Balancing The Pwn Trade Deficit: APT Secrets in Asia
Formal Metadata
Title: Balancing The Pwn Trade Deficit: APT Secrets in Asia
Number of Parts: 122
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/40593 (DOI)
Transcript: English(auto-generated)
00:00
I would like to introduce, actually, from the bonjour. Then, you just found four persons, but you'll find just two persons here. Why is there just two persons? Because one of the speakers, Birdman, his wife just got a baby, and also the other speaker, PK, simply,
00:23
his girlfriend just went back to Taiwan. So for both of them, the reason they cannot come here is because of women. So, um, so it's a very happy moment, right? So anyway, this time I and Benson will take over two hours, but you know,
00:43
we cannot spend two hours, because we are not the style of reading the slides. If you would go for some kind of reading slides, just... we will not be on the stage. So we have some demonstrations, okay, and also some tools for you to play with, okay, and some case studies for you to take a
01:02
look, okay. Maybe let's start. First of all, I'm Anthony. This is Benson Wu. Then also our research founders: Jeremy Chiu, his alias is Birdman, and also another independent security researcher, PK.
01:21
Okay, we need a disclaimer: there's no national secrets here. Okay, we welcome spies, secret service, intelligence, for instructions, thank you, thank you, thank you. No, no any Taiwanese spy or Chinese spy,
01:43
Russian spy? No, no. Where's your hand? No? I give a cake. Okay, a pony. Okay. Okay. There's a cake for you then. Okay, thank you very much. Thank you. Now I'll advertise in my time. It's always, you've got a movie, you have advertisement, right?
02:01
Okay, I need to advertise our Chroot group members. Actually, it's a Taiwanese very famous security and hacking group. It started from 2004 and focuses on security and hacking studies, and it's just the sponsor, or just the supporting organization, this year for Black Hat, you know, USA 2011, and also
02:21
had two speakers speaking two days ago about exploitation on malicious documents. Also, there's our annual conference, the Hack in Taiwan conference. It is a larger-scale hacking conference in Taiwan, actually: talks, wargame and food. Come on, come here, right?
02:42
Even I come from Hong Kong, man, but it's good. I went there two times, but the atmosphere, the professionalism, everything is good, and it's got some kind of English interpretation. It happens every July. Okay, and there's a link for you for reference.
03:02
My founded group... actually, I founded this group because I'm inspired by DEF CON, because DEF CON is really a core conference with contests, with many talks, and with many people to meet up. You're nice, and also with strings. So it's a really good conference. I could say it's an international conference.
03:23
So I went back to Hong Kong and then held a group to organize more hacking and security research studies, and we have just published some papers, like our Facebook forensics and kinds of web app security feng shui for Macau and Hong Kong. You know feng shui?
03:41
Do you know feng shui? Okay, no feng shui. I'll push it, like put a stone in the door, something like making you wealthy, something like that. Okay, I don't know. And also there's a case study: I investigated a case about the lost money for the bank, and it got a title, "Million Dollars Lost in a Minute".
04:03
So just feel free to visit our sites then. And also, I'm able to promote Val Smith, because he partnered with me and Colin Ames last year to give this kind of talk about "China Made Me Aware", thank you very much, and they have a blog at attackresearch.com, which I suppose is a very insightful blog.
04:23
That's enough, Anthony, right? That's done. Okay. Last year Val Smith, Colin Ames and I worked together, and I like, and I think, "China Made Me Aware". We would like this year to continue this effort. This year we deal with many targeted attacks, actually. Benson, Birdman and PK come from Taiwan; for me, I come from Hong Kong.
04:47
In Hong Kong, there are also some kinds of targeted attacks, not just Taiwan. Okay, we are not alone, man. Taiwan is also the major, and Hong Kong is also a major, target being attacked. Then we would be happy to present here.
05:02
And we were selected in the first one in DEF CON, but we were rejected, and perhaps their reason is "we are curious about your automatic analysis". Anyway, we will come... a teapot in overhead from here? Because Jeff told me there's a
05:21
400 and 500 review board members. Okay, I give the kick to him. Okay, just a lazy kick. And the reference talk is TT and also Nanika presented, yes, two days ago, about "Weapons of Targeted Attack: Modern Document Exploit Techniques", and also the next session is on Mahmud about Sneaky PDF, so it is
05:44
more than that; it's like a collection. So I would like you to have kinds of put it all together into a different focus. Okay. Oh, introduce myself. You call me Anthony or you call me darkfloyd, because it's just a kind of handle, and I work on code audit,
06:03
penetration test, crime investigation, and being a consultant, anything, and teaching something, teaching like in the Polytechnic University in Hong Kong, and spoke last year and being guest instructor in the technical exploitation Black Hat USA course.
06:27
Yeah, I leave it to Benson to introduce himself. Yeah, my name is Benson. Birdman and PK and I, we are all from Taiwan, and we are from the same lab, called Xecure Lab.
06:41
Well, the truth that they couldn't come, actually, is because it's really expensive to come over to Las Vegas. It costs, like, you know, more than 2,000 bucks just for the air flight. So, well, we can only afford one of us to come over. And we study a lot about APT since starting this year.
07:03
Before that, we actually did a lot of commercial products, but then we feel that APT is so serious that we want to really focus on APT starting this year. So beginning this year, you will see more and more stuff that we will develop, and then we would like to share with the community.
07:21
So the tool that we cannot disclose here is freely available online, and if you guys receive any sample that you think is from an APT group, then you can just scan online; it's totally free. I also would like to mention that
07:41
I'm from an academic background, and even though I have some diploma before, that doesn't stop me from being hacked. I remember that when I was in the university doing my master's, my friends in the National Security Agency told me, "Hey Benson,
08:01
I found one of your computers in the enemies' C&C servers." And I was really surprised, because I thought that I can protect my machine well. So that actually taught me a lesson that a diploma doesn't give you anything when it's on the cyber warfare. So I really feel that, well, you have to equip yourself with some hands-on when it's about cyber warfare.
