1 00:00:03,270 --> 00:00:05,970 thank you so much everyone for coming 2 00:00:05,100 --> 00:00:09,000 along 3 00:00:05,970 --> 00:00:11,700 I should get this this talks about the 4 00:00:09,000 --> 00:00:14,639 the rat industry or the remote access 5 00:00:11,700 --> 00:00:16,470 trojan industry and the kind of Manoa in 6 00:00:14,639 --> 00:00:18,180 the markets which has been developed to 7 00:00:16,470 --> 00:00:19,859 support it but before we actually talk 8 00:00:18,180 --> 00:00:21,810 about something interesting just to get 9 00:00:19,859 --> 00:00:23,609 rid of the way so many know me some of 10 00:00:21,810 --> 00:00:25,619 you probably uh hopefully don't I'm done 11 00:00:23,609 --> 00:00:28,380 I work as a security engineer while 12 00:00:25,619 --> 00:00:32,490 studying at Edinburgh Napier the 13 00:00:28,380 --> 00:00:34,500 software engineering and as of up until 14 00:00:32,490 --> 00:00:36,770 November I was part of the any second 15 00:00:34,500 --> 00:00:40,080 Eddy so not this one 16 00:00:36,770 --> 00:00:41,670 but either just full disclosure I don't 17 00:00:40,080 --> 00:00:44,550 do malware as a job my job is in threat 18 00:00:41,670 --> 00:00:47,250 intelligence so take that with you well 19 00:00:44,550 --> 00:00:49,290 it is a hobby for me for now my max 20 00:00:47,250 --> 00:00:51,930 resolves in infrastructure so very much 21 00:00:49,290 --> 00:00:54,510 detached from all this but um as we call 22 00:00:51,930 --> 00:00:56,700 and as we can try go back to site on 23 00:00:54,510 --> 00:00:58,110 this topic which is very very vast and I 24 00:00:56,700 --> 00:01:00,120 can't get into everything as much as I'd 25 00:00:58,110 --> 00:01:02,190 like well we're gonna start with a quick 26 00:01:00,120 --> 00:01:04,018 introduction on the essentially ancient 27 00:01:02,190 --> 00:01:05,729 history what I find to be the first 28 00:01:04,019 --> 00:01:08,490 things which could be considered rats or 29 00:01:05,729 --> 00:01:10,340 you know 
remote admin tools as the as 30 00:01:08,490 --> 00:01:13,919 the developers told them and we'll talk 31 00:01:10,340 --> 00:01:16,560 a quick introduction on what malware is 32 00:01:13,920 --> 00:01:19,979 on more specifically what a Trojan is 33 00:01:16,560 --> 00:01:22,499 and this will all be important later 34 00:01:19,979 --> 00:01:23,640 trust me and then hopefully well if the 35 00:01:22,499 --> 00:01:26,158 talk makes it that long we'll move into 36 00:01:23,640 --> 00:01:28,229 what I consider modern-day rotting 37 00:01:26,159 --> 00:01:30,049 samples and again the the markets which 38 00:01:28,229 --> 00:01:33,719 is sprung up to support them which is 39 00:01:30,049 --> 00:01:35,819 quite important there will be time for 40 00:01:33,719 --> 00:01:38,158 questions at the end hopefully so if 41 00:01:35,819 --> 00:01:39,600 again the topic is quite vast well my 42 00:01:38,159 --> 00:01:43,439 answers I don't know please don't be mad 43 00:01:39,600 --> 00:01:46,559 at me so first of all do we all know 44 00:01:43,439 --> 00:01:48,538 what malware is I guess we do but if 45 00:01:46,560 --> 00:01:51,450 you're not sure malware is a portmanteau 46 00:01:48,539 --> 00:01:52,920 of malicious software software which has 47 00:01:51,450 --> 00:01:55,079 been specifically designed to disrupt 48 00:01:52,920 --> 00:01:58,649 damage or gain unauthorized access but 49 00:01:55,079 --> 00:02:00,630 something I noticed in researching this 50 00:01:58,649 --> 00:02:03,329 is that people seem to take specifically 51 00:02:00,630 --> 00:02:05,908 designed like to quite an extreme and 52 00:02:03,329 --> 00:02:07,079 only think like a healer like if I make 53 00:02:05,909 --> 00:02:08,280 a bit of malware but then instead of 54 00:02:07,079 --> 00:02:10,530 software agreement in there that says 55 00:02:08,280 --> 00:02:13,260 please don't use this as malware it 56 00:02:10,530 --> 00:02:14,400 protects you we'll find out just how 57 00:02:13,260 --> 00:02:17,069 
true that is by the game 58 00:02:14,400 --> 00:02:18,540 malware includes lots of different types 59 00:02:17,069 --> 00:02:19,319 of programs like viruses which are 60 00:02:18,540 --> 00:02:22,739 self-replicating 61 00:02:19,319 --> 00:02:25,409 and worms which can spread by themselves 62 00:02:22,739 --> 00:02:27,450 intrusions which we'll be talking about 63 00:02:25,409 --> 00:02:28,798 but essentially the very simple versions 64 00:02:27,450 --> 00:02:31,470 are religious programs which rely on 65 00:02:28,799 --> 00:02:34,409 deception to be spread so like whether 66 00:02:31,470 --> 00:02:36,150 it's a three fortnight VBox tool or 67 00:02:34,409 --> 00:02:39,390 whether it's pictures from the runescape 68 00:02:36,150 --> 00:02:41,129 girlfriend exe or whether it's whatever 69 00:02:39,390 --> 00:02:42,540 someone's sending you the premise is 70 00:02:41,129 --> 00:02:43,109 that you don't know that thinking it's 71 00:02:42,540 --> 00:02:45,900 something else 72 00:02:43,110 --> 00:02:48,000 so I thought in mind that what the hell 73 00:02:45,900 --> 00:02:50,910 is the difference between a trojan and a 74 00:02:48,000 --> 00:02:52,739 rat right so there's two so rather than 75 00:02:50,910 --> 00:02:53,849 acronym and depending on who you ask 76 00:02:52,739 --> 00:02:55,859 it either stands for remote access 77 00:02:53,849 --> 00:02:57,450 trojan and this is what you know AV 78 00:02:55,859 --> 00:02:59,549 companies column and/or it stands for 79 00:02:57,450 --> 00:03:00,839 remote administration tools which is 80 00:02:59,549 --> 00:03:02,280 what you know the producers of these 81 00:03:00,840 --> 00:03:03,870 tools call them because obviously you 82 00:03:02,280 --> 00:03:05,190 don't really put yourself in anyone's 83 00:03:03,870 --> 00:03:09,599 good books by saying that you produce a 84 00:03:05,190 --> 00:03:10,680 Georgian you know so whenever I first 85 00:03:09,599 --> 00:03:11,970 started researching this I thought 86 00:03:10,680 --> 
00:03:14,220 remote access trojan was a bit of a 87 00:03:11,970 --> 00:03:15,989 misnomer because surely all Trojans 88 00:03:14,220 --> 00:03:17,760 require some form of remote access right 89 00:03:15,989 --> 00:03:19,200 like if it's physical access and 90 00:03:17,760 --> 00:03:23,370 certainly a Trojan you're just at the 91 00:03:19,200 --> 00:03:24,839 computer so I like it it helps to think 92 00:03:23,370 --> 00:03:26,849 about it that like a remote access 93 00:03:24,840 --> 00:03:28,530 Trojan is a Trojan which specifically 94 00:03:26,849 --> 00:03:30,349 goes after as much remote access as 95 00:03:28,530 --> 00:03:32,549 possible so we're talking about almost 96 00:03:30,349 --> 00:03:37,798 administrative level of control remotely 97 00:03:32,549 --> 00:03:39,209 over a system so knowing all the 98 00:03:37,799 --> 00:03:43,410 definitions that start with some very 99 00:03:39,209 --> 00:03:47,280 very old tools a long time ago any 100 00:03:43,410 --> 00:03:50,459 galaxy far far away Sweden started with 101 00:03:47,280 --> 00:03:52,650 NAT buffs in 1998 which carl fredrik 102 00:03:50,459 --> 00:03:56,250 nick der I hope no one's Swedish because 103 00:03:52,650 --> 00:03:58,079 but butchered that essentially said in 104 00:03:56,250 --> 00:04:00,150 an interview in 2002 that he created it 105 00:03:58,079 --> 00:04:03,480 so you have fun with his or her friends 106 00:04:00,150 --> 00:04:05,760 and for the Creator to have fun with his 107 00:04:03,480 --> 00:04:07,198 or her friends and it's also for network 108 00:04:05,760 --> 00:04:09,750 administrators that would like to remove 109 00:04:07,199 --> 00:04:11,699 the administrator and that's quite like 110 00:04:09,750 --> 00:04:13,079 we'll call back on this it's important 111 00:04:11,699 --> 00:04:20,639 to remember that's why he says he 112 00:04:13,079 --> 00:04:23,430 created it and also he claims that it is 113 00:04:20,639 --> 00:04:24,870 the first tool of its type which if 114 
00:04:23,430 --> 00:04:26,789 that's correct and I couldn't find any 115 00:04:24,870 --> 00:04:28,160 reliable examples earlier this would 116 00:04:26,789 --> 00:04:30,229 make it the first 117 00:04:28,160 --> 00:04:34,670 remote administration tool which is I 118 00:04:30,230 --> 00:04:36,350 mean it's a good achievement I guess but 119 00:04:34,670 --> 00:04:37,940 moving on the feature list essentially 120 00:04:36,350 --> 00:04:41,120 it they take it uses a client-server 121 00:04:37,940 --> 00:04:43,400 architecture so you'd install a copy of 122 00:04:41,120 --> 00:04:45,320 the server binary onto a handi computer 123 00:04:43,400 --> 00:04:47,900 and when installed it would run 124 00:04:45,320 --> 00:04:51,290 automatically and stay and we are in the 125 00:04:47,900 --> 00:04:52,940 memory and it would support for Windows 126 00:04:51,290 --> 00:04:54,320 an idea it would support key keystroke 127 00:04:52,940 --> 00:04:56,390 logging and would allow you to inject 128 00:04:54,320 --> 00:04:58,550 your own keystrokes which every happen 129 00:04:56,390 --> 00:04:59,840 does I don't know about you guys and it 130 00:04:58,550 --> 00:05:02,180 would allow full display capture and 131 00:04:59,840 --> 00:05:04,390 we're an entire file system access so 132 00:05:02,180 --> 00:05:08,990 that's rewrite any file anyplace 133 00:05:04,390 --> 00:05:10,700 modify anything and you know just cuz is 134 00:05:08,990 --> 00:05:12,560 a great administrator you can open 135 00:05:10,700 --> 00:05:15,050 includes a CD driver will which is a 136 00:05:12,560 --> 00:05:16,460 very useful thing and it also has its 137 00:05:15,050 --> 00:05:19,220 own tunneling protocol which enables you 138 00:05:16,460 --> 00:05:20,780 to use any any server of this which you 139 00:05:19,220 --> 00:05:23,350 have access to you as a proxy to connect 140 00:05:20,780 --> 00:05:26,500 to other computers to which again 141 00:05:23,350 --> 00:05:28,850 totally isn't malicious or anything um 
