So, hi everyone. We have all the speakers here for this malware track this morning, which was great. We've got very interesting presentations from all around, covering different subjects. And it shows, because we have very good questions on Slido. You can still add yours if you want, or vote for the one that you would like us to discuss. So I'm going to go with the specific questions for the specific topics or presentations first, and then we can have a broader discussion with questions that everyone can answer. So I'm going to go in the order of the presentations. All questions are anonymous, but we have a good one for the first presentation about the, just give me a second here, the KashmirBlack botnet. So: do the KashmirBlack bots have some kind of internal kill switch which could be abused for a takedown? In other words, if you look into ways you could take down the botnet, and the bot identifies, is there some kind of authentication for the C&C server? So we'll take this one.

And actually, there is no actual authentication with the C&C server. But we saw that, as part of the communication between the bot and the C&C, there were special headers that the bot had to add when it reaches out and tries to talk to the C&C. And without those headers, the C&C won't respond. So we can say it's a sort of security layer that the attacker added, but it's not a real authentication like the other authentication mechanisms we all know. About the other question, the one about the kill switch: we're not aware of any kill switch implemented inside the infected bots. But since all the bots are in the control of the attacker, he can just connect and do whatever he wants, like an admin there. So he can do whatever he wishes, and he can even redefine the crontab again, so nothing will appear there, and no one will know that this was indeed an infected bot.
And actually, since we don't see any attacks now in our data lakes from bots today, it's possible that the attacker shut down the operation. Or maybe, due to the notifications that we sent to all the server owners, the owners took manual action and cleaned the servers. So we don't have a specific answer to that. We don't know exactly if he has this kill switch, but we can assume that he might go there and delete it. Hope I answered that question.

Yes, thank you. So we have a question for David this time. How hard would it be to intentionally get infected by a bot that gets sold on this market? Do you know the success rate for the credentials?

Yeah, so it seems like there are not that many computers, at least in Canada, being infected. So my guess is that if we were to try and do some sort of honeypot of that sort, we'd have to get a server somewhere other than in Canada. In France, surprisingly, there was a large number of bots for sale from France, and the US as well. And with a botnet that has over 350,000 computers, officially at least, it wouldn't be all that hard to get one infected. And then the problem is just finding out, or attracting people, and having our bots being sold. We've seen from the discussions that we've read that the bots that have access to, for example, commercial bank accounts seem to be pretty popular. So populating the bot with the right credentials. And it seems like many other sectors are looking for these. And we know that there's a very big payday if you can get into these accounts. So that would be one way of doing it. Not our line of business, but, you know, if someone's interested, I would be very interested in reading the report on that one and seeing exactly what gets exploited among the hundreds of credentials and cookies that you can find on any of these bots. So clearly something that would be interesting for future research, for sure.

We have a question also for Sam.
They were curious about whether the vendor patched the vulnerabilities and if schools eventually updated their software. And if you have an idea of the time frame it took to discuss with the vendor.

No problem. So that's always kind of an interesting topic. Every time we disclose vulnerabilities to a vendor, it can go one of two ways, you know, good or bad. Netop was one of the good ones. Sometimes people think we're trying to hack them and, like, why are you doing this, but Netop had a disclosure, or a responsible disclosure, process in place. So once we disclosed each of these vulnerabilities to them: our internal McAfee disclosure process is 90 days. However, if we have good communication and they request an extension or anything, we usually grant it. It's the people that don't respond and then at the last minute are like, oh, can you extend it, that we usually stick to our hard 90 days with. But in terms of this Netop Vision Pro software, they got it patched actually pretty quickly and sent us over the patched version, and we did some validation on it. And that's pretty much where our responsibilities end. It would be nice if we did have the bandwidth to reach out to, you know, the infected, or not infected, the affected school districts and stuff that have the software installed. But unfortunately, we don't have that client data, and we kind of leave that in Netop's court. We try, in our publications and talks like this, to highlight the fact that there is a patch available, and if any of you guys are a school admin over there, definitely install the update if you have the software. But yeah, we don't really control that process too much.

