So this is Malware Freak Show 3. I'm Nick and this is Jibran, and so let's just jump right in. So instead of spending time on the agenda, we'll just skip right past that. The inspiration for this talk is basically something called System Intruder. For those of you who are familiar with Bed Intruder, there was a parody created by this guy we know named Zach, and we were going to play the song right now, but since we're a little short on time, we're going to save it to the end and we'll play it for you guys. So, brief introduction, you know who we are. I'm Nick Percoco. I run the SpiderLabs team at Trustwave. I started my career in the '90s doing InfoSec; I started out really doing penetration testing back then. This is my fourth DEF CON talk and I have two more this weekend, one tomorrow and one on Sunday. It's a Droid talk and a mobile SSL talk as well. I'm also the primary author of Trustwave's Global Security Report. So for those of you familiar with that, it's an interesting read. And I am Jibran Ilyas. I am a senior forensic investigator at Trustwave SpiderLabs. I have about nine years of experience and this is my only talk at DEF CON this year. I've spoken at Black Hat, SecTor and SOURCE Barcelona before, and I happen to have a master's degree from Northwestern. So I just wanted to brag about that. So really, you want to talk about why give a freak show. So what is this talk all about? Well, we perform a lot of investigations on an annual basis. We go into a lot of environments where there's targeted malware, malware that's not, you know, setting off any bells and whistles from the AV engines that are installed in those environments. And we really wanted to be able to bring live demos to you guys and be able to show you what sort of the state of the industry from a malware development standpoint looks like, and what the real criminals are using to exfiltrate valuable data out of corporations and other environments.
Basically the real big takeaway here that we see is, you know, the exploit world is basically commoditized. You know, the criminals are going after, they want to buy exploits, they want to be able to use those to get into environments, but they're really putting a lot of effort, a lot of development resources, into developing malware. It's become a rather big business. They will put money into that industry. They will hire really highly skilled developers to make this malware for them. And just as if you have a business and you want to create a business piece of software, you may outsource it to some developers and build it to your specifications. They're doing the exact same thing. So really, what is this talk about? Well, this is the third iteration of this talk. So has anybody seen any of the other Malware Freak Shows before? Oh, so we got a handful of folks. We've got frequent freak show points for you at the end, so just come see us. This is the third iteration of this talk. In 2009, we demoed a keystroke logger, a custom keystroke logger, a memory dumper, an early, early version of a memory dumper, and a video poker piece of malware, and then a network sniffer. Last year we demoed another memory dumper, one that got a little bit more advanced, some login credential stealers, a network sniffer again, and then a client-side piece of malware that basically targeted PDFs. It was a PDF attack. So this year we wanted to bring it a little bit more personal, bring it really home to ourselves and the people who are in the audience. And so we're really talking about some new targets. So this year we're talking about your grocery store, places you shop every day; your favorite bar, places where you like to get drunk; and your work; and then of course your smartphone. So this is all about you in this iteration of Malware Freak Show. So when we talk about sort of the evolution, so what have we been seeing?
When you talk about evolution, you typically talk about 50, 100, thousands of years. What we're talking about here is just three, and we've seen a dramatic change in the pieces of malware that we've been following, the malware authors, the malware that's being used in the various targets that we're talking about over the last just three years. When we first started following this and putting together this freak show, we saw sloppy malware developers. We saw people that were just literally testing the waters, trying to basically find ways to exfiltrate data, trying to automate things that they were trying to do on a manual basis. But it was very, very early on. They were also not being covert, so they were being blatant. We'd see things like NetworkSniffer.exe installed in environments, or MemoryDumper.exe. They were very, very early, early on. And then also a lot of noisy output files. They would create these files that would be gigantic, especially when we're talking about the memory dumper world. They would dump, you know, two-gig files to the drives and literally just fill up the hard drives on the systems. And then they were easily detected. You just look at Task Manager in Windows and you can see them. They were blatant, right in front of you. In 2010, they started to get tricky with their file names. It wasn't anything that was super complex, but they were trying to change things to make it a little more difficult for administrators. You've got to think of a lot of the targets that these criminals are going after. We talked about your grocery store, your favorite bar. These aren't sophisticated IT environments. And so all they have to do is fly under the radar of the people who they're targeting. And they're doing a pretty good job of that. They were doing a pretty good job of that in 2010. They were also placing things inside system folders to make it a little bit more obscure.