142 00:05:26,500 --> 00:05:31,700 so this is a sensor what it looks like 143 00:05:28,850 --> 00:05:32,840 you can see on the very left ok can you 144 00:05:31,700 --> 00:05:36,229 go to the backseat because this will be 145 00:05:32,840 --> 00:05:37,969 useful for the rest okay cool so on the 146 00:05:36,230 --> 00:05:39,830 left you can see a like open cd-rom you 147 00:05:37,970 --> 00:05:41,420 essentially just pointed as a single 148 00:05:39,830 --> 00:05:43,250 hostname or IP and click connect a 149 00:05:41,420 --> 00:05:45,560 couple of things we can gain from this 150 00:05:43,250 --> 00:05:48,110 is that there's no option and at least 151 00:05:45,560 --> 00:05:49,220 not bus 1.2 to configure the exact port 152 00:05:48,110 --> 00:05:51,380 that connects on so you know quite 153 00:05:49,220 --> 00:05:54,110 primitive very much have fun to whether 154 00:05:51,380 --> 00:05:55,430 it's meant for I'm an access I really 155 00:05:54,110 --> 00:05:58,120 don't know you can also play a saw and 156 00:05:55,430 --> 00:06:03,080 change the volume on the computer so 157 00:05:58,120 --> 00:06:05,419 that kinda sums it up and it kind of 158 00:06:03,080 --> 00:06:09,700 stockholder this one because only a year 159 00:06:05,419 --> 00:06:09,700 later in 1989 he released nap bus Pro 160 00:06:10,480 --> 00:06:16,669 that bus pro version 2.0 which was 161 00:06:14,419 --> 00:06:17,960 essentially just in that bus but only if 162 00:06:16,669 --> 00:06:20,419 you're trying to sell it to a business 163 00:06:17,960 --> 00:06:22,849 under like things like the ability to 164 00:06:20,419 --> 00:06:24,799 cache and store multiple servers and a 165 00:06:22,850 --> 00:06:28,330 greater file system access and like 166 00:06:24,800 --> 00:06:30,310 scripts so you can like run retains on 167 00:06:28,330 --> 00:06:33,289 look whatever machines haven't installed 168 00:06:30,310 --> 00:06:35,180 but of course it got quickly hacked and 169 00:06:33,290 --> 00:06:36,410 
although it was intended to be more 170 00:06:35,180 --> 00:06:38,060 visible and it was intended to leave 171 00:06:36,410 --> 00:06:40,430 like like like something in the taskbar 172 00:06:38,060 --> 00:06:41,780 stuff it's very easy to remove those 173 00:06:40,430 --> 00:06:44,120 features and then just have a better 174 00:06:41,780 --> 00:06:46,460 version of the first remote access 175 00:06:44,120 --> 00:06:48,290 Trojan if that makes sense 176 00:06:46,460 --> 00:06:50,780 oh yeah and this one had webcam image 177 00:06:48,290 --> 00:06:53,930 culture because that's what enterprises 178 00:06:50,780 --> 00:06:55,190 are looking for I guess but although 179 00:06:53,930 --> 00:06:57,139 we're talking a lot with the fun 180 00:06:55,190 --> 00:06:58,969 features and high like it's such an epic 181 00:06:57,139 --> 00:07:01,760 prank and that's sort of stuff 182 00:06:58,970 --> 00:07:04,520 not the case like these are really 183 00:07:01,760 --> 00:07:06,590 really kind of offensive tools which can 184 00:07:04,520 --> 00:07:08,150 be used for a lot of bad so in the same 185 00:07:06,590 --> 00:07:10,609 year that necklace 2.0 key might the 186 00:07:08,150 --> 00:07:12,530 original program was used to frame 187 00:07:10,610 --> 00:07:14,870 Magnus Ericsson a la researcher at Lund 188 00:07:12,530 --> 00:07:16,099 University in Sweden for a possession of 189 00:07:14,870 --> 00:07:18,139 three and a half thousand child 190 00:07:16,100 --> 00:07:20,360 pornographic images and he wasn't 191 00:07:18,139 --> 00:07:22,729 cleared until five years later when a 192 00:07:20,360 --> 00:07:24,740 computer expert from the es offered to 193 00:07:22,729 --> 00:07:27,289 investigate the case for him and this is 194 00:07:24,740 --> 00:07:30,500 taken from the the newspaper in 2004 the 195 00:07:27,290 --> 00:07:31,729 expression the district court did 196 00:07:30,500 --> 00:07:33,620 someone to go for a control of his 197 00:07:31,729 --> 00:07:37,310 computer so the 
advanced program that 198 00:07:33,620 --> 00:07:39,440 bus expert expertise I guess is required 199 00:07:37,310 --> 00:07:40,690 to use it and it is conceivable for 200 00:07:39,440 --> 00:07:42,560 example that someone else used 201 00:07:40,690 --> 00:07:44,539 Erickson's computer as a storage place 202 00:07:42,560 --> 00:07:46,370 although it hasn't confirmed whether it 203 00:07:44,539 --> 00:07:48,530 was just used as a proxy server or 204 00:07:46,370 --> 00:07:50,539 whether someone had liked deliberately 205 00:07:48,530 --> 00:07:53,179 planted there and alerted detect the 206 00:07:50,539 --> 00:07:55,010 technicians out University so I guess 207 00:07:53,180 --> 00:07:57,260 we'll never know moving on around the 208 00:07:55,010 --> 00:07:59,599 same time this one's a lot more 209 00:07:57,260 --> 00:08:02,810 well-known than that bus black orifice 210 00:07:59,600 --> 00:08:04,700 was released the DEF CON sex by a member 211 00:08:02,810 --> 00:08:06,800 of the prolific hacking group called to 212 00:08:04,700 --> 00:08:09,289 the dead Cory called sir a stick so I 213 00:08:06,800 --> 00:08:11,510 mean obviously a ministration till right 214 00:08:09,289 --> 00:08:13,460 release the DEF CON I call to the dead 215 00:08:11,510 --> 00:08:15,200 Cory sure but essentially a self 216 00:08:13,460 --> 00:08:17,210 contained self installing utility which 217 00:08:15,200 --> 00:08:19,550 allows the user to control and monitor 218 00:08:17,210 --> 00:08:20,690 computers running running Windows 219 00:08:19,550 --> 00:08:26,270 operating system over a network 220 00:08:20,690 --> 00:08:31,039 Sony excuse me so essentially the 221 00:08:26,270 --> 00:08:34,039 release here is very much sorry like 222 00:08:31,039 --> 00:08:37,848 they advertised it sarcastically as a as 223 00:08:34,039 --> 00:08:39,199 a remote administration tool and the 224 00:08:37,849 --> 00:08:40,909 their motivations for it so they 225 00:08:39,200 --> 00:08:42,650 released like a full 
memo detailing like 226 00:08:40,909 --> 00:08:43,569 like what the wall black orifice could 227 00:08:42,650 --> 00:08:45,459 do and why they were 228 00:08:43,570 --> 00:08:47,080 lease it and essentially they had made 229 00:08:45,460 --> 00:08:48,910 complaints to Microsoft about the 230 00:08:47,080 --> 00:08:51,640 security of previous operating systems 231 00:08:48,910 --> 00:08:53,740 like Windows ME and they released 232 00:08:51,640 --> 00:08:56,230 Windows 98 which it was described here 233 00:08:53,740 --> 00:08:58,780 as having a Swiss cheese approach to 234 00:08:56,230 --> 00:09:00,430 security so things didn't really get 235 00:08:58,780 --> 00:09:03,010 better and things kind of haven't really 236 00:09:00,430 --> 00:09:05,500 got much better so I must have been on 237 00:09:03,010 --> 00:09:12,000 there something shame about inspiring a 238 00:09:05,500 --> 00:09:12,000 generation of extortion but whatever so 239 00:09:12,780 --> 00:09:17,020 this is what it looks like kind of 240 00:09:15,400 --> 00:09:18,640 standard Windows an idea program you can 241 00:09:17,020 --> 00:09:21,550 see that this one does have a bit more 242 00:09:18,640 --> 00:09:23,020 complexity than that bus whether that 243 00:09:21,550 --> 00:09:24,849 was because it was made by someone but 244 00:09:23,020 --> 00:09:26,380 like you knew more about computers or 245 00:09:24,850 --> 00:09:28,300 look he was more serious by making it 246 00:09:26,380 --> 00:09:30,370 like a proper bit of malware could be 247 00:09:28,300 --> 00:09:33,099 used I'm not sure but essentially like 248 00:09:30,370 --> 00:09:35,350 the same list of features with some 249 00:09:33,100 --> 00:09:37,480 extra ones added on like for instance 250 00:09:35,350 --> 00:09:39,190 you've got an HTTP server which you can 251 00:09:37,480 --> 00:09:40,950 put onto the put onto the server for the 252 00:09:39,190 --> 00:09:43,690 arbitrary uploading download of files 253 00:09:40,950 --> 00:09:45,340 let's go 
to you can turn the interface 254 00:09:43,690 --> 00:09:48,580 in the promiscuous mode and sniff all 255 00:09:45,340 --> 00:09:51,040 the packets going through it I guess and 256 00:09:48,580 --> 00:09:52,270 most importantly this is one to remember 257 00:09:51,040 --> 00:09:53,800 is this does show up a lot quite 258 00:09:52,270 --> 00:09:55,390 recently and this is the first program I 259 00:09:53,800 --> 00:09:58,959 can find which doesn't this is a plug-in 260 00:09:55,390 --> 00:10:01,030 interface so if let's say I use a back 261 00:09:58,960 --> 00:10:03,460 office at home for administration and 262 00:10:01,030 --> 00:10:06,270 I'd like to upload a custom script which 263 00:10:03,460 --> 00:10:08,590 runs in a biophysicist hidden process I 264 00:10:06,270 --> 00:10:11,170 can I could do so and I can dissolute it 265 00:10:08,590 --> 00:10:13,660 too to my to my client and just run it 266 00:10:11,170 --> 00:10:15,069 on any computer so this does instead of 267 00:10:13,660 --> 00:10:16,300 waiting for suggest stick to add the 268 00:10:15,070 --> 00:10:20,140 feature for me I can just make it myself 269 00:10:16,300 --> 00:10:21,640 so that's cool and it's also it 270 00:10:20,140 --> 00:10:23,080 advertises itself is fully invisible not 271 00:10:21,640 --> 00:10:25,750 appearing in any tasks less or any file 272 00:10:23,080 --> 00:10:28,690 list or any process list at all which I 273 00:10:25,750 --> 00:10:31,000 couldn't imagine three very hard and the 274 00:10:28,690 --> 00:10:32,890 year later just like an app bus came up 275 00:10:31,000 --> 00:10:34,750 with a better version back office 2000 276 00:10:32,890 --> 00:10:38,170 Kim I the next year at Def Con but the 277 00:10:34,750 --> 00:10:40,090 story is essentially the same so like 278 00:10:38,170 --> 00:10:43,630 it's like overly ganar similar 279 00:10:40,090 --> 00:10:46,240 interesting the next year after that sub 280 00:10:43,630 --> 00:10:47,860 7 was developed by mod man who's still 
