Good morning. My name is Leonard Bailey. I'm from the Department of Justice. I'm not sure how I feel about having stormtroopers be my lead-in, but you know that's the way it works as government. So the office I come from works on, well, whenever there's information stolen, a computer broken into, we work with the FBI, the Secret Service, or other investigators to try to figure out what happened. When I was here thinking about like what would I come to Roots and talk about, what I thought might be interesting was talking to you about how we work with computer security researchers to take down robot armies. And I'll explain to you what I mean by robot armies in a moment. So to start off with, this is a talk about botnets. I don't know how many of you have heard of botnets. Okay? Certainly the adults have, okay? So if you haven't, the term botnets is actually a combination of the term robot network, right? So this is an army of computers that have been taken over kind of secretly and turned into what I would call a robot army. How does that happen? Let me show you. So there are a lot of ways of compromising a computer so that you can create a botnet. But I'm going to talk specifically this morning about phishing. So often this starts with an email. You get an email and it has malware in it, something you click, or it has a link that will take you to a site and your computer will be compromised there. Now, once compromised, what happens? Well, the malware will do something interesting if it's working as a worm. It'll start scanning, trying to find other computers that it can also compromise. Now, this is what it looks like on a graphic level. Let me show you what the code kind of looks like. So I've taken some of the code from something very old. It's the Slammer worm. Those of us who were around in 2003 will remember Slammer. Slammer was a pretty awesome worm that did a lot of damage very quickly and yet it was only 376 bytes long.
So the first step was really kind of sneaking into a system. It would basically send a command where the receiving computer assumed that it was receiving a certain type of data. It was going to get the name of a database that was supposed to be only 16 characters long, or bytes long. Instead, what it sent was over, well, actually 376 characters, but over the limit that this computer could really use and was expecting. And so after it got past this 128 character mark, the rest of this data was dumped into the stack. That is the place where the computer looks to figure out what am I going to do next? And it is actually reprogramming the computer to do something that it was not intended to do. So after that, it starts targeting other computers. So it starts generating IP addresses. IP addresses are kind of identifiers for computers and it's trying to identify what am I going to compromise next? And it'll do this in a variety of different ways. Slammer actually used the amount of time it took for this process to run. It took that number and then it turned it into an IP address and generated more and more and more of these. Now once it generated a list of targets, it then replicated itself, copied its code, and then sent itself out again. So this is what it looked like on the code level. On a more simplistic level, it looked kind of like this. You have a compromised computer that's just searching for others on a network that it could also take control of. And once it does, once you have this whole network of computers, what happens next? Well, usually there is this other computer that's called a command and control server. Think of it as the brain of this entire army. And what will happen is this whole network of computers that now has this code running secretly in it will dial in to the command and control server and say, what do you want us to do? So the person who engineered this whole scheme will send commands. And there are a few things that this botnet army might do.
Well, one, it might be told, hey, send me all of the passwords that come across your networks and all the credit card numbers. And so whoever is running this whole network will have that information and use it to buy things, commit fraud, other types of things like that. It may also tell the network to start sending out spam because the person who's running this may get paid to send out spam and so this is profitable to him. Or, and this is probably the most destructive thing it could do, it could launch what we call a denial of service attack. So this would mean this computer network is now going to start dumping a whole bunch of communications out and target, let's say, a specific computer. And that computer won't be able to process all that information and it will be knocked offline. Now, to understand this, building a botnet is in fact illegal and launching these attacks is illegal. We've prosecuted a few people in the last couple of years for doing this. These botnets can range in size tremendously. Some of them are really, really big. So here's an example of a few. Conficker, 10.5 million computers, right? Mariposa, 12 million computers, Bredolab which is considered the largest that we know of, 30 million computers that were compromised. But the size of the computer is not itself an indicator of the harm that it could do. And we learned this just this last year with something called the Mirai botnet. So Mirai was very interesting. It wasn't a particularly big botnet. It focused on IoT devices, Internet of Things devices. There's a village here. I imagine a lot of you have seen the IoT devices. Unfortunately, one thing we've learned about IoT lately is that a lot of them are very poorly secured. And for that reason, someone developed a botnet to target them. And it focused on things like IP cameras, DVRs, routers, and it collected them. Now it only had to take several, well, tens of thousands of compromised computers. Now we're talking about millions before.
So this is far fewer than those larger botnets we saw. And even so, it did something pretty amazing, or pretty awful. It launched a denial of service attack on October 21st, 2016. Now one of the things about this denial of service attack is one of the things that was in the way of this attack was a company called Dyn. Now I'm guessing that none of you have ever heard of Dyn. I have to admit I hadn't heard of Dyn before October 21st. It turns out Dyn has an important role. Dyn provides DNS service, domain name system service, for various companies. Now the DNS system is sort of the lookup system, the phone book, the contact list for various spots on the internet. And in this case, Dyn provided services to some very, very big companies. So Twitter, Spotify, Netflix, PayPal, CNN, all of these high traffic sites were in the way of this Dyn attack. So what do you think happened when this hit Dyn? Any guesses? Yes. That's right. It actually wiped Dyn out for part of a day. The result of which was all of these businesses that were connected to it were inaccessible for that day, resulting in, according to them, tens of millions of dollars of damage to each company. So this was the largest DoS attack that we think we've seen online in terms of the amount of packets that were being sent. So how does this tie back to what happens here? So, and by the way, there's no clip art for FBI, so we had to create this. So we actually come to this community in various capacities. People think of this perhaps coming and asking questions about things that have happened in the past. More recently, we actually are coming to the community with malware. And we're asking for help. And we're asking for help because people in this community have skills that we actually don't. And we are hoping that they will help us out with what we're doing. And generally, frequently, the answer is actually, sure, we'll take a look at what you've got and we'll see if we can provide you some assistance.
Now, what do we get from this? Well, sometimes we learn the type of malware that's involved. And we may not know that without having experts take a look at it. Other times, we may learn something like maybe who the author of the malware was, giving us some hints about who may have caused this problem. We may also go and we may learn the location of those command and control servers. Remember, I was talking about the brain of the botnet. If we know where that is, we can go there and we can take that offline and take control of the botnet. Or we may learn what we call countermeasures. These are things that we could do to counteract the effects of the botnet. Now, obviously, malware analysis doesn't really look like this. Let me give you a quick example of what that might look like. So, for example, here, this is data that was in it that told us a bit about the botnet. What did it tell us? Well, you can't see it very well, but those two boxes are words in Russian. So, what we learned from that was there was some nexus to Russia. Now, this doesn't mean that Russia was responsible. It could mean that there are parts of malware that were taken and used here that were Russian in origin. But it tells us something that we might be able to use going forward. Location of the command and control servers. Here, for example, the code identifies a domain name, which is where the botnet was looking for its information. So, what we knew is we could go to whoever actually hosted this domain, we could take control of that, and we could do something to the botnet. And what might we do? So, if you wanted to stop a botnet, is there, what command might you issue to the botnet to make it stop? Self-destruct? Pretty close. So, what we learned from the malware analysis was that in the code of this botnet, this was for Coreflood, if you issued a sleep command to the botnet, it went dormant. So, it was a little bit like Star Trek, the Borg, which none of you actually really remember, probably.
But for us old folks, it's just like that. A sleep command made the whole thing go dormant, and that was helpful. To close out, let me say this. What you're doing here is great. I think tearing down and putting back together, you know, code, equipment, things of that sort, it's how you learn. I had a father who was, I call him a destroyer-selfer. He would tend to take things apart when they broke to see if he could fix them. Often we couldn't fix them, but we learned something about them, you know, in the course of doing that. It's an important thing, but I do want to give a shout out specifically to Roots, which is, you also have this honor code. And let me tell you, it's very well written. And if you do what you do, and you, you know, follow this code, you will learn a lot, you'll make the world a better place, and you'll do it in a way that won't injure anyone or harm any property. So, with that, I have time for any questions anyone has. Yes, sir. I believe the question was if the malware was so smart it actually took over all the computers, what would ultimately be the result? Fortunately, one thing that we have found, and this has been with the help of people in the community, is there has always been something that didn't quite work perfectly. Thank goodness, because we always had a way of stopping it. In other instances, what we learned was we couldn't, I mean, again, in Star Trek, there was this thing called the Borg, which was a collective of, okay, you knew this. Okay, so each generation of the Borg, which were kind of these automated bio machines, would adapt and become better. And that's exactly what's happened with botnets. Every time we've taken one down, the next generation has adapted to prevent that. But fortunately, each time we found that, for example, you know, they became something that actually didn't use command and control servers. They didn't need a brain anymore.
They just talked to each other without us having a central node to take out. What we learned was we had to find a way of injecting into the network some sort of command that would redirect them to a central node where we could take control of it. So this is where breaking down the code, understanding what it means has been very, very helpful and very important. Any other questions? Great. Well, thank you very much. Appreciate your time. Thank you to Roots.
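The defect the speaker walks through for Slammer, a receiver that expects a short database name but copies whatever arrives into a fixed stack buffer, is the classic length-check failure. The following is an added example written for this page, not code from the talk or from any real server: a constructed receiver in C that shows the unchecked copy beside a length-validated handler. The 16-byte name limit and the 376-byte packet size come from the talk; the packet contents, function names and the handler's log line are assumptions made here, and the oversized packet is just a run of 'A' bytes, not worm code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a receiver that expects a database name of at most
 * NAME_MAX bytes in each incoming packet, as in the talk (the field was
 * "supposed to be only 16 characters long"). */
#define NAME_MAX 16
#define SLAMMER_PACKET_LEN 376   /* packet size the talk gives for the worm */

/* 'Before' form, the defect the talk describes: the name is copied into a
 * fixed stack buffer with no length check.  Any input longer than the buffer
 * runs past it and overwrites neighbouring stack data, including the saved
 * return address, which is how the worm redirected what ran next.  Kept only
 * for comparison; it is never called with oversized input in this file. */
static void parse_name_unchecked(const char *packet)
{
    char name[NAME_MAX + 1];
    strcpy(name, packet);   /* no bound on the copy */
    printf("opening database '%s'\n", name);
}

/* 'After' form: the length of the incoming field is validated against the
 * destination buffer before any byte is copied.  Returns true and fills
 * 'out' on success; returns false (and copies nothing) on bad input. */
static bool parse_name_checked(const unsigned char *packet, size_t len,
                               char *out, size_t out_size)
{
    if (len == 0 || len > NAME_MAX || len >= out_size)
        return false;
    memcpy(out, packet, len);
    out[len] = '\0';
    return true;
}

/* Packet handler a defender would deploy: returns 1 = accepted, 0 = rejected.
 * A rejected packet is exactly the kind of event worth logging and alerting
 * on, since a legitimate client never sends an oversized name field. */
int handle_packet(const unsigned char *packet, size_t len)
{
    char name[NAME_MAX + 1];
    if (!parse_name_checked(packet, len, name, sizeof name)) {
        fprintf(stderr, "rejected: name field of %zu bytes exceeds %d\n",
                len, NAME_MAX);
        return 0;
    }
    printf("opening database '%s'\n", name);
    return 1;
}

/* Builds a constructed 376-byte packet (all 'A', no real worm bytes) and
 * feeds it to the checked handler.  Returns the handler's verdict, 0. */
int demo_oversized_packet(void)
{
    unsigned char packet[SLAMMER_PACKET_LEN];
    memset(packet, 'A', sizeof packet);
    return handle_packet(packet, sizeof packet);
}

int main(void)
{
    parse_name_unchecked("orders");                      /* short, expected input */
    handle_packet((const unsigned char *)"orders", 6);   /* accepted */
    demo_oversized_packet();                             /* rejected and logged */
    return 0;
}
```

The point of the checked version is that the length decision is made before the copy, against the real size of the destination, and that a rejection produces a log line; the same oversized-field condition is what a network or host sensor would key on to spot a worm like this probing a service.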