08:26
That's why later on we end up doing a lot of commercial products and then a lot of research on these kinds of stuff, rather than, you know, simply publishing papers. Okay, thank you, Benson.
08:44
Actually, he has not introduced himself, just his academic background. Okay, but he is very good at, we would say, threat analysis. We work out for the Xecure Lab in Taiwan, in between Hong Kong and Taiwan. We like to contribute this kind of research and service. Birdman, you can't see his face. It's always like that, not really strange. I
09:06
don't know how he got this kind of hat, but anyway. He has very much expertise in the Win32, and in this background, platforms on the Windows programming here. He's the first one in Taiwan to spread, not he spread out, but he produced kinds of Trojan, or Bird Spy, and
09:23
then it was manipulated by other people and spread out in the wild in Taiwan. Taiwanese police caught him, and after a while the police said, "Okay, I will release you then, okay, the idea is, please help us for investigation in the future." So, free member, free employee. That's good.
09:44
To do the forensics, assist some kinds of digital forensics and investigation on incident response. And he's good for rootkit, backdoor design. He's a good man, okay, even if he's doing kinds of a lot of evil design, but he does a lot of training, okay.
10:05
PK, he's from law enforcement, and also he is the independent security researcher. He's also good at system programming, Windows programming, forensics, and he has developed a software called MPA scan, MPS, kinds of a
10:25
police force in Taiwan, so it could be downloaded in the Taiwan police websites, but I know, for some kinds of reason, some people target this software for attack. But he's a very nice, very expert
10:41
reverse engineer and system programmer. Okay, um, start our agenda. I'm sorry, then, I spent five to ten minutes on the introduction. Then, um, APT stuff. I think, actually, I don't know where the term comes from, but it is easy for people to say it is a targeted attack.
11:01
But every attack targeting a person may be quite advanced, but it's specially targeted for a specific company or organization, and also it is from an organized group, organized attack parties. I'm providing the case studies. I would like to present and analyze APT from malicious email documents through our
11:23
automatic analysis. Okay, and later on Benson will present about the DNA clustering of different APT task forces. For example, you have some bad triad societies like 14K, different K, okay, different triad society parties; then it is the same idea for these different APT task forces here.
11:43
We have observed there are three major types of the targeted attack email: for example, the phishing mails, you get a username ID and password; and also you could get an email with some malicious script, when you open some emails maybe it executes some malicious script; or even some documents, and
12:04
you will deploy the malware and become a botnet and contact the C&C server for further compromise. This is what we have observed. The table is damn small here, but anyway, we have got a difference here.
12:24
This pen is very powerful. Okay, you can hear, right? Right. This was APT. There's this column, okay, APT partner activities; this column is our traditional botnet activities, actually, for distribution. For the APT, talk about, for example, APT partner activities: more organized, run, and
12:45
also not causing any damage. If they damage your machine, they have no games to play, right? And they of course target a specific group and also a particular company, and the infection effective duration of the attacker is very long, for a long duration, and
13:05
frequency: many times, because they would like to launch it from different perspectives, maybe the same dropper but in different email formats. Their reference is more than necessary days, and some drop and dropping the embedded malware, and
13:21
finally the detection rate in the antivirus software is simply less than 10%. Okay. Exciting part is coming: case studies against a political party in Hong Kong. Okay, we got a call from Mr. X. He always picks me up at 6 o'clock.
13:41
I don't know why he wakes me up at 6 o'clock, calling me for help like that. Okay, Mr. X is one of the key persons of a political party, it's like a democracy party. He showed us an email he feels suspicious, like the attachment called meeting.zip and also minutes.zip, something, and
14:02
it contains two files: one is agenda.doc, and also minutes.doc. And why does he feel suspicious? Because he just had the meeting yesterday, before he received the email, and he got this document. It's very, I mean, it is a very coincidence.
14:21
So it looks like a member meeting agenda; however, it targets all the committee members in the meeting. And Mr. X also said he got this kind of mails before 4th of June, 1st of July, and before any Legislative Council member election. You know, 4th of June is kinds of the Tiananmen incident, and 1st of July
14:45
is kind of the day we returned Hong Kong, returned to China. So it's very regular, instead of some October, because those guys may be on vacation, on holidays. So they did not launch any targeted attack because they need to be on vacation as well.
15:00
Okay, so, um, I ran a very brief analysis in our Xecure Analyzer engine. But actually it is not a document; it is a PE file, okay, and also it is a dropper file, and it creates the minutes.doc, which is a document
15:21
file, and which gets to execute the agenda.doc. Okay, this is our engine, one of the screenshots. Then you find that from the startup folder, okay, I point here, startup folder: once you execute it, it creates another file, i.e. check.exe, and then afterwards it generates the code,
15:44
generates the DLL msvcr. It looks like a legitimate DLL file, but it isn't, right? And it injects into the explorer.exe for kinds of DLL injection. Then it connects to network, different
16:02
C&C servers here. So, let me show you. Yeah, because of time, there's no time limitation, because, yeah, then you'll find it here. This is our agenda.doc. Okay.
16:35
I want to zoom it because I'm quite sure you can see it at the end, in the back. And it's .doc, and I submit it.
16:44
There's, yeah, from Hong Kong. The C&C server is from Hong Kong. Hong Kong, other than a shopping center, it's also a C&C heaven, okay. Yeah, come to Hong Kong, okay, deploy the C&C server. And then you'll find a report here, okay, as what I captured in my slide. But anyway, here
17:17
is what we have shown and analyzed, because if every time you need to put up
17:23
the VM and get the analysis, then it's a very boring job, right? Every time you put up a VM, every time you run the executable, and for every sample; I don't think it's fun, right? So we do it on the automatic analysis. But have you seen it? Yeah. Thank you. But this is not our core dish or main dish, okay, but just like that.
17:50
How long? How long, maybe just 30 seconds to one minute? It's not bad. Then go for a couple of those, then back, and the results come up. Okay, back to the slide.