If you place something in the root directory of a drive and you fill it up with a whole bunch of files, someone may find that. The attackers found that if they put it in the System32 directory, it's going to be a little bit more obscure. Not for most people in this room, but for the people that are trying to target the victims of the criminals who are targeting people. And of course the output was mainly in plain text. You'll see some things in 2011 and the stuff we're going to demo now, but mainly they were just putting plain text files. The data they were trying to exfiltrate was just written to disk. No major issues there. The advanced tools that they were using, basically the advanced tools that we would use, could easily detect their activity. They were being a little bit more obscure. They may not show up in Task Manager, but we can detect them. And then automated exfiltration, that's sort of the key. If you're a criminal and you want to attack, say, 25, 30, 100 organizations, you're not going to manually connect to those organizations every single day and download the data. You want it to be automated. You want it to send the data to you; just sit back, relax, watch TV, and collect all the data that you can out of these victim organizations. So then when we talk about 2011, so this is a little bit, a little preview, so I'm not going to go in too much detail, but we talk about 2011. So we're going to go back to the top. Either that or the criminals have decided to pay more money and hire better developers. We saw some really, really interesting techniques this year. Some zero storage. So we're talking about them writing files to disk. We're going to show you some examples where literally the only footprint that's on the system is the piece of malware. There's no evidence of the data that they were actually handling and exfiltrating out of the system. And then when data is stored, they're using encryption to store that data on the system.
And they're using more efficient methods. So you hire better developers, and then you stop having 500k executables, and you get them down to just a few k, which makes things much more efficient and much easier to place on systems. And then, of course, automation. So automation is everywhere today. We just started seeing inklings of it in 2010, but now today it's basically automated everywhere on the system. So, Jibran, do you want to take some specific pieces of malware, some of the evolution we've been seeing? So, you know, there are some folks that came to our 2009 and 2010 talks, and you guys might recognize the notable features. So, like Nick mentioned earlier, 2009 it was just really basic. You know, we were seeing keylogger.exe, networksniffer.exe. So they just didn't care. They knew that once they got into the organizations, they knew that organizations didn't have enough IT staff to even look at those executables. The FTP credentials were not packed in the binary. So we could just use strings, and we could see all of the malware features, like, okay, well, what it does, where's the FTP, what is the FTP username, and the password. So lots of sloppy work. Output was just a plaintext .cap file. So that kind of tells you that they really didn't care much. Then in 2010, they actually did one better. They started matching, like, you know, svchost.exe. Anybody know what that is? Okay. So basically, they started naming their malware applications like legitimate Windows names. And then output was compressed and password protected. But again, the password was right in the binary. You know, you would see something like rar -hp and then the password. So that was still pretty easy. Nightly auto-exfiltration appeared for the first time. I think one of the malware samples that we demoed last year had that. But 2011, which I cannot wait to show you guys, you're going to have a ball watching these demos. So there's no output on the disk.