281 00:10:46,240 --> 00:10:49,450 on he's still active in the community is 282 00:10:47,860 --> 00:10:49,670 art Greg components whether if you'd 283 00:10:49,450 --> 00:10:51,470 like 284 00:10:49,670 --> 00:10:52,490 to find out more about subs Abin or more 285 00:10:51,470 --> 00:10:54,350 about like the people and their 286 00:10:52,490 --> 00:10:55,820 motivations for why they made this stuff 287 00:10:54,350 --> 00:10:58,400 a lot of it today we're like software 288 00:10:55,820 --> 00:11:02,060 freedom unlike digital advocacy which 289 00:10:58,400 --> 00:11:03,650 doesn't make sense to me but this is 290 00:11:02,060 --> 00:11:05,270 notable because it came with a whole 291 00:11:03,650 --> 00:11:07,280 bunch of features this really came over 292 00:11:05,270 --> 00:11:10,880 loaded with features compared to other 293 00:11:07,280 --> 00:11:13,730 malware at the time and it's strived to 294 00:11:10,880 --> 00:11:16,900 be the most usable remote access trojan 295 00:11:13,730 --> 00:11:19,040 that that was on the market essentially 296 00:11:16,900 --> 00:11:20,480 but one thing I'd like to note here is 297 00:11:19,040 --> 00:11:22,040 that it was one of the most there was 298 00:11:20,480 --> 00:11:23,930 one of the first widely used rats with 299 00:11:22,040 --> 00:11:27,079 um command and control functionality 300 00:11:23,930 --> 00:11:28,880 which happened three IRC and this is 301 00:11:27,080 --> 00:11:30,320 significant because throughout the 2000s 302 00:11:28,880 --> 00:11:32,150 this is what was used by botnets and I 303 00:11:30,320 --> 00:11:33,860 can't find I can find one like an 304 00:11:32,150 --> 00:11:35,900 example of a worm which is an IRC to 305 00:11:33,860 --> 00:11:38,060 report in but in terms of like actively 306 00:11:35,900 --> 00:11:41,170 like dishing out commands like through 307 00:11:38,060 --> 00:11:43,339 an IRC chatroom because it's ideal for 308 00:11:41,170 --> 00:11:44,780 it's ideal for malware authors right 309 
00:11:43,340 --> 00:11:46,490 because like IRC I mean like the 310 00:11:44,780 --> 00:11:47,959 server's already there it's a nice 311 00:11:46,490 --> 00:11:49,460 Vecchio's traffic and you've immediately 312 00:11:47,960 --> 00:11:51,590 got the option to message a whole chat 313 00:11:49,460 --> 00:11:53,210 room full of people or just a specific 314 00:11:51,590 --> 00:11:55,490 box so that's like very easy targeting 315 00:11:53,210 --> 00:11:56,720 for like if you want your botnets 316 00:11:55,490 --> 00:11:58,940 additional things and this is the first 317 00:11:56,720 --> 00:12:01,940 kind of example with it but um to 318 00:11:58,940 --> 00:12:03,620 properly understand would like what we 319 00:12:01,940 --> 00:12:05,450 mean about bots and like botnets and 320 00:12:03,620 --> 00:12:08,150 rats are they also and together we need 321 00:12:05,450 --> 00:12:10,400 to understand what a what a zombie means 322 00:12:08,150 --> 00:12:12,199 so when we talk about botnets we 323 00:12:10,400 --> 00:12:14,199 generally refer to Victor compromised 324 00:12:12,200 --> 00:12:17,390 computers which make up the botnet as 325 00:12:14,200 --> 00:12:20,120 zombies which I accept remote commands 326 00:12:17,390 --> 00:12:22,100 all those authorization from the vault 327 00:12:20,120 --> 00:12:26,780 herder as well or whoever's controlling 328 00:12:22,100 --> 00:12:29,210 the botnet or rat but essentially this 329 00:12:26,780 --> 00:12:32,870 term has kind of been forgotten install 330 00:12:29,210 --> 00:12:34,850 victim and slave or yeast as well but of 331 00:12:32,870 --> 00:12:38,320 course like it's just means compromised 332 00:12:34,850 --> 00:12:41,330 computer really which brings me to my 333 00:12:38,320 --> 00:12:43,730 next point there is although a group of 334 00:12:41,330 --> 00:12:46,190 rock controlled zombies is a botnet 335 00:12:43,730 --> 00:12:49,190 technically there is like technical 336 00:12:46,190 --> 00:12:52,940 differences in these 
two terms for 337 00:12:49,190 --> 00:12:54,380 instance as botnets scale and they're 338 00:12:52,940 --> 00:12:56,270 designed to scale and they benefit from 339 00:12:54,380 --> 00:12:57,860 scale for instance are used in DDoS 340 00:12:56,270 --> 00:12:59,210 attacks and they're used for spam and 341 00:12:57,860 --> 00:13:00,160 they're generally used for thing where 342 00:12:59,210 --> 00:13:01,540 it's valuable to 343 00:13:00,160 --> 00:13:05,230 a lot of different hosts doing the 344 00:13:01,540 --> 00:13:08,889 connecting it's with the more features 345 00:13:05,230 --> 00:13:10,720 as doesn't mention the sub 713 features 346 00:13:08,889 --> 00:13:13,389 as a version 3.1 which is the one with 347 00:13:10,720 --> 00:13:15,009 the IRC stuff that's not terribly useful 348 00:13:13,389 --> 00:13:16,449 for about that because of a connective 349 00:13:15,009 --> 00:13:18,279 return diem in fact lots and lots of 350 00:13:16,449 --> 00:13:19,628 machines we don't want to make it we 351 00:13:18,279 --> 00:13:21,220 want to make it as hard to detect and 352 00:13:19,629 --> 00:13:22,329 it's hard to stop as possible and if 353 00:13:21,220 --> 00:13:23,860 you've crammed it for the features 354 00:13:22,329 --> 00:13:26,170 that's a lot of indicators compromised 355 00:13:23,860 --> 00:13:27,509 like there's a lot of ways for that to 356 00:13:26,170 --> 00:13:29,500 trip up where there's a lot of ways for 357 00:13:27,509 --> 00:13:32,199 antiviruses to pick it up or identify 358 00:13:29,500 --> 00:13:33,550 processes which connects to which like 359 00:13:32,199 --> 00:13:36,339 in G your screen and that sort of thing 360 00:13:33,550 --> 00:13:39,430 so there is a difference in the way that 361 00:13:36,339 --> 00:13:41,500 rats and trojans the witching are 362 00:13:39,430 --> 00:13:45,430 involved in botnets are used but that's 363 00:13:41,500 --> 00:13:47,800 just semantics essentially moving on to 364 00:13:45,430 --> 00:13:51,040 the modern day I 
decided to start this 365 00:13:47,800 --> 00:13:52,839 section with like laughing you want but 366 00:13:51,040 --> 00:13:54,849 essentially the the finding of hoc forms 367 00:13:52,839 --> 00:13:56,019 is essentially when I would start the 368 00:13:54,850 --> 00:14:00,850 modern day of the-- remote 369 00:13:56,019 --> 00:14:04,269 administration tool market because like 370 00:14:00,850 --> 00:14:05,589 available with like any kind of like any 371 00:14:04,269 --> 00:14:06,910 kind of special connection or available 372 00:14:05,589 --> 00:14:09,339 just to the clear now for anyone to sign 373 00:14:06,910 --> 00:14:10,930 up to open the new members it really did 374 00:14:09,339 --> 00:14:12,250 help develop a public interest and rats 375 00:14:10,930 --> 00:14:14,620 in cemented there's one of the most 376 00:14:12,250 --> 00:14:16,689 popular ways to kind of induct new black 377 00:14:14,620 --> 00:14:18,069 lab members right because the set up or 378 00:14:16,689 --> 00:14:19,930 more like sisters you don't really need 379 00:14:18,069 --> 00:14:22,899 any like skills the tools are already 380 00:14:19,930 --> 00:14:24,430 there I mean we'll get to some 381 00:14:22,899 --> 00:14:26,380 technicalities with actually running a 382 00:14:24,430 --> 00:14:28,029 campaign which which causes some 383 00:14:26,380 --> 00:14:29,380 difficulty but essentially high 384 00:14:28,029 --> 00:14:31,240 performance did really help to make this 385 00:14:29,380 --> 00:14:33,009 reality because like if you give all 386 00:14:31,240 --> 00:14:35,079 skaters the same kind of way to identify 387 00:14:33,009 --> 00:14:36,939 themselves this creates kind of a 388 00:14:35,079 --> 00:14:38,349 rapport between different industries so 389 00:14:36,939 --> 00:14:40,660 for instance if I'm selling for like 390 00:14:38,350 --> 00:14:42,310 crack to extend like selling a 391 00:14:40,660 --> 00:14:44,290 legitimate for whatever reason hosting 392 00:14:42,310 --> 00:14:45,550 and 
you're a malware developer and we 393 00:14:44,290 --> 00:14:47,500 both are active in the same forum 394 00:14:45,550 --> 00:14:48,849 there's an implied legitimacy there and 395 00:14:47,500 --> 00:14:50,829 when you're trading on what is 396 00:14:48,850 --> 00:14:52,269 essentially the Wild West and the 397 00:14:50,829 --> 00:14:53,559 internet like anyone can scan me people 398 00:14:52,269 --> 00:14:54,870 can promise stuff you can pay them and 399 00:14:53,559 --> 00:14:57,069 another slave with money right because 400 00:14:54,870 --> 00:15:00,040 like these these are essentially scam 401 00:14:57,069 --> 00:15:01,449 artists we're talking about like it 402 00:15:00,040 --> 00:15:03,490 really does help to have like one kind 403 00:15:01,449 --> 00:15:05,079 of identity and then it obviously I'm 404 00:15:03,490 --> 00:15:07,660 released like different like paid 405 00:15:05,079 --> 00:15:09,758 membership tiers which indeed help to 406 00:15:07,660 --> 00:15:11,040 drive business to the likes likes really 407 00:15:09,759 --> 00:15:13,800 like you buy 408 00:15:11,040 --> 00:15:15,120 level of membership and then the other 409 00:15:13,800 --> 00:15:16,139 kind of like an implicit trust because 410 00:15:15,120 --> 00:15:18,000 you've been vetted and you've paid for 411 00:15:16,139 --> 00:15:21,480 membership so you you're not sitting to 412 00:15:18,000 --> 00:15:23,250 take the money and run right but I think 413 00:15:21,480 --> 00:15:25,800 the most important thing about this was 414 00:15:23,250 --> 00:15:27,209 hi it made zombie monetization like a 415 00:15:25,800 --> 00:15:28,859 reality and it made it instead of 416 00:15:27,209 --> 00:15:30,149 something being abstract like oh I'll 417 00:15:28,860 --> 00:15:31,740 come up with an awful way to make money 418 00:15:30,149 --> 00:15:33,389 out of these like you can go in the 419 00:15:31,740 --> 00:15:34,620 forum and watch people do it you can go 420 00:15:33,389 --> 00:15:36,690 in the forum 
