 Hey, how's it going? All right. So disclaimer, we're not going to be talking about any government or state secrets here, so if that's what you came for, you'll be disappointed. All right, I'm Val Smith. I run attack research. I've been involved with the Metasploit project for a while. I mostly work on researching attack techniques that different people use as well as pen testing and all the normal stuff. I've done a few talks before about malware, about data mining, various things like this. My co-speakers, which may or may not show up, are Colin Ames. He works for me at Attack Research, really, really smart guy, and Anthony Lai, a guy that we brought over from Hong Kong to help with this talk. He does penetration testing as well as reverse engineering and malware. He runs a company called VXRL in Hong Kong, also a very smart guy, and a lot of experience with the Chinese hacking community. He's actually relatively close, so he may be here. So we gave basically this talk at Black Hat, and so I wanted to throw in here a little bit of note for any media that may be in the room, just based on some articles that came out after our talk. This is sort of a summary of really what we're trying to say, our core message for this talk. What we're trying to say is that China has the same problems with malware and hacking that we do, and that every other country pretty much does, and that we feel that Chinese security research is really valuable, and they follow our research, but we're not really following their so much, and there's a lot we could learn from it. They come out with a lot of zero days and other things that we shouldn't be missing. Finally, we think it would be valuable to start collaboration between the hacking community here in the United States and the one over there to sort of understand the cultural differences as well as the different types of techniques that are going on and help avert misunderstandings, because there's a lot of rumor and things in the media that aren't necessarily based on fact. So that's what we said at Black Hat. This is what the media prints based on what we said. Malware openly available in China, well, yeah, obviously it's openly available everywhere, but specifically calling out China's kind of crappy. They also say that the message of our talk was that they're rapidly emerging as a hot spot for criminal hacking activity. Well, the internet's a hot spot for criminal hacking activity. There's really no need to try to build drama into this, because there is none. Everybody is dealing with hacking, security issues, all of these things. So if you're in the media and you want to talk to us about what we're talking about, that would be cool, but just printing things to make a lot of drama doesn't make much sense. And yeah, that's the article. All right, so we're going to be taking a look at China's hacking community, talking about who the players are, the similarities between what they do and what we do as well as the differences. And then we're going to take a look at some funny, interesting things we found in Chinese malware. Based on what we hear in the media, China is having great success in there, you know, breaking into computers and coming out with new tools in zero days. So we kind of want to understand why this is or if it is. All right, so our basic philosophy is to understand what's going on, not to assume, you know, just based on what we hear. So we've been gathering facts and data, collecting tools, exploit generators, malware, talking to actual people over there that do things and trying to understand the data from all sides. And to reiterate, we're not covering any governments, nation state capabilities or anything political. And in fact, Anthony lives there and Colin and I are headed there today to go to Xcon. And so, you know, the lesson we want to do is bring up stuff about their government. All right, so we're going to cover some terminology. We're going to discuss some famous and important hackers in China, including white hats and black hats. And then some interesting Chinese main malware. So typically, this is the part where Anthony explains it, but I'll do my best. So there's a few key words here, which I'm not going to attempt to pronounce in Chinese. But in English, the top word means chicken. What's interesting about this is, you know, in America, we sort of have this phrase called bring a lamb to slaughter. It's essentially the same thing, but they don't really have lamb, they have chicken. So they use this instead of saying the word Trojan or backdoor. So on their forums, whenever you see this word, that's what they're talking about. The next phrase is basically referring to injected malicious code into a web page like an iframe or JavaScript. And then the final one is referring to like antivirus evasion, firewall evasion, persistence. It's basically a tool that's designed not to be killed or removed from the system. So if you're trying to do research into Chinese tools and malware, these are some of the key words that you can search for or look for on the internet. All right, so next we're going to cover essentially what Anthony informs us of is that there's a genealogy of hackers in China. There's several generations. So the first generation of hackers were almost like the first generation of hackers here. Basically, just smart guys interested in sharing techniques, almost like academic work, sort of like what came out of MIT. And a lot of these guys became CEOs of important technology companies over here, over there in China. Like the guy that runs Kingsoft, for example, which is a big company there. And the person who invented the way of inputting Chinese alphabet into keyboards. So all these guys started off as hackers and then became influential CEOs. So after that, the next three generations that came all sort of have