadata, all kinds of information about digital signatures, mainly related to code but possibly also related to SSL communications like X.509 certificates. We possibly do not store the executables themselves, but at least we have information about the source of the executable, the hash of the executable, and we also extend this functionality of the database to store information about Java and APK files, and to provide basic services like you can check information about a particular sample, if anybody has seen it, where the information was retrieved from, and other things. And the possibility of this system becoming more and more, things like adding other functions, for example a developer will be notified if any code is found on the internet that was signed by their key, and they can check if it is something originating from them or somebody stole the key and is using it for malicious activities. So with all of this in mind we created a prototype system, which is ROSCO, which is based on Hadoop, HBase databases, big data things, because we need to store a lot of information and efficiently retrieve it on the user's needs. We also made use of the Titan graph and other stuff, so you can possibly do research on different
things like, what is the relationship between this vendor and that vendor, or what other code has been signed by the same vendor, and other types of stuff. As I mentioned, we already collected a lot of information, but we should extend this if it is possible. We already used a lot of data that was available on the internet, like X.509 certificates, but also added the results from the scans on the internet; there are still some problems to get information about executables from other sites. To show you why it is important and that it is usable, just a small example, which is quite tricky and really demonstrates the power behind the idea. We found that in some cases, I don't know why, there was an APK file that was signed by a so-called, a guy called Ivan, so the certificate says that it is signed by Ivan; we don't know exactly who Ivan is. So the goal was to get information about what the database knows about that, what other antivirus engines say, whether it is malicious or it is not, and the result at the time was that only one antivirus takes it as suspicious or malicious, and on the other side the 46 others said that it is a clean file. OK, great, then I can install it on my phone. Or wait a minute, what can we do? OK, we know that this sample is signed by Ivan, so let's ask the ROSCO database: do we have any information on any code that was signed by the same key? Not possibly the same name, because there can be a lot of Ivans and they can have different public keys, but you can extract the public key and look for that particular public key in our database, and what we found is that we have information about a number of applications, especially APK applications, 100 applications, that were signed by the same key by Ivan. So let's go back to
VirusTotal and look at all these other pieces of code, and what is the result: OK, more than 20 different antivirus vendors say that it is suspicious or malicious, and only about half of the antivirus products say that it is not, which is quite normal; I mean that some of the antivirus products are not good enough to detect all kinds of samples. But that said, we know that this should be malicious; I mean if all these codes are malicious, then most likely the one with which we started the investigation is also malicious, so traditional antivirus could not help you, but the ROSCO system could help you find out more about the thing and protect yourself. And basically I don't tell you this
... I have reached the end of my presentation in time, so if you want to sign up, use the CrySyS site for finding and checking the system. Thank you very much.