18:12
Well, here is quite very silent. Yesterday, in my hotel room, there's a lot of rock music underground, and the woman shouts,
18:21
man shouts, wow, over the night, and it's amazing. I don't... shouts from the other rooms. I can't sleep, actually. So, analyze our analysis study: C&C location, you find it from Hong Kong, and the port is 8080.
18:45
Actually, the case is still alive. The C&C server is still here. So I'm not announcing it here, because we are writing a paper, then we'll submit it to the forensics and some conference, and malware conference, then before the law enforcement just kicks
19:04
just Join in to inference our resultant some traditional intelligence of analyzed malware like Use the capture bat what files is create what files is delete right and also like what can't yeah, it's
19:29
it's a possible what I've told you about our analyzer and what files is added by the but by the system after the mirror executed and You to prove it
19:42
D and also like a IP sec step dot deity is added to the explore that you see two kinds of Encryption for the IP sec channel to back to the CNC servers Okay, some files at it I don't go through it because but I would like to see that later. They simply generated
20:05
Ms VCR, but the file is not like that. It should be MSC VR, right? In the gift of the file is natural to meet and is approved by a Microsoft is signed up Microsoft. The name is quite confusing and different files are
20:20
added here So afterwards the agenda doc doc is create is deleted we have got some analysis Okay, he targets QQ anyone have QQ anyone have QQ?
20:40
Anyone? No one. I would like to give away the cake, although QQ, okay. But if you go to China, you need to make friends in China, you need a QQ, okay. The first thing is, like ICQ, like the instant messenger, you need a QQ. And QQ can do anything, including remote control of software, okay. They have some capability to control a remote computer.
21:03
And it could also capture some screens, or send messages, send files, yeah. Many trojan writers focus on and take advantage of the functions of QQ, and also Foxmail. Foxmail is also, like, here, Foxmail, it's also like a China-prevalent mail service, of course.
21:29
We have our good friend Messenger. Yeah, Messenger is also our good friend's attack target.
21:41
So I'm also done, it's proved it injected into explorer.exe, not a surprise, but I would like to see the DLL. You know this Chinese word, it's kind of "DLL injection failure", it's written in Chinese. That's good, the programmers give the comment,
22:03
give a comment to say the DLL injection failed, in Chinese. I like it, I like the comments, well documented. And also, as you see, you'll find it, I got
22:21
right here is explorer.exe, but besides, there's his brother svchost. Why, when I analyze the sample, can't I find any injection into svchost? I will tell you later, okay. The agenda.doc is nothing special, it's just a dropper, okay. It created IE,
22:43
I checked it out, you see, copies the file ws2help.pnf to the application data folder, changes the DLC, and generates the msvcr.dll malicious DLL, and injects into explorer.exe, and there it creates a new mutex.
23:00
It's very strange now, they would create new mutexes. But it's common for software to create different threads, different processes, different threads when running programs. And of course some traditional checking, like check whether they have Kaspersky or have any log32, I don't want to show here. But it targets QQ, MSN, Sina, Foxmail and Hotmail, and
23:22
also they use XOR encoding only. They don't use a very complicated encoding or encryption scheme, because if you do some very complicated encoding scheme, it will most likely be detected by the IPS, or detected by the IPS or network detection monitoring.
23:43
Let me check, it's here. But you know, it's quite difficult, you know, I'm here, the screen is there, but it comes to point here. But anyway, show it, like to wait. I'm sorry, something that is encoded.
24:08
This XOR is here, takes all. Well, you need to have a telescope. Have you got a telescope? Actually DEF CON should supply it, I know. Then there's an encoder here, then looping, looping or looping, and then you'll find the reverse is the decoder here.
24:25
Actually every time they send out traffic, they will encode the traffic, and once they receive it, they will decode it. They don't do any complicated encryption, okay. Once we have done the debugging, we know in fact,
24:41
you know the scheme, then we find out they get the hostname and also the OS type and the patch level. Then there should be more information sent to the CNC server. And also, this is what we are, this is the most humble day, most humble of my day, because of the day, because, you know, we find a .bmp file compressed in a .cab file under the application folder.
25:04
However, we are still in screen capture by Wireshark, but it is captured by the software and sent back to the CNC server. So this is the screenshot: we do the sniffing on the network using Wireshark, but it's sent back to the CNC server.
25:27
Damn it. Okay, taking into the Tigers. Oh, okay, some more than that. Like, if you do the analysis, most likely you just analyze the dropper, right? You go to, like,
25:41
different ThreatExpert, whatever different online sandboxes. They just analyze the dropper files and they will not carry out further analysis. So we carry out further analysis and try to install QQ, MSN and see what's going on, and we find that more binaries have been downloaded to the Windows debug folder, and
26:02
also the malware creates more files in the Windows debug data folders as well. But those files, after they are executed, will be removed shortly, okay. And also they send back to the CNC server in a different compressed format. So we found that those CNC servers sent an instruction to the victim machine to compress the files and send them back to the CNC
26:26
server. There's also quite interesting: the traffic sequence number they set by the CNC server. If you have been infected before and you would like to try it out, to analyze, then the binaries will not be downloaded again. It is not surprising, but they have a sequence number to control.
26:43
So we need to change the registry to blank out that sequence number, it's set in the registry. So it is quite tricky. And also they have put those files in the .cab compressed file, but they put the DLL, .dll files, different DLL files, compressed in .cab files.
27:02
However, after we decompress the .cab file, we got different SAM system information from the victim machine, from those DLL files, okay. Let's see, like that. We find this,
27:22
this, like a "drive" file in the .cab file. They capture anything of your files, the path, and also this, ah, yeah, this password. Donald Tsang is not our member, he's just the Chief Executive of Hong Kong.
