Comparing the incomparables

Video in TIB AV-Portal: Comparing the incomparables

Formal Metadata

CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

It is common belief that APT groups are masters of exploitation. If anyone, they should know everything about it, right? Our research into the real-world uses of the CVE-2014-1761 vulnerability shows that this is far from true. It is common practice in the anti-malware world that security products are compared to each other in comparative tests. Even the tests themselves can be evaluated by the criteria of the Anti-Malware Testing Standards Organization. The only players who are not rated are the malware authors. This is for a good reason: their activities cover a wide range of operations that don't fully match and can't be exactly measured. The deep analysis of the samples using the CVE-2014-1761 vulnerability gave us a rare opportunity to compare the skills of a few different malware author groups. This is not a full and comprehensive test; given the complexity of the exploit we could estimate the skills only in a very narrow slice of the full set: the understanding of the exploit. But the situation is the same as with any other test: if you know exactly what you are measuring, you can draw valid conclusions. The presentation will detail the exploitation process, explaining the role and implementation of the RTF elements used in the process, the ROP chain and the shellcodes. We will investigate the different malware families that were using this vulnerability, and discuss the depth of modification of the exploit. This will give us a chance to rate the understanding and exploitation skill of the authors behind these malware families. The comparative analysis gave an opportunity to draw a relationship chart between the different malware families, showing strong correlation with previously known intelligence and adding a couple of new relations. The final purpose of the comparative analysis is to understand the strengths and weaknesses of our enemies in cyber warfare. The more we know about them, the greater our chances are for a successful defense.

Now, I could ask you how the party was last night and how bad the casualties are, so that I would be gentle with you and make this presentation light and entertaining. But I'm not a nice person, so I'll make it even easier and just jump right into it. I'm going to compare the incomparable. In the landscape we are moving in there are the malware authors, the malware-writing groups, and the malware protection programs. Every major constituent is thoroughly tested and their qualities are measured: the protection products are tested by independent testers, and even the special APT protection devices, which claim to be untestable, can be tested, as you heard in yesterday's presentation and in more detail today. Even the tests themselves are measured against the objective criteria of the Anti-Malware Testing Standards Organization. There is one single entity that was never tested: the malware authors. That's not fair. We should be aware of their capabilities, not only for the sake of fairness but because there is an actual war going on between them and us, and the first rule of war is that you have to know your enemy. If you underestimate them, we are going to get hit; if you overestimate their capabilities, your protection efforts will be misplaced and you will concentrate on areas you should not.

Just as an example: if you have a house full of valuable stuff that you want to protect, and you are afraid of burglars in the neighbourhood, there are a couple of options. You can build a wall all around the house, a couple of metres high, with an electric fence on top. That would protect you effectively, but it's expensive, it blocks your view of the outside, and it has an effect on the vegetation around it. If you happen to know that the burglars in your neighbourhood just come in through the doors and windows, because that is the standard operating procedure here, then you know the wall is not necessary: you should strengthen your locks, your windows and your doors. That's another measure, much cheaper, and you would still be protected. It still wouldn't defend you against nation states or the NSA and the like, but chances are the NSA is not interested in you. There are maybe about five nation-state level players, the Chinese APT groups, maybe one Israeli and one French, and that's about it. So you have to prepare for the vast majority of attackers, and you have to know their capabilities. That's the point of evaluating the malware authors, the APT groups and the common cybercrime groups, and that's the point of my presentation: not how to defeat these groups, but how to measure their skills.

There are a couple of problems with this testing. First of all, the subjects, the malware author groups, have different purposes: some of them want your banking and access information so they can steal your money, others want to steal the documents from your hard drive, and some, like Stuxnet, just want to destroy your facilities physically. They have different targets: some of them target home users, others large corporations, other groups target non-governmental organizations. The target range is also wide, and because of that they face different defences: home users typically have free solutions, large corporate users have enterprise solutions, and in some places advanced protection devices are in place as well. And they use very different approaches: some of them just send a phishing e-mail, a nice "click here and you'll be fine"; on the other side some use common exploit kits, and others use the latest zero-day exploits. There is a wide range of tools they use.

