For the next 50 minutes, my colleague and I will be taking a closer look at what is really going on in the world with Trojans. What kind of Trojans are we seeing nowadays? How do they work? And also see how they differ from what most people actually think they are seeing in the world, what people think the real threat is. So the first part will be more about statistics, what we are actually seeing. And then in the second part, my colleague Dirk will take a deeper technical look into how a couple of those things actually work. We have a short demo of actually connecting to a real command and control server, just to show what kind of functionality those networks really have. So to start with a little overview of history: the problem with Trojans is probably nearly as old as our use of computers. The term was first coined back in 1983. At least that's the first reference I've seen, when it was used to trojanize a login so that your login credentials would actually be logged, so that the attacker could log in later. Historically, Trojans have been used either to get privileged access to machines, like keyloggers, fake login screens, etc., or a different kind of Trojan is then used to actually maintain access to the machine, either by hiding some of the files, hiding the presence of the attacker, the rootkit functionality, which is something fairly new in the Windows world. On Unix, we have known rootkits like forever. And then backdoors that may be installed to actually reconnect to the machine at a later stage, to make sure that you again have that kind of access. And the hype around Trojans really started here at DEF CON. If any of you were here at DEF CON 7, you may remember the announcements and the show from the Cult of the Dead Cow team, who released Back Orifice 2000 here, and that's pretty much the first time there ever really was big noise in the press and worldwide about Trojans being a major problem.
Those Trojans then were basically fairly simple remote access Trojans, where people would actually have to connect to the machine from the outside. So in general, inside a corporate network, you were pretty safe from attackers on the outside. And well, then the hype around that really started. And currently there are like two major hype Trojans. The first one, Magic Lantern, which is supposed to have been developed by the FBI. It may be perfectly possible that they have written something like that, developed something like that or bought something like that. But that is very unlikely to be a major threat to any of us, except if he's committing some really bad crimes. And now we have Magic Lantern version 2.0 in Germany. At the end of last year, German authorities requested that they should be allowed to break into machines and do online searches on suspects. And they have actually budgeted, or at least estimated, the cost of the development of such a Trojan to be around about 200,000 euros, which I think is quite excessive for any kind of Trojan. There are some sites on the internet where you get good working Trojans for much, much less. We'll see something about that. If you look with Google for the word Bundestrojaner, you will see around about 600,000 hits. And considering that, at least as of today, nothing like that actually exists, that's quite a lot of hype. And every now and then someone picks up on the story. Then the Chaos Computer Club in Germany made things a little bit worse by saying that they had detected the Bundestrojaner inside an application that pretty much everyone needs to do his taxes. And that's when chaos in Germany around this really broke out. So what is the reality looking like now, after we've seen what is not real? We do see a dramatic increase of the various types of Trojans, and also the functionality of the Trojans has now changed.
Traditionally, most Trojans used to be backdoor Trojans, but that has also changed quite a lot. If you're looking here at the submissions that are actually being sent to us, and you look at the proportion between actual new viruses being sent to us and actual new Trojans being sent to us, that gives you quite an idea of what's going on. The last category, potentially unwanted programs, is something that is hard to classify as a Trojan, but most people wouldn't like it. Like, for instance, stylus and similar things. So here we have the statistics for 2005 and 2006 of what kind of programs were really sent to us. And on the side of Trojans, there was a nearly 50% increase regarding the percentage that Trojans really are. The other area with a major increase was the area of bots. All areas have gone back quite a bit. We still do get things like macro viruses and other things, but those are not really relevant in the world today. So then if we compare the various Trojans we are actually seeing, backdoor Trojans used to be pretty much all the Trojans we knew. And there were some password-stealing Trojans, mostly for Unix or Novell logins, but those were never really widely distributed. They were most likely being used in one single case, directly written by the attacker and then forgotten about. And now we have seen a major increase in password-stealing Trojans that in many cases just take the information and send it to some site on the internet, dumping it in some directories. At the end, if there is time left, I can actually show some screenshots of what one of those dump sites really looks like. The downloaders are something that we came across fairly recently. A downloader is a special type of Trojan that basically just connects to pre-programmed websites and downloads, normally, various Trojans, some adware, some spyware. And those downloaders are what you will normally be seeing in your daily email.
If someone sends you some file, Rezip.exe, and it's a small file, then normally this is not the Trojan itself, but just some downloader that then goes and downloads the real Trojans. Some of those downloaders are really excessive, downloading like 20 or 50 different applications and trying to install them all at once. And then you can only hope that your machine survives. We've seen a fairly dramatic increase in some of those areas from 1997 to 2006. And the number of password stealers is one of the areas where we currently see the biggest growth. And I expect this to continue over the next years. If you take a little better look at the different kinds of password stealers, then there's something really strange. Like, well, most of the password stealers are actually targeting banks. And yeah, you would think that is fairly obvious. A bank makes a good target. I mean, people use their computers for online banking. And currently there is an arms race between people writing password-stealing Trojans targeting banking sites and the banks creating new security mechanisms that make it more difficult for Trojans to capture your credentials. Like, one of the latest developments is, if you're trying to log in, you will actually receive an SMS with additional credentials, with a transaction number that you then have to put in online, to make it impossible for someone with a Trojan to steal all the credentials that you really need. Most banks are not as advanced as this. And especially in the US, many banks still rely on username and password or username and PIN. And once you've got that, you're free to do everything with the money you found. Then we're seeing a lot of various other Trojans, and actually a fair number of Trojans do target online games.
Especially in Eastern Europe and China, there are many different Trojans that target specific online games, and also credentials for games like World of Warcraft and such are highly sought after. And if you take a look around, people sell World of Warcraft characters. They sell items from World of Warcraft or gold from World of Warcraft for real money. They used to sell that on eBay, where an especially good character was worth 1,000 euro. And so, yes, that is another interesting target for people. And most people may be more suspicious about something running in the background if they do some online banking, but just to log into your World of Warcraft account, most people probably don't think that they could be attacked at that time. So that was something that really struck me as odd, that people target online games in such a big way. What I'm having here now is some real data that was provided to me by one customer who's running a company with something between 20 and 60,000 nodes. Actually, I got several different reports, but they are so difficult to compare, as there are so many factors that determine what is actually found. So, well, in the last 18 months of detection, the first two detections actually were mass-mailers, with one of the mass-mailers being detected 8 million and some 100,000 times. Then, well, the next mass-mailer, then there is one adware, a mass-mailer again, and then we're already seeing Generic Malware.a.zip. That is actually a generic detection for us for new Trojans. And, well, Trojans do not replicate by themselves. So if you have a company with between 20 and 60,000 machines and you do detect some Trojan in total 200 and some thousand times, that may give you a little bit of an idea of how big the current problem with Trojans really is. Then the next detection, New Malware.j, as a Trojan as well, is actually a newer detection.
And then, interestingly enough, there's a real virus, a parasitic virus that infects other files. And it has, well, got some stealth functionality, uses some rootkit functionality. And it actually also has got a downloader capability, so that virus will also try to connect to the Internet and download additional files onto your machine. So that was kind of interesting to see, again, a real parasitic virus spreading through networks. I haven't seen that for quite some time. And, well, then there are some other Trojans and some viruses to follow later. And then from the same detection list, I've checked only the time from the beginning of 2007 to, I think, three weeks ago. And, well, now the picture suddenly looks somewhat different. Mass-mailers? No. There is no mass-mailer in the top ten right now in that company, and actually not even worldwide. So now the top detections. The first one was New Malware.j, which amounted to nearly half of the entire detections of things they had. New Malware.j is, as I said, also a heuristic-driven detection for new Trojans that so far were unknown to us. Then there is that virus that I mentioned. And then after that, place number four is a Trojan. And place number five and place number six are actually downloaders. And those two downloaders are pretty much straightforward: go and download and install some new Trojan package onto your machine. So this gives a fairly good indication of how the picture has changed over the last couple of months. Yeah, then some questions that come to mind. So where are all those bots that everyone is talking about? Well, for one thing, this was real detection inside a corporate network, and bots do have a hard time getting in there. But, well, some actually do. And in the total list of things detected there were like four dozen different bots: SDBots, scow bots, Spybots, and some other things.
But most of them only a very small number of times, most of them not even 20 times, compared to the 200,000 times that some Trojans were actually detected. One of the main reasons for that is it doesn't make sense for people to write a worm or a bot that spreads totally uncontrolled all over the place. People will notice and they will take countermeasures. People figured out they can profit more if something new just spreads for a limited time and then stops spreading and just makes a machine available for them. And then there were also some fun detections. In the log, there were actually some old-style DOS boot sector viruses that were still detected in 2007. Then some utility, which actually is detected as a potentially unwanted program, PsKill, and I asked the guy, they are not using it internally. So I wonder what 1,000 people inside the company actually want to do with such a utility. And then the strangest thing was 544 detections of SymbOS/CommWarrior. I have no idea how that got into their logs. I mean, it's something that infects mobile phones and shouldn't be on normal computers. So I wonder if there was some idiot that tried to download it and the virus scanner took it away and he tried to download it again, or something like that. It could be that, if laptops have Bluetooth turned on, that would at least be one explanation. Otherwise, that left me completely startled. Okay, thanks for that. Well, the trends at the moment are fairly obvious. We're still seeing a major increase in viruses and Trojans and expect this to continue for quite some time. And then also, like 85% of all the emails that actually hit corporate networks are currently considered spam. And if you look at the amount of email that is then real spam, I mean spam where someone actually tries to sell you some drugs or a longer penis or whatever they try to sell you.
And emails generated by Trojans to incite people to download malware, depending on the region in the world where you are, it's actually something like 50-50. So quite a lot of the email worldwide at the moment is being created just to distribute Trojans to other people. One of the main reasons behind that is that we have seen money as the driving factor to develop malware and also to run malware. When you own a botnet, there are a number of ways you can really make a lot of money. And most people are talking about renting those botnets out to spammers or renting them out to run distributed denial of service attacks. Yes, you can make money with that, but not really much. It's a couple of thousand dollars we're talking about in this case. Those people that really do make money with that are using their botnet, the machines they are controlling, to go to their own website, downloading and installing adware. They are getting, depending on where that machine is located, something between 5 cents and 50 cents per installation. And, well, if you've got a 100,000 machine botnet where you install, say, five different pieces of adware on all of the machines, yes, that's some serious money. That could be a couple of hundred thousand dollars. So that is why people also try to control those machines for as long a time as possible, using whatever means possible to have neither a user nor antivirus software nor some other security mechanism detect that something is wrong with that machine, just so that they can make money out of your machine for a longer time. Here's a short overview of the current price of a couple of items available on certain sites. So, as you can see, credit cards at the moment are fairly cheap, because there are so many password-stealing Trojans, so many keylogging Trojans that actually steal that data, that there are enough credit cards out there for everyone.
They are being sold in, like, a batch of 1,000 credit cards for 4,000 dollars, and that is with that super secure three-digit verification code on the back. Because, well, if the Trojan is on your machine, you log into your whatever account and then you're asked to type that number in. Yes, of course, that Trojan is capturing that information. I don't even know why people still stick to that as a security feature. And, well, some governments apparently have very big budgets of 200,000 euros to develop Trojans. Some other people offer Trojans for much, much less. If someone wants to become a criminal and use a Trojan to control some people's machines, steal their data and sell their banking account information or something else, and he's too dumb to program, then he can just go and buy a complete, fully-featured Trojan package. This is probably a little bit difficult to read, but that is, like, the basic spider package that you can buy for 650 US dollars. And that already contains various ways to leak data around firewalls, an FTP server, a keylogger, an implementation of WebMonkey Keeper League, various direct attacks against a couple of banking sites. And this Trojan is, like, one year old. The current Trojans offer even more, cheaper, but I didn't really want to give you the information on a website where you can download them. You need Google for that, at least 10 seconds. If you need more than a minute, then you need some Google training. There are so many sites that offer similar malware for download to anyone. And then there is, well, currently a fairly new trend of how to get malware onto people's machines. Typically, people used to, like, send you an email with maybe an interesting attachment, maybe an interesting text message with some attachment, where they would ask you to, like, double-click on that attachment and then something would install.
Then the next step was the attachment was much smaller, but they still asked you to double-click on it. And that's then a downloader that goes to some place and downloads the real Trojan package. And now people figured out, well, most of those emails, they don't get through. They're being blocked. In many companies, email is checked for viruses, then it's checked again for spam, and then there may be additional checks for phishing, et cetera. And if someone just uses the web browser and goes there, there is nearly no check done in most companies nowadays. So what people are doing now is they just send you an email with some link where you then have to click on the link, or they tell you you have to take that link and copy and paste it into your web browser for security reasons. And then they take you to some website. So, well, surfing to websites at first glance sounds not really that dangerous, but we have also seen a lot of 0-days being used on those websites to then actually attack people browsing there automatically. And there are also a couple of automated packages that are currently being heavily used. With such a package, MPack is currently probably the most misused one, an attacker just has to insert an iframe link into some website he hacked into, or had another way to put that iframe into. And that iframe points to the server where the MPack part is really running. The MPack toolkit will then check what kind of browser is connecting, what operating system, what versions, and then it will choose an exploit that is likely to succeed. So, if they see, oh, he's running QuickTime, then you're being served a QuickTime exploit. And if that is successful, then again a downloader will be installed. It will download again and the game starts from there.
We have seen massive attacks using MPack over the last couple of months, and there are also now some other packs that work in a similar fashion, IcePack and some others. So, also in the cybercrime scene, people are basically copying each other's ideas. Some of the banking Trojans we are seeing are taking a big effort to make themselves invisible on the system and grabbing the information that you enter on a banking site. Most of them are actually installing themselves as a browser helper object, and that also means such a Trojan has, all the time, access to all the information that you're sending with the web browser. So, even if you have a secure SSL connection to your banking website and you think, well, I'm secure, nothing can happen here, the Trojan itself still has complete access to all the information and will grab it and send it out. Some Trojans then go so far as to actually intercept the first time you try to do something with your bank services, and only the second time is successful, and normally those Trojans are also taking a screenshot of the entire site that the user is currently seeing, and then also screenshots of the area around every single mouse click, to make it easier for them to get around some other new security schemes. So then, how do people actually succeed in making Trojans difficult or not detectable by antivirus software? Well, there's a lot of money involved, so people do spend the time to create the Trojans and modify the Trojans in such a way that the current version of a pure signature-based antivirus scanner simply doesn't detect it. To do that has become very easy for an attacker. For one thing, all the current virus scanners with all the latest signatures are available, well, more or less free to download.
So it's easy for the attacker to have all the current versions of the various antivirus scanners, and then he just needs to change the Trojan so it's not detected. Well, that actually does take quite a lot of skill, but as most people aren't skilled, well, there is another way to do that. There are various runtime packers that are just there to make something look different so that it's not detected by the current version of a virus scanner. There are various packages that you can download whose only purpose is to make something very difficult to debug and very difficult for a virus scanner to actually look under, and we've seen cases where several different packers have been applied after each other. I think as many as eight different packers have been used to hide something. Well, and at this time, I actually hand over to Dirk, who will now go into more technical details about all this.

Yes, thank you, Toralv. Yeah, all the packers are giving me a hard time, so I'm one of the researchers from McAfee working on customer escalations and creating signatures for our AV products. The problem with all these packers is that you can apply several packers quite fast to a file, to your sample, to your Trojan, and you don't have to recompile, change your source code, or do any modifications to it, so it's quite easy for them to produce new malware within seconds. A few samples. This one is Downloader-AAP, which is quite popular in Germany. Toralv has been talking about the Bundestrojaner. So this one was one of the emails that was sent out pretending to be sent from the police. And attached was a zip file, inside the zip file an executable, which was the downloader AAP. Once the user clicked on it, first the files got downloaded, other files for spying on the user, stealing passwords, information, and other stuff from their local machine. Actually, after the double-click, the Trojan just downloads a small text file.
This text file contains encrypted URLs, as you can see in the first part. It's simply XORed with two. So once you decode them, you can see on the blue screen the real download URLs. These files, as in this case, downloader SPI-HNBA, excuse me, which is just a dropper for a file IPv6, and this is a browser helper object focusing on user credentials for German financial institutes. Finally, this Trojan just sends out an email back to the attacker, where the information which got stolen is listed. So in this case, for each victim, the attacker gets one email report, and it's not that easy to parse for him. So another example, the MeSpam Trojan. This hooks on Winsock, and whenever the user sends out an email or uses instant messaging, like AOL, Yahoo, or ICQ, it adds a link to the message of the user. So for example, if you're chatting with one of your friends and you receive a link from within his message, you're likely to click on the link because you trust him. So this is one of the nasty ways this Trojan infects other people. Excuse me. This Trojan has quite a nice statistics page, a command and control page, where you can see statistics on which way of propagation is successful. Split up by spam. You're okay? Yeah. Okay. Or email, ICQ; it can even add links to the content that you add to web forums. So you just post whatever you like, and if you just go back afterwards to the page and have a look again, then you will see that another link got added to the post you just did. Additionally, you can see here some information on where the victims are. In this case, many of them are in Germany. On this web page you can easily configure which files should be downloaded by the Trojan. So it's quite easy for an attacker to coordinate his files, to publish new versions. They get updated, so the Trojan downloads another version, deletes the old one. Another way to escape detection by AV products. And even nice statistics are served by the command and control page.
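The "XORed with two" URL list Dirk describes is the kind of thing an analyst decodes by hand in a hex editor; the script below does the same job and, when the key is not known, brute-forces the single byte. This is an added example written for this page, not code from the talk or from McAfee. The config blob, the hostnames (reserved `.invalid` placeholders) and the CRLF layout are constructed here, and the brute-force helper assumes the decoded file contains URL text that a regular expression can recognise.

```python
"""Decode a downloader's single-byte-XOR URL list (added example).

The talk describes a downloader that fetches a small text file whose URLs
are simply XORed with the byte value 2.  Everything below is constructed
for this example; the hostnames are placeholders, not real download sites.
"""
from __future__ import annotations

import re

XOR_KEY = 2  # the key the talk describes for this downloader

# Something that looks like a URL once the blob is decoded.
URL_RE = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]+")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    return bytes(b ^ (key & 0xFF) for b in data)


def decode_url_list(blob: bytes, key: int = XOR_KEY) -> list[str]:
    """Decode the config blob and return its non-empty lines as URLs."""
    plain = xor_bytes(blob, key).decode("latin-1")
    return [line.strip() for line in plain.splitlines() if line.strip()]


def recover_single_byte_xor(blob: bytes) -> tuple[int, list[str]] | None:
    """Brute-force all 256 keys when the key is unknown.

    Returns (key, urls) for the key whose output contains the most URL-like
    strings, or None if no key yields any.  A wrong key turns 'http://' into
    bytes the URL regex does not match, so only the real key scores.
    """
    best: tuple[int, list[str]] | None = None
    for key in range(256):
        decoded = xor_bytes(blob, key)
        hits = [m.group(0).decode("latin-1") for m in URL_RE.finditer(decoded)]
        if hits and (best is None or len(hits) > len(best[1])):
            best = (key, hits)
    return best


# Constructed sample: two placeholder URLs, CRLF-separated, XORed with 2.
SAMPLE_URLS = [
    "http://dl1.example.invalid/update.exe",
    "http://dl2.example.invalid/pws.exe",
]
SAMPLE_CONFIG = xor_bytes("\r\n".join(SAMPLE_URLS).encode("ascii") + b"\r\n", XOR_KEY)

if __name__ == "__main__":
    print("known key  :", decode_url_list(SAMPLE_CONFIG))
    print("brute force:", recover_single_byte_xor(SAMPLE_CONFIG))
```

Feed a real config file's bytes to `recover_single_byte_xor` and it returns the key together with the URLs it found; `decode_url_list` is the fast path once the family's key is known, as it was here.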
So you get an overview of how successful your attack was. So in this case, on this page, you can even see what kind of message should get appended. Either appended or prepended. In this case, it's only a URL. You can also add some other text messages. You can specify text messages for each country. So if it's in Germany, you'll probably like to have a German text. In the United States, you can take an English text, or wherever else. So it can be configured for each country separately. This was a nice analysis from François Pagé and Elodie Granger. This was a Trojan, a password-stealing Trojan, more the old-fashioned way, where all the stolen data gets posted to an FTP server. Each computer has a unique file name, a unique folder name within its own country. So when the user gets infected, the further files get downloaded. It's a little different. A GeoIP site is used to determine where the victim is. So the reports get sorted on the FTP server in the corresponding folders. In this case, you can see here the folder of France with a few victims. About 400 in this case. In France, when this Trojan came out, it was about the time when they had to do the income tax online. So the stolen data were quite... interesting. Interesting. It shouldn't be on the server, publicly available for the bad guys. We tried our best to work together with the federal departments in France to get the server down and to protect the victims. This is an overview of where the victims are. So it's spread all over Europe. Not only in France, so it's not targeted at a specific country. We used the IP addresses to draw the plots on the map. But it's not only in Europe, it's also in North America and even in Asia Pacific. So all around the world. And this Trojan wasn't up for a long time, I think. Probably two weeks. So this was a snapshot after two weeks. And yeah, quite a few people around the world.
Another story that I've been working on recently was the Nuwar/Zhelatin postcards. I guess you've all seen those emails. This one just arrived yesterday in my email box. It's a standard spam text. And if you click on the link, no, you don't get to a postcard, you get to a Trojan. And so I had a look at the Trojan in my honeynet. And this Trojan connects to other bots on the net. So they're using a peer-to-peer protocol, which may look like the eDonkey protocol, but actually it's not a complete implementation of the eDonkey protocol. Maybe likewise. I noticed some interesting UDP packets coming in. As you can see at the bottom, this one is now looking for a file called 24942.mpg with a file size of around 70K. Well, 70K for a movie file. Now I think that the content is something different. And I'm not only looking for that number or that file size, so there are different packets coming in. These are usually search requests where they're looking for further information, so the botnet is updating itself. I'm still working on that, so I don't have a full overview of the protocol and how it's working. But you can also see other packets like this one. This one contains some more data. The size of this is more than 234 bytes in the UDP packet. Several other packets are exchanged, and I assume that's the way the bots get controlled and how they receive their commands. Those are able to send out emails, spam emails. They can also do denial of service attacks. So while doing this I suddenly noticed in my honeypot that there were quite a few emails coming in, and I wasn't expecting them. So I had a closer look at them and... Okay, you can't read anything. Sorry. So these... We saw in the last days many spam emails containing a zip archive attached. And if you open this archive, inside you find a RAR archive. So only the file name, the attached file name, was named zip; inside was actually a RAR archive.
Once you unpack that archive you get to a simple pump-and-dump spam message saying you should buy some stocks. Another look in the hex editor shows you there's a big amount of carriage return line feeds to disguise the... to separate the spam message from some bogus text at the bottom. And there are two different types which just got generated in my honeynet within, I think, about two or three minutes. And so a few of them had about 80K, the zip attachments. Others were rather short. In this case the same thing. Another RAR archive in a file named something.zip, and inside the same spam message and the same line breaks to separate it from the bogus text at the bottom. So I'm still working on researching the protocol and learning more about this Trojan, and maybe I'm able soon to monitor the spam tasks or even the denial of service tasks to take countermeasures in time and to let other people know. So that's what I'm currently working on. If someone has some experience with this Trojan or with the protocol it uses, please contact me after the presentation. And I'd like to give back to Toralv.

Thank you. For the various types of attack we've seen. Well, actually, getting back to that Nuwar: that outbreak, as Dirk mentioned, happened basically just yesterday. The Nuwar, those viruses, or well, those Trojans, are using some kind of peer-to-peer net to update themselves. But we've also seen the latest, really heavy spam wave being initiated by those Trojans. So if you've got an email with an empty subject, empty message body, and then some attachment that is supposed to be a zip, but if you just have WinZip installed and not WinRAR, it will just throw an error. Then this is actually something that you have in your very inbox, where someone infected with such a Trojan actually then sent you that email.
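Both speakers describe the same giveaway in that spam wave: an attachment named .zip whose bytes are really a RAR archive, and a body padded with a long run of CRLFs so the bogus text sits far below the stock pitch. The script below turns those two observations into mail-gateway triage checks. It is an added example written for this page, not code from the talk or from McAfee; the attachment bytes are constructed (an archive signature plus zero padding, not a real archive), the message texts are made up, and the CRLF threshold of 50 is an assumed tuning value.

```python
"""Triage a mail attachment by its bytes, not its name (added example).

Two checks from the talk's description of the Nuwar spam wave:
(1) a *.zip attachment whose leading bytes are the RAR signature, and
(2) a message body padded with a long run of CRLFs before bogus text.
All sample bytes and text below are constructed for this example.
"""
import re

# Archive signatures (magic bytes) at offset 0.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar",      # RAR 1.5 - 4.x
    b"Rar!\x1a\x07\x01\x00": "rar",  # RAR 5.x
}

CRLF_RUN_RE = re.compile(rb"(?:\r\n)+")


def detect_archive_type(data: bytes) -> str:
    """Identify the archive format from its leading bytes."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one archive type and the bytes say another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = detect_archive_type(data)
    return kind != "unknown" and kind != ext


def longest_crlf_run(body: bytes) -> int:
    """Length, in CRLF pairs, of the longest run of consecutive line breaks."""
    return max((len(m.group(0)) // 2 for m in CRLF_RUN_RE.finditer(body)), default=0)


def triage_attachment(filename: str, data: bytes, body: bytes,
                      crlf_threshold: int = 50) -> dict:
    """Combine both checks into one verdict for a mail attachment."""
    mismatch = extension_mismatch(filename, data)
    run = longest_crlf_run(body)
    return {
        "archive": detect_archive_type(data),
        "extension_mismatch": mismatch,
        "crlf_run": run,
        "suspicious": mismatch or run >= crlf_threshold,
    }


# Constructed samples: signature bytes only, no real archive content.
DISGUISED_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 24
PLAIN_ZIP = b"PK\x03\x04" + b"\x00" * 26
PUMP_AND_DUMP = (b"Buy XYZ stock today, it will triple!" + b"\r\n" * 200
                 + b"meeting notes from tuesday attached")
ORDINARY_MAIL = b"Hi,\r\nplease find the report attached.\r\n"

if __name__ == "__main__":
    print(triage_attachment("postcard.zip", DISGUISED_RAR, PUMP_AND_DUMP))
    print(triage_attachment("report.zip", PLAIN_ZIP, ORDINARY_MAIL))
```

The magic-byte check is the durable part: a gateway that trusts the extension will hand the file to its zip parser, get an error, and may pass the mail through, which is exactly what the WinZip-versus-WinRAR remark above describes on the desktop side.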
For a short wrap-up of the different types of attacks that we are seeing to get users, to get machines infected: there are two very different techniques. One thing is brute force with as much high tech as possible. Brute force, where people browse a web page, the browser gets exploited, or something else is getting exploited on the machine, something is installed and takes control. We have seen a couple of targeted attacks where, in cases related to corporate espionage, handcrafted documents with 0-day exploits inside office applications have been sent to people to directly install a Trojan on their machine, and very often those attacks are combined with a very high social engineering factor, creating for example an email that looks as convincing as possible: you have been added by your friend to this and that email list, please confirm; there is that very great website I found; or simply offering you free porn, free downloads, the stuff that everyone normally likes. And we have recently seen that there is also a trend to go in the other direction, where there is no exploit at all involved. One example is an interesting looking email with some generic text, and then you've got a document with more information in it. When you open the document, yeah, it opens fine, there's no macro, there is no macro code, there is nothing wrong with that document, and then somewhere inside the document is "click here on this icon to learn more about that", and well, if you click on that icon then it is a simple, normal Trojan or downloader that is just embedded inside that Word document. So this actually goes past a couple of technical defenses that people have put inside their networks. Now things like intrusion prevention systems have become common, people are suspicious when someone sends them a document by email and that document then triggers the email warning, so the attack simply avoids all those technical mechanisms by writing something as low-tech as possible and just leaving everything else to the user. And actually this is fairly successful at the moment, as right now everyone is looking for something that tries to exploit his machine, attack his machine, or attack him directly.

Another thing that we have seen lately is you receive, either as a link or directly as an attachment, some kind of media file, and many people still think media files, yeah, that's kind of harmless. The JPEG exploit like two years ago changed that a little bit, but most people think that's okay, I can double-click on that, or they try to play safe and save it to disk and load it from there, and then they get an error message like there is some codec missing to display this file. So they go and search for that codec and install it, and then actually the codec is the Trojan that then takes control over the machine. That's another attack that we've seen used quite a lot in the last couple of months, really.

Then for some other technology: we were expecting to see much more rootkit functionality in Trojans. Well, there is a rising number of rootkits for the Windows 32-bit world, and there are quite some systems that are actually affected by some Trojans, but we have not seen rootkits being used so far as much as we had expected. Most Trojans nowadays still don't have a real rootkit component, but the number that has it is increasing. It has now become at least fairly common that a Trojan also installs some rootkit to defend itself, to make detection and removal more difficult, and then actually both detecting and removing that Trojan really requires two steps. The first one is to detect the rootkit itself; normally, before you detect that and disable that, there is, well, not really much you can do with a Trojan. So that is then the first step, that the rootkit must be disabled and removed; the second one then would actually be to remove the very Trojan itself. Actually, I am not quite sure why people really would want to remove a Trojan. Personally, if my machine were infected by a Trojan that offers some full remote control power over my computer, I would never trust that computer again and simply reinstall from scratch. But there may be two different things that should be taken into consideration. For one thing, the availability of an operating system and everything else to recover from that situation: you may be travelling somewhere and you may not have your installations with you. And we have seen another thing that affects that. Well, I have talked about that one virus that uses rootkit functionality and also downloads stuff. If that has spread to, say, 500 machines in your organization and you suddenly have 500 computers to set up again, that is quite a lengthy and quite expensive task. So that may be another instance where you may actually decide, well, detection and removal may be the better way to go. But, well, that is really up to every single case. One thing that we actually did release last week is a free tool to actually detect and remove rootkits. At the moment, especially as it is fairly new and rootkit authors didn't have the time to come up with something to fend that off, Rootkit Detective is extremely effective. So that is maybe something that you want to download and try out. Actually, the author of that one is around here at DEF CON, so if you want to talk to him about that, that can probably be arranged.

Then for the last thing that we have seen change a lot: the communication of the Trojans with the various command and control servers. One year ago, 99.999% of that command and control communication used to be over the IRC protocol, fairly often over public IRC servers, sometimes over private IRC servers configured to run on port 80 or port 22 or port 443, ports very likely to just let that traffic through. We have seen a shift there, that now many of those Trojans are actually
using pure html and also other increasingly other protocols sometimes encrypted to deliver the information from the trojanized machine to the command and control server and vice versa well alright so then I've come to the end of this presentation itself I'll also start a quick demo of one of those control and command servers if there are any questions we will still be here like 2-3 minutes and then we move on to the question and answers room which is like I think directly it's on the other side of that hall so this is another command and control page we just have a small walkthrough as I mentioned before some trojans are just sending emails with all the captured data others just uploading files to an ftp server and someone has to grab all the files which is not very convenient and if you have a large database it takes some time to download all the stuff and to get the updates in this case you have a nice web front end where you can define different kinds of plugins that can be applied to the trojan you can like this you can see an IE grabber, certificate grabber so even certificates from your machine get stolen and get uploaded to the page it's not only working for internet explorer even plugins for firefox are available on this nice overview about countries which are infected by this trojan although they have to work on the statistics, 118% that's a bit much they also offer they also offer socks proxies you can choose the country choose one of the wake terms and we'll get checked online if they are ready and then you get the IP address and the port number and you can do it for relaying but more interesting is the search function so you just enter on the web page what you're looking for like bank information, click on do search and then you get a report of the victims and the stolen data you can click on each of the victims and get separated reports online or you have been visiting for each of the victims you can specify your own profile saying which applications 
or which plugins should be applied just select one of the links and so finally you can even select for request information for big range and then click on the save to disk option in this case all the data will get stored in one zip on the FTP server or on the server where this command control page is located so you just need to download a single file which is pretty convenient saves you a lot of time so we are running out of time well actually we are finished now so thanks a lot for your time I hope you could try out something else please