27:44
Okay, we just take him as a fake email address, okay. Then it's better, right? So you find it, they have put it in this kind of text format without encryption. After carrying out the dynamic analysis we got three more
28:03
binaries. We got it, with these three more binaries: one is responsible for collecting all hard disk drives, it is FBCwin32.exe, and it creates a file "drive" under C:\Windows\debug. You have just seen it before.
28:20
Right, and also another file called VZwin32.exe. After executing for some short period of time, it is renamed as SVCwin32.exe afterwards, and it puts all of the data, to capture all the connected email accounts, passwords, like the files as I showed you, and SAM information, system information,
28:44
to the app data temp directory and also the Windows debug data directory and the C drive. And also one more, one more binary is CVwin32.exe, it captures a screenshot every 1000 milliseconds.
29:01
The injected MSVCR, actually it should be VCR.dll, keeps on monitoring the C drive Windows directory, this debug directory. If there are any files there, they will send them out. So this is the summary.
29:21
This is the summary. Then actually it targets a political party in Hong Kong, and the CNC server is in Hong Kong. But this China-made APT, I could claim this case is not advanced but a persistent threat. Why not very advanced? Because it contains some old baked
29:41
routines, Win95, Win98. The programmers simply just add the new features. Maybe the boss asked him, okay, add one more feature for Windows 7, okay, add one more routine. The old routines are just left behind, just left aside, okay? And also there's a,
30:01
the dropper is the same as another sample. I've got a .chm sample, and then the dropper is the same. Oh, I forgot to show you something, like in my, here. It's my first time, not first time, it's very rare to open IDA on Mac, and
30:24
also I have not renewed the license, yeah, expired. But anyway, I always use IDA in the Windows environment. This DLL is dumped from the MSCVR.dll, then we could find the packet of our escape,
30:49
either to use this one, put it in the .cab file. Yep, and also it's very interesting, they put some different extension like .v2. You never know what .v2 is.
31:10
Another interesting thing is not CapScreen but collect password. Can you shut it off, this one?
31:24
GetPassword, for example, to get MSN Messenger, MSN password, also the Outlook password.
31:42
Yeah, they're quite good at collecting different passwords from different software. So if you want to jump from IPT, simply not try to use this one, this software, but you can't do that, right? And yep, they do a password, and also let me check
32:02
something very interesting. Yeah, this is called a password, and one more is, like, a CapScreen. I need to show it because it uses some old, damn, screen capture routine from the early Visual Basic days. So that's the reason why I say it's not really,
32:22
really advanced. Sorry, then I need to, here, let's see here, right?
32:50
Create some, CreateDC. I think it's traditional, but it's very old, some kind of capture the screen or write, writes to bitmap stuff.
33:03
It's already very old, okay. So that's the reason I already showed you about that. Okay, let's continue, and
33:22
agenda.doc, the .doc, is just packed with UPX. XOR is used instead of some complicated encryption. Then it downloads a payload in different stages. The most important is they use some unpopular file extension, like k2.v2, you never know, and I suppose the IPS or IDS don't recognize this kind of very weird format, right? And
33:44
they simply build in, like, depend on built-in libraries, and I find that they use the proper sequence set up by the CNC server to manage the victim. This is what we could conclude. I have got two samples and I find that their droppers are the same. You find here,
34:03
this is the agenda.doc, this other one is the other executable from my collected sample, the .chm sample. You find it, tell you, the same, except this, okay. So I suppose they will just use the same droppers for different teams or even the same team.
34:25
This is the timeline my fellow, my fellow went to has promoted, drafted. Actually the green one is the .chm sample, the red one, oh sorry, the red one is the agenda.doc I present here, the case.
34:43
We have found the PE build time of the .chm sample, and then we could find the agenda.doc build time is nearly the same, nearly, it's around the time, between April and July. And we have found also the phishing mails, and also the
35:00
phishing mails received, and the build time, the MAC time, and also the report time is around the time, around the same, yeah, that period in July, between June and July. Now, this is my doctor.
35:21
So, um, so we think this is from the same dropper, same generator, and also the mutex name is also useful to identify the APT sample or version. And this case analysis simply supplements the Tracking GhostNet report and also the Mandiant report, because they do some high level, just describe the process, but we do the reverse engineering and the further analysis,
35:44
then it's much better to give more details to you. And afterwards, as a malware analyst, we will find that, do we need to analyze 10,000 samples from a single task force? It's too time-consuming. Can you go back to the office and say, boss, I got a sample,
36:03
I need to close the door for three days and analyze the sample, like that? I suppose you should be fired, right? Three days to analyze it. No, you should know how to respond, what's the characteristic, right? And also, do you think about whether, when you get a sample, you think that you are already targeted?
36:22
No, you said, then this is a kind of traditional thinking, or international before, because when we receive the malware we don't think whether it's targeted or not. And case two is calling Mr. X again, he's very free and always checks email and always gets this kind of targeted attack.
36:42
But I want, I want to help, and there's another file named "official reporter list" from the Legislative Council news. These are official emails. This is the party extension, then the Chinese is very official, the format is crafted, and
37:04
the most important thing is, if you trust Gmail, you suck, okay. No problem, this is the name, it's kind of "official reporter list of the Legislative Council", so you will open it.
37:24
However, I need you to treat me to drinks or dinner, okay. And also then need to say grass mud horse. Then, you know, these two cute, these two horses, don't know, anyone knows? Do you know it? Yeah, okay, get it.
37:44
But don't speak it to the Chinese, okay. Okay, I know you just come here, yeah, because I come for it, yeah. Okay, these two lovely animals, it's this kind of "motherfucker", okay. Okay, but it's blocked on the China internet, because they use the grass mud horse instead,
38:05
okay, in Chinese and also English, okay. I also talked about this kind of thing last year, you could go back to my video. And after the analysis we do the DNA analysis. This is what we want to do.
38:21
I find the samples, the Excel samples, I upload to our engine, Callapd sir. We find that these samples belong to here. You find this is an evil center, an evil circle, very evil, you know. If you find your target by this evil circle, please take care,
38:40
extreme, extreme care, okay. This is from China, okay. This is also from China, okay. But these samples are from here. We group the clustering from here, and the different colors mean different years, different kinds of exploit, the build time years, okay.
