I would like to introduce, actually from your, from your, from the brochure, you'll find four people, but you'll find just two people here. Why, why are there just two people? Because one of the, one of the speakers, Birdman, his wife just had a baby girl, and also another speaker, PK, simply his girlfriend just went back to Taiwan. So for both of them, the reason they cannot come here is because of women. So, so it's a very happy moment, right? So anyway, this, this time Benson and I, we will take over two hours, but you know, we cannot spend two hours because we are not the style of reading the slides. If we go for some kind of reading slides, we will just not be on the stage. So we have some demonstration, okay? And also some tools for you to, to play with, okay? And some case studies to, to, for you to, to take a look, okay? Maybe, let's start.

First of all, I'm Anthony, he's Benson Wu, then also our, our research friends, Jeremy, Jeremy Chiu is Birdman, he's, he is Birdman, and also another independent security researcher, PK. Okay, we need to have a disclaimer, there's no national secrets here. Okay? We welcome spies, secret service, intelligence for instructions. Thank you, thank you, thank you. No, no any Taiwanese spy or Chinese spy, Russian spy, no? No? No? Raise your hand, no? I give, I give a cake, okay? A pony, okay? Okay, there's a cake for you then, okay? Thank you very much, thank you. Adios, doctor.

Advertisement time. It's always, you've got a movie, you have advertisement units, right? Okay, I need to advertise the CHROOT group members. Actually in Taiwan it is a very famous security and hacking group. It started from 2004, and focuses on security and hacking studies, and it is just a sponsor, or just a supporting organization this year for Black Hat USA 2011. And also, they had two speakers speaking two days ago, about exploitation of documents, malicious documents.
Also, there's a, and the conference is the Hacks in Taiwan conference, that is a larger scale hacking conference in Taiwan. Actually talks, war game and food, come on, come here, right? Even I'm from Hong Kong, man. But it's good, I go there for, I went there two times, but the atmosphere, professionalism, everything is good, and got some kind of English interpretation. It happens every July, okay? And there's a link for you for reference.

My own group, founded since 2009, actually I founded this group because I'm inspired by DEF CON, because DEF CON is really a cool conference with contests, with many talks, and with many people to meet up, you know, and also with drinks. So that's a really good conference, I could say it's an international conference. So I went back to Hong Kong and then held a group to organize more hacking, security research studies. And we have just published some papers like Facebook forensics, and kinds of web security feng shui from Macau and Hong Kong, you know feng shui? Do you know feng shui? Okay, move feng shui. Or put a stone in the door, something like, it makes you wealthy, something like that. Okay, don't chase it, I don't know. And also there's a case study about, I investigated a case about the loss of money for the bank's children, because the title is million dollars loss in a minute. So just feel free to visit outside them. And also I want to promote Val Smith because he partnered with me and Colin Ames last year to give this kind of talk about the China-made malware, thank you very much, and they have a blog at attackresearch.com, then I suppose it's a very insightful blog. That's enough Anthony, right? That's done, okay.

Last year, Val Smith, Colin Ames and I worked together analyzing China-made malware. We would like this year to continue this effort. This year then we dealt with many targeted attacks. Actually, Benson, Birdman and PK come from Taiwan, for me, I come from Hong Kong.
In Hong Kong, there are also some kinds of targeted attack, not just Taiwan, okay. We are not alone, man. Taiwan is also the major, and Hong Kong is also the major being the target, being attacked. Then we would like to be happy to present here, and we were selected in the first round at DEF CON, but we were rejected at Black Hat. Their reason is we are curious about your automatic analysis. Any, we will come to you both in Black Hat from here? Because Jeff told me there's a 400 and 500 we will board members, okay. I give the kick to him. Okay. Just a lazy kick. And reference talk is TT, and also Lenaker presented just two days ago about reference of targeted attack, more than document exploit techniques, and also the next session is Mario's about Sneaky PDF. So it is more than just like a collection. So I would like you to have kind of put it all together to a different focus, okay.

Oh, introduce myself. Myself, you call me Anthony, or you call me darkfloyd, because it's just a kind of handle, and I work on code audit, penetration test, crime investigation, and being a consultant, anything, and teaching something, teaching like in the Polytechnic University in Hong Kong, and spoke last year, and being guest instructor in the technical exploitation in the Black Hat USA course. Yeah, I leave Benson to introduce himself.

Yeah, my name is Benson. Birdman and then PK and I, we are all from Taiwan, and we are from the same lab called Xecure Lab. Well, the truth that they couldn't come actually is because it's really expensive to come over to Las Vegas. It costs us like, you know, more than 2,000 bucks just for the air flight. So, well, we can only afford one of us to come over. And we studied a lot about APT since starting this year. Before that, we actually did a lot of commercial products, but then we feel that APT is so serious that we want to really focus on APT starting this year.
So, beginning this year, you will see more and more stuff that we will develop, and then we would like to share with the community. So, the tool that we cannot disclose here is freely available online. And if you guys receive any sample that you think is from an APT group, then you can just scan it online. It's totally free. I also would like to mention that I'm from an academic background, and even though I have some diploma before, that doesn't stop me from being hacked. I remember that when I was in university doing my master's and my friends in the national security agency told me that, hey, Benson, I found one of your computers in the enemy's C&C servers. And I was really surprised because I thought that I could protect my machine well. So, that actually taught me a lesson that a diploma doesn't give you anything when it's on the cyber warfare. So, I really feel that, well, you have to equip yourself with some hands-on when it's about cyber warfare. That's why later on we ended up doing a lot of commercial products and then a lot of research on these kinds of stuff, rather than simply publishing papers.

Okay. Thank you, Benson. Actually, he has only introduced himself with his academic background, okay. But he is very good at, we will work out for Xecure Lab in Taiwan, between Hong Kong and Taiwan, would like to contribute this kind of research and service. But, man, you can't see his face. He's always like that. Not really strange. I don't know how he can get this kind of hat, but anyway. He has very much expertise in the Win32 and in-spec platforms on the Windows programming. He is the first one in Taiwan to spread, not he spread it out, but he produced a kind of Trojan, bird spy, and then it was being manipulated by other people and spread out, spread out in the wild. And Taiwan, Taiwanese police caught it up, catching up, and after a while then the police said, okay, I will release you then, okay. The idea is please help us for investigation in the future.
So, three members, three employees, that's good. Do the forensics, assist some kinds of digital forensics and an investigation, incident response. He's good for rootkit, better design. He's a good man, okay. Even if he's doing kinds of a lot of evil design, he does a lot of training, okay. PK, he is from law enforcement and also he is an independent security researcher. He's also good at system programming, Windows programming, forensics and he has developed a software called NPA scan. NPA is kind of a police force in Taiwan, so it could be downloadable from the Taiwan police website. But I know for some kinds of reason, some people target this software for attack, but he's a very nice, very expert reverse engineer and system programmer.

Okay, start our agenda. I'm sorry then, I spent five to ten minutes about the introduction then. APT stuff is, actually I don't know where the term comes from, but it is easy for people to say it is a targeted attack, but every attack, targeting a person may be quite advanced. But it's specialized targeting for a specific company, organization, and also it's organized, from a group, organized attack parties. Other than providing the case studies, I would like to present and analyze APT from malicious email documents throughout our automatic analysis, okay. And later on, Benson will present about the DNA clustering of different APT task forces. For example, you have some triad societies like 14K, different triad society parties, then it is the same idea with these different APT task forces here. We have observed there are three major types of the targeted attack email, for example, the phishing emails, you get a username, ID, and password, and also when you could get an email with some malicious script, when you open some emails, maybe it executes some malicious script, or even some documents, and then you will be deployed the malware and become a botnet and contact the C&C server for further compromise. This is what we have observed.
The table is damn small here, but anyway, but we have got a difference here. This pen is very powerful, okay. You can hear, right? Right. This column, APT botnet activities, this column is traditional botnet activities, actually for distribution, for the APT, or I talk about, for example, APT botnet activities, more organized run, and also not causing any damage. If they damage your machine, they have no games to play, right? And of course, target for a specific group, and also for a particular company. And the effective duration of the attack group is very long, for long duration. And the frequency, many times, because they would like to launch it from different perspectives, maybe the same dropper, but in different email formats. Their reference is more than necessary days, and some drop in the embedded malware. And finally, the detection rate in the anti-virus software is less than 10%. Okay.

The exciting part is coming. Case studies against a political party in Hong Kong. Okay. Recalling from Mr. X, he always wakes me up at 6 o'clock. I don't know why he wakes me up at 6 o'clock for calling me for help like that. Okay. Mr. X is one of the key persons. Key persons from a political party, it's like a democracy party. He got an email, he feels suspicious about the attachment called meeting.zip, and also minutes.zip something. And it contains two files, one is the agenda.doc, and also minutes.doc. And why he feels suspicious is because he just had the meeting, yes, before he received the email. And he got this document, I mean, it's very, this is a coincidence. So it looks like a member meeting agenda, however, it targets all the committee's members in the meeting. And Mr. X also said he got this kind of emails before 4th of June, 1st of July, and before any Legislative Council member election. You know, 4th of June is kind of the Tiananmen incident. And 1st of July is kind of the day we returned, Hong Kong returned to China. So it's very, very irregular.
Instead of some October because those guys may be on vacation, on holidays, so they did not launch any targeted attack because they need to go on vacation as well. Okay. So I ran a very brief analysis in our Xecure analyzer engine, but actually it is not a document, it's a PE file. Okay. And also it's a dropper file. And it creates the minutes.doc. And it's a document shocker file. And which is to execute the agenda.doc. Okay. This is our engine, one of the screenshots. Then you will find that from the startup folder, okay, I point here, startup folder, once you execute, it creates another file, i.e. iecheck.exe. And then afterwards, it generates the code, generates the DLL MSVCR. It looks like a very legitimate DLL file, but it isn't, right? And injects into the explorer.exe for, for kinds of injection, DLL injection. Then it connects to different C&C servers here.

So let me show you. Yeah. Because of time, there's no time limitation because, yeah. Then you'll find it here. This is our agenda file. And it's a DLL MSVCR. Okay. I want to zoom it because I'm quite sure you can't see it in the back. And it's a doc. And I have submitted this, yeah, from Hong Kong. The C&C server is from Hong Kong. Hong Kong, other than a shopping center, is also a C&C heaven. Okay. Yeah. Come to Hong Kong. Okay. Deploy the C&C server. And then you will find a report here. Okay. That's what I captured in my slide. But anyway, here is what we have shown and analyzed. Because if every time you need to put up the VM and get the analysis, then it's a very boring job, right? Every time you put up a VM, every time you run the executable for every sample, I don't think it's fun, right? So we do it on the automatic analysis. Have you seen it? Yeah, thank you. But it's not our core dish, or main dish, okay? But just like that. How long? How long, maybe just 30 seconds to one minute? It's not bad, then? Then go for a couple of those, then back, then the results come up. Okay.
Back to the slide. Well, here it is quite very silent. Yesterday, in my hotel room, there was a lot of rock music underground, and the woman shouts, man shouts over the night, then it's amazing. I don't know. Shouts from the other rooms. I can't sleep, actually. So analyze our analysis, the C&C location. You'll find it from Hong Kong. And the port is 8080. Actually, the case is still alive. The C&C server is still here. So I'm not allowed to here because we are writing a paper, then we'll submit to the forensics and some conference and malware conference, then before the law enforcement just joins in to interfere with our result.

Some traditional intelligence of analyzed malware, like the capture batch, what files are created, what files are deleted, right? And also, like, what can't, yeah, it's possible, what I've told you about our analyzer, what files are added by the system after the malware executed. And you can prove it. And also, like, IPsec step.DAT is added to the Explorer.exe for kind of encryption for the IPsec channel back to the C&C server. Okay, some files added. I don't go through it, but I would like to see that later. They simply generated the MSVCR, but the file is not like that. It should be MSCVR, right? If the file is naturally made and it's approved by Microsoft, it's signed by Microsoft, the name is quite confusing. And different files are added here. So, afterwards, the agenda doc doc is deleted. We have got some analysis.

Okay, it targets QQ. Anyone have QQ? Anyone have QQ? Anyone? No one? I would like to give up the cake. No QQ, okay. But if you go to China, if you need to make friends in China, you need a QQ, okay? The first thing is like the ICQ, like the instant messenger. You need a QQ. And QQ can do anything, including remote control software, okay? They have some capability to remote control a computer. And also, it could also capture some screens or send messages, send files, yeah.
And many Trojan writers focus and take over, take advantage of the functions of the QQ. And also, Foxmail, Foxmail is also like here, Foxmail, it's also like a Chinese mail service. Of course, we have our good friend, Messenger, yeah, Messenger is also our good friend to attack, target. So, also then it's proof of the injection to the explorer.exe. Not a surprise, but I would like to see. DLL, you know this Chinese word, it's a kind of DLL injection failure. It's written in Chinese. That's good. They make the programmers give the comment. Give a comment to say the DLL injection failed in Chinese. I like it. I like the comments. Well, documentation. And also, as you say, you find it, I got, right, here is the explorer.exe, but besides, there's his brother, svchost. Why? When I analyzed the sample, I couldn't find any injection to the svchost. I will tell you later.

Okay, the agenda.doc is nothing special. It's just a dropper, okay, it creates iecheck.exe, copies the files, ws2help.pnf, to the application data folder, changes the last stat.exe and generates the msvcr.dll, malicious DLL, and injects it to the explorer.exe. And there it creates a new thread. It's very strange, you know, they will create new threads, but it's common for a software to create different threads, different threads when running programs. And of course, some traditional checking, like check whether they have Kaspersky or have any law 32, I don't want to show here, but target the QQ, MSN, Sina, Foxmail, and Hotmail. And also, they use XOR encoding only. They don't use a very complicated encoding or encryption scheme, because if you do some very complicated encoding scheme, it will most likely be detected by the IPS or some detached by the IPS or network detection monitoring. Let me check. It's here, but you know, it's quite difficult, you know, I'm here, the screen is there, but it tends to point here, but anyway, show it like to, wait, I'm sorry, something that is encoded.
This XOR is here, the XOR, wow, you need to have a telescope. Have you got a telescope? Actually, DEF CON should supply it, I know. Then there's an encode here, then looping, looping, or looping. And then you'll find the words are decoded here. Actually, every time they send out the traffic, they will encode the traffic, and once they receive it, they will decode it. They don't, they don't do any complicated encryption. Okay, once we have done the, we know, in fact throughout the scheme, then we find out they get the host name and also the OS type and the patch level, then there should be more information sent to the C&C server. And also, this is what, we are, this is the most humble day, most humble of my day, because of the day, because you know, we find that .bmp files are compressed in a .cab file under the application folder. However, we are still in screen capture via Wireshark, but it is captured by the, by the software and sent back to the C&C server. So this is the, this is the screenshot. We are doing the saving of the network, using Wireshark, but it's sent back to the C&C server. Damn it. Okay, taking into the tiger's mode.

Okay, some, more than that's like, if you do the analysis, most likely you just analyze the dropper, right? You go to the like different, ThreatExpert or whatever, different online sandboxes, they just analyze the dropper files, and they will not carry out further analysis. So we carried out further analysis and tried to install the QQ, MSN and see what's going on. And we find that more binaries have been downloaded to the Windows debug folder. And also, the malware creates more files in the Windows debug data folders as well. But those files, after those files are executed, they will be moved shortly. Okay? And also they send back to the C&C server in a different compressed format. So we find it, those C&C servers send an instruction to the victim machine to compress the files and send them back to the C&C server.
This is also quite interesting, the traffic sequence number, this is set by the C&C server. If you have been infected before, and you would like to try it out, to analyze, then the binaries will not be downloaded again. But it is not surprising, but they have the sequence number to control. So we need to change the registry to break out of that sequence number. It is set in the registry. So it is quite tricky. And also they have put those files in the CAB compressed file, but they put the DLL files, different DLL files, and compressed them in CAB files. However, after we decompress the CAB file, we got different SAM system information from the victim machines, from those DLL files.

Okay, let's see like that. We find this. This, like a drive file in the doc.cab file, they capture everything, all your files, the path, and also this. Yeah, this password. Donald Tsang is not our member, he's just the chief executive of Hong Kong. Okay, we just take him as a fake email address, okay? Then it's better, right? So you find it, they have put it in this kind of text format without encryption. After carrying out the dynamic analysis, we got three more binaries, we got it. With these three more binaries, one is responsible for collecting all the hard disk drives, this is fvcwin32.exe, and creates the file drive under C, Windows debug, you have just seen it before, right? And also another file called svavcwin32.exe, after executing some of our short period of time, it is renamed as svcwin32.exe afterwards, and it puts all of the data to capture all the connected email accounts' passwords, like the files I showed you, and sends information, system information to the app data, temp directory, and also the Windows debug data directory under C drive, then. And also one more, one more binary is acwin32.exe, which captures the screenshot every 1,000 milliseconds.
The injected ms, it should be vcr.dll, keeps on monitoring the C drive Windows directory, this debug directory, if there are any files there, they will send them out. So this is the summary, this is the summary then. Actually, it targets the political party in Hong Kong, and the C&C server is in Hong Kong, but this China-made APT is, I could claim, this case is a long-advanced persistent threat. Why? Not very advanced, because it contains some old baked routines. Win95, Win98, the programmers simply just add the new features. Maybe the boss asked him, okay, add one more feature for Windows 7, okay, add one more routine. The old routines are just left behind, just left aside, okay? And also there's a, the dropper is the same as another sample. I've got a .chm sample, and then the dropper is the same.

Oh, I forgot to show you something, like in my, here. It's my first time, not first time, it's very rare to open IDA on Mac, and also I have not renewed the license, yeah, it expired. But anyway, then you'll always use IDA in the Windows environment. This DLL is the, is the MSC, MSCVR.DLL, then we could find it. It packs the file as cab. I need to use this one. Put it at the cab file. Yep, and also it's very interesting. They put some different extension, like .v2. You never know what .v2 is. Another interesting stuff is the, not cap screen, but connect password. Can you shut it off? This one. Gap password, for example, the Gap MSN, Messenger MSN password, also for Outlook password. Yeah, they're quite good for collecting different passwords from different software. So if you want to jump from IP APT, simple log, try to use this one, this software, but you can't do that, right? And yep, to do a password. And also, let me check something very interesting, yep, this is called a password. And one more is the, like the cap screen. I need to show it because it used some old damn screen capture routine in Visual Basic.
So that's the reason why I say this is not really, really advanced. Sorry then, I need to be here. Here, right? Create some, CreateDCs. I think it's traditional, but it's very old. Some kinds of capture the screen or write the bitmap stuff. It's already very old. Okay, so that's the reason I already showed you about that. Okay, let's continue.

And the agenda doc, the doc doc is just packed with UPX, XOR is used instead of some complicated encryption. Then download a payload in different stages. The most important is they use some unpopular file extension, like K2.v2, you never know. And I suppose the IPS or IDS, they don't recognize this kind of weird format, right? And they simply built in, like depend on the built-in libraries. And I find that they use the proper sequence set up by the C&C server to manage the rhythm. This is the, we could conclude, I have got two samples and I find that their droppers are the same. You'll find here, this is the agenda doc, this other one is another executable from my collected sample, the doc CHM sample. You find it, they're here the same, except this fork. Okay, so I suppose they will just use the same droppers for different teams or even the same team.

This is the timeline. My fellow Vantu has drafted it. Actually the green one is the sample, the doc CHM sample, the red one, oh sorry, the red one is the agenda doc I present here, the case. We find that the PE build time of the doc CHM sample and then we could find the agenda doc, the build time is nearly the same, near, is around the time, it's April, between April and July. And we find that also the phishing mails and also the phishing mails received and the build time, the MAC time and also report time, it's around the time, around the same, near that period in July, between July and June and July. This is my doc CHM.
So we think this is from the same dropper, same generator and also Mutex is, the Mutex name is also useful to identify the APT sample or version and this case analysis simply supplements the Tracking GhostNet reports and also the median report because they do some high level, just describe the process, but we do the reverse engineering and the further analysis, then it's much better, we give more details to you. And afterwards as a malware analyst we will find that, do we need to analyze 10,000 samples from the single task force? It's too time consuming. Can you go back to the office and say, boss, I got a sample, I need to close the door for three days and analyze the sample like that? I suppose you should be fired, right? Three days to analyze it? No, you should know how to respond, what's the characteristic, right? And also do you think about whether you get a sample and you think that you are already a target? No, then this is kind of traditional thinking or international before because when we receive the malware we don't think it's targeted or not.

And case two is calling Mr. X again, he's very free and always checking email and always gets this kind of targeted attack but I want to help. And there's another file named official reporter list from the Legislative Council news. These are official emails. This is the party extension. Then the Chinese is very official. The format is crafted and the most important thing is, if you trust Gmail, you suck, okay? No problem. This is the name, it is kind of official reporter list of the Legislative Council, so you will open it. However, I need to analyze it, right? Because he wakes me up at 6 o'clock, he needs to treat me drinks or dinner, okay? And also then I need to say grass mud horse then. Do you know these two cute, these two horses? Don't know? Anyone knows? Oh, you know it? Yeah, okay, get it. But don't speak it to the, to the Chinese, okay? Okay, oh no, just come here. Yeah, because I can't throw it.
Yeah, okay. These two lovely animals is a, this is kind of a motherfucker, okay? Okay, but it's blocked on the China Internet because they use the grass mud horse instead, okay, in Chinese and also English, okay? I also threw this kind of doll last year. You could go back to my video.

And after the analysis, we do the DNA analysis. This is what we want to do. I find the samples, the Excel samples, I upload to our engine called APT Disser. We find that these samples, they belong here. You find this is an evil central, evil circle. Very evil, you know? If you find you're targeted by this evil circle, please take care. Extremely, extreme care, okay? This is from China, okay? This is also from China, okay? But these samples are from here. We group the cluster from here and the different colors mean different years, different kinds of year of exploit, of the build time years, okay? The detailed analysis will be from Benson. It will be much more cool. This is the old version. Then we got the exploit name, the build time and the group C, yeah. And this is the analysis. You, you see that before? I don't want to, to take over it. This is about the group, the APT group, it's about, it's the dropper. Always the dropper. Analyze the dropper first and then inject the DLL. Inject the DLL to the, inject the EXE to the, no, DLL to the EXE, explorer.exe. And this is the location of the C&C servers. 28.5% of C&C servers are located in China for this sample, for this group. In Hong Kong, as I said, I always support Hong Kong as a C&C central center in Asia. So, they got 28.57%. Okay. In Canada, it's not bad. They are on the front page. So, we will soon, we will soon give you more about the analysis, about our DNA clustering.

For peace or warfare, plan one. For peace, I would like to, put thousands of points images as a cab file and put it in the debug folder and show my sincere, nice, peaceful mind to the C&C writer or the, or the secrets on the task force, task force leader.
You know, I'm a very, very nice man. Okay. Okay. To enjoy the points and find me funny. This is what's the most important thing. Fight back. Okay. Set up a C&C server, portray a malware pack, putting malicious PDF, document, Excel in the cab file and they must open it. You, they must open it, right? They will wait for it, right? To see what's going on. It could be fun, exciting, but I've not tried yet. So, we have the poem from Chinese. Cooking beans on a fire, kingdom of beans, beanstalk. The beans weep in the pot, originally born from the self-same roots, why so eager to torture each other? You know, we can't do the same against them, but we would like to see what could help to analyze and to see what we could help to this community, community. Special thanks to my reverse experts, Wantu and DDL, who analyzed these samples for me and here, Wantu is a very old guy, but he is very passionate about the reverse engineering and analysis of samples and writes a detailed paper, then please stay tuned. I will publish it and let you know. Okay, Benson, your turn.

I prefer to use here. Yeah, I'm sorry then. I just left out without taking care about it. Okay, my part will be another 30 minutes. As you can see, Anthony is so, his personality is so aggressive and I'm kind of the opposite. That's why when we work as a team it's so fun to work together. Most of the time, Anthony enjoys doing a lot of manual analysis over these malwares and actually in Taiwan, lots of researchers, we have been receiving tons of malwares every day and then we do a lot of this manual work on a daily basis, but this is really time consuming. As you can see, malwares are now in mass production, so if you are doing this manually, then you are definitely falling behind. So this is why we really want to come over to automatic systems so that we can easily classify whether this is made by automatic tools or it's actually made by human beings, APT groups.
They are only being used once and then thrown away. They will never show up again. If that's the case, then how can we go beyond these situations and then try to understand who is behind these samples? So we want to automate all these processes rather than doing this manually. And you guys might recall this slogan, well, this is not ghost in the browser. Well, Google says ghost in the browser, so they are good at ghost in the browser but not ghost in the network. And this is what we think. APT is actually ghost in the network. Once they get into your network, they try to stay there. So they are not like, you know, fast in and fast out. They actually try to get into your network and then they try to stick there and then they never want to get out. So they try to stay inside, hide and seek, and then try to steal everything they can steal and then try to escalate the privilege until they can steal more sensitive, more confidential data. In Chinese, that's how we write it, Wang Duli the Gui.

The term was first defined by the U.S. Air Force. They call it advanced persistent threats, which we think is very appropriate because by being advanced, it's actually relative compared to the victims. So it's not necessary that I have to use the most non-passed zero-day exploit in order to invade your system. As long as I know that you haven't patched these exploits, then I can invade you successfully. So this advanced is more or less in a relative manner. Well, being persistent means that I'm really determined because I'm being supported, I'm being funded. In order to invade your network, it's actually part of my year projects. I really have to get into an air world. Otherwise, I will be, I will not accomplish my missions. So that's how determined I will be. So all these victims, victims, we can see that oftentimes they are, they always have good security controls, they have a good sense of security and all these employees, they actually have good eyes.
You know, they know how to see errors in the spelling, errors in these social engineering emails, but still they get APT-attacked, and successfully, because there's really no way you can get away when you are being targeted by these APT task forces, because they are so determined and the emails are written so well that they look exactly like they are from a genuine person. That's why you see Google being targeted as well, and then many more. The reason we mention Stuxnet is because, in order to launch Stuxnet successfully, they actually attacked several industries, several companies in the science park in Taiwan in order to get a certificate, so that they can sign these drivers, and once they get these drivers, they sign this malware, so that when people get attacked, Windows will not alert when they install this malware. And also Comodo: they invaded Comodo to get all these certificates. So later on, when we actually get these APT emails, a lot of these APT emails are digitally signed and also verified by Comodo. So well, for these companies, they never want to be the headlines in these kinds of situations, and of course everyone knows this. And this chart is actually from McKinsey. They actually analyzed a lot of data from IDC and also the Bureau of Labor Statistics. This chart is telling you that a lot of these large enterprises own lots of data, so much data that they never knew they had this amount of data. For example, large enterprises typically own more than a terabyte of data, so that's hundreds and thousands of enterprises in the States, and in fact also hundreds of companies own more than a terabyte. So you have so much data that is so juicy, these hackers just want to target you and then try to see how they can do APT on you. So if you have too much data, then you have to protect it well, otherwise a situation like Sony would happen again.
So these are some samples that we share here, what we receive in Taiwan, and this is from real cases. For example, a lot of professors in school receive these on an annual basis, for example these kinds of call for papers and also acceptance notifications from people pretending to be from the National Science Council, sending the malicious PDF to them, and this is from a genuine email account, but that PDF contains malware inside that couldn't be identified by any antivirus tools on the market, because definitely these APT task forces would do QA before they release these phishing emails. So it's really hard to teach these professors how to get away from these targeted emails, because there's definitely no way they can get away with their good eyes, because those are very genuine emails. And also these attackers will send you invitations asking you to give a speech, asking you to give a talk, and these people are also real people, some professors that really exist, and again you couldn't find all these malicious documents with existing antivirus tools. And these are the statistics numbers that we are receiving on a daily basis in Taiwan: roughly 20,000 suspicious emails are sent to GOV.tw per day, and then out of these, every month about 4,000 to 500 APT emails, and these couldn't be identified by any antivirus on the market. So we can say that every month we can collect this amount of samples.

So this is our research motivation. In the past we saw these APT incidents happen again and again. This really implies that we need better security controls, because this is out of control. Existing tools don't help. That's why incidents happen again and again. So we have to turn the table around, otherwise it's always the attacker in the dark and the victims in the light, and we have no idea who is attacking us. And then people are also saying that APT is a new term but an old problem, and yet inevitable.
Then that's really a very ironic situation, because if it's an old problem then we ought to have a way to counter it, but then it seems so inevitable that we couldn't do anything about it. So we are thinking that actually we have so many security controls right now, but none of these are designed to fight against APT issues. And also, because APT is highly targeted, it's very hard to collect these samples the way we collect our viral samples. Right now viral samples are collected through a honeypot or honeynet, but these APT samples will never reach all the honeynets that you deploy. So the only way you get APT is either through intelligence exchange or by really deploying some devices on these classified personnel's email boxes; otherwise you would never get these APT samples. So there is a Chinese saying that we must first sharpen our tools, otherwise you wouldn't see the attacks going on. So our research direction is that we want to analyze these samples so that we can see the groups behind them. In the past it was always: receive the viral samples, determine whether it's malicious or not, and that's it. We never tried to see who was behind these viral samples. So we stop at determining whether it's malicious or not, and that's really a pity. And then from these APT samples we also want to see if we can find out what their plan is. So what's the correlation between these samples? Probably we can associate all these APT samples, seeing that oh, they are actually all targeting this particular group. So we can probably come up with their year plan, who they are targeting. And also, from a single one-off attack we also want to see the trend, because by seeing the trend you can see how advanced these APT task forces are. You can see what kind of weapons they have been using, because the weapons they use, they have to spend money to buy. So you can see how well they are funded, and also you can see how persistent they are.
How many years they have been in this cyberspace and how active they are. Sometimes you see them being so active maybe for one year, but then they stay very silent for another year, and then all of a sudden become so active this year. So you can see all these trends very easily if you have automated tools. But if you only have one antivirus on your hand, then you can only see one-off attacks, one at a time. So we try to do digital forensics on all these APT samples, and these are some of the attributes we try to get from these samples, just to name a few: for example, malware features, what exploits are being used. So usually we associate these exploits with CVE numbers, so that you know exactly what CVE exploits are being used; and also the C&C networks that are being leveraged, because these C&C networks usually imply the stations that they deploy in different countries; and also the emails, who they are targeting, who they are pretending to be, and what's the content inside the emails; and also the victim's background; and also the time of attack. Usually the time of attack matters, because they try to do social engineering, so for example when they send the meeting notes, the meeting notes will be associated with, will be very close to, the meeting time, so the time of attack also matters.

And how are we different from malware studies in the past? Studies in the past have an assumption that all the information they analyze is 100% accurate. For example, if they do signature-based detection, they do exact match. So if the pattern doesn't match the signature, then they will say it's not malicious; that's how antivirus does it. And for behavior-based profiling, if your behavior doesn't match the profile they did, then they will say you are not exhibiting malicious behavior.
And if you are not exhibiting your malicious behavior in a sandbox environment, or you pretend not to exhibit the malicious behaviors, then they cannot profile your behaviors at all. So they have an assumption that they can see through you and observe the exact behavior you are exhibiting. But what we see is that malware doesn't behave that way, because it is usually packed, usually encrypted, and designed in a way that it doesn't want to be analyzed easily. So you have to tolerate some errors inside, and that's why some of the theories that we use allow some errors and allow some information to be lost. For example, we use some rough set theory. So rough set theory is almost like the opposite of fuzzy. And then we also use data mining, so that we can easily associate all these different attributes, and we also use clustering, so that later on you can see how we cluster all these different APT groups, etc. So we use a lot of mathematics to help us analyze our data. And then of course we not only use a static approach; in cases where the static approach doesn't work, we also use a dynamic approach. Our background comes from the dynamic approach, so we know very well how to observe malware in a sandbox environment. We know very well how to trigger it in a dynamic environment, but we know that it's very time consuming, and you cannot replicate, you cannot replay the required parameters to trigger it. So the dynamic approach is really the last action that we will do, and so we will apply a static approach first.
So it's multiple layers of technology that we will apply. And some challenges for dynamic analysis: for example, they will do encryption, they will do anti-sandbox, they will do dormant functionalities, so they will not exhibit the behavior; they will sleep; they will detect if there are mouse movements; or they will even try to communicate with the external networks, and if they couldn't communicate with the C&C server, then they will not do anything. So in those cases you definitely have to do static analysis. And then on the static analysis part, we actually also implement lots of parsers, lots of static analyzers on our end, so we try to analyze all these PE codes, all these shellcodes, and all these known packers. So we implement all this well-known stuff, and then we do the static analysis part by ourselves. Later on you can see the demo: our performance for analyzing one APT sample using one computer is like five seconds to seven seconds, and then we can finish the analysis. And the middle part is the data we can extract from these malware samples. You can see that if we can identify what exploit is being used, we will give you the name, for example the CVE number; and then what shellcodes are being identified; and then what kind of C&C network is being used; and also are there any suspicious structures, so we will also walk through the suspicious file structures; and then we will also try to locate any known malware that is being used, so for example the PE and also these code snippets; and then if we try to run it in a dynamic environment, we'll also try to say that, well, when it's executed, where it would hook in the runtime environment, what registry key it will try to modify, and then if you are compromised, how you can try to remediate yourself. And then once we extract all this data from the samples, we will try to normalize it into APT attributes, because now we will try to do the clustering, so we'll do
the normalization first. And then this screenshot is actually to share the beauty of extracting all this stuff from the binaries. Of course we can easily get all these binaries doing it manually, but with a system we can get this data very easily. And some of the interesting stuff we get from these binary strings is a new trend like this. Anyone used Plurk before? Plurk is very famous in Asia, but I think Twitter is more famous here in the States. Can you guys make a guess what these are, what this person is talking about here? This is definitely not a human language, right? This one is encrypted, but we actually found all these conversations from the APT samples that we analyzed. We noticed that from all these APT samples, they tend to communicate with Plurk; so if it's in the US case, they would tend to communicate with Twitter, and then they would communicate with different Twitter accounts, but they speak a similar language, a language that we couldn't understand, but a language that they all encrypted with the same key, and if you decrypt the text you will find out that it's actually C&C info. So they started not to put the C&C information inside the sample; they put the C&C information on these web applications, websites, so that they can easily get it through port 80, and then they can easily redirect all these partners' activities easily.

Once we get all this normalized data, we do the clustering, and when we do the clustering, all the mathematics methodology helps us, for example, to pick up the important attributes. Before we apply rough sets, all these attributes are of equal significance, but then after we apply rough sets, rough sets will tell us that, for example, malware type is more significant than exploit type, and C&C server is even more significant than the other attributes, and what the coefficients should be. So we get a very nice formula for these attributes, and then based on these nice formulas we come up with a good
clustering of these APT task forces based on the samples, and then we call that a fingerprint for these APT task forces. So they distribute so many APT samples to all these victims, but they have no idea that they are also disclosing their fingerprints. So to make a common basis when comparing all this data, we actually use common samples: we use the samples from Mila, it's public data, the Contagio dump, so there are about 242 APT samples. So if you guys are interested, you can also download it from Mila's website; that's the sample set that we use. And we also compare our detection rate with antivirus, but before we mention the detection rate, let's see how the antivirus perform when they are scanning against these viral samples collected from honeypots. As I mentioned earlier, APT samples seldom reach these honeypots; these are all made from automatic tools. So as you can see, all these antivirus perform very satisfactorily, right? Almost like 100%, 99-something, and this is from Shadowserver; they update these on a monthly basis. But then when it's applied to APT samples, antivirus really doesn't work well, because they never get the signatures easily from these honeypots they deploy, so these samples hardly enter their laboratory, so usually the time when they get the signatures takes much longer than usual. So this data is what we tested two weeks ago. As you can see, most of the vendors fail to qualify more than 60%, and the one that we're going to share with you online, the APT Deezer that you can try online, and it's freely available, this one has a detection rate of more than 94.6. And of course it's not only on Mila samples; once we announced this, so many people began to upload their APT samples as well, and you can see the graph becomes bigger and bigger. The community really contributes a lot, and then the overall APT task force graph becomes much larger than the original 200-something. So this is the clustering result after we analyzed all
these samples. We actually can see the task force behind these samples. If you only analyze these samples individually, you have no idea which groups are behind these samples, but then when we use all the methodology that we mentioned, we actually can see that there is one group that is very big, which we call group A. Of course we also have the geographical location, but it's too sensitive, so we don't mention it here. So you see group A, which is huge, and then you also see a second small one, group B, and then you see group C. So we will take the top three here and give you more detailed data. And the different colors here mean when these APT emails or these APT samples were collected or hit the victims, so you can see their active time. For example, look at group A: you see that most of their active time is last year, 2010, and then for this year they only have a few. This is based on the Mila sample, so it's 242, but later on you will see that after the community submits lots of samples, the graph changes dramatically; you see new groups coming up. So these are the top three. So for group A, you see they actually leverage C&C servers like 23, and these are the weapons they have been using repeatedly; some are pretty new, for example this one, this one is the one that has been used to attack RSA. And then this one is group two and this one is group three, and if you know the market price for all these exploits, then you can see how well they are funded. And these are the C&C servers they try to abuse, and you can see the countries are like Taiwan, US, Hong Kong, so these three dominate more than 50. So I would say that the reason Taiwan is abused a lot is because the bandwidth in Taiwan is very stable and reliable, and geographically it is very close in Asia. And also Hong Kong: Anthony mentioned Hong Kong, they respect your privacy so much that when you do something evil they don't even try to disclose your privacy when you host a machine at an ISP. So
and then more than that, you can also see the attack graph for every malware that is being used, so you can see what happened when you double-clicked the attachment, and you can also see what happened when you got infected, and even the bot commands that are involved inside these APT groups, and these bot commands are very helpful in identifying the APT task force as well. And if we only look at APT group A alone, you can see that group A highly relies on C&C servers in Taiwan. So if we look at the three groups together, Taiwan is only like, you know, 20% to 30%, but if you look at group A only, more than 50%, like 50% of their C&C are located in Taiwan. And this one is interesting: this one is group E, and this one we also identify is actually from Korea. The reason that we can identify this is from the language, the language they actually compile it with. And then the interesting part is that all the samples that we receive from these are signed by a Comodo certificate, and when we submit them to VirusTotal, only one antivirus can detect that, so it's a very low-profile APT attack. So later on I will do a demo of the system, so that you can have a feel for what you can expect when you do it online, and also something that we are still working on.

So from the Mila sample set we can easily identify the major task forces behind these samples. So the more samples you submit, the more easily you can identify how many different groups are actually behind all these samples, and then you can easily identify how many weapons have been purchased, how many different exploits they have been using, repeatedly utilized. And then one interesting thing is that they keep on changing the exploits they use, but the embedded malware tends to stay the same. So inside these exploits is the malware they use, what we call remote administration tools; they tend to use the same RAT tools, so this embedded malware is limited to a few. So for example in the States, probably Poison Ivy will
be a very famous one. And then we also found out, with these APT samples, we actually extract hundreds of attributes, but among these attributes the very significant ones are C&C servers and malware used, and the less significant one is the exploit type, even though APT task forces will use dozens of different exploit types. And if we look at the language used in these APT samples, one thing that we can say is that like one fourth of the samples are from China, and then some samples are from Korea, and we also have samples from Russia and France. And if you look at what C&C servers are being abused, the top ones will be Taiwan, US and then Hong Kong. And this one is readily available online, where you guys can try it: when you upload a binary, it will give you a graph, and it will also tell you whether it's an APT file or not, or it's only a normal virus. So if it's only a normal virus, then it will not put you into the graph, so this graph will only draw an APT task force graph. And in this case you see that gradually we see more and more APT emails being signed by a Comodo certificate, so you see emails have been digitally signed and then verified. And this is from a very new group; previously we mentioned that green color indicates it's this year, so this group started being very active from this year, and they don't exist in the Mila sample; they just showed up after the community started to submit their APT samples.

And then so I will demo this one here. So this one is also an APT email, sent from someone I would trust, because it's sent from an academic institution, and basically it's saying greetings, something, and there's also a PDF. As you can see, Google doesn't alert me that it's a virus email, and also when I save this on my computer, Microsoft Security Essentials also doesn't alert me. But then this is the APT Deezer that you guys can try; I then can upload this one. Okay, it says that your sample is of APT grade, so it's a good
quality, meaning that it's not a normal virus sample, and then it's from group A. So it not only tells you that it's malicious (remember that when we try to open it inside Google, Google doesn't tell us it's malicious, and also our antivirus tool doesn't tell us it's malicious), so this free tool first tells us it's malicious, and it also tells us that we are being targeted by the biggest APT task force. So since we are part of their plan, they will never give up until they are successful. And as you can see, this graph is much, much bigger compared to my previous slides, because the more the community contributes, the bigger the graph will be. And then what we are still developing is that we try to put this together with a dashboard, so that you can see a more holistic view to see the trend, and we also try to associate it with Google Maps, which is very fun. For example, we try to see Taipei, and later on we try to make it together with Street View, so probably you can see a hacker sitting there on the street, yeah, real time. And this is something the US can do easily, right, because you guys got a satellite. Okay, yeah, pretty cool, right? Actually, if you begin a C&C or deploy a C&C, you're located.

Actually it's my honor to work with Benson, Birdman and PK from Secure Lab to give this research like that. Actually for me, you know, as Benson said, every time we do the manual analysis it's quite very time consuming, and even from the same generator we can't expect what the task force behind it is. We need to identify the evil behind it, you know, otherwise every day you just take a routine job to analyze, and it's meaningless. We need to escalate the analysis one more level up, so you can make your strategic plan on how to respond to incidents and how to make the controls, instead of just buying different boxes, firewalls, IPS, and saying you have done the control. This is not our
story in the future. Oh yeah, actually I simply get a PowerPoint, yeah, I have not used the Windows environment for many years. Oh, final words, then. Actually, you could reach us at www.secure-lab.com, and we keep collecting samples and enhancing the capability to analyze and observe the APT DNA family in a more accurate manner. This is what we want to do. Deep technical analysis of the sample is still needed, right, but it's helpful to DNA footprint analysis; it's an incremental effort we want to make, and we will publish our follow-up message at the DEF CON speaker corner, and together we make the homeland secured. And also special thanks to our members, and also to Benson, PK and also Birdman and other fellows in the Secure Lab teams, and CHROOT group members and VXRL members, and our family and fellows. This is our email address, and also our broadcast, and one more thing is perhaps we will broadcast members. Are you convinced yet? Thank you.
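The talk describes a pipeline: extract attributes from each sample (exploit, C&C server, embedded malware, language, year), normalize them, weight the attributes (C&C server most significant, then malware type, then exploit type), cluster the samples into task-force groups, and then assign a newly uploaded sample to a group and show each group's active years. The block below is an added illustration of that pipeline in Python; it is not Secure Lab's code and not the APT Deezer implementation. The attribute weights, the linkage threshold and the single-linkage clustering are assumptions that mirror the ordering the speakers state, not the coefficients their rough-set step produced, and every sample value (CVE labels, C&C hosts, RAT names) is a constructed placeholder rather than a real indicator.

```python
"""Weighted-attribute clustering of normalized APT sample records.

Added example, not Secure Lab's code. Weights and threshold are assumed;
all sample values below are constructed placeholders, not real indicators.
"""
from collections import Counter, defaultdict

# Constructed records: one normalized attribute set per analyzed sample.
SAMPLES = [
    {"id": "s1", "exploit": "CVE-PLACEHOLDER-1", "cnc": "cnc-a.example",  "malware": "RAT-X", "lang": "zh-CN", "year": 2010},
    {"id": "s2", "exploit": "CVE-PLACEHOLDER-2", "cnc": "cnc-a.example",  "malware": "RAT-X", "lang": "zh-CN", "year": 2010},
    {"id": "s3", "exploit": "CVE-PLACEHOLDER-3", "cnc": "cnc-a.example",  "malware": "RAT-X", "lang": "zh-CN", "year": 2011},
    {"id": "s4", "exploit": "CVE-PLACEHOLDER-3", "cnc": "cnc-a2.example", "malware": "RAT-X", "lang": "zh-CN", "year": 2011},
    {"id": "s5", "exploit": "CVE-PLACEHOLDER-1", "cnc": "cnc-b.example",  "malware": "RAT-Y", "lang": "zh-CN", "year": 2010},
    {"id": "s6", "exploit": "CVE-PLACEHOLDER-3", "cnc": "cnc-b.example",  "malware": "RAT-Y", "lang": "zh-CN", "year": 2011},
    {"id": "s7", "exploit": "CVE-PLACEHOLDER-2", "cnc": "cnc-c.example",  "malware": "RAT-Z", "lang": "ko-KR", "year": 2011},
]

# Assumed weights (integers keep comparisons exact). The threshold is chosen
# so that a shared C&C server alone links two samples, while a sample whose
# C&C differs must share malware, exploit and language to be linked.
WEIGHTS = {"cnc": 50, "malware": 30, "exploit": 15, "lang": 5}
THRESHOLD = 50


def similarity(a, b):
    """Weighted count of the attributes two samples have in common."""
    return sum(w for k, w in WEIGHTS.items() if a[k] == b[k])


def cluster(samples, threshold=THRESHOLD):
    """Single-linkage clustering with union-find: any pair whose similarity
    reaches the threshold ends up in the same group. Returns {label: ids},
    largest group first, labelled A, B, C, ... like the talk's groups."""
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, a in enumerate(samples):
        for b in samples[i + 1:]:
            if similarity(a, b) >= threshold:
                parent[find(a["id"])] = find(b["id"])

    members = defaultdict(list)
    for s in samples:
        members[find(s["id"])].append(s["id"])
    ordered = sorted(members.values(), key=lambda ids: (-len(ids), min(ids)))
    return {chr(ord("A") + n): sorted(ids) for n, ids in enumerate(ordered)}


def profile(samples, groups):
    """Per-group fingerprint: C&C servers, exploits, malware, activity by year."""
    by_id = {s["id"]: s for s in samples}
    out = {}
    for label, ids in groups.items():
        rows = [by_id[i] for i in ids]
        out[label] = {
            "cnc": sorted({r["cnc"] for r in rows}),
            "exploits": sorted({r["exploit"] for r in rows}),
            "malware": sorted({r["malware"] for r in rows}),
            "years": dict(Counter(r["year"] for r in rows)),
        }
    return out


def classify(sample, samples, groups, threshold=THRESHOLD):
    """Assign a newly submitted sample to the group holding its most similar
    known sample, or None when nothing reaches the threshold (i.e. it does
    not join any known task-force graph)."""
    by_id = {s["id"]: s for s in samples}
    best_label, best_score = None, 0
    for label, ids in groups.items():
        score = max(similarity(sample, by_id[i]) for i in ids)
        if score > best_score:
            best_label, best_score = label, score
    return best_label if best_score >= threshold else None


if __name__ == "__main__":
    groups = cluster(SAMPLES)
    for label, fp in profile(SAMPLES, groups).items():
        print(label, groups[label], fp)
```

Running the block prints group A with four samples (three sharing one C&C server plus one pulled in by a shared RAT and exploit), group B with two, and group C with the single Korean-language sample; `classify` then places an unseen sample that talks to `cnc-a.example` into group A even though its exploit and RAT are new, which is the "exploits change, infrastructure and malware persist" observation the speakers make.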