Malware Freak Show 3: They're pwning er'bodey out there!

Video in TIB AV-Portal: Malware Freak Show 3: They're pwning er'bodey out there!

Formal Metadata

Title
Malware Freak Show 3: They're pwning er'bodey out there!
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2013
Language
English

Content Metadata

Abstract
Well, there's malware on the interwebs. They're pwning all your systems, snatching your data up. So hide your cards, hide your docs, and hide your phone, 'cause they're pwning er'body out there! This may be the 3rd and final installment of the Malware Freak Show series, so we're pulling out all the stops. This year we'll highlight 4 new pieces of malware, but the victims are you and the people you know. We will analyze and demo malware found in your place of employment, your watering hole, your friendly neighborhood grocer, and finally your mobile phone. The malware we are going to demo are very advanced pieces of software written by very skilled developers that target your world's data. The complexity of their propagation, control channels, anti-forensic techniques and data exporting properties will be very interesting to anyone interested in this topic.

Nicholas J. Percoco, Senior Vice President and Head of SpiderLabs at Trustwave. With more than 14 years of information security experience, Percoco is the lead security advisor to many of Trustwave's premier clients and assists them in making strategic decisions around security compliance regimes. He leads the SpiderLabs team that has performed more than 1000 computer incident response and forensic investigations globally, run thousands of penetration and application security tests for clients, and conducted security research to improve Trustwave's products. Percoco and his research have been featured by many news organizations including: The Washington Post, eWeek, PC World, CNET, Wired, Hakin9, Network World, Dark Reading, Fox News, USA Today, Forbes, Computerworld, CSO Magazine, CNN, The Times of London, NPR and The Wall Street Journal.

Jibran Ilyas is a Senior Forensic Investigator at Trustwave's SpiderLabs. He is a member of Trustwave's SpiderLabs, the advanced security team focused on penetration testing, incident response, and application security. He has investigated some of the nation's largest data breaches and is a regular contributor to published security alerts through his research. Jibran and his research have been featured by many news organizations including Dark Reading, Infoworld, Threatpost, IT World and SearchSecurity. He has 87 years of experience and has done security research in the area of computer memory artifacts. Jibran has presented talks at security conferences (DEF CON, Black Hat, SecTor, SOURCE Barcelona) in the area of Computer Forensics and Cyber Crime. Jibran is also a regular guest lecturer at DePaul and Northwestern University. Prior to joining SpiderLabs, Jibran was part of Trustwave's SOC, where he helped Fortune 500 clients with their security architectures and deployments. Jibran holds a Bachelor of Science degree from DePaul University and a Master's degree in Information Technology Management from Northwestern University.

So this is Malware Freak Show 3. I'm Nick and this is Jibran. So let's just jump right in; instead of spending time on the agenda, we'll just skip right past that.

The inspiration for this talk is basically something called System Intruder. If you're familiar with Bed Intruder, there was a parody created by this guy we know named Zack, and we were going to play the song right now, but since we're a little short on time we're going to save it till the end and we'll play it for you guys then.
Brief introduction to who we are: I'm Nick Percoco, I run the SpiderLabs team at Trustwave. I started my career in the 90s doing infosec, starting out really doing penetration testing back then. This is my fourth DEF CON talk and I have two more this weekend, one tomorrow and one on Sunday: a droid talk and a mobile SSL talk as well. I'm also the primary author of Trustwave's Global Security Report, so if you're familiar with that, it's an interesting read. Okay, and I am Jibran Ilyas. I am a senior forensic investigator at SpiderLabs, Trustwave. I have about nine years of experience and this is my only talk at DEF CON this year. I've spoken at Black Hat, SecTor and SOURCE Barcelona before, and I happen to have a master's degree from Northwestern, so I just wanted to brag about that. So we really want to talk about,
you know, why give a freak show? What is this talk all about? Well, we perform a lot of investigations on an annual basis. We go into a lot of environments where there's targeted malware, malware that's not setting off any bells and whistles from the AV engines that are installed in those environments, and we really wanted to be able to bring this to you, bring live demos to you guys, and be able to show you what sort of the state of the industry from a malware development standpoint looks like, and what the real criminals are using to exfiltrate valuable data out of corporations and other environments. Basically the real big takeaway here that we see is, you know, the exploit world is basically commoditized. The criminals want to buy exploits, they want to be able to use those to get into environments, but they're really putting a lot of effort, a lot of development resources, into developing malware. It's become a rather big business. They will put money into that industry; they will hire really highly skilled developers to make this malware for them. Just as if you have a business and you want to create a business piece of software, you may outsource it to some developers and have it built to your specifications, they're doing the exact same thing.
So really, what is this talk about? This is the third iteration of this talk, so has anybody seen any of the other Malware Freak Shows before? No? So we got a handful of folks; we've got frequent freak show points for you at the end. So this is the third iteration of this talk. In 2009 we demoed a keystroke logger, a custom keystroke logger, a memory dumper, an early version of a memory dumper, a video poker piece of malware, and then a network sniffer. Last year we demoed another memory dumper, which had gotten a little bit more advanced, login credential stealers, a network sniffer again, and then a client-side piece of malware that basically targeted PDFs, it was a PDF attack. So this year we wanted to bring it a little bit more personal, really bring it home to ourselves and the people who are in the audience, and so we're really talking about some new targets. This year we're talking about your grocery store, you know, places you shop every day; your favorite bar, places where you like to get drunk; your work; and then of course your smartphone. So this is all about you in this iteration of Malware Freak Show.
When we talk about sort of the evolution, what have we even seen? Now when you talk about evolution you typically talk about fifty, a hundred, thousands of years, but what we're talking about here is just three, and we've seen a dramatic change in the pieces of malware. We've been following the malware authors and the malware that's being used against the various targets we're talking about over just the last three years. When we first started following this and putting together this freak show, we saw sloppy malware developers. We saw people that were literally just testing the waters, trying to basically find ways to exfiltrate data, trying to automate things that they were doing on a manual basis, but it was very, very early on. They were also not being covert; they were being blatant. We'd see things like networksniffer.exe installed in environments, or memorydumper.exe, and they were very, very early on. And then also a lot of noisy output files: they would create these files that would be gigantic, especially when we're talking about the memory dumper world, they would dump two-gig files to the drives and just fill up the hard drives on the systems, and they were easily detected just looking at Task Manager in Windows, you could see them, they were blatant, right in front of you. In 2010 they started to get tricky with their file names. It wasn't anything that was super complex, but they were trying to change things to make it a little more difficult for administrators. You've got to think of the type of targets these criminals are going after: we talked about your grocery store, your favorite bar. These aren't sophisticated IT environments, and so all they have to do is fly under the radar of the people who they're targeting, and they're doing a pretty good job of that; they were doing a pretty good job of that in 2010. They were also placing things inside system folders to make it a little bit more obscure. You know, if you place something in the root directory of a drive and you fill it up with a bunch of files, someone may find that. The attackers found that if they put it in the system32 directory it's going to be a little bit more obscure, not for most people in this room, but for the people who are the victims of the criminals who are targeting these environments. And of course the output was mainly in plain text. You'll see some things in 2011 and in the stuff we're going to demo now, but mainly they were just putting plain text files; the data they're trying to exfiltrate was just written to disk, no major issues there. The advanced tools they were using, basically the advanced tools that we would use can easily detect their activity; they were being a little bit more obscure, they may not show up in Task Manager, but we can detect them. And then automated exfiltration, that's sort of the key: if you're a criminal and you want to attack say 25, 30, 100 organizations, you're not going to manually connect to those organizations every single day and download the data. You want it to be automated, you want it to send the data to you, just sit back, relax, watch TV and collect all the data you can out of these victim organizations. So when we talk about 2011,
so this is a little preview, so I'm not going to go into much detail, but when we talk about 2011, the malware developers have grown up, either that or the criminals have decided to pay more money and hire better developers, because we saw some really, really interesting techniques this year. Some zero storage, so we're talking about them not writing files to disk, and we're going to show you some examples where literally the only footprint that's on the system is the piece of malware; there's no evidence of the data that they're actually handling and exfiltrating out of the system. And then where more data is stored, they're using encryption to store that data on the system, and they're using more efficient methods: you hire better developers, you stop having 500k executables and you get them down to just a few k, which makes things much more efficient and much easier to place on systems. And then of course automation, so automation is everywhere today. We just started seeing inklings of it in 2010, but now today it's basically automated everywhere in the system, so it's a problem.
We want to take some specific pieces of malware, some of the evolution we've been seeing. So there are some folks that came to our 2009 and 2010 talks and you guys might recognize the notable features. Like Nick mentioned earlier, 2009 was just really basic: we were seeing keylogger.exe, networksniffer.exe, so they just didn't care. They knew that once they got into those organizations, the organizations didn't have enough IT staff to even look at those executables. The FTP credentials were not packed in the binary, so we could just do strings and we could see all of the malware features, like okay, what it does, where's the FTP, what is the FTP username and the password. So lots of sloppy work; output was just plain text cap files, so that kind of tells you that they really didn't care much. Then in 2010 they actually did one better: they started matching, like, svchost.exe, anybody know what that is? Okay, so basically they started naming their malware applications like legitimate Windows names, and then output was compressed and password protected, but again the password was right in the binary, you would see something like rar -hp and then the password, so that was still pretty easy. Nightly auto-exfiltration appeared for the first time; I think one of the malware samples that we demoed last year had that. But 2011, which I cannot wait to show you guys, you're going to have a ball watching these demos. So there's no output on the disk: with some of the malware sniffers that you're going to see, the malware takes the data in one hand and sends it out from the other. It basically has two buffers; it steals the data and sends it out, and basically it's real-time exfiltration. And the exfiltration is no longer on like FTP ports or SMB ports; exfiltration is on port 80, which, you know, in a lot of even mature organizations, port 80 and 443 are allowed outbound, so the malware writers have realized that and they fully take advantage of that. Encryption and encoding of output data, that is a really, really key feature trend in 2011. Before, as forensic investigators, we would do disk analysis and we would search for social security data or credit card data, and we would just find it on the disk, there would be a file, and then we would track backwards. So now when they're encrypting the data, those disk scans are useless, because all the data that's stored on the disk is basically encrypted or encoded. So that was for the sniffers.

The memory dumper: in 2009 we demoed three executable files and there were basically no anti-forensic capabilities, plain text output right on the root, you know, the system32 directory. In 2010, a single executable; it was a kernel rootkit, so they did get a little smarter, but the output was still in plain text, and if you had to sort the files you would actually see the latest date on that output file, so it was still pretty easy to spot. Now in 2011 it's the return of the three executable files, so it's like a full malware kit: one binary does something, the other binary does the second thing, and the third binary basically completes the package, and we're actually going to see that. And then everything is time stomped, so if you're looking for files in system32, the most recently accessed or most recently modified, you won't get to see it, because the malware writers first time stomp the binaries and match them with the system installation date. The system32 directory has a lot of DLLs, right? So if they match those dates you're probably not going to doubt those files. And last but not least, the output is encrypted, so you have to actually crack the encryption to figure out what kind of data they're exfiltrating.
So when we're talking about the malware landscape today, this is more continuing on from 2011. We're seeing some anti-forensic features being built into the malware; I think you just talked about the time stomping component, but we see other features as well. And then of course the stolen data is encrypted, and the encryption algorithms are getting more advanced. I think some of the early versions we saw were just using XOR to basically encode that data, but we're seeing more sophisticated things there as well, mainly because if you're an attacker, you're going after a site and you're harvesting a whole bunch of data, even if you're storing it locally you wouldn't want someone else to come along and grab it and steal it from you, so you might as well protect the data that you're stealing from those systems. And then of course malware as a DLL; we started seeing that and we're going to demo one of those as well for you. So now, like
we've seen in previous years, we want to spend a great deal of time in this talk doing actual live demos for you, so I'm going to introduce each of these demos and then Jibran is going to fire up his VM instance of each environment and demo those live for you. So basically what we're talking about here, this is your grocery store. This is a place where all of us probably go to on a weekly basis, buy our milk, buy our butter, and buy our beer, and basically in this environment this is where we see a piece of malware called Cameo. We're not really sure why the attackers called it Cameo; we see it called Cameo over and over again in a lot of environments, but we gave this guy the code name Best Supporting Actor. Like Jibran talked about, this is a sniffer, and this is something that has very little visibility on the system itself. And so when you think about a grocery store environment, this is actually pretty sophisticated for some of these environments that we've seen, like the grocery stores and some of the retail environments. This is something where you don't really need to be that sophisticated to target a grocery store; I haven't been to a grocery store that has an IT security person hanging out in the back room, this is just, you know, the cashiers and then the store manager. But we see environments where this malware is placed on either a central system in the environment or on all the lanes, so when you're checking out, you're buying your beer and they're scanning it and you hand them your credit card, they're swiping that and literally in real time your data is going from that register across the network out to the attacker's systems, and they're then archiving that into a database and sorting it out for sale almost instantaneously. And part of the things to know is that, you know, in the grocery stores sometimes you won't even see Windows computers there; you would see the Ethernet point-of-sale swipes, right? So obviously they don't have them; this malware is designed for a Windows box, so basically all the data that's going across on Ethernet to a server in the manager's room, they want to place that malware there, so this malware has to be at the aggregation point of the data. So with that, you want to bring up the demo? Yeah, let's do it. Okay.
All right, so this is the exciting part of the talk and I think you all will enjoy it a great deal. So what we're going to do, obviously we have four demos here, and have you guys been to a talk with demos before at DEF CON? We hear there's a very, very low percentage of success with demos, so we're going to do a collective prayer to the demo gods, and we're going to do it before each demo. So when I say "what time is it?" we all have to say "demo time", so that will please the demo gods, right? All right, and this room is packed, so I better hear like a huge cheer, and actually we have an incentive for you guys: whoever cheers the loudest, not only do we give a SpiderLabs t-shirt, but also a pass to our party. That's right, yep, awesome. So you're doing it the first time, there are four times, so you better make sure you're awake. All right, so are you guys ready? All right, what time is it? You guys are good the first time, that's exciting, I think we're going to have a lot of fun.
All right, so as I said, this is a grocery store, right? Does it look like a grocery store? Do you see your common things? That's awesome. Okay, so first I want to show you the binary. The binary is called Kameo.exe. I'm going to show you the size: this is only a 24 kilobyte binary, and if you mouse over it you see keywords, "MFC application", which kind of tells me that this is probably an off-the-shelf product, but they modified the code and made it so that it has some anti-forensic features. So what I'm going to do is copy this binary to the Windows system32 folder; that's typically where a lot of the malware runs from, right? And then we're going to start the command prompt and actually browse to that directory. Everyone following me so far? Awesome, cool.

All right, so I'm going to start. Basically, to run, to install this malware, you just type the malware name. The malware writers actually coded it so that it's installed as a Windows service. Can anybody tell me what's the advantage of being installed as a Windows service? Yeah, so when you reboot the system the malware comes back. So there you go, I'm going to start Kameo.exe. Notice we didn't see anything; the malware is running. So what I want to do now is actually show you, you guys familiar with Procmon? It's a Sysinternals tool that kind of monitors the activities of a process. So I'm going to say, hey, I only want to monitor whatever Kameo.exe is doing, apply, and basically, right, as you can see the malware is running but it doesn't have any disk activity at this point.

I also want to start my Wireshark, because remember I told you that this malware actually sends the data outbound on port 80, so we want to see what data actually goes out of the network, right? Okay, so even in Wireshark I don't want to monitor the whole network, the whole grocery store, right? So I want to just filter for everything that's going out on port 80. Anybody know a filter that we can feed to Wireshark that just gives us port 80 traffic? "tcp port", yep, "equals 80", right. So that's what we're going to do. We're going to say, okay, you know what, you're sniffing, this is me sniffing the traffic to figure out what the malware actually sends out. I only have one interface, so that's easy, and then I'm going to say tcp port equal 80, so now this sniffer is only going to show us what goes out on port 80.
All right, so now that we have our sniffer set, I'm going to jump to my host machine and actually show you a file with the credit card data. That file is called check3.txt. As you can see, there's not only credit card data but what we call credit card track data, the magnetic stripe data on the back of your credit card. Why this is useful is because if you steal someone's track data, the magnetic stripe data, what you can do is encode that on your own card, and then wherever you go, let's say you go to a Best Buy or whatever expensive place, you can buy a five-thousand-dollar plasma TV, and they'll ask you, hey, show me your ID. On the front of the card it's your name, but behind the scenes this poor victim is going to get charged. So this is the file that I'm going to send on the network, and this is the file that the malware is going to intercept. I'm going to log into the FTP server there, send the data to the FTP server, and we're going to see the data go out on port 80.

All right, so this is very similar to what you see in a grocery store: when you swipe a card at a lane on a hardware terminal, it's sending that data to a central processing server, so that's basically what Jibran is going to simulate here. Yep, so I'm basically feeding the data to that aggregation point, right, and this happens for all of those grocery store terminals. So I'm going to say check3.txt, just put it there, and then we're going to go back to our screen here and go back to Wireshark, and voilà, that worked, so the demo gods have answered. We have some weird-looking traffic here, right? Some traffic is going to this fdfdm.php. Right now our attacker server is an internal IP, because you know we don't want to send the data out, even the test data. So this is the packet that we're going to follow and see what the output looks like. I right-click on it and go Follow TCP Stream. So this is basically the packet: as you can see it's a POST, and the User-Agent is Kameo; it's sending it to this IP address (notice it's an internal IP, but in the real world there would be an external IP, like in some Eastern European country that I should not name), Content-Length, and then this is the data that's going out. Can you see anything? Can you make anything out of this data? Okay, thankfully not.

All right, so I'm going to copy this output. This is basically the data that's going to the attacker server. So how do we crack this? Basically, at SpiderLabs, our researchers cracked the code, and we're going to see how this data looks. I'm going to go to my Kameo directory, create a new file called malware output, and paste the information that I saw in the TCP stream. Okay, and what I'm going to do now is copy a script, a Perl script called kameodecoder, put it here and browse to this directory. Okay, so the way to run it is to do kameodecoder.pl, that's the Perl script that we wrote to crack that data, and I'm going to feed it the malware output txt, that's the file that has the encoded data, and then I'm going to say, can you please put all that data in decrypted data txt. Okay, so the script runs and it basically decrypts the data. Now we have this file that has the encoded data, and now we open the decrypted data, and what do you see here? It's got an IP, source port, then it has that full credit card number, actually the magnetic stripe data that we saw earlier. Got it? So that's how sophisticated the malware is getting. As you can see, there's no storage on the disk; it basically takes the data in one buffer, and then every 30 seconds it sees, hey, is there data in my right hand? If there is, then I'm going to send it from my left hand. So it's kind of like charity, you know. But yeah, so that's it for the Kameo malware. I'm going to turn it over to Nick Percoco and he's going to show you the second malware, right? So before we do that, let me set up my snapshot. Okay, you bring it to presentation. Yep.
Okay, so let's go into the, there we go. Okay, so the next piece of malware that we're going to show you is targeting your favorite bar. Obviously I would think everybody here has been to a bar before. When you go and you buy a beer, you start up a tab, you hand your credit card to somebody, and basically your card is being entered into a system and then it's being processed, similar to what we saw in the grocery store, but that's happening in a bar. And so the type of malware here is different. This is not a network sniffer; this is a memory dumper, and these memory dumpers are designed to obtain data while it's in memory, as the name sort of tells you. But the big key factor there is that we see this being used in environments where data is being encrypted to a system: it's being encrypted while all the data is on disk in the system, by design, and then it's being encrypted while it's being sent to, say, an upstream processor or upstream system. So the criminals sort of scratched their heads for a little while and thought, how are we going to get access to this information? And they started developing a memory dumper. We call this memory dumper the Son of Brain Drain, because last year I think we demoed Brain Drain; this one's a little bit more advanced. And so, to not steal any of Jibran's thunder talking about the key features, are you up and ready to go for the next demo? Yeah, sure. So you want to do your chant? All right, so the demo gods were very, very, very happy, I just got a message, so we're going to do this again, but this time we're going to do one better. All right, we're going to raise our hands and say "demo time". What time is it? You guys look fantastic, thank you so much. All right.
So we're going to start the same way: I'm going to show you the binaries. This is the memory dumper malware. So as I mentioned, they have multiple binaries doing the job, so let's see what each of them looks like. There's winboot.exe; this is basically the controller, this is the master malware, I would like to call it. This is the one that gets installed as a Windows service, and we already discussed what a Windows service does: after the malware is installed it comes back every time the system boots up. When it runs, the only job that this piece of executable has is starting the two other binaries. So this first binary that you see, csrsvc.exe, has a list of executable names, known executables that handle credit card data; it has the names of the most common point-of-sale applications. When you go to a restaurant, you go to a hotel, you go to a bar, you see the typical kind of systems. I don't want to name any of the software, but the attackers know about all of them, at least all the popular ones. So they basically say, hey, rather than dumping the memory of the whole computer, like four gigabytes, we don't want to create that much noise, so what we're going to do is pick those processes and just dump the memory for those particular processes, so the footprint is less. And then they delete that dump too, after they parse the data out of it. So this csrsvc, again, dumps the memory of a particular process. This last piece, inetmgr, is the piece that actually looks at the dump. If a dump is 500 megabytes, attackers don't want to transfer 500 megabytes, because guess what, at a grocery store or a bar the bandwidth is not that awesome, so they don't want 500 megs of data coming for like four credit cards. So what they do is write this application, which is a Perl application they've converted to an exe with perl2exe, and this piece actually looks at the dump files and parses out only the track data. Then this is the piece that actually does the encryption and some other features which I'm going to show in a minute. So without further ado, we're going to run this memory dumper malware.
Okay, so see these files: winboot.exe. So basically the malware writers actually followed a lot of good coding practices, so the installation for this malware is basically an install switch, winboot.exe /install, and guess what, you see "Windows Boot Loader installed". You know what, I want to show you something really cool which I love about these malware writers: they try to freak you out. So what you're going to see, when you see the service "Windows Boot", yeah, so this is the one. As you can see, the path to the executable is the path that we were in, winboot.exe, and guess what it says: it "manages the loading of all the Microsoft Windows operating system", right? And better yet, "if this service is disabled, the Microsoft Windows operating system will fail to start". So this is the first year that they've got all the spellings right; they usually mess up on this, so it's a huge cheer for those writers.

Okay, so now that this malware is installed as a service, we have to run this. As I said, they wrote the code brilliantly; they also have a debug feature, so I think someone was QAing their code. All right, so we're going to run this in debug mode, and what you're going to see here is basically, these two pieces haven't started yet, right? So when I run it in debug mode there are going to be two new processes, and you're going to see that right on the system tray here. All right, so winboot.exe, hey, I want to see debug. So now, as you can see, there's a new process, csrsvc, and also the inetmgr, right? So I don't know if you can see it that far; it basically says "state: loading, please wait". So the malware is kind of saying, okay, you know what, I'm ready to do the dirty work, but you've got to do something for me to do anything. So right now the malware's just sitting idle; I mean it's monitoring, but it's not showing any output because we haven't processed any of the sensitive data. As soon as we do that you should see something here. Okay, so I need a volunteer here who's going to come to our bar, and as you can see we have a pretty cool bar, the Whiskey Bar. So who wants to
come to the Whiskey Bar? There you go, we've got a brave soul here, yeah, come on up. Okay, so while he's coming: because this is not a point-of-sale application, we don't have a payment processing application here, so we're going to trick the system. We're going to say, you know, let TextPad be our payment application. So instead of textpad.exe I'm going to say, become pbtsrv.exe. So TextPad is our payment application. I'm going to open this, and now I'm going to ask our volunteer to actually swipe a card. Actually, what kind of beer would you like? This is a bar. So he wants Bud Light, and sorry I couldn't provide a cuter bartender, but okay, slide the card, there you go, I'll help you out. Okay, so I want to show you that this guy wants a lot of beer, but, no no no, listen, that's a gift card, a gift card, okay okay, go for it, there you go. All right, there we go. What does it say? "A gift for you", "a gift for you", awesome. Okay, there you go, thank you very much. We don't have Bud Light today, but you get a t-shirt, so here you go, you get the t-shirt. Thank you so much.

Okay, so now we have got this data, obviously, pbtsrv. Now if we watch these processes, it says, hey, can anybody read it? It says, hey, in this memdump folder there is a dump file, and in that dump file I found track 1 data, right? So we're going to go to our folder, and now notice there are two new things here: memdump and inetinfo, see that? Okay, so one thing I want to show you, this is a really, really key feature: inetinfo is actually the malware output file, but notice that the time on it is June 1st 2005, right? And not only the modified time but the create time is also June 1st 2005. So if you're looking for more recent changes to your system, you're not going to detect this file, right? Because we just wrote data to it, so we did modify it, and we didn't see anything here. So let's actually check this out, the data in this file. I'm going to open it with Notepad, and guess what, you see garbage; that data is encrypted. So what I'm going to do is go to my SpiderLabs script files and basically show the desktop. I'm going to run the decryptor, oh, we've got them all selected, okay, well, there we go, Freak Show tools, maybe, yeah, there you go, SpiderLabs decrypt, and I'm going to copy that to memory dumper.

All right, so this is my script that's going to decrypt the data that we saw, and let's say that I want to feed it the inetinfo file, and then the output, the output file name I'm going to give it is decrypted data txt. Okay, so let's see what decrypted data has. Basically, that's how neat the output is: it says memdump pbtsrv.exe 29 and 2, that's the process ID, and actually, you know what, I'm going to open it for a better viewing, there you go. Right, so basically it's not the hacker saying "crossref spiderlabs 2001", that's our script, and memdump and then the pbtsrv txt 29 and 2, and Mr. John Smith's credit card is here, not only track 1 data but track 2 data as well. So that's about it for the memory dumper malware, and we're going to move on to the next one. Okay.
And we talked about how these are hitting you personally. I actually once got a call from Jibran, who asked, were you at this club in Las Vegas last July, and is your credit card ending in these four digits? And I said, well, why? He said, well, you probably need to call your credit card company; your credit card was exposed in this breach. So that does happen from time to time. So the next one we have here, and I think we're running a little short on time, so we have two different demos that are remaining. We have this webcheck.dll, and this is basically targeting your work. This is basically an example of how you hear about critical files being exposed when corporations are having data leakage problems; this is a piece of malware that actually will attack that and gain access to it. So do we have that demo, and then we also have a mobile demo.
And I think the mobile one, I'm pretty sure we can show you that demo in three minutes. But this malware is pretty neat malware, because it only has a DLL file. So notice, when you mention that a DLL can do a lot of damage, you're going to see that here. So let me show you the malware: it's called webcheck.dll. Basically you can install this malware with a simple registry hack. I'm going to show you what this registry file has. This is basically the folder in the registry that it tries to modify, and I'm going to do it manually so you guys get to see it. What I want to show you here is that the name of the malware is webcheck.dll, which is also a legitimate Microsoft file; if you mouse over that you basically see "website monitor", and it's only 10 KB. So, HKEY_LOCAL_MACHINE\Software, going to find this registry key, okay. So basically the legitimate file, you know, whenever Windows Explorer runs it basically loads this file webcheck.dll, but it loads it from the system32 folder. What our malware, what we're going to do, is copy and paste this file in the Windows folder, and we're going to tell the system to run this file out of the Windows folder rather than the Windows system32 folder. So it's a pretty simple hack: I just placed a file here, and so this is the legitimate file, so I'm going to tell the system to load webcheck.dll but from the Windows folder. So obviously, if we had time we would have restarted the system and showed you, but I think the quick hack I can show you is if we just end Explorer and we load Explorer, it should work; if it doesn't, we have to cheer louder. Okay, so basically now, when explorer.exe has started, notice we did the hack, so now explorer.exe has to load webcheck.dll from the Windows folder, so the malicious one.
Basically this malware stores the data in the root of the drive, but it has the hidden attribute, not just the hidden attribute but also the system attribute, so we have to uncheck this button, which again is the Windows, no no. So notice you have this file, pagefile. What's pagefile in a Windows system? Virtual memory, right. So you're going to see an additional file, if everything goes right. So we're going to go to our company intranet, right, and it says "intranet my company com", and we're going to try to log into this folder, johnsmith1, and then I'm going to type in my password and it sends me to the intranet folder. So in the confidential folder I'm going to upload a file, and that file, basically you do a lot of activity from your browser, right? So this malware is targeting your browser, so anything that you're doing in the browser, better watch out, because it's trying to steal that. So I'm going to put this document there. Let me show you the contents of this document: it basically has some confidential information, it says "president arrives at DEFCON on August 5, will attend SpiderLabs party". So we're going to process that through the browser, right, I'm going to upload this file, and then go back to my C drive. Do you see pagefile there? It's basically 18K. So right now it's not actually transmitting any data, because the malware writers have coded into the malware itself the time to exfiltrate data. So I'm running a local FTP server; we've kind of patched the malware so that it sends the data to an FTP server, but I'm running it on the localhost. So this is where you should see data, around 2am, so I'm going to change the time to 1:59:50 am so that we get 10 seconds to pray, and basically the minute it hits two o'clock we should see something. Okay, it works, awesome.

Okay, so we have this file now. Notice that pagefile disappeared; now it's only, the pagefile is going to come back, but in the meantime there's a zip file here, so you should be able to extract this file here, right? So we say extract, and it says, hey, no, our guys found you, you know, you're a sucker, because this file is not a zip, right? So basically what I'm going to do is copy this file and I'm going to go to my Ruby folder, because that's where we wrote the code, okay, and this is basically the decryption script, so I'm going to put it in the bin folder, and pretty quickly I'm going to run this so you guys actually get to see the data before we have to leave. All right, so see, Ruby, drop in. So I'm going to say ruby decrypt this, and the data is like, I think it starts with a C or something, right, open C 29, okay, there we go, and we're going to say decrypted data again, decrypted txt. Okay, so the script runs, it tries to decrypt that data, and then we go back to the same folder to actually check that, and here we go. So what was the keyword in that file that we can look for? So basically here you see a file upload, but all that data the malware basically captured, and you can't open this file even if you wanted to; if you open this in TextPad you would see garbage, so you basically have to write a decrypter to actually see any sort of data. So just imagine what we do in our browsers, we pretty much do everything in our browser, and if that malware is only 10 KB and can take stuff from the browser, it's pretty cool. Okay, I'll let you know, when you get this t-shirt, all that, you know, it's pretty, yes.

Okay, so I think we're going to wrap up. Yes, so demo number 4 will be in the Q&A session; we may be able to show you some of the last pieces of the demo during the Q&A time. There's a, but we have a mobile malware demo as well that we're trying to fit into this presentation. So basically we're done, and basically the closing argument, the closing thing here, is next year we predict a lot of other, a lot of new, more advanced activities. And thanks for coming.
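A defender-side illustration of the Kameo traffic pattern described in the grocery store demo above (an added example, not code from the talk or from SpiderLabs): it parses raw HTTP requests of the kind Wireshark shows in Follow TCP Stream, flags a POST with a non-browser User-Agent, a .php endpoint and an opaque body, and checks for the 30-second send cadence the speaker describes. The sample requests, the /collect.php path, the browser prefix list and the thresholds are constructed assumptions.

```python
"""Detection-side sketch for the Kameo-style port 80 exfiltration from the talk.
Added example with constructed samples; thresholds and paths are assumptions."""
import statistics
import string
from dataclasses import dataclass, field

# Assumption: anything not starting with these prefixes is treated as a non-browser agent.
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")
PRINTABLE = set(string.printable)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Parse one raw HTTP request (the text Wireshark shows in Follow TCP Stream)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, path, _version = request_line.decode("ascii", "replace").split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("ascii", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers, body)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; encoded track data scores low."""
    if not data:
        return 1.0
    return sum(chr(b) in PRINTABLE for b in data) / len(data)


def exfil_indicators(req: HttpRequest) -> list:
    """Return the reasons a request looks like the POST seen in the demo."""
    reasons = []
    if req.method != "POST":
        return reasons
    ua = req.headers.get("user-agent", "")
    if not ua.startswith(BROWSER_UA_PREFIXES):
        reasons.append(f"non-browser User-Agent {ua!r}")
    if req.path.lower().endswith(".php"):
        reasons.append("POST to a .php collector")
    if printable_ratio(req.body) < 0.7:  # assumption: threshold chosen for this sketch
        reasons.append("opaque (encoded) body")
    return reasons


def is_beaconing(times: list, tolerance: float = 2.0) -> bool:
    """True when successive sends are evenly spaced, like the 30-second timer in the talk."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return False
    typical = statistics.median(gaps)
    return all(abs(g - typical) <= tolerance for g in gaps)


# Constructed samples, not captured traffic: an exfil POST and a normal form login.
SAMPLE_EXFIL = (b"POST /collect.php HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                b"User-Agent: Kameo\r\nContent-Length: 16\r\n\r\n"
                b"\x8f\x13\xa0\xff\x02\x9c\xe1\x77\xb4\x00\xd3\x5e\x8a\xf0\x1b\xc9")
SAMPLE_BENIGN = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                 b"User-Agent: Mozilla/5.0\r\nContent-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 27\r\n\r\nuser=jsmith&password=secret")

if __name__ == "__main__":
    for raw in (SAMPLE_EXFIL, SAMPLE_BENIGN):
        req = parse_request(raw)
        print(req.path, exfil_indicators(req))
    print(is_beaconing([0.0, 30.0, 60.4, 89.7, 120.1]))
```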