different characteristics to them. Between 1997 and 2002, there's a lot of what they call conflicts. These are sort of equivalent to our when two hacker groups get mad at each other, you know, LOD, MOD type stuff. This is going on during this time frame. It's about the second generation of Chinese hackers. And they got involved in fights with hacker groups in other countries like Japan and the Philippines. What have you. Some of the standout people of the second generation of hackers are these gentlemen up here whose names I can't really pronounce. But the first guy's name, try to remember that because later on the talk it's important. He essentially spends a lot of his time or when he was active looking for vulnerabilities, locating zero days. Very smart guy. Another really important hacker of this generation's name is Glacier. And he's actually a part of the X focus group. All right. So the third generation, a lot of these guys are famous because of, you know, more cyber warfare, more types of attacking different groups. And there's a whole list of guys here. All of these are pretty much significant hackers in the Chinese hacking community. Flash guy is a very important hacker. He released a lot of tools that are used in the wild. Now the fourth generation has a few people. These are their names. There's a tool called Gray Pigeon or Wig easy. And that tool is very significant. It's heavily in use and it's a really advanced command and control system. We'll go into some details about it in a bit. And there's a forum, very famous forum in China called Evil Octol. And like Sunware and a few other people on this list are part of that group. Evil Octol is essentially a place for sharing attack information, exploits, techniques, methodologies. A lot of interesting people hang out there. So the fifth generation, you know, the most current hackers what are going on today are essentially script kiddies. They rely on the tools coming down from the previous generations and the research done by other people. Their main goals are to commercialize their attacks in order to make money and we'll talk about specifics in a bit. And a lot of these guys basically sell openly on internet forums, tools and attack services. They basically just either steal source code from other people's tools, modify it or they just straight up steal the tools and resell them. A lot of these guys don't even know how to code, but they know how to use the tools. And the other generations don't look down on them often with a lot of respect. All right, so Anthony wanted to point out that there's some vendors in China just like there are here who release tools to help defend against these type of attacks. And essentially this is a list of some of the vendors, significant ones like NS Focus are on here. So these would be useful since us in the United States may not understand their white hat versus their black hat community. So well, understanding these vendors, the white hats typically go into business or work for companies like these. All right, so China also has a cert and its role is very similar. It's basically gathering statistics and information from intrusions and companies there in China and publishing this. There's also an info security, information security organization that is designed to try to help businesses and organizations defend themselves. And then a whole list of websites for gaining information about security. They also have a honey net project. And most significantly is the Xcon conference. This is one of the top level really good research coming out of this conference. And we're going to go check it out. All right, so a little bit about how Chinese black hats operate. Slightly differently from here in the US. In the US, people tend to use, you know, just telephones or IRC, private IRC or silk channels, things like this. In China, they tend to operate more openly in web forums. Some of these forums you have to subscribe to and pay a fee. It's more between 20 and 100 Chinese dollars. The other thing that they use frequently is something called QQ. QQ is an instant messenger, very similar to like ICQ or any of these. And this is a tool that a lot of these people primarily use to communicate. And this gets significant later as we go on. So in a lot of these forums, they advertise attack services. And you can find in search engines like Baidu, you know, if you want to look for, I need help attacking something or, you know, I need a hacker. You can find tons of services that just, they'll give you a laundry list, a menu of what they provide and what they can do for you. Tons and tons of sites. But most of these guys are script kiddies. Typically, you have to pay a membership fee in order to get access to the tools. And often, they'll just rip you off and take your money and not give you a tool or they'll give you a broken tool. Another thing is it's very easy to get like victims for botnets and things like this because the whole concept of hardening and security is not as prevalent or widely understood as it is here. There's not a lot of resources to protect systems there. And so what you have is a large number of computers that are vulnerable to a variety of things and people just don't know. And so these sort of script kiddie groups just can attack wide swaths of the internet over there gathering victim machines that they can use as bounces or as bots or whatever. So the Trojan industry over there is extremely advanced and almost set up like an industry or a business. There are training portals to go and learn step by step how to use these different tools. And everything is sort of provincial. Each province sort of has specialties and people that are well known. Bots are extremely cheap there because of what I mentioned before where it's very easy to break into lots of computers. It's about 10 cents