and see what people are 421 00:15:34,620 --> 00:15:38,970 selling and you know these selling them 422 00:15:36,690 --> 00:15:41,339 out where and you know what they what 423 00:15:38,970 --> 00:15:43,350 they're selling from the like from the 424 00:15:41,339 --> 00:15:44,759 zombies right so essentially when we 425 00:15:43,350 --> 00:15:46,680 talk about matters of monetization that 426 00:15:44,759 --> 00:15:48,660 can be summed up is they summed up in 427 00:15:46,680 --> 00:15:51,569 what the hell would anyone do with my PC 428 00:15:48,660 --> 00:15:54,259 if I get a virus why why do they want 429 00:15:51,569 --> 00:15:57,420 the virus there except for you know fun 430 00:15:54,259 --> 00:15:59,819 fun with your friends as a karl-frederik 431 00:15:57,420 --> 00:16:03,240 put it why on earth would anyone want 432 00:15:59,819 --> 00:16:06,240 the the malware to be there and excuse 433 00:16:03,240 --> 00:16:08,250 me in 2009 Brian Krebs asked the same 434 00:16:06,240 --> 00:16:10,160 question and rode around the article 435 00:16:08,250 --> 00:16:12,360 called the scrap value of a hiked PC 436 00:16:10,160 --> 00:16:14,490 addressing the question of like oh well 437 00:16:12,360 --> 00:16:16,829 I only use my PC for solitaire like why 438 00:16:14,490 --> 00:16:18,300 would you hack me and if we want users 439 00:16:16,829 --> 00:16:19,620 to start taking security seriously and 440 00:16:18,300 --> 00:16:20,670 if you want them to be aware of the 441 00:16:19,620 --> 00:16:23,130 threats right there this is a really 442 00:16:20,670 --> 00:16:26,040 important question to answer like fully 443 00:16:23,130 --> 00:16:28,110 so forgetting targeted attacks like me 444 00:16:26,040 --> 00:16:29,910 in fact in a specific person here's 445 00:16:28,110 --> 00:16:32,760 here's some things which would make like 446 00:16:29,910 --> 00:16:35,310 a a computer controlled by rap pretty 447 00:16:32,760 --> 00:16:37,319 valuable so sort of a web hosting so the 448 
00:16:35,310 --> 00:16:39,899 value here is the anonymity it delivers 449 00:16:37,319 --> 00:16:41,189 to the attacker so for instance I can 450 00:16:39,899 --> 00:16:42,300 sell you a posting and you can host 451 00:16:41,190 --> 00:16:44,220 whatever you want on it and it doesn't 452 00:16:42,300 --> 00:16:45,359 matter if it goes doreen because there's 453 00:16:44,220 --> 00:16:48,750 no way to tie you back to the original 454 00:16:45,360 --> 00:16:50,519 hosting right except for me and this is 455 00:16:48,750 --> 00:16:52,949 the CDs for lots of stuff so like 456 00:16:50,519 --> 00:16:55,529 fashion campaigns will use this malware 457 00:16:52,949 --> 00:16:57,359 hosting so if you're um if part of your 458 00:16:55,529 --> 00:16:59,370 fetching campaign is to download malware 459 00:16:57,360 --> 00:17:00,870 from a site the site can be hosted here 460 00:16:59,370 --> 00:17:02,519 in that way you know you're not getting 461 00:17:00,870 --> 00:17:03,750 blacklisted from hosting domains or 462 00:17:02,519 --> 00:17:05,939 getting arrested because she signed up 463 00:17:03,750 --> 00:17:08,459 with it in a real name which does happen 464 00:17:05,939 --> 00:17:09,299 um you can host wares on it and again 465 00:17:08,459 --> 00:17:11,280 illegal pornography 466 00:17:09,299 --> 00:17:12,510 people will pay a lot of money to like 467 00:17:11,280 --> 00:17:16,470 host this kind of stuff if you can do 468 00:17:12,510 --> 00:17:19,109 reliably so like why not focus in on the 469 00:17:16,470 --> 00:17:20,189 right campaign essentially next up is 470 00:17:19,109 --> 00:17:22,109 something guys some of us might be 471 00:17:20,189 --> 00:17:24,449 familiar with virtual goods 472 00:17:22,109 --> 00:17:25,829 so online games now I have like trading 473 00:17:24,449 --> 00:17:27,899 features and lighting in order to get 474 00:17:25,829 --> 00:17:29,668 people to play nice and in order to and 475 00:17:27,898 --> 00:17:31,199 devise people playing the game 
you'll get items which are sometimes worth real-life money. This ranges from developer-sanctioned activities, like the Steam market, to the Counter-Strike and Team Fortress 2 economies, which aren't supposed to really have real-life value but do anyway, and for instance RuneScape, and so on and so forth. And a nice benefit of this is that they're owned predominantly by children, or young adults at best, sorry; these are people who don't really have that much knowledge about computers and generally don't have that much money, so they're the type of person to search on YouTube for "free credits" or so on and so forth, and you'll see a lot of hosting, or a lot of spreading, of the malware on there. Essentially those items are then taken from the accounts, which have poor authentication, and if you think about it your Steam account is less protected than your bank account, and I can sell the same items to anyone,
right, so instead of there being an actual paper trail of me funnelling money out of your account, like with Valve, good luck with support.

Next up, reputation hijacking. So way back in the day this was essentially when spammers found a way to mass sign up for Yahoo accounts or Hotmail accounts and then use the inherent validity of a Hotmail account, because different webmail hosts would trust these addresses more, given that they had security behind signing up and they had spam detection, that sort of thing. So if you found a way to actually sign up to these addresses, that was really good for getting your spam seen by as many people as possible. But nowadays, with social media, reputation hijacking essentially means when you take over someone's account, which usually identifies them. For instance, if you go on any social media or any forum site and you see a post from someone's account, there's a lot of inherent value in what they post based on who they are. So if,
like, if I had a well-known person's account and I posted something, people are going to trust that link more than if I pushed it on my own Twitter, because she's got much more to lose than I do. So RATs have been spread in order to get access to high-value social accounts, which can be used in further malware spreading, or indeed advertising services. Selling advertising services on stolen accounts is much less profitable than just spreading more malware, so that's become much more common. Excuse me.

And up next, probably the biggest thing with widespread ones would be credential stealing. So essentially get the RAT onto your computer, take all the passwords on it, and anything which can be used to process money or deliver value to the person running the botnet they'll just take. So this isn't limited, although they obviously would prefer... they'd love access to your savings, they'd love access to your bank account, they'd love all that, it's
not just limited to accounts that actually store money. Accounts which you use to process money in general have an inherent value because of the capacity for money laundering, and because the value of an account used for legitimate reasons is so much higher than one that's just been made, right? Because if I make an account and then immediately use it to sell something worth a thousand to someone else who just made an account, there are fraud prevention programs for these types of things, so this does help to evade those. Examples would be eBay and Skrill, which both watch for that kind of behaviour.

And leaving the worst for last, we've got extortion. So I'm sure everyone's familiar with ransomware. Ransomware is much more common than remote access trojans because there's no management involved: you just kind of set up a key exchange, and then someone downloads it and all of a sudden they have to pay you or, you know, they're not getting their stuff back. But we live
with our devices and we trust them with a lot of very sensitive stuff, so it doesn't have to just be "we'll get access to your system"; you can, to an extent, blackmail: you can find something that they do not want out and use the secrecy of this to demand money of them. So I don't know if anyone remembers, but early examples of ransomware would say "oh, the FBI has detected child pornography on your computer, now give me five hundred dollars of iTunes vouchers or you're going to go to jail", that sort of stuff, and the idea is very much coming from these practices. Ransomware has existed for a while, it's become popular recently, and this practice definitely predates it to a large extent. And so if you can't hold the system to ransom, then hold the account. Again going back to social media, some social media accounts are the basis of people's businesses, some social media accounts or clients on external services are ones the person needs, otherwise they will not be able to make
their living, and so there's value to that. So if they can lock you out of your email and lock you out of your Twitter, then it's going to be hard to get your account back, and rather than wait 30 days for Twitter support, pay $200 and get it back, I guess.

And finally, webcam extortion, which is quite a big one because obviously anyone can set up one of these campaigns, because you can just download it for free on the internet, and not everyone is trying to make money; there are an awful lot of just very, very sick people. For instance, webcam extortion is attempting to get lewd photos off someone's webcam without them knowing it's on, and then using those images to extort them further. It's very, very common, and indeed you can see that mirrored in the forums of today. So if you can't read that, essentially it's advertising ebooks and services for getting teenage girls and young women to install your remote access trojan, because these instances of the spreading are worth more and can be sold
to more people, and if you're not going to use them yourself someone else certainly will. So that obviously sucks, but that's part and parcel of what this kind of access attracts: people aren't just here to make money, or rather people are here to make money in any way they can, and generally if they're willing to take access to your entire computer without you knowing, they're not really that bothered about extortion either.

So let's say we've got the money in, we've made all this money, and we're like, okay, what's the point? It doesn't really scale, I'll just keep making this amount of money forever. Well, as Homer put it, money can be exchanged for goods and services, and we can actually make our malware better, not only by buying a premium version, but we can also employ services from tangentially related but different industries, or different markets, of black hats to make our malware more successful, to make it spread faster. So I should have mentioned this
earlier, but if you've been following there might be a couple of things forming in your head, like "oh well, if they're just using all these free tools, well then the antiviruses can block the free tools and I'll be safe, right?" Well, yes, but also no. So the idea here is that while the antiviruses can block them, it takes longer to make a remote access trojan than it does to block one, so eventually AV will keep up with the tide. Not quite.