So the task is how to measure and qualify players who operate over a very wide range of activities. The solution is something like what professors do in university classes: they have students with a wide range of capabilities, they give them a problem to solve, and based on the level of understanding of the problem and the skill shown in the solution they rate the students. That's what I'm going to do: I'm impersonating the teacher, and the malware authors are going to be the students. For that, the problem has to be solvable; if it is not solvable, there is no point in the test. It also has to be difficult enough: if everyone scores perfectly, it's not a comparative test. The problem has to be good enough to differentiate between a wide range of skills. And lastly, every student in the classroom has to be motivated to solve the problem; if only a few of them are interested in solving it, the results would not be usable for measuring a large number of malware authors. So what is going to be the test problem?
The test problem is going to be CVE-2014-1761. It was discovered last year; it is an RTF file format vulnerability, a memory corruption. If you were here yesterday, the terms and methods I'm going to talk about should be familiar: that was a very good overview of the generic principles, and this is going to be a practical implementation. This is where, as I said in the introduction, I'm going to be tough on you, because in order to understand the results of the test you have to understand the methodology, and the methodology relies on you understanding how the exploitation process works. The CVE name is 2014-1761; I'm going to refer to it as 1761 for the rest of the presentation. Anyhow, this was a new Word exploit, and every possible malware group was very happy to get their hands on it; it was one of the key exploits, so they were very much motivated to use it, because it is a powerful tool for infecting users. If you read the original Microsoft description of this vulnerability, it says that it affects all Word versions that were current at the time: all the versions listed on this slide are vulnerable and possibly exploitable. In theory there is no difference between theory and practice; in practice there is. So if you had to guess how many of these Word versions were actually affected in the wild, the answer is a little more than zero: actually only one version was ever affected by this, and that is Office 2010 Service Pack 2. The reason is that even though all of the other versions were exploitable and could have been exploited successfully, the practical implementation of the exploit relied heavily on absolute memory addresses taken from a particular version of a particular Windows component, MSCOMCTL.OCX, and that version was only installed by default with Office 2010 SP2. It would have been straightforward to port the exploit to all the other versions, but nobody did, and why, you will probably understand around the middle of this presentation.

So let's talk a bit about the exploitation process itself, as a very rapid overview. There is a Rich Text Format document; the vulnerability is triggered; a shellcode gets executed; and at the end of the chain some sort of Trojan is dropped onto the system. There is a slight problem in this chain, and that problem is called Data Execution Prevention. It is relatively easy to fool Word into writing shellcode into some memory area, and it is also quite easy to convince it to jump into that memory area, but it is not possible to actually execute code there, because the data areas are declared non-executable by contemporary operating systems. You can inject your code, but you cannot execute it. So before you can run the shellcode that drops and executes the final Trojan, you have to make sure the shellcode is in an executable memory page. So the exploitation starts with a component that allocates a new memory block, makes it executable, copies the shellcode there and executes it from there. That's pretty easy; there is one slight problem: in order to do that allocation you have to execute code, and you cannot execute your own code because of Data Execution Prevention.

Here comes the concept of ROP, return-oriented programming. It means that you cannot execute code you placed into memory yourself, but you can execute code that is already placed in memory by the system. At the point where exploitation happens there are dozens of system libraries already loaded into memory for your convenience, which means there are hundreds of megabytes of code lying in memory that you can use. What you have to do is find small snippets of code, think about them as puzzle pieces, get these pieces from the loaded system libraries and chain them together so that they accomplish the functionality you need during the exploitation. Then, at the vulnerability trigger, you just divert the normal execution to jump to the first piece of your chain, and it will just go: each piece you jump to passes execution on to the next piece of the chain, and when you have gone through all of them they will have completed the task you wanted. The pieces usually have very limited capabilities, so you will need a lot of them to complete even the smallest task. And there is another problem, Address Space Layout Randomization, which means that if you want to use the pieces you have to know their memory addresses, and 99% of those libraries are placed randomly in memory. There are only a few of them which have a fixed load address, and these are the libraries exploit writers are looking for; this is the constant that the exploit relies on.

So the exploitation starts with a vulnerability trigger that diverts the execution, then starts the ROP chain, which allocates executable memory for the shellcode and executes it. There is another slight problem in this particular case: when the execution first gets diverted, it lands in a small memory region controlled by the attacker, and this small region cannot hold the entire ROP chain. There is another memory region the attacker can control which can hold a lot of data, but it is not where the execution first gets diverted. So the bootloader of this exploitation process is further divided into two parts: an initial chain, which only makes sure that the execution is redirected to the larger region that holds the main chain, and the main chain, which creates an executable memory range, copies the shellcode there and executes it. The shellcode, in multiple stages, locates the payload in the document, decodes it and executes it, and that is the installed Trojan. Now, this is a good test problem for the malware authors, because modifying the final payload is the basic task for a malware author; they do it every day. Modifying the shellcode is something they can do as well. But modifying the ROP chain is a highly skilled operation, and not many of them are able to do that. So here we have a nicely graded problem for the malware authors.