per bot. And so DDoS attacks are really easy. You just search for a forum, pay 10 cents per dot, get access to a botnet and then perform your attack. So according to China cert, there's something like 2.5 million more Trojans this year than there were in 2008. So like five and a half times more. So this is a real prevalent industry. A lot of people are producing Trojans. And the forecast from China cert is that there'll be about 100 billion Chinese dollars in loss due to Trojan attacks, information stealing, this sort of thing. So this is an example of an advertisement. This one's in Chinese. And so we just, Anthony translated it for us. And essentially it's a laundry list of services that they provide. Like they'll do network intrusion, QQ back doors. They'll provide videos for how to use Trojans. I'm not going to read the whole thing, but you get the idea. And they even list the programming language that they can code in, visual basic, Delphi, things like this. So this is a little bit deeper. This is a different advertisement that's been translated. So they'll break into a website or a server or a personal computer. They'll install remote command and control. Oh, and Anthony and Colin are here. So I'm going to turn this over to Anthony because he knows this part of the material much better than I. Anthony, you're up. Hi. I just got a call in two minutes on the stage. I'm on the CTF room to pray that we're reversing and the computer, the games with the Korean guys then. Okay, sorry then. Okay. This is an advertisement, okay? For the cracking. Actually I was translated and the Chinese website then you will see it allows many services, okay? It completes, it covers all the CISP syllabus. First of all, like, cracking website, cracking server, personal computer, install remote control, okay? Cracking mailboxes, every services, diversify, good business. And still be MSN account, QQ church history, cracking cell phone. I suppose a DEF CON could wish them because they're QQ number. Please go to the 859016227. Yeah, good service. The favorite tab in China is most likely is still that QQ, I mean game accounts and QQ accounts, especially for the game accounts with some kind of reference, you know, you could exchange with the money. They are like, they like to generate, to provide a children generator and also like to the children, then you could steal the passwords and also the online game credentials. China made malware actually like a, anyone try to dim some? Yeah, but I believe then in CISAPIDAS, I get it, it's $19 US dollars, but I have not tried, okay? But in Hong Kong, it's $19, Hong Kong dollars. Please drop me email. If you come to Hong Kong, I get you to an excellent team sum. Okay? And, okay, this way. All right, so I'm going to cover a little bit the reverse engineering methodology that we used when going through, we have a whole large collection of Chinese malware and tools. And so essentially what we did was we focused on comparing data between the different samples to try to get a bigger picture of, is there sharing, what trends, you know, do they use specific programming languages, this sort of thing. And we have a whole automation system, essentially virtualization sandboxes that are not based on VMware to avoid being detected. We have a dynamic automated API logging. We essentially log every function call when the malware is executed. And this gives us, you know, what files are written to the system are deleted or modified, registry keys, network API calls, this sort of thing. Then we tap the network outside the system and parse that looking for outgoing, you know, command and control call home or whatever, as well as some automated stack analysis. Okay, it's my turn again. Wow, the first sample. You know some kinds of shell code, I find some boring shell code, 06, 0x, some numbers. However, for this shell code is quite great. A script, you'll find it, it's most correct. Yeah, you'll find that some wordings are in translated in the Cantonese, in Mandarin, like, your Yi Tian is one day, okay? And also like, this one, I need you. Actually, this shell code is with this lyric from Mr. Chow, from Taiwan, is very famous singer. So they are singing songs and code the shell code. I like it. The second one is they put the fingerprint everywhere. Then you could find it like this PDF exploit footprints. And you'll find here, it's very small wordings. Here is Inge. If you mentioned about there's a three, five generations of the hacker generations, then actually Inge is the second generation. Maybe Inge is the idol of this shell code whiter. And also they put the lab here, pan lab. I don't know why it's pan lab. Okay, but it may be the hacker lab. Here, fake QQ. Anyone have the QQ account? Thank you. Thank you for your support. Actually, QQ accounts like this is a fake QQ. When you get it, yeah, your user password, credentials will be go to where will go, go, go, go, go to a government website. Actually, the China government website is Trojan. It's attacked by the criminal. So I simply type in who is in the Google search engine and then wow, this site is Trojan. Once Trojan, you find a list of here, oops, a list of iFrame is injected. Even it's very small, but you find a lot of original sports. And also from the website, and you find wow, there's many Trojan, web Trojan, iFrame injected. And the attack path is like that. Okay, build up fake QQ, cheat your account, get your credentials. At the same time, the return website is Trojan with the different iFrames. Then the most important is you reset the site, you get the exploit as a gift. Then the China government site will always become the target because they have some difficulties. I mean, they have tried already done their best, but you know, from different provinces, they need different control. And as you know, then it is hard