So crypting is essentially encryption, also referred to as packing, but for doing it for malicious purposes it's generally referred to in the market as crypting. It's essentially the process of obscuring an executable in order to prevent detection of the malicious code in it. So crypters have various functions, but the core of it is packing. If you're unfamiliar, packing is shorthand for executable compression, which is compressing the file and then decompressing it in memory once it's run. So generally in Windows the encrypted code exists as a PE resource
within the binary, so the program is essentially the instructions on how to unpack the program, and the rest is just nonsense until it's uncompressed, right? So packing has legitimate uses: back when memory was much more scarce than it is now, everything would be packed, because you're trying to cram as much on your floppy disk as you can; if you've only got 64K of memory you don't want something taking up space just because it's more legitimate, right? Even Sophos distributed its own antivirus fully packed so it would fit on a floppy disk, because things used to run faster on floppy disks, I've been told. But essentially why it works is the program will start and launch an unpacking routine which will be pointed at a piece of malicious code, and then it'll just hand over control to that malicious code once it's unpacked, and no one will be any the wiser. So, sorry, excuse me, of course it's not just that simple. There are various
levels of sophistication, and because we have various levels of sophisticated actors, a lot of them are commonly used. So we'll start with the very, very basic ones which are easy for antiviruses to catch on to, and then we'll go up to the ridiculous, lots-and-lots-of-effort, I-want-to-stay-undetected-for-the-rest-of-my-life stuff. So you can use open-source packers. On the plus side they're available for free, so you're not paying anyone, more of that profit to yourself, good job. On the downside, they're available for free, so everyone else can download them as well, and when you're in an arms race with an antivirus company you probably shouldn't give your secret key to not being detected to them. So antiviruses have had access to the source code for ages, which makes detecting them pretty trivial; it's just, you know, finding the patterns and then applying that to the files you're scanning. Excuse me.

Next up the rung, you can pay for a crypting service. So on a public forum someone advertises: "hi guys, I've
made a crypter, and if you want to encrypt your files you can either pay for access per month or you can pay for access as you go", so you can pay per crypt, usually a couple of pennies, like 50p or 20p or whatever. So the source code will generally be, or there will be an attempt to make it, unavailable, so you won't have access to it; AV only has access to the crypted files, so the AV has to reverse-engineer samples, and that takes more time than it would to find out exactly how to block RATs which are entirely unpacked. So it'll also contain anti-analysis features that'll obfuscate the stub, and by stub I mean that bit of code at the start which is uncompressed, which is essentially instructions on how to decompress the rest, and it'll behave differently if it notices it's in a sandbox or VM. So that's not RAT-specific, that's very common; any malware can be encrypted, crypters obviously can be used anywhere, not just with remote access trojans.

So next up the ladder are private crypting services. So instead of selling
like 783 00:27:57,610 --> 00:28:01,510 individual licenses or individual crypts 784 00:27:59,260 --> 00:28:03,429 you sell spots on a program so there's a 785 00:28:01,510 --> 00:28:05,080 there's limited access and this is 786 00:28:03,429 --> 00:28:06,549 entirely intentional because the idea is 787 00:28:05,080 --> 00:28:08,320 if not many people are using it there's 788 00:28:06,549 --> 00:28:09,879 not gonna be that many samples so if 789 00:28:08,320 --> 00:28:12,428 I've got a really important thing I want 790 00:28:09,880 --> 00:28:13,720 to put a virus on or a piece of malware 791 00:28:12,429 --> 00:28:16,029 I'm sorry then I can 792 00:28:13,720 --> 00:28:17,590 that won't be detected right but the 793 00:28:16,029 --> 00:28:19,330 downside is you actually think this has 794 00:28:17,590 --> 00:28:21,730 actually cost money price goes 795 00:28:19,330 --> 00:28:23,049 significantly up to to the suitor how 796 00:28:21,730 --> 00:28:25,629 the business works was limited in winter 797 00:28:23,049 --> 00:28:26,470 spots but the idea here is it'll be 798 00:28:25,629 --> 00:28:29,230 updated regularly 799 00:28:26,470 --> 00:28:30,700 so hopefully evade detection for longer 800 00:28:29,230 --> 00:28:32,919 and it'll how you generally have more 801 00:28:30,700 --> 00:28:34,389 advanced the analysis features like 802 00:28:32,919 --> 00:28:36,370 it'll obfuscate the control flow when 803 00:28:34,389 --> 00:28:39,279 that's being reversed in the API and so 804 00:28:36,370 --> 00:28:41,320 on and so forth and right at the top the 805 00:28:39,279 --> 00:28:43,870 ground of the crime not universally 806 00:28:41,320 --> 00:28:45,789 available and used for the general 807 00:28:43,870 --> 00:28:48,518 applications as well as a virtualized 808 00:28:45,789 --> 00:28:50,019 exe obfuscator which essentially instead 809 00:28:48,519 --> 00:28:52,000 of decrypting the code it just runs it 810 00:28:50,019 --> 00:28:54,549 in a virtual machine which has an 811 
architecture which is not like any of the architectures we use, so if you're reversing it you need to learn an entirely new control set or command set, and so on and so forth. So if you're trying to reverse this for an antivirus that can be quite a pain; it can take much, much longer. So this is kind of what you're aiming for, but obviously it costs significantly more than the other options, and generally if you're just doing it to scam a few people out of a few coins you wouldn't need this.

So let's pretend they've done all that. Okay, so I've got my RAT, I've got it encrypted. Do I even know if it works, right? Because I don't want to just burn all my crypts by testing if my RAT works, you know. I don't want to drop it on a live system, it gets detected, and then suddenly I've lost that spreading mechanism or something. So if you're thinking of a service like VirusTotal, we're half right: it would be great if we had services where we could just show them
our RAT and it would give us the detection rate back, and VirusTotal does that. However, it also provides callbacks to the antivirus companies, so not ideal if I'm a malware author and I'm testing new types of crypting and I'm just sending my sample, crypted in various different ways, directly to the antivirus company; that's generally what we want to avoid. So what if we made our own service, and it did the same thing as VirusTotal, only it didn't send them back? Well, we're 12 years late. There are these antivirus scanning services, which essentially are tools which can be best described as mimicking the services VirusTotal provides but only running the antivirus tools in a sandbox, with no internet access, which stops them calling back to the original service, and they're used to determine how good my crypt is. And essentially this has happened quite a few times; one of the most recent, most notable cases was refud.me, started in 2011, ended in 2015, because it's still illegal even if you're not the person holding
the malware itself; if you enable and make money off hackers you're at best an accomplice and at worst a bit of a scumbag. So two charges under the Computer Misuse Act, and interestingly enough one charge of money laundering, because I guess that's what they care about, right, whether you're making money. So the NCA reported 1.2 million scans using the service in the time it was made available. So I mean, with a bit of room for error, that's 1.2 million scans, or around 1.2 million bits of malware which had been analysed, or differently crypted malware, which is quite a scale. And interestingly enough it was noticed by Trend Micro, because the service also offered URL, sorry, domain and IP reputation checking; so in the same service, because you paid for one, you also get reputation checking thrown in. And of course they noticed that there were reputation checks coming from this IP, not the actual antivirus callbacks, which clued them in to the fact that their products were being used maliciously. So
let's say I've crypted my software, I know it works, I know it's undetected. So how do I know if anyone will fall for it, right? Because how we spread malware changes as fast as human interests change, right? People might want to download a free Fortnite V-Bucks generator today, but they might not want it tomorrow, and I don't want to spend all my time searching on what the kids are doing these days. So of course I can go on HackForums again and find... I know that's tiny and I do apologise, but essentially it's various different guides and services for how to spread your malware, promising a range from hundreds-plus to thirty to fifty-five downloads per day. So I mean, instead of you figuring out "right, okay, how do I spread this and how do I make it enticing?", you just pay someone to do that for you, stick your executable on it and send it off, away you go. So upload sites go down, content sites get moderated, and of course the metrics for actual monetization
change. So for instance with the Steam trading, it used to be very much that if I scammed a knife off someone on Counter-Strike I'd be able to sell it no problem on multiple sites, but now to trade, Steam forces two-factor authentication, and it's moves like these which really stop remote access trojan authors and people who are trying to make money from this. It's essentially: as our security gets better, the opportunity gets lower, and the reward for opportunistic scams like this. So that's a lesson to take away from this, certainly.