39:03
The detailed analysis will be from Benson, it will be much more cool. This is an old version. Then we got the exploit name, the build time and a group, C. Yeah, and this is the analysis. You saw that before, I don't want to take it over. This is about a group, the APT group,
39:29
it's about, it's a dropper, always the dropper. Analyze the dropper first, and then inject a DLL, inject the DLL to the, inject an exe to the, no,
39:41
DLL to the exe. I support, you see, and this is the location of the CNC servers. 28.5 percent of CNC servers are located in China for this sample, for this group, and in Hong Kong, as I said, I always support Hong Kong as a CNC central
40:02
center in Asia, so they got 28.57 percent, okay. And Canada is not bad, they are in third place. So we will soon, we will soon give you more about the analysis, about our DNA clustering.
40:21
For peace or warfare: pwn for peace. I would like to put thousands of porn images in a .cab file and put it in the debug folder and show my sincere, nice, peaceful mind to the CNC writer, or the other secrets, on the
40:43
right task force, task force leader, you know, I'm a very, very nice man, okay, okay. Do enjoy the porn and find me funny, this is the most important thing. Fight back, okay: set up a CNC server, prepare a malware pack, put malicious PDF
41:03
documents, Excels, in the .cab file, and they must open it. If you think, must open it, right? They will, with it, right, to see what's going on. It could be fun, exciting, but I've not tried it yet. So we have the poem from Chinese:
41:23
"Cooking beans on a fire kindled with beanstalks, the beans weep in the pot. Originally born from the selfsame roots, why so eager to torture each other?" You know, we can't do the same against them, but we would like to see what could help to analyze and
41:41
to see how we could help this community, community. Special thanks to my, we expose is, went to, and the RTL, who analyzed the samples for me. And here, went to, he's a very old guy, but he is very passionate about reverse engineering and analysis of samples, and a very detailed paper, so please stay tuned,
42:01
I will publish it. And as you know, okay, Benson, your time. I'm sorry, then I just leave, without taking care about
43:10
My part will be another 30 minutes. As you can see, Anthony, so, his personality is so aggressive, and I'm kind of the opposite. That's why, when we work as a team, it's so fun to work together.
43:28
Most of the time I don't enjoy doing a lot of manual analysis over these malwares, and actually in Taiwan lots of researchers, we have been receiving tons of malwares every day, and then we do a lot of this manual
43:43
work on a daily basis, but this is really time-consuming. As you can see, malwares are now in mass production. So if you are doing this manually, then you are definitely falling behind. So this is why we really want to come up with automatic systems, so that we can easily classify
44:05
whether this is made by automatic tools or is actually made by human beings, APT groups. They are only being used once, once only, and then thrown away, they will never show up again. If that's the case, then how can we go beyond these
44:26
situations and then try to understand who is behind these samples? So we want to automate all these processes rather than doing this manually. And you guys might recall this slogan.
44:42
Well, this is not "ghost in a browser". Well, Google says "ghost in a browser", so they are good at ghosts in a browser but not ghosts in the networks. And this is what we think APT is: actually a ghost in a network. Once they get into your network, they try to stay there. So they are not like, you know, fast in and fast out.
45:04
They actually try to get into your network, and then they try to stick there, and then they never want to get out. So they try to stay inside, hide and seek, and then try to steal everything they can steal, and then try to escalate the privilege until they can steal more sensitive, more confidential data.
45:24
In Chinese, that's how we translate it, one little great. The term was first defined by the US Air Force. They call it advanced persistent threats, which we think is very appropriate,
45:45
because being advanced is actually now relative, compared to the victims. So it's not necessary that I have to use the most non-patched zero-day exploit in order to
46:01
invade your system. As long as I know that you haven't patched these exploits, then I can invade you successfully. So this "advanced" is more or less in a relative manner, while being persistent means that I'm really determined, because I'm being supported, I'm being funded,
46:21
in order to invade your network. It's actually part of my yearly projects. I really have to get into a network, otherwise I will not accomplish my missions. So that's how determined I will be.
46:40
So all these victims, we can see that oftentimes they always have good security controls, they have a good sense of security, and all these employees, they actually have good eyes, you know, they know how to see errors in these buildings, errors in these social engineering emails. But still, they still get APT
47:07
attacked, and then successfully, because there's really no way you can get away when you are being targeted by these APT task forces, because they are so determined and the emails are written so well that they are just exactly for an individual person.
47:25
That's why you see Google being owned, RSA as well, and then many more. The reason we mentioned Stuxnet is because, in order to launch the Stuxnet zero-day, they actually attacked
47:41
several, several companies in the science park in Taiwan, you know, to get a certificate so that they can sign these drivers. And then once they get these drivers, they sign these malwares so that when people get attacked, Windows will not alert when they install these
48:00
malwares. And also Comodo, they invaded Comodo to get all these certificates. So later on, when we actually get these APT emails, a lot of these APT emails are being digitally signed and also verified by Comodo. So we, well, for these companies, they never want to be the headlines
48:27
in these kinds of situations, and of course everyone knows this. And this chart is actually from McKinsey. They actually
48:42
analyzed a lot of data from IDC and also the Bureau of Labor Statistics. From this chart, it is actually telling you that a lot of these large enterprises, they own lots of data, so much data that they never knew that they have this amount of data. For example, a large enterprise typically owns more than a terabyte
49:07
of data. So that's hundreds and thousands of enterprises in the States, and in fact also hundreds of companies own more than a petabyte. So you have so much data that is so juicy, these hackers,
49:23
they just want to target you and then try to see how they can do APT on you. So if you have too much data, then you have to protect it well, otherwise a situation like Sony would happen again.