Yeah, thank you very much. Thank you. Not always very smooth, but sure, I think Netop seem to be very responsible about handling these vulnerabilities. So the next question is for our last presenters, Warren and Vitor.
So there are other groups like Lazarus and Kimsuky who are financially motivated, but also, and I'm going to add "allegedly" to this question, allegedly motivated to make money to benefit the North Korean regime. How would you classify between second-tier actors and APT in this case?

Thank you. Thank you for the question. So, when we think about tier one APT, the main criterion is that they are directly associated to some state organization. Okay, so for that reason the motivation of what they do is not really as important as on the second tier. Usually we use the motivation more to distinguish the crimeware groups from the tier two, not necessarily tier two from tier one. In this case, these two groups are allegedly directly linked to state organizations. So that would make them tier one groups. You want to add something?

Let me take myself off mute first, that would help, wouldn't it. Like, Lazarus and Kimsuky have obviously been long, long attributed to North Korea by multiple intelligence communities around the world, and most of their attacks are very, very financially motivated. And the understanding is that it's obviously to move forward the North Korean regime and move forward with what they want to perform. So for us, they would very much be a clear-cut first-tier APT. They are doing something that directly impacts the motivation of their state or the motivation of their leadership, whereas some of the second-tier groups don't necessarily do that, because of the overlaps that we tried to describe in our talk. However, there may be a supporting group that obviously backs up the likes of Lazarus or Kimsuky. Good question.

Sure. I had the thing frozen for a minute, just at the right moment again. So, while we are in this discussion, there's a very good question, and I think everyone can jump in.
And comment on this: how can you assess the motivation of a threat actor if the visibility into their operation is biased? I'm pretty sure that every time we do some malware research we are biased by our visibility. Are we perhaps wrong sometimes when we try to assess or, you know, confirm their motivation? So, I don't know, do you want to go forward?

I was just going to say yes, I think we are. I think the reason that we are sometimes wrong is the sensationalism that comes with it. Everybody wants to say it's country A, or everybody wants to say it was definitely country B. I mean, a prime example that obviously Vitor and I have sort of worked on at Talos was Olympic Destroyer. Olympic Destroyer came out, happened, and there was a paper that said it was China. There was a paper that said it was Russia. There was a paper that said it was someone else. Like, it all started to come out that way. And I think the problem that we have is, yes, our information is obviously biased to the telemetry that we have as companies. I'm sure Symantec, McAfee and Imperva have different telemetry than we have at Cisco, and that's just the way of the world. That is how it goes. I think what we've got better at doing in the community with some of these bigger attacks is we've got better at sharing that information, which I think does help us as a whole be right eventually. That's not to say we're not right first sometimes, because sometimes all of us are, and that is the way it goes. But yeah, there's absolutely a concern there that needs to be addressed, because too often we want to jump in and be sensationalist about it. And I think part of that problem as well is some of the journalism that exists in our sector. There's too much journalism that wants to be sensationalist about who they pick and who they select. They don't often care about some of the actual researchers that did the work, like the guys on this talk with us.
They don't actually care about some of the information that they have and want to talk about. But in short, yes, information is going to be biased to the company, kind of. But yes, we absolutely can be wrong at times. And I think there's an acceptance in the community that we all try and be right as much as we can.

And on that, that's also the motivation for us to try to make this new concept, to actually, we are not, so we have given a few examples, but we're just trying to help define criteria that will help everyone to better align and have better answers. And of course, that will always depend on the information that you have and how you fit it into the criteria. But our intent is actually to help make the lines maybe less blurred, and have criteria that will help to understand the different groups and how they operate within our threat landscape.

So separating between crimeware and APT is something we've, very well, not very, but it's recent, like we've been doing it for maybe 10 or 15 years, when we sort of classify APT and crimeware for financially motivated groups. Do you think we were wrong to make this kind of classification before?

No, not wrong. This classification made sense back when it was first started and makes sense now. What we are proposing is that we need to evolve this classification and maybe distinguish, within the state-related groups, the ones that are more related than the others. You know, because there are groups that are clearly aligned with government organizations, and there are groups that are aligned in the interest but not necessarily in the government organizations. And that's what we want to distinguish, and the second group has certain characteristics that blur more with the crimeware than the first one. And it's not a single criterion, that's why, it's not single, right, you need to have several things to help you distinguish.
It's not a question of being wrong, but we probably need to evolve our community definitions with what we're seeing in the landscape, and I think that we all think that is evolving.