And finally, something that people struggle with: OPSEC is essentially a universal problem for all black hats. No matter what you do it's not worth very much if you get caught, right? You're not a millionaire in prison, well, depending on where you live. But whether it's running Skype support accounts for their malware signed up to their own email address, or running a No-IP service off their home router, they're not very good at it. So how do
we 950 00:33:45,710 --> 00:33:51,770 actually know how do we how do they get 951 00:33:48,080 --> 00:33:53,270 better other I'm the I I hope they feel 952 00:33:51,770 --> 00:33:55,520 forever that I don't know how to get 953 00:33:53,270 --> 00:33:58,370 better other I don't I don't want them 954 00:33:55,520 --> 00:34:00,168 to know really as the people who make 955 00:33:58,370 --> 00:34:01,610 these not like just to be clear the 956 00:34:00,169 --> 00:34:03,520 people who make these malware and the 957 00:34:01,610 --> 00:34:06,439 people who support them three businesses 958 00:34:03,520 --> 00:34:08,330 which enable like which enable catch 959 00:34:06,440 --> 00:34:10,339 exfiltration or businesses which enable 960 00:34:08,330 --> 00:34:13,909 log less hosting or businesses which 961 00:34:10,339 --> 00:34:15,320 enable essentially like free like free 962 00:34:13,909 --> 00:34:17,629 EULA software which totally is in the 963 00:34:15,320 --> 00:34:18,500 malware like I mean they're all they're 964 00:34:17,629 --> 00:34:20,509 all cut from the same cloth 965 00:34:18,500 --> 00:34:22,909 they're all just enabling vulnerable 966 00:34:20,510 --> 00:34:25,089 people on online getting scammed and 967 00:34:22,909 --> 00:34:27,470 like a mess we do something about it 968 00:34:25,089 --> 00:34:30,918 nothing's really going to win is this 969 00:34:27,469 --> 00:34:32,118 being recorded it is right well I mean 970 00:34:30,918 --> 00:34:36,129 if you're if you're a block caught 971 00:34:32,119 --> 00:34:40,570 watching get a job seriously so moving 972 00:34:36,129 --> 00:34:44,600 roughly on.com it was developed in 2008 973 00:34:40,570 --> 00:34:48,350 until 2012 by dark cooler SC 974 00:34:44,600 --> 00:34:50,440 active still not arrested I I guess and 975 00:34:48,350 --> 00:34:52,489 had seventy thousand users added to peak 976 00:34:50,440 --> 00:34:53,810 but essentially he's quoted as saying 977 00:34:52,489 --> 00:34:55,100 that the whole development 
process of 978 00:34:53,810 --> 00:34:58,279 dark comment was just a challenge for 979 00:34:55,100 --> 00:34:59,630 myself and he had no issues developing 980 00:34:58,280 --> 00:35:00,890 and providing support for skids and what 981 00:34:59,630 --> 00:35:02,090 we going to go too much into the tech of 982 00:35:00,890 --> 00:35:02,990 the technical details which are common 983 00:35:02,090 --> 00:35:04,850 because we're really seen it was sub 984 00:35:02,990 --> 00:35:05,450 seven essentially programs are do get 985 00:35:04,850 --> 00:35:07,069 very Sammy 986 00:35:05,450 --> 00:35:09,169 so instead of going through each one 987 00:35:07,070 --> 00:35:11,780 individually although I'll provide run 988 00:35:09,170 --> 00:35:14,600 at the end so for four years do thousand 989 00:35:11,780 --> 00:35:17,120 Ania to actually you know for six years 990 00:35:14,600 --> 00:35:18,890 he be he provided support for this well 991 00:35:17,120 --> 00:35:20,540 for no problem the fact that it was 992 00:35:18,890 --> 00:35:21,859 being abused I guess I mean in writing 993 00:35:20,540 --> 00:35:24,650 had a problem but he also earn two 994 00:35:21,860 --> 00:35:27,230 thousand euros providing support for for 995 00:35:24,650 --> 00:35:28,370 for combat through the years so not 996 00:35:27,230 --> 00:35:30,590 enough of a problem did not take money 997 00:35:28,370 --> 00:35:35,870 off my desk and then suddenly and then 998 00:35:30,590 --> 00:35:37,670 2014 this happened so it is with deep 999 00:35:35,870 --> 00:35:39,920 regret that I'm here to announce the end 1000 00:35:37,670 --> 00:35:41,840 of project dark comic rat after over 1001 00:35:39,920 --> 00:35:45,020 four years in development hard work day 1002 00:35:41,840 --> 00:35:46,310 and night to offer you free at will with 1003 00:35:45,020 --> 00:35:48,440 the well to make communities 1004 00:35:46,310 --> 00:35:53,330 expectations of a program of type remote 1005 00:35:48,440 --> 00:35:55,940 administration 
till I have devoted years 1006 00:35:53,330 --> 00:35:57,590 with a nonprofit philosophy for you to 1007 00:35:55,940 --> 00:36:00,400 enjoy without asking anything in return 1008 00:35:57,590 --> 00:36:02,510 other than respect of the rules 1009 00:36:00,400 --> 00:36:04,070 unfortunately some of you couldn't 1010 00:36:02,510 --> 00:36:06,650 respect the terms so because of you 1011 00:36:04,070 --> 00:36:10,460 generally speaking mid dar common route 1012 00:36:06,650 --> 00:36:11,360 and so sad story involved just trying to 1013 00:36:10,460 --> 00:36:12,890 help people whether this remote 1014 00:36:11,360 --> 00:36:15,110 administration tool and a lot bunch of 1015 00:36:12,890 --> 00:36:16,940 bad people use the features built into 1016 00:36:15,110 --> 00:36:19,130 the program to in fact people's 1017 00:36:16,940 --> 00:36:22,010 computers let them knowing happens to 1018 00:36:19,130 --> 00:36:23,270 the best of us I guess so something 1019 00:36:22,010 --> 00:36:24,380 that's right at the end there and I've 1020 00:36:23,270 --> 00:36:25,880 highlighted at the talks and gets 1021 00:36:24,380 --> 00:36:27,920 important without mentioning what 1022 00:36:25,880 --> 00:36:32,420 happened in Syria and I guess that must 1023 00:36:27,920 --> 00:36:34,040 be French for oops a hostile dictator 1024 00:36:32,420 --> 00:36:35,090 government used my tool to target 1025 00:36:34,040 --> 00:36:36,560 journalists within the country and 1026 00:36:35,090 --> 00:36:38,360 disabled their computers and stop them 1027 00:36:36,560 --> 00:36:41,570 from telling people about what was 1028 00:36:38,360 --> 00:36:42,980 happening so I mean I thought I don't 1029 00:36:41,570 --> 00:36:45,740 know why closed either if anyone if 1030 00:36:42,980 --> 00:36:48,410 anyone knows do something I'm a rough at 1031 00:36:45,740 --> 00:36:49,459 the same time created in 2010 was black 1032 00:36:48,410 --> 00:36:52,359 shirts and black sheets it's quite 1033 00:36:49,460 --> 
00:36:56,120 famous here's how did that if anyone 1034 00:36:52,360 --> 00:36:57,400 okay cool and bloodless new info so 1035 00:36:56,120 --> 00:36:59,380 available for forty 1036 00:36:57,400 --> 00:37:02,110 I sighed I signed out forms and pay 1037 00:36:59,380 --> 00:37:06,160 someone $40 and I get a month of support 1038 00:37:02,110 --> 00:37:07,870 and this that's rap for and any future 1039 00:37:06,160 --> 00:37:09,549 updates it gets so essentially what 1040 00:37:07,870 --> 00:37:11,770 we're saying with advertising support 1041 00:37:09,550 --> 00:37:13,240 they are kind of going after the lowest 1042 00:37:11,770 --> 00:37:14,530 common denominator here they are selling 1043 00:37:13,240 --> 00:37:16,180 it there active these targets people 1044 00:37:14,530 --> 00:37:18,370 they don't know how to set up a remote 1045 00:37:16,180 --> 00:37:21,040 administration tool so I mean short of 1046 00:37:18,370 --> 00:37:22,569 them being you know the Red Hat of the 1047 00:37:21,040 --> 00:37:24,130 rap industry like this is it's very 1048 00:37:22,570 --> 00:37:26,050 clear who they want to use this program 1049 00:37:24,130 --> 00:37:30,570 and I'll give you a hint it's not 1050 00:37:26,050 --> 00:37:30,570 seasoned you know network administrators 1051 00:37:30,630 --> 00:37:36,820 but essentially came in three versions 1052 00:37:33,150 --> 00:37:39,010 blotches net which is made in VB and 1053 00:37:36,820 --> 00:37:40,740 lots and lots of features loathsome just 1054 00:37:39,010 --> 00:37:43,120 as only a sub seven if not more and 1055 00:37:40,740 --> 00:37:44,950 hardware ID locked so once you bought it 1056 00:37:43,120 --> 00:37:46,630 is like you couldn't use not licensed 1057 00:37:44,950 --> 00:37:49,299 anywhere else in an attempt to make more 1058 00:37:46,630 --> 00:37:51,160 money arson and black she'd stealth 1059 00:37:49,300 --> 00:37:52,960 which is made in Java a much smaller bug 1060 00:37:51,160 --> 00:37:55,029 featured and way way 
way less features 1061 00:37:52,960 --> 00:37:57,040 but essentially like basic remote access 1062 00:37:55,030 --> 00:37:58,990 features and all the communication was 1063 00:37:57,040 --> 00:38:00,850 encrypted so I guess if that was more 1064 00:37:58,990 --> 00:38:02,259 suited to your needs then go for that it 1065 00:38:00,850 --> 00:38:04,299 was also slightly cheaper I think but 1066 00:38:02,260 --> 00:38:08,050 let's have a look black kids and that 1067 00:38:04,300 --> 00:38:09,880 seemed save architecture the same 1068 00:38:08,050 --> 00:38:13,960 architecture as an app bus I mean and 1069 00:38:09,880 --> 00:38:15,580 this is like 12 years later so cold I 1070 00:38:13,960 --> 00:38:17,260 guess it was a you could either use a 1071 00:38:15,580 --> 00:38:20,290 web or application based or come on the 1072 00:38:17,260 --> 00:38:21,580 control framework for yourself and one 1073 00:38:20,290 --> 00:38:22,960 thing is interesting about I'd like to 1074 00:38:21,580 --> 00:38:25,120 note was a lot of routes at this time 1075 00:38:22,960 --> 00:38:28,630 calm included offered a customizable 1076 00:38:25,120 --> 00:38:30,509 payload creation so excuse me when 1077 00:38:28,630 --> 00:38:33,720 you're when you're making a server to 1078 00:38:30,510 --> 00:38:35,800 tip it on to one of your machines I hope 1079 00:38:33,720 --> 00:38:37,689 it gives you a whole bunch of options 1080 00:38:35,800 --> 00:38:39,910 like you could specify the IP connection 1081 00:38:37,690 --> 00:38:42,580 port the transport profiles you could 1082 00:38:39,910 --> 00:38:45,700 name the server you could tell you can 1083 00:38:42,580 --> 00:38:47,560 tell what found in and mutex so if 1084 00:38:45,700 --> 00:38:50,350 you're this important so if you're 1085 00:38:47,560 --> 00:38:52,180 sending a version of your route to your 1086 00:38:50,350 --> 00:38:54,370 big list of machines you're ready I'm 1087 00:38:52,180 --> 00:38:57,100 accessory you can put a new taxing and 
