Okay, everyone. Welcome to Malware Freak Show 2. So here's the agenda for you. We're not going to really walk through, you know, each bullet by bullet, but just one thing to note is that this is a continuation from a talk that we did last year at DEF CON 17. And we wanted to dig a lot deeper and expand it to some various different classes of malware, but also show you some new things that are going on in the world of malware development. So we're going to spend a lot of our time during this presentation during the sample analysis. So just keep in mind, so there's going to be a lot of demos. We have four demos for you this year. It's a little bit about us. I'm Nick Percoco. I'm the Senior Vice President, head of SpiderLabs at Trustwave. I have around 15 years experience in information security. I built and lead the SpiderLabs team at Trustwave. Some of my areas of interest are targeted malware, attack prevention, mobile devices, but really from a business and social impact standpoint. And this is Jibran. Hi, I'm Jibran Ilyas. I have been in this industry for about eight years. I recently got my master's from Northwestern University. And when I'm not doing work, I'm actually doing work, which is anti-forensics, artifact analysis, and real-time defense. So turn it over to Nick. Sure. So to go over the introduction here, so basically, we had a very busy year. As a team, we visited over 200 environments, 200 incidents, and that spanned about 24 different countries. We had hundreds of samples to pick from. And we worked together to pick what we thought were the most interesting pieces of malware that we saw in the last 12 months and present those to you here today. So we have some new targets. And so if anybody attended the talk last year, we talked about the target environment, showed you how the environments work from a technical standpoint.
We're going to fast-forward a little bit past that and really describe just the environment at a high level and spend a lot of the time focusing on the malware itself. And with the new targets, we have a sports bar in Miami, an online adult toy store, an international VoIP provider, and a U.S. defense contractor. So one thing to note that we realized during the preparations of this talk is that malware developers were very busy over the last 12 months updating and making enhancements and making changes to the malware that they had been developing. Really, it's many improvements they made to avoid mistakes, and we're going to go into those in detail in this presentation. But we were really chatting and thought maybe they saw our Freak Show last year. We pointed out some flaws and they seem to have improved them over the last year. So what is a Malware Freak Show? Basically the bottom line question is sort of answered there, but basically we have access to breached environments. Now these are actual environments that were confirmed breaches. Very important information, very valuable information, very valuable data was taken out of these environments using malware. And so really historically the smash and grab was used, where the attacker would break into a website or break into a physical location and steal data. They'd just take the data and run off with it. Today they don't do that very often anymore. What we found is that they spend an average of 156 days within these environments. So this means that they hack into an e-commerce site and they'll be on that e-commerce server and in their database for an average of 156 days before someone catches them. So that's something really, really important to keep in mind. Also when they're in that system they have a lot of time to explore. And so they run into business systems, systems that are not the run-of-the-mill system.
They're custom developed and they have a lot of time to develop their malware and craft them to target those specific environments. And that sort of leads to the next bullet there, which is that custom and targeted malware is now the norm. It's not the exception. I think when we were doing cases, so if you've been investigating cases like five years ago, smash and grab was the norm. And then we started seeing things ramp up. And nowadays when we go out into the field it's basically every single case has malware involved with it in some form or fashion. So basically the reason we're doing this freak show is basically to gather information, perform analysis on each piece of malware, and then the real benefit is to learn about the sophistication of the authors and learn about the sophistication of the current threats. And so the bottom line goal there is to rethink the way we alert, detect and defend in these environments. So what I'm going to walk through before we get into the demo is I think it's important to walk through what we feel is sort of the anatomy of a successful malware attack. Now what we did is we took a look at the malware that we saw that was successful in the last 24 months and sort of came up with sort of a blueprint. Like if you were to sit down and decide, I'm going to write a piece of malware and I want it to be successful, not just make a lot of noise and crash things and have a lot of bells and whistles go off, but you want to have something that's a targeted, custom piece of malware that's going to be highly successful in getting data out of an environment. We put together sort of the steps here that we thought were what the malware authors were actually using. So we're going to go through each of these steps here. So step one, the authors have to identify a target, and so you're not just going to sit down and write a piece of malware with no target in mind. And so there's a lot of information out there.
There's intellectual property, there's bank account information, there's PII information, there's HIPAA information, there's a lot of information out there that attackers could focus on. But in the real world, or in anything, the end goal is for someone to get money, right? You're not just going to write a piece of malware and unleash it. You may, but a lot of the cyber criminals in the organized crime groups want the cash. They want to get cash in the end. So the two big focuses that we see are credit card data, that's one piece of data they're looking for, and then also ATM and debit card data. Now in the credit card world, in the credit card data world, the data exists in clear text in many locations and environments. It's not supposed to be in the clear in all environments after it's been used, but we often find it is, and we'll talk a little bit more about why that is. But basically the cash itself, you sort of see this chain that's on the screen there, that's sort of what I sort of call the malware food chain. And basically the cash is at the end, right? So when you have track data, which is the data that's stored on the back of your credit card, when you have that data in your possession, you can go and clone a card. You then can go and commit some sort of fraud, right? You go to a store, you buy a plasma TV. You now have a plasma TV in your hands that you bought with a stolen credit card. But then you have to, you could either use that for your own use, but in most cases they want to get cash. So then they have to go and sell those goods to somebody else to collect the cash. In the ATM and debit card world, the data looks very, very similar. There's PINs that are associated with ATM cards, but the data itself is basically identical. But the cash is much closer to the criminals. They get a hold of ATM card numbers and PIN numbers and they can go to a machine and take out the cash. They don't have to find a buyer for that.
And so we hear about large organized crime groups who go and they'll hit a large number of ATM machines all at the same time. And they'll literally suck cash out of those machines and now they have that cash. No one could, they don't have to worry about going on the street and finding a buyer. They have that cash and they can move on to their next operation. So that's where you identify the target. So it may be a bank, an ATM network, or an organization that takes credit card information, maybe your target. Now developing the malware, so really we break these things down into sort of the big three. These three functions are basically going to help you obtain the data in the most efficient way. So a keystroke logger, a network sniffer, and a memory dumper. And so we're going to go through those. I'm not going to talk in detail about what those are, because when Jibran does some of the demos, we're going to touch on the network sniffer and the memory dumper. Everybody here probably knows what a keystroke logger is. It records keystrokes, but the attackers are using this in a little bit different way. And so I'll just touch on that real briefly, is that when the data itself is being inputted into a system, the data itself is being inputted via a keyboard type device, a swipe device. If anybody ate here at one of the coffee shops or someplace and you saw them swipe your card, that data is actually being inputted into a system just like it would if you typed it in. It's just being read right off the mag stripe and inputted into the system. Nothing really special is going on. And so then we also sort of have the disk parser with a question mark. We often don't see that. Now there is data sometimes stored in the system, but it would just be easier to take the file and leave. The persistent types of attacks are going to use things that are going to try to access data when it's being used in an active state.
If you think of a system that is obtaining data encrypted, it's releasing data encrypted, it's storing data encrypted, what's the better way of obtaining that data than through things when it's either on the network in the clear, if it's in the memory in the clear, or being entered into the system in the clear. Some other design considerations, naming convention. blahblahblah.exe is not the best name to use if you're trying to be stealthy in an environment. If you choose something like svchost.exe, that's much better. Most IT administrators that are looking at their Task Manager are not going to notice that as something out of the ordinary. Also, slow and steady wins the race. The attackers and the attacks using malware that we see are very successful. They don't jump in there and make a lot of noise and start doing a lot of damage. They're going to stick around for a while. The malware is going to run and just collect data and siphon that out of the environment. And then of course, persistency. When they reboot a box, you don't want to have to reinstall your malware. You want to be within that system and maintain persistence through many, many reboots. And then data storage as well. You've got to make sure that the data you're collecting is not going to fill the hard drive of the system. So here's step three. Basically infiltrating your victim. So we have a couple of different ways. You have basically the physical way, and we see these attacks. You walk up to a computer, you stick a USB key in and it basically puts the malware on the system. That's a physical way. The easy way that we often see is sort of remote desktop and default passwords. We see those all the time. Now the malware itself that's being installed has complex properties. The attack vector is very, very simple. It's something that should not be there, but we see that hundreds of times in many environments. And then you have the uber way. You have basically the 0-day.
We do see that from time to time, but in most cases the attackers are going to use vulnerabilities that are rather old. Things that have been around for a very long time and basically are available there for the attackers to take advantage of. Now finding the data. The software we found holds the secrets. If you're on a system, you're looking to find out where that data is stored within the environment. The Task Manager is a really good tool. You can see the processes that are very, very busy. That usually is the place where there's data being processed, and that's where you can then hook your memory dumpers into. And then the folders, the processes' folders, temp files. We still see those containing a lot of data. Configuration files that contain debug parameters. You turn the debug parameter on on a system and sure enough it starts logging all the activity that it's doing to the hard drive. It's typically there for someone to troubleshoot it, but it makes attackers' lives pretty, pretty easy. And then of course the wire. In most environments that we run into, even financial institutions, the data on a local network is often not encrypted. Now it's encrypted when it goes across the internet to other locations, but when it's on a local environment many organizations don't feel that it's important that they encrypt that data as it's being transmitted between systems. So that's a big place where you can find data. Then getting the loot out, basically once you try to get the data out of the environment, many, most of these environments have little to no egress filtering. So you don't have to worry about just trying to, you know, it's not just limited to say, you know, port 80 or 443. But that doesn't mean use 31337 as the port you use to send that data out. Don't reinvent the wheel. Use what's commonly available, common internet protocols. Because really the IT security professionals that are going to look at those firewall logs are going to look for freaks.
They're going to look for things that look out of the ordinary. If you're sending your data out of port 80, they're probably not going to notice it very quickly. The last step here, basically covering your tracks and obfuscation, we find this is rather, sometimes optional, right, from a successful malware attack. Like I said earlier, we found the average of these attacks lasted about 156 days. That's a long time for someone to be in the environment before someone noticed it. So being, you know, trying to be covert and trying to cover your tracks, not always extremely important, but it can help. Now, some notes though. Don't be clumsy. This is, you know, something to take away as far as what the successful malware writer has to put within their malware. Basically, you know, crashing systems, that's sort of bad. You know, filling up disk space is really bad. And, you know, filling up disk space, you know, you might get away with, because a lot of the clients that we see sometimes actually aid the attackers. We've seen an instance where, you know, the attackers were kind of filling up the disk space. And guess what the IT guys were doing? They're installing another terabyte hard drive. And then another one, and then another one. And, you know, that's not it. So when they, you know, spent enough money, like $300 on hard drives, they're like, yeah, let's delete the 2003 accounting data, 2004. And finally, they picked up the phone and said, hey, Trustwave, we need your help. So it's kind of a note there. Yeah, and then command prompts popping up. We've seen some malware that's poorly written, it does those types of things. That's just stupid, right? You have things popping up. We actually received a call from somebody who said, you know, I think there's something going on in our system. And it was because the mouse was moving around by itself. So you're making things obvious to the end user.
Even to someone who's not technical, that is not a good sign. But then you want to mess with the investigators and the cops, right? So you don't want to make things easy. MAC times, you're going to modify those to match the install dates of a lot of the utilities or the files that are in Win32. We're going to show you this. A lot of these new attributes here came into play in the last 12 months when they started doing these things. Obfuscating output, we're going to show you that in some of the new malware samples. Packing, basically, you know, packing the bag of tricks using packers. You don't have to pack the custom malware you wrote because AV is never going to detect it. But if you're bringing along some other utilities, you have to actually pack those in order to really, you know, be covert in some fashion. Basically, automating but randomizing events. And we're going to show you some things that are going on in some of the latest pieces of malware. But most of the malware writers today are basically lazy, right? So they're going to install this malware and they don't want to keep coming back. And so they want to watch a website or watch an FTP directory and just collect the data as it flows in after they've installed this malware in many, many environments. So, you know, randomizing those events can help avoid detection as well. And then rootkits. So that's one of the latest pieces we've even seen in this type of malware is they're getting away from executables and diving down into using rootkits. So now we're going to jump into some demos. And so, like I mentioned, we're going to spend a lot of time, you know, a big portion of the presentation in the demo aspect of it. So let's talk about this environment real quickly. This is the memory rootkit malware. We gave this guy the codename Captain Brain Drain. It is basically, you know, it looks like a normal Windows file name. You know, sort of they get the win for a file name choice.
It targets Windows platforms. Now the key features, I'm not going to talk about that because Jibran is going to demo all of those for you in a couple minutes. But then I'm going to talk a little bit about the environment. This was a Miami sports bar. It was an elite location and a lot of celebrities frequent that location. The IT operations was outsourced to a third party. This is not uncommon. Most organizations below normal enterprises outsource everything. And so they have really no ability to manage these systems themselves. So they're going to outsource it to another company. When we talked to the owner, we actually, we talked to them and asked them about security, about what they do with their systems. He basically said he was getting notices from his bank about online security and compliance and it basically gave him a headache. So he just basically tossed them in the garbage. He basically admitted that to us. And then the other sort of byproduct here is that the point of sale system was also the sports bar's DVR. It was also the DVR server. So if you ever wonder what goes on in a Miami sports bar after hours, you really don't want to know. If you sit in a bar and you see sort of this long, flat, hard, sturdy bar and you're sitting there having a drink and eating some food, your fry falls off the plate. The five second rule does not apply. So now we're going to jump into some demos. Alright. So everyone hearing me okay? In the back. Alright. So are you all ready for the demos? We've got about four demos and I want you to say yeah if you are ready for the demos. Are you ready for the demos? Am I ready for the demos? No. I've got to move this couple. Alright. So without further ado, let's go into the demos. Okay. So the first sample I have is, it's called the memory rootkit. So as Nick mentioned, you know, a lot of malware, you know, now that databases are getting encrypted, we can't really do just smash and grab.
So what attackers need to do now is basically maintain persistency in the system and they basically dump the memory where the data resides unencrypted. So you guys are very lucky, you guys are going to see an actual malware that is going to install itself as a rootkit and steal data from the memory. So without further ado, let's go on to it. Let's see, is the resolution okay? Yep, it's fine. Okay. So I'm going to go to the folder that has the memory rootkit malware. I call it memkit and let's actually see what samples it has. So it's got a loader.exe which is basically a file that loads the rootkit into the kernel. Then you've got Ram32.sys and actually, you know what, this demo is going to be really interactive. We really planned prizes for you guys but we lost all our money in blackjack last night, so the most we could do is give you a Twitter mention if you answer a question. So Ram32.sys, want to take a guess what this file could be? This is the actual rootkit that gets installed, and searcher.dll has the track data expressions and, you know, whatnot to enable it to search the data on the hard disk. So let's actually see what the loader.exe is all about. So I'm just going to run a strings command on loader.exe and I'm going to show you what it has. So as you can see the usage of this, the attackers, you know, they program really neatly too. So they have like a whole usage area in the program. I is to install the system driver. It must be in the current directory, so they're helping us out as well. R is to start and resume the capturing. So if you have the malware on the system, if you want to start, or, you know, there's an option right there. S is to stop the capturing and U obviously is to uninstall, and they also tell you, hey, it doesn't uninstall until you reboot, so pretty helpful there. Okay, so what we're going to do is just load this rootkit into our kernel. So as you can see, loader.exe, I just give it an I switch and it installs the Ram32 driver.
Now we want to run this and we want to start this, right. So loader.exe, so far so good. Alright, so now we're going to go to this Windows folder where the malware actually dumps the files. So I'm going to sort my files by date modified, you know, because the file should be created right now. As you can see, we don't see any files, so what I'm going to have to do, and actually I'm going to let you guys answer this. What do I need to do here? Show hidden files. Alright, you guys are on this. Okay, and I'm going to sort this by date modified again. Oh no. It's not the demo. There's one more thing that the malware has. Anyone wants to take a guess of what that could be? There you go. You're getting a Twitter mention. Alright, so we go to view again and we uncheck this box, Hide protected operating system files. We do that. It gives us a warning, but what the hell. Just go with it. Okay, so now we see a weird looking file. Can everyone see it? 7152 whatever the random digits are. And it's 0 KB right now. So why is it 0 KB right now? Because we haven't sent any data to the memory for the malware to attack. So I'm going to open this file in TextPad. Favorite text editor. Alright, are you part of the team? Okay, so right now there's no data there because in the memory we haven't processed any track data. So what I'm going to do is I am going to go to my pending payments folder. And I'm just going to open some checks. So these are basically the temporary files, like when you swipe your credit card at a bar, at a restaurant, at a hotel. These temporary files get created, but just for a very tiny, you know, maybe a millisecond, and then it goes to the database. Or it just goes to the memory and then to the application, to the database. So these are some files that I'm just going to load up in my memory just to kind of see what's out there. And basically in my old transactions I'm going to say, since we don't have a real point of sale program, I'm going to say all payments processed. Alright, cool.
Alright, so I saved this and now we go back to this file in TextPad. It's alerting us that, hey, some application has updated this file. Now we didn't write anything to the file, right, so it's got to be the malware that did the job. So we're going to reload it and here you go. So we see credit card numbers, the names, and this is basically the pattern of track data, track 1 data and track 2 data. Now this malware has an additional feature. Now a lot of the companies are investing in DLP software and credit card data scanners. Who can tell me what's wrong with the track data format here? So there's one really tiny thing that this malware does and it's a really neat feature. So if you see here in the first line, after these numbers, right before the tangent of star tangent, we see a percentage sign. In track 1 data format, in the real data, in the real file that I opened, we see a caret character. Now this is actually a big indicator for track 1 data and a lot of DLP software, they code this into them to be able to detect track 1 data. So what the malware is doing is replacing all the carets with a percentage sign, so if anyone's searching for track data they won't get it. And you guys might be wondering why people don't just search for cardholder data, and that's because a lot of times when you search for cardholder data you get a lot of false positives, a lot of noise. So a lot of people just search for track 1 and track 2 data. So that's one thing that they do, and then also if you look at the track 2 data, so in here there's an equals sign, right. So guess what the malware does to the equals sign. Damn right, they turn it into money. So that's basically how neat their output is. As you notice, my actual transaction file had a lot of other stuff, but when the malware runs and it searches memory for the data it basically parses out just the track data and it puts it in this neat format.
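The separator swap described in this demo (caret to percent sign in track 1, equals sign to dollar sign in track 2) is a detection problem worth seeing in code. The following is an added example written for this page, not code from the talk or from Trustwave. The dump lines are constructed, 4111111111111111 is a well-known test number rather than a real card, and the naive patterns are simplified stand-ins for the kind of signature a DLP product keys on. It shows why a scanner that matches on the literal separators misses the rotated output, and how a hardened pattern that accepts either separator, and reports which one it saw, catches both while a Luhn check drops the digit-run noise the speaker mentions.

```python
import re

# Constructed sample of the sort of text a memory-scraping dumper writes out.
# Lines 1-2: a track 1 and a track 2 record in the format they have in memory.
# Lines 3-4: the same records after the separator swap the talk describes
#            ('^' becomes '%' in track 1, '=' becomes '$' in track 2).
# Line 5:    a track 1 record whose PAN fails the Luhn check (noise).
# 4111111111111111 is a well-known test number, not a real card.
SAMPLE_DUMP = """\
%B4111111111111111^DOE/JOHN^25121011000000000000?
;4111111111111111=25121011000000000000?
%B4111111111111111%DOE/JOHN%25121011000000000000?
;4111111111111111$25121011000000000000?
%B4111111111111112^FAKE/LUHN^25121011000000000000?
"""

# Naive DLP-style patterns: they key on the literal '^' and '=' separators.
NAIVE_TRACK1 = re.compile(r"(?<!\d)(\d{13,19})\^[A-Z ./]{2,26}\^\d{7,}")
NAIVE_TRACK2 = re.compile(r"(?<!\d)(\d{13,19})=\d{7,}")

# Hardened patterns: accept the swapped separators (the same separator must
# appear on both sides of the name, enforced by the \2 backreference) and
# capture which one was used so the swap itself can be reported.
HARD_TRACK1 = re.compile(r"(?<!\d)(\d{13,19})([\^%])([A-Z ./]{2,26})\2(\d{7,})")
HARD_TRACK2 = re.compile(r"(?<!\d)(\d{13,19})([=$])(\d{7,})")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def naive_track_matches(text: str) -> list[str]:
    """PANs found by the naive patterns (what a simple scanner would see)."""
    pans = []
    for line in text.splitlines():
        for pat in (NAIVE_TRACK1, NAIVE_TRACK2):
            m = pat.search(line)
            if m:
                pans.append(m.group(1))
    return pans


def hardened_track_matches(text: str) -> list[tuple[str, str, bool]]:
    """(track, PAN, separators_swapped) for every Luhn-valid hit,
    with or without the separator substitution."""
    hits = []
    for line in text.splitlines():
        m = HARD_TRACK1.search(line)
        if m and luhn_ok(m.group(1)):
            hits.append(("track1", m.group(1), m.group(2) == "%"))
        m = HARD_TRACK2.search(line)
        if m and luhn_ok(m.group(1)):
            hits.append(("track2", m.group(1), m.group(2) == "$"))
    return hits


if __name__ == "__main__":
    print("naive:   ", naive_track_matches(SAMPLE_DUMP))
    for track, pan, swapped in hardened_track_matches(SAMPLE_DUMP):
        flag = "separators swapped" if swapped else "plain"
        print(f"hardened: {track} {pan[:6]}...{pan[-4:]} ({flag})")
```

Run against the constructed dump, the naive patterns see only the two unmodified records (plus the Luhn-invalid one), while the hardened patterns find all four real records and mark the two rewritten ones. The design point is to match on the structure of the record (PAN, name field, expiry and service-code digits) rather than on one byte the attacker controls, and to treat an unexpected separator as its own indicator of this family rather than as a reason to ignore the line.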
And the last feature of this malware that I want to demonstrate is that, as Nick mentioned, they don't want to come in every time and rotate the files themselves. So it has an automated feature, so what it does at about 10 a.m. every day is that it changes the file. So let me change the system time to 9:59 and I'm going to make it a.m. So right now we see the date modified 7/31 6:24. So right when the clock hits 10 o'clock this basically becomes 0 KB and the new time is 10 a.m. So any guess as to what happened to the data in this file? So this is our file and now it's got no data. So what happened was this malware actually rotated the file and it created a new file with today's date. So it says S 2010 7/31 and this is the file that has all the data. So if I just do word wrap you'll see the exact same data that you did in that file. So that's basically it for the memory dumper malware and we're going to move on to the next malware now. Okay. All right. Let's jump back into the presentation real quick. So this next piece of malware is basically a Windows credential stealer. So we gave it the code name Don't Call Me Gina, and you'll see when we're going through this why the file name is sort of a good choice as well. But again the target platform is Windows. Now the victim here, just to set this up a little bit. This was an online adult toy store. They were about a 100 person company. They had some stores as well, some physical locations. But they decided to outsource all their hosting, basically, and development to a low cost provider. And it was sort of a well known provider. They found the information about that company in sort of the back of a tech magazine. It looked really great. And just like everybody else when they're shopping for hosting providers. And basically they found that there was remote desktop enabled. It basically was a terminal server.
And so just to set it up a little bit, the attackers were able to get into the remote desktop system, or the terminal server, that was used by the hosting provider to get access to all the systems they were hosting. And so I'll set that up for you. And then one other piece is that the end result, the attackers were able to then modify the adult online toy store's website so that it would query the database when you called a certain page and it would dump all the latest transactions into a web page for them to then go and download. Now the attack itself, the functionality, Jibran is going to demo that. But I just wanted to set it up and show you the first part of how they got in and sort of the end result. But the real meat of the malware is actually in the middle of what they were able to do. Alright, so we are ready for demo number two. Are you ready for demo number two? Alright. So by the fourth demo we should be here to track one. Alright, so this is actually one of my favorite malware. And actually this relates to all of us, because, you know, a lot of us, you know, if we don't use Windows XP computers, we touch this at some point in time because they're so insecure. But anyhow, so I'm going to show you the pieces of the malware. And I don't know why when I do it the first time it doesn't do it. Anyway. So I call it Gina, and let's actually see what's in this package. So we've got FSGina.dll. Now who can tell me what MSGina.dll is? Anyone heard of MSGina.dll? Yeah, so it's basically, you know, it helps with the authentication process, right. So when you see that screen with your name on it and it says, hey, come enter your password so I can steal it, you know, that's MSGina, or, you know, a slight variation of it. So FSGina is basically a variation of MSGina. It tries to get loaded with MSGina so that it could capture the passwords upon legit logins. Now FSGina.reg is actually an automated script.
If I just run this, the malware is going to load in the registry, but I'm actually going to be nice enough and I'm going to show you guys exactly which key it changes in the registry. And this timestomp.exe, that is actually a piece of malware that actually changes the time of the malware files. So I'm going to copy these two files, FSGina and timestomp, into the Windows system32 directory. So what we're going to see is that these two files basically, you know, they show up at the top, right. So a lot of times when we were investigating a Windows computer, you know, for a friend or your mom or your grandmom, whatever, you basically go through the Task Manager or the Windows system32 folder, right, to check, hey, you know what, is there a malware infection there. So likewise, you know, attackers know that, and what they try to do is basically try to hide their malware around the time when the operating system was installed. So this timestomp utility actually does that for them. So I have this command here that is going to change it, but I'm going to tell you a reason why I chose this time, Saturday 4/13/2008. It's not because it's my birthday, but it actually has a meaning. So I'm going to go to the system32 folder and actually check the time of MSGina.dll. Now if I'm a good malware author and, you know, I'm actually on the system, I want my FSGina, like the fake Gina, to have the same time as MSGina. So it's basically 4/13/2008 10:42 p.m., so what do the malware writers do? They do the same time. So if you notice right here, FSGina right now has date modified of 6/16 and date created of 7/31. When I run this command here it's going to change the time, and look what it changed it to. 4/13 10:42. So yeah, now if you're the hacker you would want to delete timestomp.exe, so when someone does this date modified, date created sort by that, you don't see any malware, right? And FSGina basically shows up with, you know, all the other files. It's lost in system32.
So now to inject FSGina into the winlogon process we actually need to change a registry key. And the registry key that you need to change is, you go to HKEY_LOCAL_MACHINE, SOFTWARE, Microsoft, and a lot of people would think it's Windows, but it's actually Windows NT. So you go to Windows NT, CurrentVersion, and find the Winlogon folder, and basically all you need to do is add a string value and you call it GinaDLL, and when you add GinaDLL you also have to give a path, so, I do a lot of typos, so I'm actually going to make sure that I just copy and paste. Alright, so what we're doing is we're saying, okay, add another registry entry, so when winlogon.exe loads with the operating system it's going to load MSGina, but it's also going to load FSGina, and FSGina is going to be the malware that is actually going to take the data. So to show that, here I'm going to reboot the computer and we are going to log on to the system to see if it actually works. So while it's rebooting, I guess it's going to take a couple seconds to reboot. We're going to raise the question about sort of third parties. We see a lot of environments, especially organizations who don't have the ability to manage their own systems, putting a lot of trust in third parties, and we see a lot of those third parties leading people sort of astray. I mean they say that they're supporting the systems correctly, they say they're securing the systems, but they're actually not, and so when we see these environments really the organization was compromised because a third party left their perimeter really, really, really relaxed. And so it should be coming up soon, but basically that's the main takeaway from this piece of the demonstration, is that once that file is on the system it not only left that one organization exposed but all the clients that were accessed through that terminal server also were exposed as well.
And Remote Desktop: I know when it came out everyone jumped on it, and still now we see a lot of environments that say, okay, yeah, it's Remote Desktop, but it's secure, it has an encrypted session. But just to get to Remote Desktop, if you're running Remote Desktop on port 389, your chances of getting pwned are really, really high, because what the attackers do these days is look for remote entry points; they're looking for low-hanging fruit. So if they find Remote Desktop, VNC, pcAnywhere (yeah, believe it or not, a lot of people still use it), they basically write cracking programs for Remote Desktop, and once they get into one, it's their way in.

So what I'm going to try to do now is log on with fake credentials. I'm going to say, hey, Defcon, blah blah blah, and just try to log on, just to show you that the malware is not going to care about all the fake logins. Then we log in with the correct credentials, and when we go to the Windows System32 folder, what I'm going to show you is that there's going to be a file, and the file is going to be just a plain text file, and we'll see how clearly we can see the username and password. So we go to Windows, System32. All right, so you see, on 7-31 it created a new file called users, so let's double-click it and see what it has. There you go. All it has is my machine name, then it has TW, that was the username, and the password. So basically, you saw me typing Defcon and all those other fake ones; it only captured the one that it needed to, and that was the legit one. With that, we're going to go to the next demo, and it's called CTA. Actually, Nick's going to talk about it.
Okay, so in the interest of time I'm just going to go over this very, very quickly. Basically, this environment was an international VoIP provider, so they had a lot of customers. They had two different methods of taking data into their environment: one was via kiosks, where people were buying these prepaid cards, and the other was a website. So basically, in their hosting center they had a server that was processing all of this data. Now, one thing to note about this data center: when we went to do our investigation, we actually walked up, and out came about 20 cats from the data center, because it was at a barn in the middle of nowhere, which is where this hosting provider was. We were sort of confused why these cats were living there, around these servers, but then just last week I was watching television with my son and out came a commercial, Cats & Dogs 3D, and I had this revelation: well, that's what was going on, the cats were running the ISP. So we'll jump into the payment switch demo of the Planet Sky transit authority.
All right, so are we ready for demo number three? All right, you're kicking at this. So, hey, we got a background change; notice how we have this cool background for every little piece of malware. So we will go, this time it's perfect. I'm going to go to the directory that has the pieces of malware. I know we are running short on time; actually, malware freak shows never... okay. So you see Hydra.sys. Now, if you learned from the past, Hydra.sys is a rootkit. The System32 DLL has the configuration settings. Win32 is one of the special programs you'll see; Win32 is actually the controller. So what I'm going to do is show you the settings of this malware, and this is again pretty much System32 here. As you can see, the settings are such that the log would be in the Windows directory, system40.log. Here's a command line for the malware, Win32.exe, with these options. Now, looking at just these commands, can you guys see what it is? All right, it's basically ngrep. They've changed the name of ngrep, and they're running it; it's basically a sniffer malware, right? So it's going to sniff the internal network for confidential data. Now, this password I don't know yet, but the host name we had to change a little just for this demo, but Haxers.spider.com; it has a username and password.

If we go and actually run the malware, nothing happened; the malware runs pretty silently. What I want to show you here is that if you check Task Manager, you're actually not going to see it. Last year someone asked me the question: if you don't see it in Task Manager, would you see it in Sysinternals Process Explorer? The answer is no; this piece of malware you won't even see, because all this malware is doing is loading the rootkit and actually starting it, right? So I'm going to show you the file that it is supposed to store data in, and here you go, the system40.log file. Right now, again, there's no data because we haven't done any network transactions of card data, so
I am going to go to my fake point-of-sale application and communicate on port 5500. So I'm going to go to this payments folder; it's going to ask me for my name and password. Here I'm a legit user, so I'm going to just browse to certain checks, temporary checks, and basically see what's out here. So Dark Tangent, he's got his card stolen again; Spur guy Colin Shepard, he's got his card stolen; and this guy doesn't need cards because he has a lot of cash. And yeah, so, again, these attackers are freaking killing it, right? So we go to this file, and as you see, our file is updated. When we see the output, we see that this is basically ngrep output. If you've used ngrep before, you see basically the interface name, the poor man's regular expression for track data, and the IPs that it was communicating to.

So now that file is there. What do the attackers do to actually get the data? Now, in the previous malware, what you guys saw was that the attackers still had to come into the system to actually take out the data. This one is better, and we'll see how. I'm going to change the system time because, you know, that's one of the shortcomings of this malware: the malware writers basically transferred the data at around the same time every day. All right, so 59, and I'm going to give you 10 seconds to pray for the demo to work. So this is our FTP root directory; this is where the malware should dump data, and we're actually running a local FTP server on the local machine. So it's one o'clock; let's see, one, two, three, four, five, six. Oh, the demo is not there. Oh, it's a.m. Okay, good call. All right, so we're going to change it to... okay, perfect. This time I'm actually going to do a good job. Hit apply, and let's see; now we've got three more seconds to pray. One... oh, oh, keep praying, keep praying. All right, we got it. Now there's this one last feature that I want to show you: if I try to extract these files, this is what the attackers get, right? So I tried to extract it here. Oh, there's
a password. Now remember we had this one config file a long time ago, slings.exe, and I'm going to just... there we go. We had this weird-looking password; it looks like someone from the UK, but we're Piccadilly, and we try this, and boom, it works. It's basically the same file, that system40 file that we had over there. So that's about it for this malware. Now, the last piece of malware is the most awesome, so you'd better stick around for that. Nick's going to tell you about the background, but it's going to be super; it's called Dwight's Dooper.

All right, okay, so we have a couple of minutes, I think we have like six minutes, so we're going to go through this. Basically, to really set this up, this is a client-side PDF attack. Now, the difference between this environment and the previous three environments: the security posture in the previous three environments was basically horrible. This environment is a US defense contractor; they have a very high level of security. They had nothing allowed inbound; the only thing allowed outbound was port 80 and 443, and everybody had email access. So, just to really set this up, the employees of this organization received an email, it had an attachment, and everything else sort of went from there. Now, we didn't really use the US defense contractor's details and things like that in this demonstration, so we chose a different company. Let's go to the demo now.

All right, last one; are we ready for demo number four? Okay, so basically, yeah, we couldn't choose a defense contractor, so this is the company that we chose. This is basically Jim Halpert's desktop. So who likes Dwight? You guys are going to love it, then. All right, so this is basically Jim's mailbox, and he's got emails from his company mates, right? The first email is from Michael Scott; he finally got the lost ending. Then we got a weird one here from Kelly Kapoor, and that's 194 KB, and it says "continuing from lunch conversation." All right, so let's see what
it's about. Oh, that's pages full of rants again. All right, and this last one: a lot of us get these announcements, right, HR announcements, and without thinking twice about it we just click on them, and this one looks pretty real; it has a disclaimer, it says that it's going to be released at 9 o'clock. So before running this PDF file, I'm actually going to show you the temp folder that it has. If you go to this temp folder, what you're going to see is what actually happens behind the scenes when we run this PDF file. So here we go: it's an announcement. Jim Halpert opens up his PDF; the PDF closes for a second and it opens up again, and now the file name has changed, and as you can see, Dwight Schrute has finally been awarded the official position of assistant manager, but Jim has been pwned, right? As you can see, there's a folder called goldmine, and there's a RAR file; RAR files are usually what gets sent out. So let's see what's in the goldmine folder: bank account details, bank statements, client lists, and commissions. Oh, and if Dwight's looking at it, Dwight keylogs it, and with that it's got Firefox passwords, IE passwords, and just about everything else. And guess where it comes from: basically, what the attack is doing is taking all the files from the My Documents folder, RARing the folder into goldmine, and sending it out. This is basically the FTP server again; this is where it sends out, and again there is a password on the FTP server. So Dwight gets his data, and he basically has all of Jim's information. Guess who's going to win the sales prize here? Dwight Schrute. That's about it for our demo; this was our fourth demo, and thankfully all of them worked.

So just to sum it up, what we learned here is that customization of malware is the key, right? We're seeing customized malware targeting environments, like you saw in the
US defense contractor example. That's very, very customized, targeting that environment, specifically crafted to basically own those employees at that company, and instead he wins the race. Basically, you saw the anti-forensic features; they don't have to, but they do it anyway, just for the brownie points. Automation is another big thing, and they're not slowing down. And the funny thing Nick mentioned at the beginning of this talk: last year we gave the Malware Freak Show, and the shortcomings that we pointed out last year, they basically went ahead and corrected in the malware. So if you come next year, we might have DEF CON Malware Freak Show 3. Thank you guys for being our audience. Thank you.
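Added after the talk as an editor's example, not code the speakers showed or the malware's own: a small Python check for the two artifacts the GINA demo leaves on a host, the GinaDLL value under the Winlogon key and a DLL whose timestamps were copied from MSGina.dll. The registry values, the timestamps and the file names other than those from the demo are constructed; the whole-second heuristic for stomped times is an assumption of this example, not something the talk states.

```python
"""Spot the GINA-demo artifacts on a host: a GinaDLL value under Winlogon and a
timestomped DLL in System32. Inputs are constructed so this runs offline; on a
real host you would read the key with winreg and os.stat() the System32 files."""
from datetime import datetime

# Constructed Winlogon values as the demo leaves them (GinaDLL normally does not exist).
WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
    "GinaDLL": r"C:\WINDOWS\system32\FSGina.dll",
}

# Constructed System32 timestamps as (created, modified). FSGina.dll is the stomped file:
# its times copy MSGina.dll to the second, but with the sub-second part zeroed.
FILES = {
    "MSGina.dll": (datetime(2008, 4, 13, 22, 42, 17, 361240),
                   datetime(2008, 4, 13, 22, 42, 17, 361240)),
    "kernel32.dll": (datetime(2008, 4, 13, 22, 41, 2, 904531),
                     datetime(2008, 4, 13, 22, 41, 2, 904531)),
    "FSGina.dll": (datetime(2008, 4, 13, 22, 42, 17),
                   datetime(2008, 4, 13, 22, 42, 17)),
    "timestomp.exe": (datetime(2010, 7, 31, 9, 5, 44, 120003),
                      datetime(2010, 6, 16, 14, 0, 3, 555100)),
}

def gina_dll_set(winlogon):
    """Return the GinaDLL path if the value exists. Winlogon loads that DLL at every
    logon, so the mere presence of the value deserves a look, not just an odd path."""
    return winlogon.get("GinaDLL")

def timestomp_suspects(files):
    """Flag files whose created and modified times are both whole seconds.
    Assumption (not from the talk): stomping tools set FILETIMEs at second
    granularity, so the fraction is zero, while OS-written files almost never are."""
    return sorted(name for name, (c, m) in files.items()
                  if c.microsecond == 0 and m.microsecond == 0)

def backdated_copies(files, reference):
    """Flag files whose times match REFERENCE to the second, the pattern the demo
    used to make FSGina.dll blend in with MSGina.dll."""
    rc, rm = (t.replace(microsecond=0) for t in files[reference])
    return sorted(name for name, (c, m) in files.items()
                  if name != reference
                  and c.replace(microsecond=0) == rc and m.replace(microsecond=0) == rm)

def modified_before_created(files):
    """Flag files modified before they were created: the mark of a file copied onto
    the box, as FSGina showed (6-16 modified, 7-31 created) before it was stomped."""
    return sorted(name for name, (c, m) in files.items() if m < c)
```

On a live host, run the timestamp checks over the whole System32 listing and compare against a known-good image; a single hit in `backdated_copies` is far more telling than the date alone, since the stomped file sorts right next to its model.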