Like, some of the sniffers that you're going to see, there's, you know, the malware takes the data in one hand, sends it out from the other. It basically has two buffers. It steals the data and sends it out. And basically, it's a real-time exfiltration. And the exfiltration is no longer on like FTP ports or SMB ports. Exfiltration is on port 80, which, you know, in a lot of even mature organizations, 80 and 443 are allowed outbound. So the malware writers have realized that and they fully, you know, take advantage of that. Encryption and encoding of output data. That is like a really, really key feature trend in 2011. You know, before, you know, as forensic investigators, we would do disk analysis and we would search for, you know, social security data or credit card data and we would, you know, just find it on the disk. You know, there would be a file. When they're encrypting the data, those disk scans are useless because all the data that's stored on the disk is basically encrypted or encoded. So that was for the sniffers. The memory dumper, you know, in 2009 we demoed the three executable files. There was basically no anti-forensic capability, plain text output right on the root, you know, System32 directory. 2010, single executable. It was a kernel rootkit, so they did get it, but the output was still in plain text. So, and, you know, the output was, if you had to sort the files, you would actually see the latest date on that output file. So you would still, it's pretty easy to detect still. Now, 2011, you know, it's the return of the three executable files. So it's like a full malware kit, you know, one binary does something, the other binary does the second thing and the third binary basically completes the package. Everything is timestomped.
So if you're looking for files in like System32 that were most recently accessed or most recently modified, you won't get to see it, because the malware writers first timestomped the binaries and they matched it with the system installation date. So, you know, the System32 directory has a lot of DLLs, right? So if they match those dates, you're probably not going to doubt those files. And last but not the least, that output again is encrypted. So you have to actually crack the encryption to figure out what kind of data they're exfiltrating. So when we talk about the malware landscape today, so this is more continuing on from 2011. So we're seeing some anti-forensic features being built into the malware. I think you were just talking about the timestomping component. But we see other features as well. And then of course the stolen data is encrypted. Encryption algorithms are getting more advanced. I think some of the early versions we just saw using like XOR to basically encode that data. So we're seeing things, you know, more sophisticated there as well. Mainly because if you're an attacker and you're going after a site and you're harvesting a whole bunch of data, even if you're storing it locally you don't want someone else to come along and grab it and steal it from you. So might as well protect the data that you're stealing from those systems. And then of course malware as a DLL. We started seeing that. We're going to demo one of those as well for you. So now, you know, like we've seen in previous years, we want to spend a great deal of time in this talk, you know, doing five demos for you. So I'm going to introduce each of these demos and then Jibran's going to fire up and bring up his VM instance of each environment, and he's going to demo those live for you. So basically what we're talking about here, this is your grocery store. This is a place where all of us probably go to on a weekly basis, buy our milk, buy our butter, and buy our beer.
And basically this environment, this is where we see a piece of malware called Cameo. And we're not really sure why the attackers call it Cameo. We see it called Cameo over and over again in a lot of environments, but we gave this guy the code name Best Supporting Actor. Like Jibran talked about, this is a sniffer, and this is something that has very little visibility on the system itself. And so when you think about a grocery store environment, this is actually pretty sophisticated for some of these environments that we've seen, like the grocery stores and some of the retail environments. You don't really need to be that sophisticated to get into a grocery store. I haven't been to a grocery store that has an IT security person hanging out in the back room. This is just, you know, check cashiers and then the store manager. But we see environments where this malware is placed on either a central system in the environment or on all of the lanes. So when you're checking out, you know, you're buying your beer and they're scanning it and you hand them your credit card, they're swiping that and literally in real time your data is going from that register across the network out to the attacker's systems, and they're then archiving that into a database and sorting it out for sale almost instantaneously. And part of the things to note is that, you know, the grocery stores, they don't, you know, sometimes you won't even see Windows computers there. You would see the Ethernet, you know, point-of-sale swipes, right? So obviously they don't have the, this malware is designed for a Windows box. So basically all the data that's going across on Ethernet to a server, you know, in the manager's room, they want to place that malware there. So this malware has to be at the aggregation point of the data. So with that, you want to bring up the demo? Yeah, let's do it. Okay.