to, and still a room for improvement in China. And also the number four is a fresh zero day attack. This is fresh zero day attack, but I don't want to stick it out a lot of details, but you will find here, do you know this wording? And hey, it is in Mandarin, it's a darkness. What is the meaning? When you like that here, your JavaScript, and this is a malicious script and embedded in the .html, then once it is reset, then actually it contains the exploit for the fresh player. At the same time, it contains another exploit for loading the shell code loaders. The shell code loaders is very interesting. It is loaded from another place, I mean, another test files. So you could gain two combined choices, could come back raised for exploit your computers. Then once it's exploited, you get a dropper, the dropper download the password stealer. At the same time, you will get, it is a botnet based, so you get the commands, and then the attacker could get your password, get whatever they want. The ultimate target is to get the game accounts credentials again. Thankful for our team about this detailed analysis. The interesting part is, and hey, what is that? I search again, and hey is, wow, it's a and hey working group here. Oh, here's the cursor again. And hey working group, the latest web children, web children generator, children programming training course is very comprehensive. Then free of charge, all of them I involve, and also calling download it without money, okay? Then you could get it, you could play it, you could try to be in fact, yeah. So once you get it, you have bundle of the latest exploit you could choose, like a exploit supermarket, okay? Then you can pick up your choice, then you don't need to pay the money, but you get the return back. You get the script, your source code, you get the office data script, but you never know, but I just want to get the credentials, and you would like to bypass something like where's the cursor again, wow, your computer cursor sometimes disappear, man. You fix 360, you bypass the 360, 360 is a very famous NTR software in the main one, okay? And then once you're a simple click, simple click, simple click, and then you get the files, and you get the difference, I mean the source code of the IE-TML with the source code and shell code. So then we kind of took several of the main droppers, we just concentrated on an IE7 and IE6, the Aurora exploit as well as this is the XML RPC overflow or canonical size overflow, and we just sort of looked at their actual technology in shell code development. And actually here you see it's fairly, it's clear, it's in clear text, all of their shell code is based upon a dropper, all it does is download another EXE from a website and execute it, quite simple. We can kind of see here that it's not altogether that strong, you have these weird spaces at the end of the shell code, these don't do anything, there's no further obfuscation past just the JavaScript obfuscation because this was in a big blob of unencoded UTF strings. So then we see the next iteration of this code base, it's the same thing but it's much cleaner. It's gotten a little smaller, we went from 814 bytes of shell code to 612, but again it's still very clear, you can follow this, you throw it in a hex editor and just see what it's going to do, you don't actually have to go any deeper than this with this type of shell code. And then they kind of dropped this new one on us and so the timeline between these three is a couple of months between each one and this last one was only a couple of months ago and suddenly, and this only generates shell code, this doesn't tie into any of the other exploit packs that they have because what you see here is just their general exploit pack, so you click the button and it will actually generate a website that hosts up the individual exploits for those things. For this shell code it's much larger, it's a little over 1,000 bytes and it's actually XOR encoded, so they actually have a stub at the beginning of the shell code itself that decodes the rest of the shell code and if that wasn't enough, so after we decode that we can see the standard downloader here, it pulls down your actual EXE, they also have an even more sophisticated structure inside of that that does continual obfuscation of actual strings, so for actually resolving of the DLL functions to do the downloader function and execute, so from the original point which was about three months ago to about a month ago, their level of expertise in shell code drastically jumped and this is sort of what we wanted to expose here is that their level of expertise in this area progresses fairly rapidly and so here are just some more examples from their actual generated web pages, if you really want to look for them you can look at them later, but the interesting thing of course in their actual sprays is all of the identification markings you'd ever want in the whole wide world, their QQ number, which is perfect, you can contact them as Anthony says, good support, yes, yes, so and again you know it's just they, their obfuscation is more of an advertisement than obfuscation, yes it doesn't directly go to actual shell code immediately, but if you come across a web page that has Qt in it how many times, so again just more examples, here's, this is a fun one here where it actually, it gives you a warning in Mandarin that you do not change the shell code in here in notepad because it'll break it due to the actual control lines, which is you know that's nice of them, they want to make sure that you get a quality product right, that's important, you know again just they tested, fully supported, very good, and here's another fun one, we got, we got a you know call out to HD in there, in their page and they obviously use Metasploit, they understand us, they actually, they research