Anyone wants to jump in, or otherwise I have another question. It's very highly voted, and if anyone can answer this one: how do you think botnet developers debug their software? Like, software engineering is really hard. I don't know if you've tried making malware before. And it's true that it's kind of a pain to debug; malware authors have the same problems as any software engineer. And do you think they do debugging, in your experience, and how good are they with the quality of their software?

So, I will answer this, at least from our point of view of the KashmirBlack botnet. And so, we do think that they are actual developers. We saw a lot of, mainly, Python scripts, and we can assume that the attackers or hackers behind this botnet actually have a development environment, and they even debug their code. And they can do that inside some environment that represents, I don't know, a staging C&C, you can call it, and testing bots and stuff like this. Also, they can test it against the production infrastructure; they don't have to have all the environment in staging. And I think that's it.

Do you think they also use, like, PyCharm and IntelliJ, like developers, like all others?

You don't need to check that their code actually works. Malware is hard, like it's very hard, right, even shitty malware is hard, like crimeware stuff especially. I don't know how much reversing everybody on the call does, but I hate reversing crimeware samples, because the obfuscation that generally comes with them is much more advanced and much more thorough than you get in some of the best APT actor malware as well. So yeah, they're actually, some of them are great, they are geniuses, there is no doubt about that.
They're not in the right field of work, unfortunately, but some of them are geniuses.

Anyone else want to comment on this one?

I just want to say something. I believe there are a couple of stories where the developers have in fact infected themselves, and then someone found their information when they somehow got access to their control panels. That's also a couple of stories that I've seen in some presentations, so I guess they just don't, themselves, sometimes.

Maybe I can add, I mean, I come more from the study of, you know, the analysis of markets, and some of these markets are going to have, you know, hundreds of thousands of participants, and at that point you're managing, you know, so many connections, you have to have your development server, your staging, your production servers. These markets have to also handle cryptocurrencies, encryption. So it's pretty impressive kind of what they're developing, and the number of people that they have to service every single day is pretty impressive. And I'm not sure how much I'm supposed to talk about this, but, you know, I saw kind of the map of the server infrastructure of these big, you know, dark web markets, and it is pretty impressive just to see how it's connected, all the servers they have for dedicated tasks, even, you know, for communications between the administrators, and clearly these people, you know, know what they're doing. But at the same time, if you've been around the dark web a little bit, you also see kind of, you know, the worst websites you haven't seen since 1994, it seems kind of frozen in time, but there is some impressive work being done there with all these technologies combined together. So yeah, there are definitely some good bad actors.

Thank you, David. Well, I have, there's a question for you.
Well, anyone can answer it, but I think you may be the right person: how long does it take for an actual botnet infection to be listed on the marketplace? There's a moment where a computer gets compromised, and then someone probably manually assesses its value and then adds it to the marketplace. Do you have an idea about how much time it takes?

So I saw a question that was just looking, in the case of, you know, Genesis Market, the market I talked about in my talk. You have bots that have been infected today, and that have been updated today, that are for sale. So basically our guess is that it's all automated; they end up in there. All their credentials are kind of organized and presented nicely in the platform. And it seems like the turnaround is pretty quick, so a matter of hours probably after the infection. And, you know, they're only giving you access to the information, so there's no, you know, encrypting terabytes of data, which can take quite some time. So in this case it's pretty quick, and this makes it one of the biggest problems. In this case, it's because, you know, the buyers are looking for new bots that were just infected. And so kind of, if you get infected, the time you have to protect yourself appears to be quite limited. But then if no one buys your bot, and it stays there for a while, you kind of, and that's such a bad position, but it's kind of the first days that are the critical days you have to go through and hope not to get victimized, basically.

Yeah, that's pretty quick, like hours. They must be, like, someone almost, not 24/7 of course, they must be sleeping, but I don't know if they have shifts, or probably, I mean, they are an organization, like, you know, a work organization, right. So let me see. There was one about the academic software for Sam. And it was: did you look into the exam software, for doing exams?
So, look into those kinds of software, because perhaps they want to verify that, you know, the person behind the keyboard is them and not someone else, so they must be, perhaps, overprivileged to get that information. I can really see why this would open the door for other kinds of, yeah.

