Balancing The Pwn Trade Deficit: APT Secrets in Asia

Video in TIB AV-Portal: Balancing The Pwn Trade Deficit: APT Secrets in Asia

Formal Metadata

Title
Balancing The Pwn Trade Deficit: APT Secrets in Asia
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2013
Language
English

Content Metadata

Subject Area
Abstract
Last year, we gave a talk on China-made malware at both Black Hat and DEF CON, which was appreciated by various parties, and we would like to continue this effort and discuss APT attacks in Asia this year. However, case studies are not our main dish this time; we will carry out technical analysis of the samples. I have worked with two Taiwanese researchers and would like to talk about how to automate APT attack analysis with our analysis engine, Xecure, and give a comparison between samples from various Asian countries, with similarity and difference analysis among them, which could be insightful to the audience. Finally, we will talk about our contribution to the rules and signatures to detect APT attacks. Anthony Lai (aka Darkfloyd) has worked on code audit, penetration testing, crime investigation and threat analysis, and has acted as security consultant in various MNCs. Anthony has worked with researchers to give talks about Chinese malware and Internet censorship at Black Hat 2010 and DEFCON 18. His interests lie in studying exploits, reverse engineering, analysing threats and joining CTFs; it would be nice to keep going and boost this China-made security wind in malware analysis and advanced persistent threat areas. He founded VXRL (Valkyrie-X Security Research Group) in Hong Kong, which keeps connecting to and working with various prominent and respectable hackers and researchers. Benson Wu focuses his research on detecting and countering advanced persistent threats, code review, secure coding and SDLC process implementation. He graduated from National Taiwan University with a PhD in Electrical Engineering and from National Chiao-Tung University with an MS in Computer Science, and holds ECSP, CEI and CSSLP certifications. Currently, he is with Xecure Lab as Lead Security Researcher, and with the Research Center for Information Technology Innovation, Academia Sinica, as a Postdoctoral researcher.
He has spoken at NIST SATE 2009, DEFCON 18 (with Birdman), OWASP China 2010, BoT (Botnets in Taiwan) 2011 and HIT (Hacks in Taiwan) 2011, and has written the "Web Application Security Guideline" for the Taiwan government since 2007. Jeremy Chiu (aka Birdman) has more than ten years of experience with host-based security, focusing on kernel technologies for both the Win32 and Linux platforms. In early 2001 he created Taiwan's first widespread trojan, BirdSPY. The court dropped the charges after Jeremy committed to allocating part of his future time to assisting Taiwan law enforcement in digital forensics and incident response. Jeremy specializes in rootkit/backdoor design. Jeremy also specializes in reverse engineering and malware analysis, and has been contracted by law enforcement to assist in forensics operations. Jeremy is a sought-after speaker on topics related to security, kernel programming and object-oriented design; in addition to frequently speaking at security conferences, Jeremy is also a contract trainer for law enforcement, intelligence organizations, and conferences such as DEFCON 18, SySCAN (09 08), Hacks in Taiwan (07 06 05), HTICA (06 08) and OWASP Asia (08 07). In 2005, Jeremy founded X-Solve Inc. and successfully developed forensics and anti-malware products. In July 2007, X-Solve was acquired by Armorize Technologies. In October 2010, he left Armorize and created a new research team, Xecure-Lab. Peikan (aka PK) has intensive computer forensic, malware and exploit analysis and reverse engineering experience. He has been a speaker at SyScan and HIT (Hacks in Taiwan) and conducts various trainings and workshops for practitioners.

I would like to introduce us first. Actually, from your brochure you found four people presenting, but you'll find just two persons here. Why are there just two persons? Because one of the speakers, Birdman, his wife has just had a baby, and also the other speaker, PK, his girlfriend has just gone back to Taiwan. So the reason both of them cannot be here is because of women. So it's a very happy moment, right? So anyway, this time Benson and I will take over two hours, but you know we cannot spend two hours, because we are not the style of reading the slides. You could go for some kind of reading of the slides, but we will not be on the stage. So we have some kind of demonstration, okay, and also some tools for you to play with, and some case studies for you to take a look at. Okay, maybe let's start. First of all, I'm Anthony; this is Benson Wu; then also our research founder Mr. Jeremy, Jeremy is our man; and also another independent security researcher, PK. Okay.
We need to add a disclaimer: there are no national secrets here, okay. We welcome spies, secret service, intelligence, for instructions. Thank you, thank you, thank you. No, no, any Taiwanese spy or Chinese spy, Russian spy? Now, you know, raise your hand, I've got a gift. Okay, okay, there's a gift for you then. Okay, thank you very much, thank you. And also the advertisement, I'm, it's always
You've got a gift, you have a purchase menu now, right? Okay, I need to advertise
our CHROOT group members. Actually it is a very famous Taiwanese security and hacking group; it started from 2004 and focuses on security and hacking studies, and it is the sponsor, or the supporting organization, this year for Black Hat USA 2011, and also we had two speakers speaking two days ago about exploitation on documents, malicious documents. Also there's
our conference, the Hacks in Taiwan conference, which is a larger scale hacking conference in Taiwan, with talks, war games and food. Come on, come here, right? Even I come from Hong Kong, but it's good; I went there two times, and the atmosphere, the professionalism, everything is good, and it has some kind of English interpretation. It happens every July, okay, and there's a link for you for reference. I founded my group in 2009,
since actually I founded this group because I'm inspired by DEF CON, because DEF CON is really a core conference, with contests, with many talks, and with many people to meet up, you know, and also with drinks. So this is a really good conference, I could say, such an international conference. So I went back to Hong Kong and then held a group to organize more hacking and security research studies, and we have just published some papers, like Facebook forensics, and a kind of web app security feng shui for Macau and Hong Kong. You know feng shui? Potentially, okay: no point moving the... like you put a stone in the door, something like that makes you wealthy, something like that, okay. I don't know. And also there's a case study: I investigated a case about lost money, millions lost in a minute. So just feel free to visit our site, and also to promote it,
and Val Smith, because he partnered with me and Colin Ames last year to give this kind of talk about China-made malware, thank you very much, and they have the blog at attackresearch.com, which I suppose is a very insightful blog. That's enough, Anthony, right? That's
done. Last year Val Smith, Colin Ames and I
worked together on analyzing China-made malware. We would like this year to continue this effort; this year we deal with many targeted attacks. Benson, Birdman and PK come from Taiwan; for me, I come from Hong Kong. In Hong Kong there are also some kinds of attacks, not just Taiwan, okay; Taiwan is also the major and ongoing target being attacked. Then we are happy to be presenting here. We were selected in the first run at DEF CON, but we were rejected, and perhaps the reason is they are curious about our automatic analysis. We will come to Black Hat from here, because Jeff told me there are board members. Okay, I give the gift to him, okay, just a lazy gift. And Benson's talk is about APT, and
also the talk presented just two days ago about Weapons of Targeted Attack: Modern Document Exploit Techniques, and also the next session is Mario's about Sneaky PDF, so it is more or less like a connection. So I would like you to put it all together, two different focuses, okay.
Introduce myself: you can call me Anthony or you can call me Darkfloyd, because that's my handle. I work on audit, penetration test, crime investigation, and being a consultant, anything, and teaching something, teaching like in the Polytechnic University in Hong Kong, and have spoken in Asia, and been guest instructor in a technical exploitation course at Black Hat USA.
Oh yeah, I'll leave Benson to introduce himself. Yeah, my name is Benson. Birdman and PK and I, we are all from Taiwan, and now we are from the same lab called Xecure Lab. Well, the other two couldn't come, actually, because it's really expensive to come over to Las Vegas; it costs like, you know, more than 2,000 bucks just for the air flight, so we can only afford one of us to come over. We study a lot about APT since the start of this year. Before that we actually didn't do a lot of commercial products, but then we feel that APT is so serious that we want to really focus on APT starting this year. So beginning this year you will see more and more stuff that we are developing that we would like to share with the community. So the tool that we disclose here is freely available online, and if you guys receive any sample that you think is from an APT group, then you can just scan it online; it is totally free. I also like to mention that I'm from an academic background, and even though I've got some diploma before, that doesn't stop me from being hacked. I remember that when I was in university doing my master's, my friends in our national security agency told me, "Hey Benson, I found one of your computers in the enemy's C&C servers," and I was really surprised, because I thought that I can protect my machine well. So that actually taught me a lesson, that a diploma doesn't give you anything when it's about cyber warfare. So I really feel that you have to equip yourself with some hands-on when it's about cyber warfare. That's why later on we end up doing a lot of commercial products and then a lot of research on these kinds of stuff, and not, you know, simply publishing papers. Okay, thank you Benson. Actually he has not introduced himself, just his academic background, okay, but he is very good at cooking. We will work out for the Xecure Lab in Taiwan, hopping between Hong Kong and Taiwan.
We would like to contribute this kind of research and service. Birdman, you can see his face is always like that, not really strange, but I don't know how he can get this kind of hat. But anyway, his expertise is in Win32 and kernel; he performs on Windows programming. He's the first one in Taiwan to spread, not that he spread it out, but he produced a kind of trojan, BirdSPY, and then it was being manipulated by other people and spread out in the wild in Taiwan, and the Taiwanese police caught up. And afterwards the police said, okay, I will release you, then the idea is he has been helping us for investigation in the future, so he is a free employee, that's good, to do the forensics, assist some kinds of digital forensics and investigation and incident response. And he's good for rootkit and backdoor design; he's a good man, okay, even if he's doing a lot of evil design, but he does a lot of training, okay. PK, he's from law enforcement and also he is an independent security researcher. He's also good at system programming, Windows programming, forensics, and he has developed a software called MPA scan for the police force in Taiwan, so it could be downloadable on the Taiwan police website. But I know for some kind of reason some people target this software, but he's very nice, with expertise on reverse engineering and system programming, okay. Start our agenda. I'm sorry, then
I'll spend five to ten minutes on a brief introduction, then the APT stuff. I actually don't know where the term comes from, but it is easy for people to say it is a targeted attack. Every attack targets somebody; it may be quite advanced, but it is specifically targeted at a specific company or organization, and it comes from organized attack parties. Then, in the case studies, I would like to present and analyze APT from malicious email documents through our automatic analysis. Okay, and later on Benson will present the DNA clustering of different APT task forces; for example, you have some triad societies like 14K and different triad societies and parties, and it is the same idea with these different APT task forces.

Here we have observed three major types of targeted email. For example, phishing emails that get your user name, ID and password. Also you could get an email with some malicious script in it: when you open some emails, maybe they execute some malicious script, or even some documents that deploy the malware, and you become a botnet and contact a C&C server for further compromise. This is what we have observed; there is more in the table, but anyway we've got a difference here. This pen is very powerful, okay. This column is APT botnet activities, this column is traditional botnet activities. Actually, the APT botnet activities are more organized and also don't cause any damage, because if they damage your machine they have no game to play, right? And of course they target a specific group and a particular company, and the effective duration of that attack group is very long, and the frequency is many times, because they would like to launch it from different perspectives, maybe the same dropper but in different email formats. Their persistence is more than twenty days, and the dropper and the embedded malware change, and finally the detection rate of antivirus software is simply less than ten percent. Okay, the exciting part is coming: case studies against a political party in Hong Kong.

Okay, we got a call from Mr. X; he always picks me, I don't know why he likes to pick me, calling me for help like that. Okay, Mr. X is one of the key persons of a political party, like a democracy party. He showed me an email that he felt suspicious about: the attachment was called meeting agenda and minutes, something like that, and it contains two files, one is agenda.doc and the other is minutes.doc. Why did he feel suspicious? Because he had just had the meeting the day before he received the email, and he got this document, I mean, it's very consistent. So it looks like a member meeting agenda; however, it targets all the committee members in the meeting. Mr. X also said these kinds of mails come before the fourth of June and before any Legislative Council election, you know, the fourth of June is the Tiananmen incident and the first of July is the day Hong Kong returned to China, so it's very regular, instead of, say, October, because those guys may be on vacation on holidays, so they did not launch attacks because they need to be on vacation as well, okay.

So I ran a very brief analysis in our Xecure analyzer engine, and actually it is not a document, it is a PE file, okay, and it uses a dropper; it creates the minutes document and the agenda file and then executes agenda.doc. Okay, this is one of the screenshots of our engine. Then you'll find that from the startup folder, okay, up here is the startup folder, once you execute it, it creates another file, IECheck.exe, and afterwards it generates the DLL msvcr, which looks like a legitimate DLL file but it isn't, right, and injects it into explorer.exe, some kind of DLL injection, and then it connects to different C&C servers. So let me show you.

Yeah, because of the time limitation... then you'll find it here, this is our agenda.doc, okay. Oh, I want to skip it, because I'm quite sure you can't see it at the back. And the doc I've submitted, yeah, from Hong Kong: the C&C server is in Hong Kong. Hong Kong, other than being a shopping center, is also a C&C heaven, okay? Yeah, come to Hong Kong, okay, to deploy a C&C server. Then you will find a report here. Okay, I captured it in my slide as well, but anyway here is what we have shown and analyzed, because if every time you need to spin up the VM and do the analysis, then it's a very boring job, right? Every time you spin up a VM, every time you run the executable for every sample, I don't think it's fun, right? So we do it on the automatic analyzer. Hey, have you seen it? Yeah, thank you. But this is not our core dish or main dish, okay, it's just like that. How long? Maybe just thirty seconds to one minute, it's not bad. Then go for a couple of those, then come back and the result comes up. Okay, back to the slide.

Well, here it's quite silent. Yesterday in my hotel room there was a lot of rock music downstairs and a woman shouting, a man shouting, all over the night; it was amazing, I couldn't sleep, actually. So now, analyzing our analysis: you see the location you're finding is Hong Kong and the port is 8080; actually the case is still alive, the C&C server is still there, so I'm not announcing it here, because we are writing a paper that we will submit to a forensics conference and a malware conference before law enforcement just takes it down. To infer our result with some traditional intelligence on the analyzed malware, we'd use Capture-BAT: what files are created, what files are deleted, right, and also what processes. What I've told you about our analyzer is what files are added by the system after the malware executed, and you should check it; and also a file like ipsecstep.dat is added to explorer.exe to handle the encryption for the IPsec channel back to the C&C servers. Okay, some files are added; I won't go through all of them, but I would like to show that they simply generated the msvcr DLL, but the file is not like the real one, it should be msvcr..., right, and in the version info of the file it pretends to be Microsoft, signed by Microsoft; the name is quite confusing. Different files are added here, and afterwards the agenda.doc is deleted. We've got some analysis, okay.
Who has QQ? Anyone have QQ? Anyone? No one, all right. But if you go to China, you need to make friends in China, you need QQ, okay. The first thing is, like ICQ, it's an instant messenger; you need QQ, and QQ can do anything, including remote control software, okay; it has the capability to control a remote computer, and it could also capture some screens or send files. Yeah, and many trojan writers focus on and take advantage of the functions of QQ. And also Foxmail; Foxmail is also a Chinese email client. Of course we have our good friend Messenger; yeah, Messenger is also a good friend for attacking the target. So, also, it's proved it injects into explorer.exe, not a surprise, but I would like to show this: you know, this Chinese phrase means "DLL injection failed" in Chinese. That's good, the programmers put the comment in the code to say the DLL injection failed, in Chinese. I like it; I like well-commented documentation. And also, as you see, you'll find it right here: it's explorer.exe, but besides this its brother is svchost; when I analyzed our sample I couldn't find any injection into svchost; I will tell you later. Okay, the agenda.doc is nothing special, it's just a dropper, okay: create IECheck.exe, copy the files, ws2help and the PMF, to the Application Data folder, change the .dat and .txt, and generate the malicious msvcr DLL and inject it into explorer.exe, and there it creates a new thread. It's not strange that they would create new threads; it's common for software to create different threads when running programs. And of course some traditional checking, like checking whether they have Kaspersky or any other antivirus; I don't want to show it here, but it targets the MSN, Sina, Foxmail and Hotmail accounts, and also they use XOR encoding only; they don't use a very complicated encoding or encryption scheme, because if you do a very complicated encoding scheme it will most likely be detected by the IPS or by network detection monitoring. Let me check, it's here... you know it's quite difficult, the screen is there and I'm here; let me point to it, but anyway I'll show it. Wait, I'm sorry, something that is encoded: the XOR is here. Thanks. Oh well, you need a telescope; have you got a telescope? Actually DEF CON should supply it, I know. Then there's the encoding here, then the loop, and then you'll find the decoder here. Actually every time they send out traffic they encode the traffic, and once they receive it they decode it; they don't do any complicated encryption, okay. Once we had pulled it apart, we factored out the scheme, and then we found out they get the hostname and also the OS type and the patch level, and then more information is sent to the C&C server. And also this is the most humble day, the most humble of my days, because we found a BMP file compressed in a .cab file under the Application folder; however, we were doing the packet capture with Wireshark, but the screen was captured by the malware and sent back to the C&C server, so this is the screenshot of us leaving the network, using Wireshark, sent back to the C&C server. Damn it. Okay, walking into the tiger's mouth.

Okay, some more: if you do the analysis, most likely you just analyze the dropper, right? You go to different online sandboxes, ThreatExpert or whatever; they just analyze the dropper files and they will not carry out further analysis. So we carried out further analysis and tried to install QQ and MSN and see what's going on, and we found that more binaries had been downloaded to the Windows debug folder, and the malware also creates more files in the Windows debug data folder, but those files, after they are executed, are removed shortly afterwards, okay, and they are also sent back to the C&C server in a different compressed format. So we found that the C&C server sent an instruction to the virtual machine to compress the files and send them back to the C&C server. It's also quite interesting that the traffic sequence number is set by the C&C server: if you have been infected before and you would like to try to analyze it again, then the binaries will not be downloaded again. It's not surprising, but they have the sequence number for control, so we need to change the registry to bring out that sequence number, which is stored in the registry, so it is quite tricky. And also they have put those files in a .cab compressed file; they put the DLL files, different DLL files, compressed in .cab files; however, after we decompressed the .cab file we got different system information from the victim machine from those DLL files.
Okay, and fancy that, we found this driver file in the .cab file; they capture everything, your files, the path, and also this password. This person is not our member; he's just the Chief Executive of Hong Kong, okay, we just took him as a fake email address, okay, then it's better, right? So you see they put it in this kind of text format with encryption. After carrying out the dynamic analysis we got three more binaries. Of these three more binaries, one is responsible for collecting all the hard drives; it writes a .txt and creates a file under C:\Windows\debug; you have just seen it before, right? And also in the file called ABCwin32.exe: after executing for a short period of time, it is renamed to SVCwin32.exe afterwards, and it puts all of the data, capturing all the email accounts and passwords like the files I showed you, and sends the system information to the AppData temp directory and also the Windows debug data directory under C drive. Done. And also one more binary, ACwin32.exe, captures a screenshot every 1000 milliseconds. The injector, the msvcr DLL, keeps monitoring the C drive Windows directory, this debug directory; if there are any files there they will send them out. So this is the summary.

In this summary, then, actually it targets a political party in Hong Kong and the C&C server is in Hong Kong, but this China-made APT, I would claim this case is... advanced persistent threat? Persistent, yes, but not really advanced, not very advanced, because it contains some opaque routines for Win95 and Win98; the programmer simply adds new features: maybe the boss asked him, okay, add one more feature for Windows 7, okay, add one more routine, and the old routines are just left behind, just never mind. Okay, and also the dropper is the same as in another sample; I've got another sample and the dropper is the same. Oh, I forgot to show you something here. It's my first time, the first time; it's very rare to open IDA on a Mac, and also I've not renewed the license, yeah, it expired. But anyway, you always use IDA in the Windows environment. This DLL is the msvcr DLL, and then we could find it puts the files into the .cab; I don't have... use this one, put it in the .cab file, yeah. And also it's very interesting that they use some different extension like .v2; you never know what it is, .v2. Another interesting thing is the capture-screen and the get-password; can you see this one? Get password, for example get the MSN Messenger password, and also the Outlook password. Yeah, it did quite well at collecting different passwords from different software, so if you want to jump into APT, simply try to use this software, but you can't do that, right? And to get the password, and also let me check something very interesting: yeah, this is called get password, and one more is the capture screen. I need to show it, because it uses some old screen capture routine from Visual Basic, so that's the reason why I say it's not really advanced. Sorry, that's the one here. Yep, just see here, right, CreateDC; I think it is traditional, but it is very old, some kind of capturing the screen and writing the bitmap stuff; it's already very old, okay. So that's the reason; I already showed you about that. Okay, let's continue.

The agenda.doc is just a dropper; XOR is used instead of some complicated encryption, then it downloads the payload in different stages. The most important thing is that they use some unpopular file extension like .v2, you never know, and as I said, the IPS or IDS doesn't recognize this kind of file format, right, and they simply depend on the built-in libraries and finally use the proper sequence set up by the C&C server to manage the victim. This is the way we could conclude. I have got two samples and I find that their droppers are the same. You can have fun here: this is agenda.doc, and this other one is another executable form; I collected a sample, another sample, and you find it's the same, except for one thing, okay. So I suppose they will just use the same dropper for different teams, or even the same team. This is the timeline my fellow has drafted: actually the green one is the other sample and the red one, oops, sorry, the red one is the agenda.doc I present here. In this case we have found that the PE time of the other sample and the agenda.doc PE time are nearly the same; it is around the time between April and July, and finally also the phishing emails received, and the file time, the MAC time, and also the report time are around the same period, in June and July. Yeah, this is my daughter.

So we think this is from the same dropper generator, and also the mutex name is useful to identify the APT sample. This case analysis simply supplements the Tracking GhostNet report and also the Mandiant report, because they just describe the process at a high level, but we do the reverse engineering and the further analysis, so it's a bit more detail for you. And afterwards, as a malware analyst, you will find that you need to analyze ten thousand samples from a single task force; it's too time-consuming. Can you go back to the office and say, boss, I got the sample, I need to close the door for three days and analyze the sample? Like that, I suppose you should be fired, right? Three days to analyze it? No, you should know how to respond, what the countermeasure is, right, and also think about whether, when you get a sample, you are already a target. No, this is a kind of traditional thinking from the internet before, because when we received malware we didn't think about whether it's targeted or not. And case two:
Mr. X called again; he's very free and always checks email and always gets this kind of targeted attack, but I want to help. And there's another file named like an official report released from the Legislative Council news. These are official emails; this is the party extension, and the Chinese is very official, the format is crafted, and the most important thing is that if you just get this email you'll open it, okay, no problem: the name is a kind of official report, a list of the alleged Legislative Council members, so you will open it. However, I needed to analyze it, right, because he wakes me up at six o'clock; he needs to treat me to drinks or dinner, okay. And also then I need to say: grass mud horse, do you know it? It is two cute... these two horses, does anyone know? Oh, you know it, yeah, okay, you get it, but don't say it to the Chinese, okay. I said okay, I know it, just come here, yeah, because I came through it, yeah. Okay, these two lovely animals, together, it's kind of "your mother", okay, but it's popular on the Chinese internet because they use the grass mud horse instead, okay, in Chinese and also in English, okay. I also found this kind of thing last year; you could go back to my video.

And after that analysis we do the DNA analysis; this is what we want to do. I took the samples, the Excel samples, and uploaded them to our engine, and we find that these samples belong here: you find this is an evil center, an evil circle, very evil, you know; if you find your target in this evil circle, please take care, extreme care, okay. This one is from China, okay, this one is also from China, okay, but this sample is from here, the group, the cluster here, and the different colors mean different years, different kinds of PE time years, okay. The detailed analysis will be from Benson; it will be much cooler. This is the full version, then we got the PE time and the group explained, and this is the analysis you see. Before I let him take over: this is about a group; the APT group always uses a dropper; analyze the dropper first, then it injects the DLL into explorer.exe and also into svchost, you see. And this is the location of the C&C servers: most of the C&C servers, the bulk of them, are located in China for this sample, for this group; in Hong Kong, as I said, I always propose Hong Kong as the C&C center in Asia, so they got 28.57 percent, okay; Canada is not bad, they are on the list. So we will soon review more about the analysis, about our DNA testing.

For peace or for war? For warfare, or for peace: I would like to put thousands of porn images in a .cab file and put it in the debug folder and show my sincere, nice, peaceful mind to the C&C writer or the other secret task force members, the passport leader; you know, I'm really a nice man, okay. Okay, enjoy the porn and find me funny; this is the most important thing. Fight back, okay: set up a C&C server, a trace mail web hack, put malicious PDF documents or Excel files in a .cab file and let them open it; if they open it, right, we will see what's going on. It could be fun, exciting, but I've not tried it yet. So we have the poem from Chinese: "Cooking beans on a fire kindled with beanstalks, the beans weep in the pot: originally born from the selfsame roots, why so eager to torture each other?" You know, we can't do the same against them, but we would like to see what could help to analyze and to see how we could help this community. Special thanks to my VX fellow, who analyzed these samples for me; he is a very old guy, but he is very passionate about reverse engineering and is an artist of analysis, and for the detailed paper, please stay tuned, I will publish it. And as you know, okay, Benson, your turn.
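The XOR-encoded beacon from the first case study, worked through as an added editorial example (this is not code from the talk, from Xecure Lab, or from the malware): the speaker states only that the implant XORs every outbound message, that the decoded data carried the hostname, OS type and patch level, and that the C&C server hands out a sequence number. The single-byte key, the `KEY=VALUE|...` field layout, the field names and the `HOST=` anchor token are assumptions chosen for illustration. Because XOR with a single byte is its own inverse and the message contains a predictable field, all 256 keys can be tried and the right one picked by looking for that field, which is what this script does.

```python
"""Recover the key of a single-byte XOR-encoded C2 beacon and parse it.

Added editorial example; not the talk's or Xecure Lab's code. The field
layout ('K=V|K=V|...'), the field names, the anchor token and the key byte
0x5A are assumptions for illustration: the talk only says the traffic is
XOR-encoded and that the decoded data carried hostname, OS type, patch
level and a C&C-assigned sequence number.
"""
from typing import Dict, Optional

KNOWN_TOKEN = b"HOST="  # assumed plaintext field the decoder can anchor on


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII bytes, used to rank candidate keys."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def recover_key(beacon: bytes, token: bytes = KNOWN_TOKEN) -> Optional[int]:
    """Try all 256 single-byte keys; return the one whose decoding contains
    the known token (ties broken by printable ratio), or None if none does."""
    best_key, best_score = None, -1.0
    for key in range(256):
        plain = xor_bytes(beacon, key)
        if token not in plain:
            continue
        score = printable_ratio(plain)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def parse_beacon(plain: bytes) -> Dict[str, str]:
    """Split 'K=V|K=V|...' into a dict; malformed fields are skipped."""
    fields: Dict[str, str] = {}
    for part in plain.split(b"|"):
        if b"=" not in part:
            continue
        k, _, v = part.partition(b"=")
        fields[k.decode("ascii", "replace")] = v.decode("ascii", "replace")
    return fields


def decode_beacon(beacon: bytes) -> Dict[str, str]:
    """Recover the key, decode the beacon and return its fields."""
    key = recover_key(beacon)
    if key is None:
        raise ValueError("no single-byte XOR key yields the expected token")
    return parse_beacon(xor_bytes(beacon, key))


# Constructed sample traffic (not a real capture): the check-in an infected
# host would send under the assumed layout, encoded with the assumed key.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"HOST=MRX-PC|OS=Windows XP|SP=3|SEQ=17"
SAMPLE_BEACON = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key: 0x%02x" % recover_key(SAMPLE_BEACON))
    print(decode_beacon(SAMPLE_BEACON))
```

The brute force is cheap because any known plaintext byte gives the key directly (`beacon[i] ^ token[i]`); the loop over all keys only adds robustness when the anchor's offset is unknown. The `SEQ` field models the C&C-assigned counter the speaker describes: when replaying a sample, the analyst either resets the stored value (the talk says it lives in the registry) or rewrites this field so the server serves the second-stage binaries again.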
I prefer to use you yeah I'm sorry then I just defy whipped out to care about
my part will be another 30 minutes as you can see Anthony so he's personality so aggressive and I'm kind of the opposite that's why I when we work as a team is so fun to work together most of the time Antonia enjoy doing a lot of a manual analysis over these malware's and actually in Taiwan lots of researchers we have been receiving tons of mail where is a bday and then we do a lot of these manual work on daily basis but it this is really time consuming as you can
see male words are now in mass productions so if you are doing this manually then you are definitely falling behind so this is why we really want to come over automatic systems so that we can easily classify whether this is are met by automated tools or is actually met by human beings APD groups they are only been used once only an Android away they will never show up again if that's the case then how we can go beyond these situations and then try to understand who are behind these samples so we want to automate all these process rather than doing this manually and you guys
might recall our DS and slogan well this is not going in a bra goes in the browser well Google stays closed in a browser so they are good at goes in a browser but not goes in your networks and this is what we think APD's actually goes in a network once they gain to your network they try to stay there so they are not like you know fasting and pass out they actually i'll try to get into your network and then they try to stick there and then they never want to get out so they try to stay inside hide-and-seek and then try to steal everything they can steal and then try to escalate the privilege until they can still more sensitive more confidential data in Chinese that's how we returned it one lunatic way the term was our
first are defined by Allah by the US Air Force they call it an advanced persistent threats which we think is very appropriate because by being advanced it's actually now relatively compared to the victims so it's not necessary that I have to use that the most of non-cash zero-day exploit in order to invade your system as long as I know that are you haven't patched these exploits then I can invade you successfully so these advances motors are in a relative manner well are being persistent means that I am really determined because I'm being supported I'm being founded in order to invade your network it's actually part of my ear projects I really have to get into a network otherwise I will be I will not accomplish my missions so that's how determine I will be so are all these
victims victims we can see that often times they are they always have good security controls they have good sense of security and all these employees state they actually have good eyes you know they know how to see us arrows in these buildings arrows in these social engineering social engineering emails pastilles they still get apt attacked and then successfully because there's really nowhere you can get away when you are being targeted by these APD task force because they are so determined and the emails are written so well that they are they look just like exactly for a genuine person that's why you see Google of in own I say as well and then many more the reason we mentioned Stuxnet is because is in order to launch the stacks next except for today they actually are attack the several industrial several company in in the science park in Taiwan in order to get a certificate so that they can sign these drivers and then once they get each driver state they signed this malware so that when people get attacked the windows will not alert when they install these male where's and also Komodos they embed Komodos to get all these certificate so later on when we actually get these avd emails or out of this apt emails up in digital sign and also verify by Komodos so are we
well for these companies we never want to be they never want to be the headlines in these kind of situations and of course everyone knows this and
this chart is actually found a McKenzie they actually are analyzed are lots of data for an IDC and also our bureau of labor statistics from this shout out is actually telling you that a lot of these large enterprise lay the own loss of datas are so much data that they never knew that they have this amount of data for example large enterprise typically on modern terabytes of data so that's hundreds and thousands of enterprise in the states and in fact also hundreds of companies more owning a petabytes so you have so many data that is so juicy of these hackers they just want to target you and then try to see how they can do APD on you so if you have too much data
then you have to protect it well otherwise not what situation like Sony would happen again so this is some
samples that are we share here what we receive in Taiwan and this is our found real case for example are a lot of our professors in school they that they would play will receive these are annual basis for example I receive these kind of call for papers and also our acceptance notifications from people pretending from the National Science Council sending the malicious PDF to them and this is from genuine email accounts but that PDF its containing a male we're inside but that couldn't be identified by any antivirus tools on the market because definitely these are everyday task force they would do these QA before they they release are these are phishing emails so it's really hard to teach how these professors can get away from these are targeted emails because they Stefan in no way they can get away with Leah good eyes because that's a very genuine emails and also
these attackers they will send you our invitations asking you to give a speech asking you to give a talk and then these people are also real people some professions that really exist and then again you couldn't find all these malicious documents with existing antivirus tools
and these are the status numbers that we are receiving on daily basis in Taiwan roughly 20,000 suspicious emails are sent to govt twm per day basis and then out of these are every month about 4,000 to 500 our apt emails and these are current are been identified by any antivirus on the market so we can say that out every month we can collect this amount of our samples so this is our
research motivations in the past we see that these APD incidents happen again and again these really implies that we need a better security controls because this is out of control existing tools doesn't help that's why incidents happen again again so we have to turn the table around otherwise it's always the attacker in the dark and then the victims in a light and we have no ideas who are attacking us and then people also saying that APD's the new turn but all problems and yet inevitable then that's really a very ironic situations because if it's a no problem then we got to have a way to encounter it but then it seems so inevitable that we couldn't do anything with it so we are thinking that out actually we we have so much secure control out right now but none of these are designed to fight against our a PDR issues and then also because APD is highly targeted it's very hard to collect these samples for now the way how we collect our viral samples right now viral samples are being collected through on honey pot of honey nets but these APD samples will never reach out all the hunting nets that you employ so the only way you get BTS either through our intelligence II exchange or art by really deploying some devices on these are classified personnel email box otherwise you would never get these are APD samples so there is a Chinese saying that we must for shopping out tools otherwise you wouldn't see the test going on so our
research direction is that are we want we want to analyze these are samples so that we can see the group's behind these samples in the past it's always are receiving the viral samples and then we determining whether it's malicious or not then that's it we never we never try to see who are behind these viral samples so we stopped it determining whether it's malicious or not and that's pretty a PT and then from these APD samples we also want to see if we can find out what's their plane so what's the correlation between these samples and probably we can associate all these a very simple seeing that oh they are actually all targeting it this particular group so we can we can probably come out there your your plane on who are late targeting with and then also from a single one of attack we also want to see the trend because by seeing a trend you can see how advanced these apt task force are you can see what kind of weapons step in using because the weapons they use they have to spend money to buy it so you can see how well they are funded and also you can see how persistent they are how many years they have been in this cyber space and how active they are sometimes you see them are being so active maybe for one year but then they stay very silent for another year by laying of a sudden become so active this year so you can see all these friend very easy if you have automated tools but if you only have a antivirus on your hand then you can only see one of attack once at a time so we
try to do digital forensics on all these deputies samples and these are some of the attributes we try to get from these samples are just to name a few for example our mail well features what exploits are being used so usually we associate these exploits with cv numbers so that you know exactly what cv exploits are being used and also the CNC networks that have been the average because the CNC networks are they usually are imply the stations that they deploy in different countries and also are the emails who are they targeting who are like pretending they are and what's the content inside the emails and also the victims background and also the time of attack usually the time of attack would matter because they try to do social engineering so for example when they send the meeting notes the meeting notes will be associate with will be very close to the meeting time so the time of tag it also matters and
how are we different from male way started in the past studying the past they they they have an assumption that are all the information they analyze are very a hundred percent accurate for example if they do signature-based detection they do exact match so if you if you doesn't match the signature the pattern doesn't match the signature then they will say it's not malicious so that's how intervals does and for behavior based profiling if your behavior doesn't match the profile they did then they will say you are not exhibit a malicious behavior and if you are not exhibited your malicious behavior in a sandbox environmental or are you pretend not to exhibit the malicious behaviour then they cannot profile your behaviors at all so they have an assumption that they can they can see through you and they can observe the exact behavior you are a civilian but what we see is that malware doesn't behave that way because they are usually pack they are usually encrypted and they are designed in a way that they don't want you to be analyzed easily so you have to tolerate some errors inside and that's why some of the theories that we use they allow some errors and then allow some information being our dues for example we use some rough set theory so rough set series is almost like the opposite of fuzzy and then we also use data mining so that we can easily associate all these different attributes and then we also use clustering so the data and you can see how we cluster all these different apt groups and then etc so we use a lot of mathematics to help us analyze all datas
And of course we not only use a static approach; in cases where the static approach doesn't work we also use a dynamic approach. Our background comes from the dynamic approach, so we know very well how to observe malware in a sandbox environment, we know very well how to trigger them in a dynamic environment, but we know that is very time consuming and you cannot replicate, you cannot replay, the required parameters to trigger them. So the dynamic approach is really the last action that we would do, and so we will take the static approach first. So it's multiple layers of technology that we apply, and some challenges for dynamic analysis are, for example, they will do encryption, they will do anti-sandbox, they will do dormant functionalities so they will not exhibit the behavior, they will sleep, they will detect mouse movement, or they will even try to communicate with the external networks, and if they couldn't communicate with the C&C server then they will not do anything. So in those cases you definitely have to do static analysis, and then under the
static analysis part we actually also implement lots of parsers, lots of static analyzers on our end, so we try to analyze all these PE codes, all these shellcodes, and all these known packers. So we implement all these well-known stuff and then we do the static analysis part by ourselves. You can see the demo: the performance for analyzing one APT sample using one computer is like five seconds to 27 seconds, and then we can finish the whole analysis.
And the lomita power is the data we can extract from these malware samples. You can see that if we can identify what exploit is being used we will give you the name, for example the CVE number, and then what shellcodes are being identified, and then what kind of C&C network has been used, and then also are there any suspicious structures, so we will also walk through the suspicious file structures, and then we also try to locate any known malware that is being used, so for example the PE and also the code snippets. And then if we try to run it in a dynamic environment we also try to say that, when it's been executed, where it would hook in the runtime environment, what registry key it will try to modify, and then if you are being compromised, how you can try to remediate yourself. And then once we extract all this data from the samples we will try to normalize it into our APT attributes, because now we will try to do the clustering, so we're doing the normalization first, and then this
screenshot is actually to share the blue beauty of extracting all this stuff from the binaries. Of course we can easily get all these binaries by doing it manually, but with the system we can get this data very easily, and some of the interesting stuff we get from these binary strings is a new trend, like
this. Has anyone used Plurk before? Plurk is very famous in Asia, but I think Twitter is more famous here in the States. Can you guys make a guess what this person is talking about here? This is definitely not a human language, right? Yeah, this one has been encrypted, but we actually found all these conversations from the APT samples that we analyzed. We noticed that all these APT samples tend to communicate via Plurk, so in the U.S. case they will tend to communicate with Twitter, and then they will communicate with different Twitter accounts, but they speak a similar language, a language that we couldn't understand, but a language that they encrypted with the same key, and if you decrypt the text you will find out that it's actually C&C info. So they started not to put C&C information inside the sample; they put C&C information on these web applications, web sites, so that they can easily get it through port 80, and then they can easily redirect all these bots' activities.
Once we get all this normalized data we do the clustering, and when we do clustering all the mathematical methodology helps us, for example, to pick up the important attributes. Before we applied rough sets all these attributes were of equal significance, but then after we apply rough sets, rough sets will tell us that, for example, malware type is more significant than exploit type, and C&C server is even more significant than the other attributes, and what the coefficients should be. So we get a very nice formula for these attributes, and then based on these nice formulas we come up with a good clustering on these APT task forces based on the samples, and then we call that the fingerprints for these APT task forces. So they sent so many APT samples to all these victims, but they have no idea that they also disclosed their fingerprints.
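The clustering step described above, as an added example that is not code from the talk or from Xecure Lab: each sample is a record of normalized attributes, a weighted similarity puts C&C server ahead of malware family ahead of exploit type (the ordering the speaker reports from rough sets; the numeric weights 0.5/0.3/0.2, the threshold, and the single-linkage rule are my assumptions), and the resulting groups are the task forces with their fingerprints. All sample values are constructed placeholders.

```python
"""Cluster normalized APT sample attributes into task-force groups (added example)."""
from itertools import combinations

# Constructed attribute records, one per sample. Values are placeholders,
# not real indicators; in practice they come from the static extraction step.
SAMPLES = {
    "s1": {"cnc": {"cnc-1"}, "malware": {"RAT-X"}, "exploit": {"CVE-PLACEHOLDER-1"}},
    "s2": {"cnc": {"cnc-1"}, "malware": {"RAT-X"}, "exploit": {"CVE-PLACEHOLDER-2"}},
    "s3": {"cnc": {"cnc-2"}, "malware": {"RAT-X"}, "exploit": {"CVE-PLACEHOLDER-2"}},
    "s4": {"cnc": {"cnc-3"}, "malware": {"RAT-Y"}, "exploit": {"CVE-PLACEHOLDER-1"}},
    "s5": {"cnc": {"cnc-3"}, "malware": {"RAT-Z"}, "exploit": {"CVE-PLACEHOLDER-3"}},
    "s6": {"cnc": {"cnc-4"}, "malware": {"RAT-W"}, "exploit": {"CVE-PLACEHOLDER-4"}},
}

# Assumed attribute weights, ordered as the talk reports its rough-set result:
# C&C server most significant, then malware family, then exploit type.
WEIGHTS = {"cnc": 0.5, "malware": 0.3, "exploit": 0.2}


def similarity(a, b):
    """Weighted Jaccard similarity across the attribute sets of two samples."""
    score = 0.0
    for attr, weight in WEIGHTS.items():
        sa, sb = a.get(attr, set()), b.get(attr, set())
        if sa or sb:
            score += weight * len(sa & sb) / len(sa | sb)
    return score


def cluster(samples, threshold=0.3):
    """Single-linkage clustering: any pair whose similarity meets the
    threshold is chained into the same task-force group (union-find)."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if similarity(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    # Biggest group first, so index 0 is the talk's "Group A".
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))


def fingerprint(samples, group):
    """A group's fingerprint: the union of every attribute its samples carry."""
    return {attr: set().union(*(samples[s][attr] for s in group)) for attr in WEIGHTS}


if __name__ == "__main__":
    for i, group in enumerate(cluster(SAMPLES)):
        print(f"Group {chr(65 + i)}: {group} -> {fingerprint(SAMPLES, group)}")
```

Note that s4 shares an exploit with s1 yet lands in a different group: with exploit type weighted lowest, a shared CVE alone is not enough to link samples, while a shared C&C server is.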
To make a common basis when comparing all this data we actually use common samples, so we use the samples from Mila; it's a public data set, the Contagio dump, so there are about 242 APT samples. If you guys are interested you can also download it from Mila's website; that's the sample set that we use, and we also compare our detection
rate with antivirus, but before we mention the detection rate let's see how the antivirus performs when scanning against these virus samples collected from honeypots. As I mentioned earlier, APT samples on the network seldom reach these honeypots; these are all made from automatic tools, so as you can see all these antivirus perform very satisfactorily, right, almost like one hundred percent, ninety-nine point something. This is from Shadowserver; they update these on a monthly basis. But then when
it's applied on APT samples antivirus really doesn't work well, because they never get the signatures easily from these honeypots they deploy, so these samples hardly enter their laboratory, so usually the time when they get the signatures takes much longer than usual. So now this data is what we tested out two weeks ago; as you can see most of the vendors fail to qualify on more than sixty percent, and the one that we're going to share with you, the online APT deezer that you can try online and is freely available, this one has a detection rate of more than 94.6. And of course it's not only Mila's samples; once we announced this, so many people began to upload their APT samples as well, and you can see the graph becomes bigger and bigger, the community contributed a lot, and then the overall APT task force graph becomes much larger than the original 200 something.
So this is the clustering result after we analyzed all these samples; we actually can see the task forces behind these samples. If you only analyze these samples individually you have no idea which groups are behind these samples, but then when we use all the methodology that we mentioned we actually can see that there is one group that is very big, which we call Group A. Of course we also have the geographical location, but it's too sensitive so we don't mention it here. So you see Group A, which is huge, and then you also see a second, small one is Group B, and you see Group C, so we will take the top three here and then give you more detail of data. And the different colors here mean when these APT emails, these APT samples, have been collected or hit the victims, so you can see their active time: for example you look at Group A, you see that most of their active time is last year, 2010, and then for this year they only have a few. This is based on Mila's samples so it's 242, but later on you will see that after the community submits lots of samples you see the graph change dramatically, you see new groups coming up. So these are
the top three. So for Group A you see they actually leverage C&C servers, like 23, and these are the weapons they have been using repeatedly; some are pretty new, for example this one, this one is the one that has been used to attack RSA. And then this one is Group 2 and then this one is Group 3, and if you know the black market price for all these exploits then you can see how well they are funded. And this is the
C&C servers they try to abuse, and you can see the countries are like Taiwan, US, Hong Kong; these three dominate more than 15. So I would say that the reason Taiwan is being abused a lot is because the bandwidth in Taiwan is very stable and reliable, and geographically it's very close in Asia, and also Hong Kong, not to mention in Hong Kong they respect your privacy so much that when you do something evil they don't even try to disclose your privacy when you host a machine at an ISP.
And more than that, now you can also see the attack graph for every malware that's being used, so you can see what happened when you double click the attachment, and you can also see what happened when you got infected, and even the bad comments now involved inside these APT groups, and these bad comments are very helpful in identifying the APT task force as well. And if we only look at APT Group A alone you can see this Group A highly relies on C&C servers in Taiwan, so if we look at three groups together Taiwan is only like twenty percent or thirty percent, but if you look at Group A only, more than fifty percent, like fifty percent, of their C&C are located in Taiwan.
And this one is interesting: now this one is Group E, and this one we also identify it's actually from, it's from Korea. The reason that we can identify this is from the language they actually compile it with, and then the interesting part is that all the samples that we receive from these have been signed by a Comodo certificate, and when we submitted to VirusTotal only one antivirus can detect that, so it's a very low profile APT attack.
So later on I will do a demo of the system so that you can have a feel for what you can expect when you do it online, and also something that we are still working on. So from Mila's sample set we can easily identify the major task forces behind these samples, so the more samples you submit then you can easily identify how many different groups are actually behind all these samples, and then you can easily identify how many weapons they have purchased, how many different exploits they have been using. And then one interesting thing is that they keep on changing the exploits they use, but the embedded malware tends to stay the same, so the other instance inside these exploits, the malware they use, what we call remote administration tools, they tend to use the same RAT tools, so these embedded malware are limited to a few ones; for example in the States it will probably be like Poison Ivy, will be a very famous one. And then we also found out with these APT samples we actually extract hundreds of attributes, but among these attributes the very significant ones are C&C servers and malware used, and the less significant one is the exploit type, even though the APT task forces that we see use thousands of different exploit types, and
if we look at the language used in these APT samples, one thing that we can say is that like one fourth of the samples are from China, and then some samples are from Korea, and then we also have samples from Russia and France, and if you look at what C&C servers have been abused, the top one will be Taiwan, US, and then Hong Kong. And then
this one is readily available online where you guys can try it; when you upload a binary it will give you a graph, and then it will also tell you whether it's an APT file or not, or it's only a normal virus. So if it's only a normal virus then it will not put you into a graph; this graph will only draw the APT task force graph.
And in this case you see that gradually we see more and more APT emails up and signed by a Comodo certificate, so you see emails have been digitally signed and then verified. And then this is from a very new group; previously we mentioned that green color indicates it's this year, so this group started being very active from this year, and they don't exist in Mila's samples; they just show up after the community started to submit their APT samples. And then now I will demo this one here. So this one is also an APT email sent from someone I would trust, because it's sent from an academic institution, and basically it's saying greeting, greeting something, and it's also a PDF, and as you can see Google doesn't alert me with a virus email, and also when I save it on my computer the Microsoft antivirus security also doesn't alert me as well. But then, this is the ability so that you guys can try it: I then can upload this one.
What's that? Okay, it says that it's APT, great, so it's good quality, means that it's not a normal virus sample, and then it's from Group A. So it not only tells you that it's malicious; remember that when we tried to open it inside Google, Google doesn't tell us it's malicious, and also our antivirus doesn't tell us it's malicious, so this free tool first tells us it's malicious, and it also tells us that we are being targeted by the biggest APT task force, so since we are part of their plan they will never give up until they are successful. And as you can see this graph is much, much bigger compared to my previous slides, because the more the community contributes the bigger the graph will be. And then we also have, what we are still developing, we try to put it together like a dashboard so
that you can see a more holistic view to see the trend, and then we also try to associate it with Google Maps, which is very fun; for example we try to see Taipei, and then later on we try to make it together with Street View, so probably you can see a hacker sitting there on the street, yeah, in real time, and it's something the U.S. can do easily, right, because you guys got the satellites. Okay, yeah, pretty cool, right?
Actually if you begin the C&C or at the poison sea or you locate it when, actually it's my honor to work with Benson and Birdman, PK, to be a father xq are secure them than to give this research this like that. Actually for me, you know, as Benson said, every time we do the manual analysis it's quite very time-consuming, and even from the same generator we can expect what task force is behind; we need to identify the evils behind, you know, otherwise you just every day take a routine job to analyze this malware. We need to escalate the analysis level one more, level two, so you can make your brain strategic plan on how to respond to incidents and how to make a control, instead of just buying different vendors, different boxes, firewalls, IPS, and you say you have done the control. This is not our story in the future. Oh yeah, actually I should, I simply get a hug at the PowerPoint, yeah, I have not used a Windows environment for many years. Oh fun / Stan, actually you could reach us at www.xecure-lab.com, and we keep collecting samples and enhance the capability to analyze and observe APT in a more accurate manner; this is what we want to do. And deep technical analysis of samples is still needed, right, but this helps about the na footprint analysis; it's your anchor, incremental efforts we wanted to make, and we will publish our follow-up message at Def Con sticker for corner, and together we make the homeland secured. And also special thanks to our members, and also like Benson, PK and also Birdman, and other fellows in Xecure Lab teams and ship group's members and VXRL members and our membrane Pharaohs. This is our email address and also our broadness, and one more thing is, perhaps are you convinced yet? Thank you.