A bit more detail about the exploit itself. It is a memory corruption vulnerability: a table of function pointers gets overwritten during the exploitation. What happens is that RTF documents can contain list override tables, which carry several different parameters for the lists defined in the text of the document. The data from these list override tables is stored in memory as a sequence of level structures, and these structures are stored in a pre-allocated memory region. Now, if there happen to be somewhat more of these level structures than expected, they are written over the boundary of the allocated memory and overwrite whatever comes after it, and that is the memory corruption in this exploit. In particular, at a certain memory address there is a pointer to a function table in MSO.DLL; it's pretty meaningless for us, but it is a function table containing function addresses, and in the process of parsing the malformed document the data of the list override table overflows the allocated region and overwrites this function table. At some unrelated point later in the code execution a call is made through this function table, but instead of taking the appropriate function address from MSO, this call takes the address from the overflowed list override data, and that is an absolute memory location inside MSCOMCTL.OCX.

The initial chain, as I said, does nothing but transfer the execution to a larger buffer controlled by the attacker. Deep inside the RTF structure there is a level text buffer which holds a large chunk of binary data; this large chunk is going to be the main ROP chain and the first-stage shellcode, while the list override table contains the rest, the initial chain. So really the initial chain has nothing to do but execute a single call into that level text buffer. But like I said, the ROP gadgets, the puzzle pieces taken from the loaded system libraries, have very limited capabilities, so for a single call, a single assembly instruction, you need six different gadgets. Just as an illustration of the complexity of the task: the first gadget address stored in the list override table is not stored in the RTF file as is; it is actually assembled from four different places and four different things. For example, the first byte, 48, is actually a bit field combining several of the RTF control words included in the list override (one control word sets the highest bit, another the lowest, and so on); the second byte is combined in a similar way from other control words; and finally the last two bytes are the numeric parameters given after control words, for example \ls588, which denotes the hexadecimal value 588. So in order to control one single address in the ROP chain, you would have to modify four different, distinct places in the RTF file. This exploitation method requires an intimate knowledge of the RTF structure and representation. These six addresses in the list override table form a small code fragment; this is the first puzzle in solving the task, and after it executes, control transfers to the larger level text buffer with the main ROP chain.

That one is a bit longer. As the exploit writers have no absolute control over the code between the gadgets, the gadgets do what they do, and in some cases a bit more than that: apart from doing whatever is needed, they perform, for example, pops from the stack which are not needed for the actual execution, but because the pop is there and it is not avoidable, there has to be something on the stack that gets popped into a register that is never used. So in the ROP chain there are a few unused bytes which have no significance for the exploitation; they have to be there so that something meaningless can be popped into these places. These bytes are not used and could be anything. The logic of the main chain is very simple: allocate new memory, copy the shellcode there, and jump to it; but because the gadgets have limited capabilities it requires about ten to twelve gadgets to complete this task.