1088 00:38:54,370 --> 00:38:59,830 then if a binary if the same mutex is 1089 00:38:57,100 --> 00:39:02,319 already running then it won't run twice 1090 00:38:59,830 --> 00:39:04,569 and give you two versions of access to 1091 00:39:02,320 --> 00:39:06,040 the same machine so like that it's it's 1092 00:39:04,570 --> 00:39:08,290 clear that this was intended at some 1093 00:39:06,040 --> 00:39:09,759 stage for like bats usage like for the 1094 00:39:08,290 --> 00:39:10,910 control lots and lots of machines not 1095 00:39:09,760 --> 00:39:14,570 just like a few 1096 00:39:10,910 --> 00:39:16,700 on your estate so know the language 1097 00:39:14,570 --> 00:39:20,300 language used at the bottom there in 1098 00:39:16,700 --> 00:39:22,490 fact that's one GSB helps with spreading 1099 00:39:20,300 --> 00:39:25,580 as we know as we know what spreading is 1100 00:39:22,490 --> 00:39:27,259 that's kind of word like what we the 1101 00:39:25,580 --> 00:39:28,460 term we use and we describe like trying 1102 00:39:27,260 --> 00:39:30,740 to get your malware under someone else's 1103 00:39:28,460 --> 00:39:34,910 computers or a method so I'll strike two 1104 00:39:30,740 --> 00:39:39,470 and makes your server appear to be a 1105 00:39:34,910 --> 00:39:41,779 normal file strike three malware so one 1106 00:39:39,470 --> 00:39:43,549 - I like what Satori mentioned at the 1107 00:39:41,780 --> 00:39:45,470 end there they are clone file tool which 1108 00:39:43,550 --> 00:39:48,470 makes sure to look like a similar file 1109 00:39:45,470 --> 00:39:49,759 so here we have on the Left people the 1110 00:39:48,470 --> 00:39:53,480 back you have to take my word for it but 1111 00:39:49,760 --> 00:39:55,760 on the Left we have we have essentially 1112 00:39:53,480 --> 00:39:58,010 a normal notepad.exe and on the right we 1113 00:39:55,760 --> 00:39:59,600 have the fake no pot Exe and you can 1114 00:39:58,010 --> 00:40:02,240 replace the icon separately so it would 1115 00:39:59,600 --> 
00:40:03,589 look exactly like the normal notepad but 1116 00:40:02,240 --> 00:40:05,450 only it would just be 300 kilobytes 1117 00:40:03,590 --> 00:40:06,680 larger so like I don't know about you 1118 00:40:05,450 --> 00:40:08,950 but I wouldn't say that if it somewhere 1119 00:40:06,680 --> 00:40:10,790 managed to go on my computer you know so 1120 00:40:08,950 --> 00:40:12,319 I'm just like every other piece of 1121 00:40:10,790 --> 00:40:15,140 malware uses the registry it's 1122 00:40:12,320 --> 00:40:18,490 extensively to identify the payload to 1123 00:40:15,140 --> 00:40:21,259 ensure like persistence through reboot 1124 00:40:18,490 --> 00:40:22,700 to open up for open a new firewall rule 1125 00:40:21,260 --> 00:40:25,120 so it wouldn't pop up with something's 1126 00:40:22,700 --> 00:40:28,939 trying to connect but sort of stuff very 1127 00:40:25,120 --> 00:40:33,049 silent worked very well at the time or 1128 00:40:28,940 --> 00:40:34,250 so Akamai says so once let's say I in 1129 00:40:33,050 --> 00:40:35,720 fact someone successfully it makes the 1130 00:40:34,250 --> 00:40:37,220 firewall really connects right this is 1131 00:40:35,720 --> 00:40:39,259 what I'd see essentially what we're 1132 00:40:37,220 --> 00:40:42,439 looking at there's a big potential list 1133 00:40:39,260 --> 00:40:44,090 box full from full of server details and 1134 00:40:42,440 --> 00:40:46,730 we've got the options to ping quick 1135 00:40:44,090 --> 00:40:48,530 search map view resolve host name and 1136 00:40:46,730 --> 00:40:50,900 then the categories of surveillance 1137 00:40:48,530 --> 00:40:53,720 network system on miscellaneous so on 1138 00:40:50,900 --> 00:40:55,520 server as well and you can also there's 1139 00:40:53,720 --> 00:40:57,049 also chatroom I'm not sure if I allows 1140 00:40:55,520 --> 00:40:59,480 you to chat with the person on the other 1141 00:40:57,050 --> 00:41:03,110 side but that would be pretty creepy to 1142 00:40:59,480 --> 00:41:04,400 
me it enables persistence or it enables 1143 00:41:03,110 --> 00:41:07,490 you to access all of the events which 1144 00:41:04,400 --> 00:41:09,820 happen all of the click and keyboard 1145 00:41:07,490 --> 00:41:12,020 events which are using system-wide hooks 1146 00:41:09,820 --> 00:41:13,430 so anything that's typed on any 1147 00:41:12,020 --> 00:41:14,960 application you immediately get access 1148 00:41:13,430 --> 00:41:17,600 to and I assume I can botch it off and 1149 00:41:14,960 --> 00:41:20,750 send it to wherever you wanted and 1150 00:41:17,600 --> 00:41:22,540 looking a bit know I once identify yeah 1151 00:41:20,750 --> 00:41:25,600 so looking a bit and 1152 00:41:22,540 --> 00:41:27,340 the features so system essentially like 1153 00:41:25,600 --> 00:41:30,250 if we think back to necklaces features 1154 00:41:27,340 --> 00:41:32,020 exactly the same features so like I 1155 00:41:30,250 --> 00:41:34,120 think we're correct in saying the 1156 00:41:32,020 --> 00:41:35,650 necklace was the first but a full access 1157 00:41:34,120 --> 00:41:39,069 to the files for access the project 1158 00:41:35,650 --> 00:41:40,750 processes registry everything basically 1159 00:41:39,070 --> 00:41:42,700 and then these are these features at the 1160 00:41:40,750 --> 00:41:44,860 bottom were used to if you ever would 1161 00:41:42,700 --> 00:41:47,710 like let's say if I infected someone in 1162 00:41:44,860 --> 00:41:49,240 January and then by March the krypter I 1163 00:41:47,710 --> 00:41:50,620 used to close darling and I wasn't sure 1164 00:41:49,240 --> 00:41:52,600 if it was going to be valid for very 1165 00:41:50,620 --> 00:41:54,850 longer I could just crept a new file and 1166 00:41:52,600 --> 00:41:56,170 then send them to all of my existing 1167 00:41:54,850 --> 00:41:58,779 people had infected and then all of a 1168 00:41:56,170 --> 00:42:00,610 sudden my with limited downtime I mean 1169 00:41:58,780 --> 00:42:02,710 obviously the effectiveness of the 
stuff 1170 00:42:00,610 --> 00:42:05,560 varies but um what a limited time time 1171 00:42:02,710 --> 00:42:08,260 I'm essentially got a new got any 1172 00:42:05,560 --> 00:42:09,930 connection so that's cool and then 1173 00:42:08,260 --> 00:42:12,640 finally like every other legitimate 1174 00:42:09,930 --> 00:42:15,640 access tool we've got Steve Micawber a 1175 00:42:12,640 --> 00:42:19,420 fund manager spreading file hijacker 1176 00:42:15,640 --> 00:42:22,120 cookie manager and odd clicker so again 1177 00:42:19,420 --> 00:42:26,200 the more methods of more methods of 1178 00:42:22,120 --> 00:42:27,549 monetization therefore before obviously 1179 00:42:26,200 --> 00:42:29,319 people looking to make money out of 1180 00:42:27,550 --> 00:42:31,450 these machines is infected so everything 1181 00:42:29,320 --> 00:42:35,830 kind of pointing that being nada oh yeah 1182 00:42:31,450 --> 00:42:39,100 in his back so not really not really 1183 00:42:35,830 --> 00:42:41,549 gentleman at all and what could happen 1184 00:42:39,100 --> 00:42:44,770 such a great feel very very future risk 1185 00:42:41,550 --> 00:42:46,270 very feature-rich very unlike it were 1186 00:42:44,770 --> 00:42:46,690 very well people pay for that great 1187 00:42:46,270 --> 00:42:49,300 support 1188 00:42:46,690 --> 00:42:57,910 what could possibly possibly go wrong 1189 00:42:49,300 --> 00:43:00,760 next only the biggest malware take turn 1190 00:42:57,910 --> 00:43:03,160 off the time so far with I think there 1191 00:43:00,760 --> 00:43:04,960 was 50 raids in the u.s. 
90 in Europe or 1192 00:43:03,160 --> 00:43:06,790 Europol kid an idea I'm not sure what 1193 00:43:04,960 --> 00:43:09,400 their jurisdiction is but essentially 1194 00:43:06,790 --> 00:43:11,550 everyone who was anyone involved in the 1195 00:43:09,400 --> 00:43:16,600 core Blackshades industry got taken down 1196 00:43:11,550 --> 00:43:18,100 and why then that's my question why not 1197 00:43:16,600 --> 00:43:19,630 all of them are all the routes before 1198 00:43:18,100 --> 00:43:21,850 them well how to think about it and 1199 00:43:19,630 --> 00:43:23,980 write its life so starting in 2010 1200 00:43:21,850 --> 00:43:25,960 remember it was again used in Syria and 1201 00:43:23,980 --> 00:43:28,180 a great source to check out about the 1202 00:43:25,960 --> 00:43:30,430 use of like commercial malware tools and 1203 00:43:28,180 --> 00:43:32,529 then places like Syria citizen lab he 1204 00:43:30,430 --> 00:43:34,390 did great great work in that area by 1205 00:43:32,530 --> 00:43:35,690 keeping keeping us up-to-date with what 1206 00:43:34,390 --> 00:43:37,520 preference we're using so 1207 00:43:35,690 --> 00:43:42,250 like their tactics and seizures in Seoul 1208 00:43:37,520 --> 00:43:45,470 so forth and then in I think it was 20 1209 00:43:42,250 --> 00:43:47,480 only 12 may miss teen USA candidate was 1210 00:43:45,470 --> 00:43:49,549 um was infected with one of these rats 1211 00:43:47,480 --> 00:43:51,440 and it was actually a victim of 1212 00:43:49,550 --> 00:43:52,760 sextortion so essentially they took 1213 00:43:51,440 --> 00:43:54,380 compromising photos of her using the 1214 00:43:52,760 --> 00:43:56,300 webcam and demanded more otherwise 1215 00:43:54,380 --> 00:43:57,890 they'd release the photos she said no 1216 00:43:56,300 --> 00:44:00,770 one went to the media about it and the 1217 00:43:57,890 --> 00:44:02,060 he got arrested so he choked her but I 1218 00:44:00,770 --> 00:44:03,829 think the main thing that made back to 1219 00:44:02,060 