Yeah, so we definitely threw that idea around. And sometimes we get to, you know, play a little bit more on our side, in that we want to choose targets based on what we like. And one of the guys on our team thought that that software is kind of overreaching, especially now everyone's taking exams from home. There have been some articles where people have failed their exams because they looked away for too long, and some people think like that, you know, with your eyes. So one guy wanted to look at those, but we actually kind of looked around at the different kinds of schooling software and kind of realized that a lot of those are cloud-based. So when we're doing security research offensively, cloud-based research gets a little iffy, because we're then doing stuff over the internet on remote servers and, you know, production systems, and granted, we're trying to do it in the interest of good and to, like, you know, just disclose anything we find to these vendors. However, you know, if we still drop all in their database or whatever, like, that's not good. So we try to kind of steer away from the cloud-based products as much as we can, unless we get privileges beforehand. So a lot of the targets, and we only disclose to the vendor that we're looking at it if we found a vulnerability, or after the fact. A few times I have had people reach out to us to actually look at things, and so in that case we would have probably had to reach out to the exam proctoring company, and they have the full right to just say no, we don't need you to look at it, and, you know, things like that. So it was an idea and a good target.
However, we decided to focus on something that would be installed on the machine, that we could look at from more angles.

Definitely. I have a broader question. So a lot of the malware that we looked at today is targeted to the endpoint, except for the first one, which is server-side malware, where there's a WordPress being compromised and so on. Do you think we lack visibility into that server-side malware compared to the Windows or endpoint software, and do you think that there is more server-side malware than we think there is? Does anyone want to take that?

I don't know if I'm the most qualified for that question.

Okay, or I can give another question.

I can try to answer. So for one, it kind of goes back to the debugging thing for me. I know that when trying to design things, you know, to exploit software and whatnot, it's easier to set up an environment on an endpoint than a server. I'm hitting back on that previous question, so for me, designing malware, I guess I usually try to do endpoints first, and there are usually more of them, but then also, you know, the server, I guess, has its, it's a good question, but I don't know about the numbers, though. That's just kind of from my experience being an offensive researcher.

So I don't think that anyone can say something about numbers, you know, but for servers, there are a lot of Linux servers that, for example, using Linux, have Python installed by default. It's like increasing the attack surface, and we could see it in our research that they just use pre-installed stuff that they know comes installed by default. Yeah, Perl, Python, and specifically version 2.7, which is not supported anymore, and yeah, I think that's it.
Yeah, so basically interpreters are sort of a problem because, you know, they can execute code, and it makes very portable code as well, I guess, because a lot of the servers run different operating systems, but if you use Perl or Python you know that it's going to run pretty much anywhere.

Exactly. And as well, a lot of people assume that their servers are safer because they're in different environments, so they don't worry so much about them. Obviously, inherently, that's totally wrong and they're not, but maybe that's why we get a lack of visibility. Sometimes, like, I know I've worked in organizations before where they won't have things like endpoint or AV on, like, this is a large financial company store, they won't have AV on it because it's not worth their while. So that's the criticality of the nature of that production server, which I totally understand and totally get, but yeah, that does mean obviously that, as a threat research team, you start to lack visibility on that side. I think from a WordPress and a web server point of view, I think we've got mass visibility across all the companies that we see, because any major server-side malware, like if it's based on WordPress, for example, it's generally fixed or looked at fairly quickly. There are guys like Sam doing hardcore offensive research on these things and finding them, publishing them and releasing them and letting people know, so it doesn't always rely on a single competitor or a single vendor's endpoint either, with great guys like Sam and some of the other people that have talked throughout today as well who are doing work on that stuff to try and push forward to the community, which I think is really important, it's really critical.

Yeah, I agree. So there's, I think my question was somewhat biased, I agree, yes, I had an idea about it, but I think you're right. We underestimate the number of server-side threats that are there, and, you know, we spend less.
The whole industry is spending less resources looking into those threats. We have five more minutes. And we are all looking at it from a different position; we're all, like, private companies, we're not public services or anything. And something that I don't think has been discussed a lot before, but I still think it's interesting to bring up, is the question of whether attribution is important or interesting for our industry. It makes a lot of the good stories, which is very nice. But does it really matter where those attacks are, where they're developed or where they're operated? I'm going to use that last five minutes to discuss that.