So if you look at it from the RTF perspective: the exploit file starts with some sort of header, followed by some sort of irrelevant information; the initial chain is scattered throughout the text of the file; the main ROP chain is stored in the level text buffer along with the first-stage shellcode; and the payload is usually a large binary chunk at the end of the file. From the test point of view, there is an additional hidden element in the test: every decent malware author would modify the payload binary, that's not a problem. The first-stage shellcode is relatively easily recognizable, and the main ROP chain is relatively easy to find as well; it looks like a buffer of bytes that a decent malware author can comprehend and modify. But to modify the initial chain you have to really deeply understand the RTF structure. So apart from the gradation in the exploitation itself, there is a gradation in understanding the RTF structure itself. It's a very well defined and granular test task for the malware authors.
going to rank there but there are some the light on the miscues so they are showing us so starting from from the ceiling knowledge the knowledge means that they're buying 1 in the underground market space is a generator and they're going to generate a sample of it is a basic skills that you've all replacing the very organized thing sampling that media knowledge and that just can modify or the the scheduled steel plants try to make some trivial modification in the chain itself uh advanced protesters and uh you can meet me significant modifications in the chain and or the exports again and and the you would once can control every single aspect of the expectation that is going to be the still the value placed the the uh it the office so that the 1st version of this research was published in February at the top of the uh I'm not going to touch on all of the families and the groups that are mentioned in that because that would be be the wrong representation uh and you can go there and and check that but I'm going to mention a few additional bonds between which were not known at the time of writing that so let's start feature subspaces you and the 1st thing ever sample that it identified using this where this is going to be the point of from back of comparison as it turned out that all of the for the samples that derived from this 1 that was more independent development going on in this but this was a destructive for German appeared last April and that it is stated according to some media partners seeking advertisement clearly in because of this kind of and destructive thing you know what it was not used in the targeted that as you would expect from from and the the the player who deployed as he had already I think it was deliberately it really is a leader before Microsoft the the basis for property that is an example and perhaps the name but that the cover extracts because if there is only 1 single entity who who knows and uses this 1 another the every every evidence 
pointing to the that election for their start using it it will get scattered anyway and in this case the documents thought to be a large chunks kilobytes of uh the John content context not users are not displayed but it is a very convenient for identifying everyone else will stop being based on the theory that is guided by the developed it was a highly
skilled uh there was some of but uh Monday after this so the initial sample was used as a couple of targeted at that so there are no more further using this form of uh mainly by the to do group that was recently ruled by bias if you look at it over remote and it was targeted against the diplomatic targets and they they made a very significant modifications to the expletive document for example they cut that all of the chinese that was at the beginning of the file and uh and they is down in merely to the meaning the the the article want that and also changed the memory location locations integral chain solve they made very significant changes in in the the export of documents I'm not saying it is not possible to do all that is not the answer but it's very alive to that some my guess would be that they have prior prior knowledge of this exploit before they started working it if I had to guess I would say that uh this is the group that is most closely connected to the source of the exports but now there that you would have the reputation of being supported by the Russian government government they have huge financial resources and they have a history of using 0 they export so it is not an unreasonable assumption that they were the 1st one to use the successful but there is no they're tested evidence pointing into that direction and all because of the the the changes they made to the rope chain in clearly uh dangerous and broke the women uh that is some died
The other descendants were using the original sample and they didn't do anything apart from replacing the binary that was at the end of the file: no modification of the exploit itself. This appeared about one month after the original and was used by another group. When I said they didn't change anything, that's not entirely true: they changed a little bit as well, but at least my guess is that it is something you could do in two seconds in a text editor, so that doesn't constitute a major skill. Anyway, this group showed the basic skills of exploit knowledge.

An interesting strain is Metasploit. It is a great tool for research, for penetration testing, for understanding the exploit, and so it is also a great tool for malware authors, and they are using it extensively for generating samples, as I'm going to show you. Clearly, whoever wrote the Metasploit module understood the exploitation at least to the level that, as I mentioned, in the ROP chain there are some unused bytes, and they knew which parts are meaningful and which are meaningless. There are a few distinctive characteristics in the Metasploit module that make it possible to identify whether a sample was generated with Metasploit. One of the direct descendants was Havex, which I should also mention; it is known for looking for industrial control systems. Another example was a group that was reported by one vendor and later on connected to another campaign. Anyhow, they generated a sample with Metasploit, then swapped the shellcode and the payload, and replaced a few sections of the document with parts of another exploit. Looking at the beginning of the file, they messed up the RTF structure. This is a very delicate vulnerability, and if you mess up the structure it breaks, and that happened in this case: of the samples they generated, in 11 of them the exploit was actually broken. So they generated a sample with Metasploit just to use this vulnerability, and they broke it in about 90 % of the cases. On one hand that shows their skills, because they were able to swap the shellcode and the payload; on the other hand it is shadowed a little by the fact that what they created was not working.

There is a group of samples using this exploit that are generated by some sort of generator. Metasploit is also a generator, but here I'm talking about a commercial one released in the underground. I don't know the name of it, we just see that hundreds of samples are generated by it, a lot of common banking Trojan families being distributed with it, and it is dominating the exploitation scene: the largest chunk of exploit documents that we have in the databases are generated by this tool. Apart from the main block, which is the ROP chain and the shellcode, it has two additional blocks that look the same but are not used; it is pointless, but it can be used as a watermark to point out all the samples that are created by this tool. Anyhow, whoever wrote this generator understood the RTF structure and the exploitation. Another generator appeared later this year, just a few weeks ago; that's the other large chunk of samples using this vulnerability, also hundreds of documents created with it. I don't have the time to go into it, but it has a very distinctive characteristic: it is one of the very few cases where the authors actually changed the ROP chain. They use an alternative ROP chain, so it is performing the same task, but it is achieved with different building blocks. The samples generated by this toolkit are also distributing mostly banking Trojans. As for the skill set behind the output of this tool: because they actually had to touch the ROP chain, this is someone who understands exploitation at a higher level.
A really interesting case was that of a Chinese group. Now, I'm a physicist by education and also a programmer; when I have to do programming, I do it the way a physicist does: I take an example program, modify it to my needs and continue to fix it. It was surprising to see that there are people in Chinese groups who follow just about the same path of development, except for the part where it works. What they wanted to do was an exploitation campaign, so they took a sample generated by the builder I mentioned just one slide before. The exploit probably looked too complicated for them to modify, so they replaced the first payload with their own payload and started to use it in a campaign. Now, the problem with this picture is that the sample contains two payloads: the first one is actually a banking Trojan, the original payload of the original sample, and the second one is theirs, and depending on the conditions the original payload from the original sample may get executed. That is an unwanted situation for this group, because they would end up distributing someone else's malware. So what they did was to take one of the various 1761 exploits and cut out the original payload, replacing it with their own.