49:42
So these are some samples that we share here, what we receive in Taiwan. And this is from a real case. For example, a lot of professors in school, they will receive these on an annual basis,
50:03
for example, receive these kinds of calls for papers and also acceptance notifications from people pretending to be from the National Science Council, sending the malicious PDF to them. And this is from genuine email accounts, but that PDF is containing a malware inside, but that couldn't be
50:26
identified by any antivirus tools on the market, because definitely these are APT task forces, they would do this QA before they release these
50:40
phishing emails. So it's really hard to teach how these professors can get away from these targeted emails, because there's definitely no way they can get away with their good eyes, because that's a very genuine email. And also
51:03
these attackers, they will send you invitations asking you to give a speech, asking you to give a talk, and then these people are also real people, some professors that really exist. And then again, you couldn't find all these malicious documents with existing antivirus tools. And
51:30
these are the statistics numbers that we are, roughly 20,000 suspicious emails are sent to
51:43
gov.tw on a per-day basis, and then out of these, every month about 4,000 to 500 are APT emails, and these couldn't be identified by any antivirus on the market. So
52:02
we can say that every month we can collect this amount of samples. So this is our research motivation. In the past we see that these APT incidents happen again and again. This really implies that
52:21
we need better security controls, because this is out of control. Existing tools don't help. That's why incidents happen again and again. So we have to turn the table around, otherwise it's always the attacker in the dark and the victims in the light,
52:40
and we have no idea who is attacking us. And then people also say that APT is a new term but an old problem, and yet inevitable. Then that's really a very ironic situation, because if it's an old problem, then we've got to have a way to counter it, but then
53:01
it seems so inevitable that we couldn't do anything with it. So we are thinking that actually we have so much security control right now, but none of these are designed to fight against APT issues. And then also, because APT is highly targeted, it's very hard to collect these samples from
53:28
the way we collect our viral samples right now. Viral samples are being collected through our honeypots or honeynets, but these APT samples will never reach all the honeynets that you deploy.
53:41
So the only way you get APTs is either through intelligence exchange or by really deploying some devices on these classified personnel's email boxes. Otherwise, you would never get these
54:02
APT samples. So there is a Chinese saying that we must first sharpen our tools, otherwise you wouldn't see the task going on. So our research direction is that we want to analyze these samples so that we can see
54:21
the groups behind these samples. In the past, it's always receiving the viral samples and then we determine whether it's malicious or not, then that's it. We never try to see who is behind these viral samples. So we stop at determining whether it's malicious or not, and that's really a pity. And then from these APT samples
54:45
we also want to see if we can find out, well, what's their plan? So what's the correlation between these samples? And probably we can associate all these APT samples, seeing that, oh, they are actually all targeting this particular group.
55:01
So we can probably come up with their yearly plan, who they are targeting. And then, also, from a single attack we also want to see the trend, because by seeing a trend you can see how advanced these APT task forces are.
55:22
You can see what kind of weapons they have been using, because the weapons they use, they have to spend money to buy them. So you can see how well they are funded, and also you can see how persistent they are, how many years they have been in this cyberspace and how active they are.
55:41
Sometimes you see them being so active, maybe for one year, but then they stay very silent for another year, but then all of a sudden become so active this year. So you can see all these trends very easily if you have automated tools. But if you only have one antivirus in your hand, then you can only see
56:01
one attack at a time. So we try to do our digital forensics on all these APT samples, and these are some of the attributes we try to get from these samples, just to name a few, for example our malware features,
56:23
what exploits are being used. So usually we associate these exploits with CVE numbers so that you know exactly what CVE exploits are being used, and also the CNC networks that are being leveraged, because these CNC networks, they usually
56:42
imply the stations that they deploy in different countries, and also the emails: who are they targeting, who are they pretending to be, and what's the content inside the emails, and also the victim's background, and also the time of attack.
57:02
Usually the time of attack would matter, because they try to do social engineering. So, for example, when they send the meeting notes, the meeting notes will be associated with, will be very close to the meeting time, so the time of the target also matters.
57:22
And how are we different from malware study in the past? Study in the past, they have an assumption that all the information they analyze is 100% accurate. For example, if they do signature-based detection,
57:41
they do exact match. So if you don't match this signature, the pattern doesn't match the signature, then they will say it's not malicious. That's how antivirus does it. And for behavior-based profiling, if your behavior doesn't match the profile they did, then they will say you are not exhibiting malicious behavior. And
58:02
if you are not exhibiting your malicious behavior in a sandbox environment, or you pretend not to exhibit the malicious behaviors, then they cannot profile your behaviors at all. So they have an assumption that they can see through you and they can observe the exact behavior you are exhibiting,
58:23
but what we see is that malware doesn't behave that way, because they are usually packed, they're usually encrypted, and they are designed in a way that they don't want to be analyzed easily. So you have to tolerate some errors inside, and that's why
58:41
some of the theories that we use, they allow some errors and then allow some information being loose. For example, we use some rough set theory. So rough set theory is almost like the opposite of fuzzy. And then we also use data mining so that we can easily associate all these different attributes,
59:05
and then we also use clustering, so that later on you can see how we cluster all these different APT groups, and then etc. So we use a lot of mathematics to help us analyze our data, and then of course we
59:25
not only use a static approach; in case the static approach doesn't work, we also use a dynamic approach. Our background comes from the dynamic approach, so we know very well how to observe malware in a sandbox environment, we know very well how to trigger them in a dynamic environment.
59:45
But we know that it's very time-consuming, and you cannot replicate, you cannot replay the required parameters to trigger them. So the dynamic approach is really the last action that we will do.
01:00:00
So we will apply the static approach first. So it's a multi-layer of technology that we will apply. And some challenges for dynamic analysis, for example: they will do encryption, they will do anti-sandbox, they will do dormant functionalities, so they will not exhibit a behavior, they will sleep,
01:00:22
they will detect if there are mouse movements, or they will even try to communicate with the external networks, and if they couldn't communicate with the CNC server, then they will not do anything. So in those cases, you definitely have to do static analysis.