Maybe I will go first. I will just start by saying attribution is a mud hole. That's the basic principle that we need to start from. Now, that being said, I do believe that it matters. It matters, maybe not specifically who's behind it, but it matters for you to attribute a campaign to a certain group, because that will allow you to profile the group. The next step, which most of the time is the one that everyone wants, is who is behind that group. And there, I think, is where there may be some doubt if it's important or not. But of course, if you know who's behind that group, maybe you will understand a little bit better their motivations. So in a certain aspect, it will be important. But it's not just about technology. It's about technology, it's about a lot of other information that you need to understand in order to do proper attribution. And sometimes you just don't get that information as private companies, as you started by saying, a lot of us are private companies. And we need to acknowledge the point where sometimes we just don't have enough information in order to make attribution.
You may be able to align it to a certain group or a certain spectrum, but you may not have the whole information to attribute it to a specific group or a specific country. And on the other hand, the non-private organizations that may do it may not provide you with the information to double-check that. And whenever we talk about attribution, we need to live with the fact that we just don't have the whole information to do it. And hence, on one side it may be biased, and on the other side it may be completely wrong, because it's incomplete.

I think you also really have to think about it as an industry. What do we achieve from it? Ultimately, we all work for companies, whether it be McAfee, Imperva or whoever we work for. We all work for companies to protect our users. That is why we all do the job that we do. I'm pretty certain and confident that if I went to my neighbor next door and asked him if he cared who installed malware on his computer, would that make a difference? He'd probably look at me and go, I don't care, can you fix it so it stops stealing my money? And that is the ultimate goal here. The ultimate goal for us as technologists and within this research industry is to stop those people getting compromised. Now, the flip of that, from probably a much higher level here, is attribution is important because, as Vitor said, we want to track it and we want to understand TTPs that relate to actors that we as an industry care about. But Dave down the street has no notion of caring if it's country A, country B, or whoever you want to call out, or whatever. I think again, and I know I briefly touched on this, I think journalism has been a part in this whole game as well, that attribution has suddenly become important. I know for a fact that I can't go and kick the door down and arrest anybody.
Like, if I knew Sam was building the biggest malware botnet in the world, that David was about to buy on some underground forum, I know who they are, but I can't go and kick their doors down and arrest them or do anything about it. So in reality, as an industry, I think attribution is not really important directly to what we all want to do. But if I was to work for, say, a large state organization, I would probably have access to the HUMINT and SIGINT technology that I require to be able to do that final stage of attribution. It doesn't matter if I can relate malware A to malware B and say that they're the same actor, because that doesn't tell me who it is. But ultimately, I personally think that, as an industry, we shouldn't care. We're there to try and protect our users and ensure that we try and get rid of these dregs of society from the internet. Now, if we can work with law enforcement to direct them to someone, awesome. Let law enforcement go and do the job that they need to do.

If maybe I can just add, just to finish us off, just in a few seconds. This is where my background in criminology kind of provides me with a very different answer. We understand by now pretty well how you become an offender, like school connections with deviant peers and stuff like that. But with hackers, with online crime as well, we have a very poor understanding of how you go down that path and kind of what your criminal career is going to look like. And that's one of the things where I think that having attribution, understanding who these people are, what their story is, is really important, because the goal of criminology is going to be to do prevention and to prevent people from getting there. And when you're looking at nation states, these people are going to be enrolled, they're going to be paid for this. Sometimes it's some patriotic duty, so it's kind of a different case.
But in terms of for-profit hackers, I think there's much research that needs to look into how you turn into these hackers. And then how can you deploy these prevention programs so that people don't end up doing that in the end. So knowing who these people are, I think, is extremely important. And there can be some fundamental research that can lead to programs that can be implemented everywhere around the globe.

Thank you, David, for providing a different view. Sam, do you want to comment?

No, that's fine. I don't have anything to say, but I really liked that. I agreed with both of you guys. Totally, that was great.

All right, great. So thank you very much for all your presence and very good presentations.