us and they keep track of what we're doing, so, oh Kaba, oh yeah, the other, the other fun thing, I guess I'll let Anthony explain. Do you know anyone installed the Kapersky antivirus at home, your computers? Actually in Chinese is Mandarin is Kaba, and then actually Kaba C gate is like Kapersky, you know, actually is the, this signature is Kapersky, then he may say, he may like to dance to, I mean like maybe the shell code pinpoint for the Kapersky, okay, yep, actually it's for the goals is compromise the game accounts credentials, and export generator is free, and actually the site is live, okay, you've got the computers, go there and try it, and they have got the sales hotline and easily be reached, a prior QQ account right now. Alright, so I find it interesting that in their shell code they target a specific antivirus company, that's kind of cool. So what you're looking at on the screenshot is a collection of the ANHEI exploit generators, there's about 20 of them or so, and they're all distributed in RAR files, and all of these RAR files basically come with like an advertisement page, or many of them do, and in the advertisement page it has their website, so the ANHEI guys also use the name QQQ for their team, I think they either change names or they use two names, but basically when you download this tool they provide you with a QQ address that you can contact if you need support or help on how to use their tool, or maybe other Trojans. The other thing that's interesting is if you look at the file times on the exploit generators themselves, often these file times are before that particular vulnerability was disclosed here in the US, so what this means is that not only do they know about the zero day before it's published, but they have a fully functional exploit generator that anybody can use, it's literally one click generation way before the time that the exploit is disclosed, so that's to me kind of significant because it means that their ODE use is pretty advanced. So we compared about 20 of these exploit generators to try to get an understanding of is like one guy coding them all or are they using similar styles or what's going on, and we noticed that they all use is DLL, SkinPPWT.L.DLL, almost all of them use a specific version of this and then one has a slightly different version. We didn't know what this was at first, it took some analysis to realize and I'll get to that in a second. So what this shows is that they reuse the same DLL over and over again, so we did a little just looking in the resources and these guys are really nice because they code their tools just like professional software. The resources have versioning information, even a copyright, which is kind of funny because China doesn't have copyrights. And they have a website of where this DLL comes from, so the nice thing is every time you get this exploit pack you know exactly where you got it because the resources tell you. This is just another example. So between the two DLLs that we found that come packaged with all of these, there's really not that many differences. They essentially have a very similar number of functions, imports and exports. A little bit of functionality has been added to one versus the other. And it turns out, as we were first engineer this, that it's just a skin building program. If you noticed earlier, all of those screenshots of the different tools look very similar, kind of the same. So they've standardized on one GUI and they just keep reusing that GUI over and over again so that the people using the tool are familiar with it. So we sort of tracked some information in these files back to this company here. This company has two names, Skin++ and UI Power. And it turns out this is a legitimate vendor that sells graphical development tools to tons of companies in China, like all these big professional Huawei and other companies use this tool to build their applications. So these guys either just stole this tool or they bought it and are using it to build their exploit packs. So yeah, there's just some more screenshots of their resources. Another very popular in the China malware history is this quick answer. It's great picture. Actually it's a very famous one because you know, you could get it to get, I mean, the summary, like the capture screens, keystrokes, still user accounts, password, download file, upload file, shutdown services. Then it is written in Table C. Actually the source code is available. And somewhere else then you can search it. Okay, it's in archive, RAR. I got source code, just drop me email, I send you source code. If it is infected by any way, then I don't liable for your infection, okay? Okay, code we will, man. Then it is, I mean, but the time is, it is stopped, I mean, suspended officially because they get a company and set it off, but they stopped it three years ago. However, there are many variants. And you find it here, for example, then you could choose to add the packer or use the packer, use UPX, UPX packer. And this is the screenshot of POND, yep. Then you find the site, quicker.net. It's an official company site, but it is done already, okay? And you will find the screenshot, then capture screen, and capture the video and audio, and, well, then also like to open your camera wherever. It's very complete. Yeah, so that's pretty significant to see a piece of malware that literally just has click buttons to turn on your audio mic and steal any audio that's in the room or turn on the video camera and take picture of what's going on. Literally one click. So this tool has a few different components. There's the HClient.exe, that's the main program that generates the server executable that you use to infect people with. When this program is run, it generates a config file called operate.ini. And there are a few other files that come with it. So