01:00:44
And then on the static analysis part, we also implement lots of parsers, lots of static analyzers on our end. So we try to analyze all these PE codes, all these shellcodes, and then all these known packers.
01:01:04
So we implement all this well-known stuff, and then we do the static analysis part by ourselves. Later on, you can see the demo. Our performance for analyzing one APT sample using one computer is like five seconds to seven seconds.
01:01:22
And then we can finish the whole analysis. And the middle part is the data we can extract from these malware samples. You can see that if we can identify
01:01:41
what exploit is being used, we will give it a name, for example the CVE number, and then what shellcodes are being identified, and then what kind of CNC network is being used, and then also, are there any suspicious structures? So we will also walk through
01:02:02
the suspicious file structures, and then we will also try to locate any known malwares that are being used, so for example the PE and also these code snippets. And then if we try to run it in a dynamic environment,
01:02:21
we also try to say that, well, when it's being executed, where would it hook in the runtime environment, what registry key it will try to modify. Then if you are being compromised, how you can try to remediate yourself. And then once we extract all this data from the samples,
01:02:43
we will try to normalize it into APT attributes, because now we will try to do the clustering. So we will do the normalization first. And then this screenshot is actually to share
01:03:04
the beauty of extracting all this stuff from the binaries. Of course, we can easily get all these binaries, doing it manually, but with a system, we can get this data very easily.
01:03:21
And some of the interesting stuff we get from these binary strings is a new trend like this. Anyone use PLUG before? PLUG is very famous in Asia, but I think Twitter is more famous here in the States.
01:03:48
Can you guys make a guess what this person is talking about here?
01:04:00
This is definitely not a human language, right? Yeah, this one is being encrypted, but we actually found out all these conversations from the APD samples that we analyzed. We noticed that from all these APD samples,
01:04:20
they tend to communicate with the PLUG. So if it's in the U.S. case, they will tend to communicate with Twitter. And then they will communicate with different Twitter accounts, but they speak similar language. A language that we couldn't understand, but a language that they all encrypted with the same key.
01:04:40
And if you decrypt the text, you will find out that it's actually CNC info. So they started not to put the CNC information inside the sample. They put the CNC information on these web applications,
01:05:00
websites, so that they can easily get it through HTTP. And then they can easily redirect all these botnet activities. Once we get all this normalized data, we do the clustering.
01:05:22
And when we do the clustering, all the mathematical methodology helps us, for example, to pick the important attributes. Before we apply, for example, rough sets, all these attributes are of equal significance.
01:05:43
But then after we apply rough sets, rough sets will tell us that, for example, malware type is more significant than exploit type. And CNC server is even more significant than the other attributes. And what the coefficients should be.
01:06:00
So we get a very nice formula for these attributes. And then based on these nice formulas, we come up with a good clustering of these APT task forces based on the samples. And then we call that the fingerprints for these APT task forces.
01:06:21
So they distribute so many APT samples to all these victims, but they have no idea. Actually, they're also disclosing their fingerprints. So to make a common basis
01:06:40
when comparing all this data, we actually use common samples. So we use the samples from Mila. It's public data, the contagio dump. So there are about 242 APT samples. So if you guys are interested, you can also download it from Mila's website.
01:07:02
That's the sample set that we use. And we also compare our detection rate with antivirus. But before we mention the detection rate, let's see how the antivirus products perform when they are scanning these viral samples collected from honeypots.
01:07:22
As I mentioned earlier, APT samples will seldom reach these honeypots. These are all made by automatic tools. So as you can see, all these antivirus products perform very satisfactorily, almost like 100%, 99 point something.
01:07:43
And this is from Shadowserver. They update this on a monthly basis. But then when it's applied on APT samples, antivirus really doesn't work well because they never get the signatures easily from these honeypots they deploy.
01:08:03
So these samples hardly enter their laboratory. So usually the time when they get the signatures takes much longer than usual. So this data is what we tested two weeks ago.
01:08:23
As you can see, most of the vendors fail to qualify at more than 60%. And the one that we're gonna share with you online, the APT Deezer, that you can try online. It's free, available.
01:08:41
This one has a detection rate of more than 94.6%. And of course, it's not only on Mila's samples. Once we announced this, so many people began to upload their APT samples as well. And you can see the graph becomes bigger and bigger.
01:09:02
The community really contributed a lot. And then the overall APT task force graph becomes much larger than the original 200 something. So this is the clustering result.
01:09:24
After we analyze all these samples, we actually can see the task forces behind these samples. If you only analyze these samples individually, you have no idea which groups are behind them. But then when we use all the methodology that we mentioned,
01:09:43
we actually can see that there is one group that is very big, which we call group A. Of course, we also have the geographical location, but it's too sensitive, so we don't mention it here. So you see group A, which is huge.
01:10:01
And then you also see a second small one, group B, and then you see group C. So we will take the top three here and then give you more detailed data. And the different colors here mean when these APT emails or these APT samples were collected or hit the victims,
01:10:23
so you can see their active time. For example, you look at group A, you see that most of their active time is last year, 2010, and then for this year, they only have a few.
01:10:41
This is based on Mila's sample set, so it's 242. But later on, you will see that after the community submits lots of samples, the graph changes dramatically. You see new groups coming up. So these are the top three.
01:11:03
So for group A, you see they actually leverage CNC servers, like 23, and these are the weapons they have been using repeatedly. Some are pretty new.
01:11:21
For example, this one, this one is the one that has been used to attack RSA. And then this one is group two, and then this one is group three. And then if you know the market price
01:11:41
for all these exploits, then you can see how well they are funded. And these are the CNC servers they try to abuse. And you can see the countries are like Taiwan, US, Hong Kong, so these three dominate more than 50%.
01:12:03
So I would say that the reason Taiwan is abused a lot is because the bandwidth in Taiwan is very stable and reliable, and geographically it's very close in Asia. And also Hong Kong, as Anthony mentioned, Hong Kong, they respect your privacy so much
01:12:21
that when you do something evil, they don't even try to disclose your privacy when you host a machine at an ISP. And then more than that, you can also see
01:12:41
the attack graph for every malware that has been used. So you can see what happens when you double-click the attachment. And you can also see what happens when you get infected.