All right, so this is the exciting part of the talk, and I'm hoping, I think, you all will enjoy it a great deal. So what we're going to do, obviously, you know, we have four demos here, and have you guys been to a talk with demos before at DEF CON? I'm sure there's a very, very low percentage with the success of the demo. So, you know, we're going to do a collective prayer to the demo gods, and we're going to do it before each demo. So I'm going to, I have a, I don't know, when I say "what time is it", we all have to say "demo time". So that will please the demo gods, right? And this room is packed, so I better hear like a huge cheer. And actually we're going to send it for you guys. So whoever cheers the loudest, not only do we give a SpiderLabs t-shirt but also a pass to our party. That's right. Awesome. So you did it the first time. There are four times, so you better make sure, or better be awake. All right, so are you guys ready? What time is it? You guys are good on the first time. That's exciting. I think we're going to have a lot of fun. All right, so as I said, this is a grocery store, right? Does it look like a grocery store? Do you see your common things? That's awesome. Okay. So first I want to show you the binary. So the binary is called cameo.exe. I'm going to, I'm going to show you the size. This is only a 24-kilobyte binary. And if you mouse over this you see the keyword "Sniffer MFC Application". That kind of tells me that this is probably like an off-the-shelf product, but they modified the code and then they made it so that it has some anti-forensic features. So what I'm going to do is copy this binary to the Windows System32 folder. That's typically where a lot of the malware runs from, right? And then we're going to start the command prompt and actually browse through that directory. Everyone following me so far? Awesome, cool. All right, so I'm going to start, so basically to run, to install this malware, you basically just type the malware name.
The malware writers, they actually code it so that it's installed as a Windows service. Can anybody tell me what's the advantage of being installed as a Windows service? Yeah, so when you reboot the system the malware comes back. So there you go. I'm going to start cameo.exe. Notice we didn't see anything. The malware is running. So what I want to do now is actually show you, are you guys familiar with Procmon? It's a Sysinternals tool that kind of monitors the activities of a process. So I'm going to say that, hey, I only want to monitor whatever cameo.exe is doing. It'll apply, and this is basically it. So as you can see the malware is running, but it doesn't have any disk activity at this point. So I also want to start my Wireshark, because remember I told you that this malware actually sends the data outbound on port 80, so we want to see what data actually goes out of the network. Right? Okay. So even in Wireshark I don't want to monitor the whole network, the whole grocery store. So I want to just filter for port 80. Anybody know a filter that we can feed to Wireshark that just gives us port 80 traffic? tcp.port? Yep. Equals 80, right? So that's what we're going to do. We're going to say, okay, you know what? This is me sniffing the traffic to figure out what the malware actually sends out. So I only have one interface, so that's easy. And then I'm going to say tcp.port == 80. So now the sniffer is only going to show us what goes out on port 80. So now that we have our sniffer set, I'm going to jump to my host machine and actually show you a file with credit card data. So that file is basically called check3.txt. So as you can see there's not only just credit card data but what we call credit card track data, the magnetic stripe data on the back of your credit card. So why this is useful is because if you steal someone's track data, the magnetic stripe data, what you can do is you can encode that on your credit card.
And then wherever you go, let's say you go to a Best Buy or whatever expensive place, you can buy like a $5,000 plasma TV and they'll ask you, hey, show me your ID. So on the front of the card it's your name, and this poor victim is going to get charged. So this is the file that I'm going to send on the network, and this is the file that the malware is going to intercept. So I'm going to log into the FTP server there. So I'm going to send the data to the FTP server and then we're going to see the data go out on port 80. So this is very similar to what you see in a grocery store: when you swipe a card at a lane in a hardware terminal, it's sending that data to a central processing server. So it's basically what Jibran is going to simulate here. So I'm basically feeding the data to that aggregation point. And this happens for all of those grocery shop terminals. So I'm going to say check3.txt, just put it there. And then we're going to go back to our screen here and go back to Wireshark and voila, that worked. So the demo gods have answered. So we have this severe-looking traffic. Some traffic is going to this fdm.php. So right now our attacker server is the internal IP because we don't want to send the data out, even the test data. So this is basically the packet that we're going to follow and see what the output looks like. So I do a right click on it and I go Follow TCP Stream. So this is basically the packet. As you can see it's a POST and the User-Agent is Cameo. It's sending it to this IP address. Notice it's an internal IP, but in the real world there would be an external IP, like in some Eastern European country that I should not name. Content-Length, and then this is the data that's going out. So can you see anything? Can you make anything out of this data? Okay, thankfully not. All right, so I'm going to copy this output. So this is basically the data that's going to the attacker server. So how do we crack this?