this one here is literally like the EULA. They have unofficial EULA for this backdoor, which is kind of interesting. They have a disclaimer saying that they're not liable for any bad things that might happen if you use their software. And they call themselves Gray Pigeon Studio. All right, so they even have a change log. So you can track improvements to this backdoor as time goes on. And it's really pretty a detailed product. They're doing this as professionally as they can. There's another file sort of buried down deep in the directory. That's kind of interesting and we're not we haven't been able to figure out what they do with this file because we haven't really seen it be read yet. But in this file is these huge lists of things like EarthLink, Genuity, Marlboro College, Bellman College. There's all these universities and companies, Hewlett Packard, just listed in this DAT file. On the other side is a bunch of other things that look like numbers. We actually started looking up some of these numbers and they're electronics parts numbers. So I'm not sure what this file is for, but it comes packaged with this Gray Pigeon tool. Kind of interesting. All right, so now we're going to move on to the banquet of malware. We're basically going to cover a selection of different malware samples. So the first sample was actually found in an intrusion investigation. It's called SVO host. I've got some file details here, which I'm not going to really read, but you can grab the slides later and take a look at these, see if maybe you have this on your system. But actually, believe it or not, ClimAV picks this up as MS as the exploit MS 08 067, which is because the actual exploit is packaged inside of the EXE itself. It can deploy that exploit. Yeah, for like lateral attack. So we de-office-skated this, took a look deep into the exploit and found the string here, phantom, spelled in leet speak, as well as an email address. So we started searching around and actually there's a Chinese security team called the phantom security team. So this tool is highly likely to have been written by this team. It looks like they've sort of given up the team here. But yes, it's interesting that it's pretty easy to find who develop the tools if you find the tools. Another example is a tool that we have here. This tool wouldn't actually execute on my VM. I think it had VM detection, but it would execute enough that I could grab it in a debugger. And it actually titles itself with the website of the organization that built it, dark team. We have another tool here that is an SQL scanning tool. So you have a whole variety of options. It's really advanced. And we just went ahead and scanned ourselves with it to see what the output looks like. You put in the target. You put in some parameters. You tell it what kind of scan you want to do. And if you want to obfuscate your scan, and then it just attacks the target for you. So another tool that we found was actually packed with armadillo. It's just sort of your typical attack tool. It generates a lot of batch files. In the course of reversing and understanding a lot of the malware samples, what we found is they love using batch files. They scatter batch files all over the system. In this case, they use one called winnet.bat. What that basically does is it generates an internet link underneath WinRAR. So if you have a WinRAR installed, it'll stick this in there. If you don't, it'll actually create this directory and put this here. And then, you know, add everything you need to add to the registry to operate this and then start an executable. So we took a look at that. And what this internet link does is it executes this program that drops a DLL on your system. The DLL happens to be named mchicken.zp.dll. If you remember, we said what chicken was earlier. So, you know, it makes another startup.bat, which essentially injects this mchicken, sets it up as a service. And there you go. Your box is owned. So the next example, actually, ClangMavy picks it up as Trojan Online Games, which fits with what Anthony was saying earlier, which is that the target of most of these attacks is to capture game accounts. This is another tool that we located that's an SQL injection tool. It functions similar to the previous one, except it has way more functionality and is very, very useful and very easy to run. So we got about five minutes left. Our conclusions are essentially the Chinese hacker community uses forums for communication as well as QQ, versus here we use other methods. They very rapidly can deploy simple standard GUI tools for the latest zero days, even zero days we don't know about yet. And the tools are full of all kinds of identifying marks, as well as the output of those tools that we can sort of signature on or look for. And just like us, we have criminal hacker problems over there, like we do here. We both suffer from the same kind of problems. And it's interesting to see how rapidly they jump in their shell code sophistication. And the use of zero days is very prevalent. So we really want to do more collaboration like this, maybe have a China track in the future, bring more researchers over from there to sort of help us understand where they're going in their community. And we found this to be very valuable collaboration between the two of us. And I'll let these guys comment if they have anything further. Yep, actually later on, we'll be much more cooperation between our team then, about the, may aware about it. Do you want me to talk about it? No, we don't have time. Yep, actually I've got a slide about the downloaders of the China downloaders, but the time is insufficient right now then. Maybe I will put it on the web, later on share with you guys, and also in the Q&A room, then we could brief it to you more. Questions? Any questions? Thanks for waiting. Yep, thank you.