And it goes on, because like I mentioned, the builder has a slight problem: in at least half of the samples the exploit doesn't work. The Chinese group didn't get lucky: in the sample they took, the exploit didn't work. They realized this when they copied the ROP chain from another sample, overriding the non-working exploit with a working one, and they broke it immediately, because in this case the shellcode looks for the payload at a fixed offset, and when they copied the chain into their own document, the encrypted executable at the beginning of the exploit file shifted the offset. So the Chinese group had the lowest success rate in this set of samples. They created samples and used them for months in different campaigns; they started by distributing them in one region and then moved their operation against Indian and Pakistani targets. They showed a really basic level of exploitation understanding, and I'm being very generous to them in this classification. There was one case of a successful exploitation; I don't think it was used by the same group, it was deployed in other countries, where they actually used the sample set and it actually dropped the payload. Anyhow, let's switch to the evolution part.

So in this table I just blindly copied all the malware families that I have seen using this exploit, and just by looking at the samples I placed them into the skill levels. Here comes the fun part. Like a university professor, you can check these things, to see if they actually look like what I said. In many cases, in fact in the case of some groups in over half of the cases, the exploit didn't work. I mentioned at the very inception that those generated or used samples just contained broken versions of this exploit, and these supposedly highly skilled groups did not notice it. The other thing is the relations. My university professor had this really bad habit: after a test, he would create a graph of who was copying from whom, and mark the tests accordingly. So I'm doing the same with the malware authors. For example, a large chunk of samples belong to common cybercrime groups; although the samples they are using show a greater understanding of the exploit, that's not their merit, because they are using a generator. The merit goes to whoever created the generator, while the actual users of the exploit documents get credit that extends only to the point of executing the generator and using whatever its output is. Then I identified a couple of high-profile groups, for example the group which I mentioned on behalf of the targeted cases, and also marked them in this table.
Really, this is the evolution part of the talk, and it displays all the groups in their appropriate place. Here is the dividing line: the bottom left of the table understands what happens after the exploit, so they can deploy malware, they can modify the payloads, but they don't really understand the exploitation itself; they don't have in-house expertise at the exploitation level. On the right side of the table are the really dangerous ones, the ones who understand exploits, exploitation and file formats, and they have in-house expertise about this. The table doesn't show the number of incidents: the vast majority of the incidents, you could say 99.9 percent, belong in the region with little to no understanding of the exploitation, and only a few incidents belong to the dangerous region, and even these are shadowed by the fact that the groups showed high skills, but what they created was not working. So they may be good programmers, they may seem to be good at exploitation, but they don't have the capability of determining whether what they created was actually working or not. So the conclusion is that the malware authors in general, even the highest-profile APT groups, are clearly lacking in QA: they don't check whether the exploits they are using actually work. Some of them are working on the exploits somewhat, but the common cybercrime groups who are deploying banking Trojans just have a better supply chain, because someone is doing the generators for them and they are buying them. However skilled these groups are, they don't show enough knowledge and skill to port this vulnerability to either of these versions. So there are certainly gaps in their capabilities, but they are very eager to use any vulnerability that is available the minute they can get their hands on it, and they are willing to use it and try to use it.

But a final warning for you: even though they are not as skilled at exploitation as you would think, you should still be afraid of them. Just as with burglars: once they get into your house, they show very high capabilities and skill in emptying out your house and cleaning out your assets. So they may not be good at exploiting, but once they get their foot in your organization, they are very talented and resourceful. Still, you should know that if you keep up with the information, they are not really much ahead of you.

Final slide: I said it was going to be a test, so let's see what a test is, by the objective criteria of AMTSO, the Anti-Malware Testing Standards Organization. I'm just going to go through some of the criteria. I'm certainly not biased toward any of these groups; in fact I'm equally biased against all of them. I think that I was transparent about the testing methodology, I mean I spent the first 25 minutes explaining the testing methodology, I was pretty clear about that. And finally, the test should have an active contact point, which in this case should be me. So that concludes my presentation. I think that as a whole there was a tendency for many people to be sleeping, so I guess I achieved my goal. Thank you.