--> 00:44:05,210 it's different was that it was run not 1220 00:44:03,829 --> 00:44:07,130 only in conjunction with other black cup 1221 00:44:05,210 --> 00:44:10,819 businesses and that should be businesses 1222 00:44:07,130 --> 00:44:12,230 not business but you know that was also 1223 00:44:10,819 --> 00:44:15,740 a business and its own right like 1224 00:44:12,230 --> 00:44:17,000 between 2010 and April 2014 according to 1225 00:44:15,740 --> 00:44:18,379 justice sakarov they made over three 1226 00:44:17,000 --> 00:44:20,089 hundred and fifty thousand dollars with 1227 00:44:18,380 --> 00:44:22,579 the seals and like I know it's not much 1228 00:44:20,089 --> 00:44:23,839 over four years like I mean especially 1229 00:44:22,579 --> 00:44:26,420 when you know you go to jail at Leon fit 1230 00:44:23,839 --> 00:44:27,650 and fun it's like it's it's certainly a 1231 00:44:26,420 --> 00:44:30,349 significant amount and if we're talking 1232 00:44:27,650 --> 00:44:33,020 about like a industry which is 1233 00:44:30,349 --> 00:44:34,760 essentially kept afloat by children like 1234 00:44:33,020 --> 00:44:38,329 that's a significant amount of money 1235 00:44:34,760 --> 00:44:40,460 stolen you know so the list goes on 1236 00:44:38,329 --> 00:44:44,329 there's far too many more examples to 1237 00:44:40,460 --> 00:44:47,329 talk about so NJ rot is another another 1238 00:44:44,329 --> 00:44:49,369 notable example made in 2012 in Asia 1239 00:44:47,329 --> 00:44:52,670 loves it it's it's all over the place in 1240 00:44:49,369 --> 00:44:54,560 China and India and this neutral partly 1241 00:44:52,670 --> 00:44:56,450 because Microsoft took down four million 1242 00:44:54,560 --> 00:44:58,400 IP addresses related to the service in 1243 00:44:56,450 --> 00:45:00,560 new IP much essentially if I want to run 1244 00:44:58,400 --> 00:45:03,079 malware from my home computer because I 1245 00:45:00,560 --> 00:45:06,170 don't think much what I can do is I can 1246 00:45:03,079 
--> 00:45:08,390 get I can use a service like no IP which 1247 00:45:06,170 --> 00:45:10,970 will then attach my rigor to your demand 1248 00:45:08,390 --> 00:45:12,470 and then I can just access my my IP 1249 00:45:10,970 --> 00:45:14,839 through that domain rather than like 1250 00:45:12,470 --> 00:45:17,140 having to change the IP I'm using every 1251 00:45:14,839 --> 00:45:19,160 15 minutes so of course Microsoft once 1252 00:45:17,140 --> 00:45:21,470 there was there was a big spike in usage 1253 00:45:19,160 --> 00:45:23,089 and Microsoft reacted by taking four 1254 00:45:21,470 --> 00:45:25,759 million accounts or four million 1255 00:45:23,089 --> 00:45:28,759 addresses offline which is I mean all of 1256 00:45:25,760 --> 00:45:30,109 the software advocates immediately got 1257 00:45:28,760 --> 00:45:31,730 very up in arms about it and said well 1258 00:45:30,109 --> 00:45:32,619 it's it's awful the one company can do 1259 00:45:31,730 --> 00:45:35,349 that 1260 00:45:32,619 --> 00:45:38,589 I can use my malware anymore so that was 1261 00:45:35,349 --> 00:45:40,239 sad and then luminosity like made a lot 1262 00:45:38,589 --> 00:45:43,180 of money as well Colton grubs 1263 00:45:40,239 --> 00:45:45,519 his name was so he launched his malware 1264 00:45:43,180 --> 00:45:48,399 and then offered support by the name 1265 00:45:45,519 --> 00:45:50,288 under the name of KFC watermelon on hack 1266 00:45:48,400 --> 00:45:55,150 forms so you can tell it literal I think 1267 00:45:50,289 --> 00:45:57,670 it was literally 17 and he signed up for 1268 00:45:55,150 --> 00:46:00,489 his official platform Skype account at 1269 00:45:57,670 --> 00:46:04,390 Colton grubs gmail.com and got caught 1270 00:46:00,489 --> 00:46:06,099 Wow so that's essentially we're all 1271 00:46:04,390 --> 00:46:08,410 caught up so what do we learn from this 1272 00:46:06,099 --> 00:46:09,819 like a what now I know how a broad 1273 00:46:08,410 --> 00:46:12,249 industry propagated and how it 
started 1274 00:46:09,819 --> 00:46:14,199 and he supports it know why they did how 1275 00:46:12,249 --> 00:46:15,669 do we fight this right like hide away as 1276 00:46:14,199 --> 00:46:16,539 in preset professionals and students and 1277 00:46:15,670 --> 00:46:19,150 people who want to be part of the 1278 00:46:16,539 --> 00:46:21,339 industry how do we make the world safer 1279 00:46:19,150 --> 00:46:24,309 right so I mean what can go after the 1280 00:46:21,339 --> 00:46:25,180 profit motive but the journalist I don't 1281 00:46:24,309 --> 00:46:26,709 think that tells much because people 1282 00:46:25,180 --> 00:46:28,390 have things of value that's kind of 1283 00:46:26,709 --> 00:46:30,038 inherent otherwise we wouldn't have it 1284 00:46:28,390 --> 00:46:32,558 let's go I don't think that's 1285 00:46:30,039 --> 00:46:34,299 incentivizing I'd like I don't think 1286 00:46:32,559 --> 00:46:35,799 it's like no way this is a technical 1287 00:46:34,299 --> 00:46:37,900 problem first and foremost I feel like 1288 00:46:35,799 --> 00:46:40,179 any norms risks of Bagdad companies 1289 00:46:37,900 --> 00:46:41,559 versus tiny crypto authors I don't think 1290 00:46:40,179 --> 00:46:43,299 we're gonna win so I feel like if we 1291 00:46:41,559 --> 00:46:45,339 could try and disincentivizes it once as 1292 00:46:43,299 --> 00:46:46,749 possible so collaboration with law 1293 00:46:45,339 --> 00:46:47,949 enforcement from the likes of Trend 1294 00:46:46,749 --> 00:46:50,078 Micro and companies to bring these 1295 00:46:47,949 --> 00:46:52,660 people to justice and for making making 1296 00:46:50,079 --> 00:46:54,009 it very clear that if you're going to 1297 00:46:52,660 --> 00:46:55,509 have any success at all you will be 1298 00:46:54,009 --> 00:46:57,729 caught because I think the p.m. 
point 1299 00:46:55,509 --> 00:46:59,859 here is transferring that wealth from 1300 00:46:57,729 --> 00:47:02,109 prospective wealth online from control 1301 00:46:59,859 --> 00:47:04,660 of accounts into like real-world money 1302 00:47:02,109 --> 00:47:05,920 and you know food my god if we can make 1303 00:47:04,660 --> 00:47:07,538 that as difficult as possible I feel 1304 00:47:05,920 --> 00:47:11,140 like we can really strike at the heart 1305 00:47:07,539 --> 00:47:13,299 of this and stopping the hustle and NCAA 1306 00:47:11,140 --> 00:47:14,650 has started to prevent program recently 1307 00:47:13,299 --> 00:47:16,479 which is essentially in line with what 1308 00:47:14,650 --> 00:47:19,089 with the last point there we need to 1309 00:47:16,479 --> 00:47:20,979 stop people's first like because like 1310 00:47:19,089 --> 00:47:22,119 kids are broke like like you know the 1311 00:47:20,979 --> 00:47:24,428 valta computer they've got an internet 1312 00:47:22,119 --> 00:47:26,019 access can I have some money no final 1313 00:47:24,429 --> 00:47:28,839 ghost comes in for tonight's games you 1314 00:47:26,019 --> 00:47:30,519 know like it's I mean it's it's entirely 1315 00:47:28,839 --> 00:47:31,900 human nature because it's the path of 1316 00:47:30,519 --> 00:47:33,129 least resistance to making money and 1317 00:47:31,900 --> 00:47:36,009 feeling powerful a lot through the stuff 1318 00:47:33,130 --> 00:47:37,539 so we need to stop kids from having 1319 00:47:36,009 --> 00:47:39,160 their first exposure and information 1320 00:47:37,539 --> 00:47:41,819 security some very very talented kids 1321 00:47:39,160 --> 00:47:44,410 mind gee some of them a few of them and 1322 00:47:41,819 --> 00:47:46,140 like we need to stop them stop their 1323 00:47:44,410 --> 00:47:49,960 first 1324 00:47:46,140 --> 00:47:51,609 like interaction with solar first 1325 00:47:49,960 --> 00:47:56,349 interaction with this with this industry 1326 00:47:51,609 --> 00:47:58,869 being 
you know involving the law so yeah 1327 00:47:56,349 --> 00:48:00,970 so as this desk talked to a lot of 1328 00:47:58,869 --> 00:48:04,960 effort and the few I need to fight for 1329 00:48:00,970 --> 00:48:05,529 it Lloyd is here Rosie wave who cares 1330 00:48:04,960 --> 00:48:06,880 about the bike 1331 00:48:05,530 --> 00:48:08,020 Lloyd help me with a lot of the 1332 00:48:06,880 --> 00:48:09,849 technical details of it because as I 1333 00:48:08,020 --> 00:48:11,770 said I'm not more aware author I'm not a 1334 00:48:09,849 --> 00:48:13,599 malware user I don't know anything about 1335 00:48:11,770 --> 00:48:15,940 well I didn't know anything written any 1336 00:48:13,599 --> 00:48:17,680 of this and if you're like him some good 1337 00:48:15,940 --> 00:48:19,900 feeds to follow their malware hunter 1338 00:48:17,680 --> 00:48:21,180 team no I thought that got some help 1339 00:48:19,900 --> 00:48:22,990 from them as well they know a lot about 1340 00:48:21,180 --> 00:48:24,879 they've been here for a while they 1341 00:48:22,990 --> 00:48:26,859 didn't all about historical stuff and of 1342 00:48:24,880 --> 00:48:29,410 course the gold mine that is Brian Krebs 1343 00:48:26,859 --> 00:48:32,259 on crabs on security calm he covers a 1344 00:48:29,410 --> 00:48:33,788 lot of the sane and the people here 1345 00:48:32,260 --> 00:48:38,200 involved in it so I'll leave you with a 1346 00:48:33,789 --> 00:48:39,880 question why do we encourage more kids 1347 00:48:38,200 --> 00:48:44,410 with an interest in this kind of stuff 1348 00:48:39,880 --> 00:48:46,089 into InfoSec rather than blackhat stuff 1349 00:48:44,410 --> 00:48:48,490 which you know ruins our career prospect 1350 00:48:46,089 --> 00:48:50,740 and times their life and our losses all 1351 00:48:48,490 --> 00:48:53,430 so tweeted me and thank you very much 1352 00:48:50,740 --> 00:48:53,430 for taking the time to listen 1353 00:49:01,079 --> 00:49:10,960 are there any questions before just for 1354 
00:49:03,309 --> 00:49:12,099 a high like it makes up for the involved 1355 00:49:10,960 --> 00:49:14,650 in Syria no not particularly 1356 00:49:12,099 --> 00:49:16,509 but again like because of its 1357 00:49:14,650 --> 00:49:18,519 versatility and the kind of like the 1358 00:49:16,509 --> 00:49:20,710 kill chain of in faction like it's such 1359 00:49:18,519 --> 00:49:22,508 a versatile to old I'm very I'm certain 1360 00:49:20,710 --> 00:49:25,720 the yeah I guess you're talking about 1361 00:49:22,509 --> 00:49:28,119 Isis right yeah so I mean like I'm sure 1362 00:49:25,720 --> 00:49:30,868 they do but unfortunately like this is 1363 00:49:28,119 --> 00:49:33,930 so vast that yeah yes the answer is yes 1364 00:49:30,869 --> 00:49:37,550 hi any other questions 1365 00:49:33,930 --> 00:49:42,129 okay go well thank very much Chris 1366 00:49:37,550 --> 00:49:42,129 [Applause]