01:13:04
And even the bot commands that are involved inside these APT groups. And these bot commands are very helpful in identifying the APT task force as well.
01:13:21
And if we only look at APT group A alone, you can see this group A highly relies on CNC servers in Taiwan. So if we look at the three groups together, Taiwan is only like 20% to 30%, but if you look at group A only, more than 50%, like 50% of their CNC are located in Taiwan.
01:13:52
And this one is interesting. Now this one is group E. And this one, we also identify, it's actually from, it's from Korea.
01:14:04
The reason that we can identify this is from the language, the language they actually compiled it with. And then the interesting part is that all the samples that we receive from these
01:14:25
are signed by a Comodo certificate. And when we submit to VirusTotal, only one antivirus can detect that.
01:14:41
So it's a very low profile APT attack. So later on I will do a demo of the system so that you can have a feel for what you can expect when you do it online.
01:15:01
And also something that we are still working on. So from Mila's sample set, we can easily identify the major task forces behind these samples. So the more samples you submit, the more easily you can identify how many different groups
01:15:22
are actually behind all these samples. And then you can easily identify how many weapons have been purchased, how many different exploits they have been using repeatedly. And then one interesting thing is that they keep on changing the exploits they use,
01:15:44
but the embedded malware tends to stay the same. So inside these exploits, the malware they use, what we call remote administration tools, they tend to use the same RAT tools.
01:16:02
So this embedded malware is limited to a few ones. So for example, in the States, it will probably be like Poison Ivy, which is a very famous one. And then we also found out with these APT samples,
01:16:20
we actually extract hundreds of attributes, but among these attributes, the very, very significant ones are CNC servers and malware used, and a less significant one is the exploit type. Even though APT task forces will use dozens of different exploit types.
01:16:46
And if we look at the language used in these APT samples, one thing that we can say is that like one fourth of the samples are from China. And then some samples are from Korea. And then we also have samples from Russia and France.
01:17:05
And then if you look at what CNC servers are being abused, the top ones will be Taiwan, US, and then Hong Kong. And then this one is readily available online
01:17:21
where you guys can try it. When you upload a binary, it will give you a graph and then it will also tell you whether it's an APT file or not, or it's only a normal virus. So if it's only a normal virus,
01:17:42
then it will not put you into a graph. So this graph will only draw the APT task force graph. And in this case, you see that gradually we see more and more APT emails being signed
01:18:03
by a Comodo certificate. So you see emails have been digitally signed and then verified.
01:18:25
And then this is from a very new group. Previously we mentioned that the green color indicates it's this year. So this group started being very active this year.
01:18:45
And they don't exist in Mila's sample set. They just showed up after the community started to submit their APT samples.
01:19:03
And then so I will demo this one here. So this one is also an APT email sent from someone I would trust because it's sent from an academic institution.
01:19:22
And basically it's saying greeting, greeting something, and then it's also a PDF. And as you can see, Google doesn't alert me about virus emails. And also when I save this on my computer,
01:19:43
Microsoft Security Essentials also doesn't alert me. But then this is the APT diesel that you guys can try.
01:20:03
I then can upload this one.
01:20:34
Okay, it says that your sample is of APT grade. So it's good quality, meaning that it's not a normal virus sample.
01:20:56
And then it's from group A. So it not only tells you that it's malicious.
01:21:03
Remember that when we tried to open it inside Google, Google doesn't tell us it's malicious. And also our antivirus tool doesn't tell us it's malicious. So of these three tools, this is the first that tells us it's malicious. And it also tells us that we are being targeted by the biggest APT task force.
01:21:25
So since we are part of their plan, they will never give up until they are successful. And as you can see, this graph is much, much bigger compared to my previous slides because the more the community contributes,
01:21:42
the bigger the graph will be. And then we also have, what we are still developing is, we try to put this together with like a dashboard
01:22:00
so that you can see a more holistic view to see the trend. And then we also try to associate it with Google Maps, which is very fun. For example, we try to see Taipei. And then later on,
01:22:20
we try to make it together with street view. So probably you can see a hacker sitting there on the street, yeah, real time. And this is something the U.S. can do easily, right? Because you guys have got a satellite. Okay, yeah.
01:22:43
Pretty cool, right? Actually, if you begin a CNC or deploy a CNC, or you're located then, actually it's my honor to work with Benson, Batman, PK from Xecure Lab and to give this research like that. Actually for me, as Benson said,
01:23:04
every time we do the manual analysis, it's very time consuming. And even from the same generator, we can't see what the task force behind it is. We need to identify the evils behind. Otherwise, every day you take a routine job to analyze.
01:23:21
It's meaningless. We need to escalate the analyst's analysis level one more level so you can make your plans, strategic plans on how to respond to incidents and how to make the controls instead of just buying different boxes, firewalls, IPS, and saying you have done the control.
01:23:42
This is not our story in the future. Oh yeah, actually. Actually, I simply get a PowerPoint. Yeah, I have not used a Windows environment for many years.
01:24:03
Oh, final words then. Actually, you could reach us at www.xecure-lab.com and we keep collecting samples and enhancing the capability to analyze and observe APT DNA families in a more accurate manner. This is what we want to do.
01:24:20
And deep technical analysis, of course, of samples is still needed, right? But it's helpful for DNA footprint analysis. It's an incremental effort we wanted to make. And we would like to publish our, we will publish our follow-up message at the DEF CON speaker corner and together we make the homeland secure, and also special thanks to some special friends, to our members
01:24:41
and also like Benson, PK, and also Batman and other fellows in the Xecure Lab team and ship group members and VXRL members and our family and fellows. This is our email address and also our blog mess, our blog. And one more thing is, perhaps we will, board members, are you convinced yet?
01:25:02
Thank you.