So we basically, at SpiderLabs, just cracked the code, and we're going to see how this data looks. So I'm going to go to my Cameo directory, create a new file called malware output, and basically paste the information that I saw in the TCP stream. And what I'm going to do now is basically copy a script. It's basically a Perl script called Cameo decoder. Put it here and browse to this directory. Okay. So the way to run it is basically do Cameo decoder.pl, that's the Perl script that we wrote to crack that data, and I'm going to feed it the malware output.txt. So that's the file that had the encoded data. And then I'm going to say, can you please put all that data in decrypteddata.txt? Okay. So the script runs and it basically decrypts the data. Now we have this file that has the encoded data, and now we open the decrypteddata and what do you see here? It's got an IP, a source port, then it has that full credit card number, actually the magnetic stripe data, that we saw earlier. Got it? So that's how sophisticated the malware is getting. As you can see, there's no storage on the disk. It basically takes the data in one buffer and then every 30 seconds it sees, hey, is there data in my right hand? If there is, then I'm going to send it from my left hand. So it's kind of like charity. But yeah, so that's it for the Cameo malware. I'm going to turn it over to Nick Percoco and he's going to show you the second malware. So before we do that we're going to do a snapshot. Okay. Let me bring up the presentation. Yeah. Okay. So let's go into the, there we go. Okay. So the next piece of malware that we're going to show you, this is targeting your favorite bar. So obviously I would think everybody should have been to a bar before, and when you go and you buy a beer you start up a tab, you hand your credit card to somebody, your card is being entered into a system and then it's being processed. Similar to what we saw in the grocery store, but that's happening in a bar.
So the type of malware here is different. This is not a network sniffer. This is a memory dumper. Memory dumpers are designed to obtain data while it's in memory, as the name sort of tells you, but the big key factor there is that we see this being used in environments where data is being encrypted to a system. It's being encrypted while the data, and then it's being encrypted while it's being sent to, say, an upstream processor or upstream system. So the criminals sort of scratched their heads for a little while and thought, how are we going to get access to this information? And they started developing a memory dumper, and so we call this memory dumper the Son of Brain Drain, because last year I think we demoed Brain Drain. This one's a little bit more advanced, and so, to not steal any of Jibran's thunder talking about the key features, I think you're up and ready to go for the next demo. So you want to do your chant? Demo gods, we're very, very, very happy. I just got a message. So we're going to do this again, but this time we're going to do one better, right? We're going to raise our hands and say "demo time" when I can chat. What time is it? You guys look fantastic. Thank you so much. All right. So we're going to start the same way. I'm going to show you the binaries. So this is the memory dumper malware kit. So as I mentioned that, let's see what each of them looks like. There is winboot.exe, so this is basically the controller; this is like the master malware, I would like to call it. So this is the one that gets installed as a Windows service, and we already discussed what a Windows service does for the malware. It comes back every time the system boots up, and when it runs, basically the only job that this malware, this piece of executable, has is basically starting the two other binaries. So this first binary is csrsvc.exe, that has a list of executable names that are known executables that handle credit card data. So it has the names of the most common point-of-sale applications.
So when you go to a restaurant, you go to a hotel, you go to a bar, you see typical kinds of systems. I don't want to name any of the software, but the attackers know at least all the popular ones. So they basically say, hey, you know what, rather than dumping the memory of 4 gigabytes of the whole computer, we don't want to create that much noise. So what we're going to do is pick those processes and just dump the memory for those particular processes, so the footprint is less, and then they delete that dump too after they parse the data out of it. So csrsvc again dumps the memory of a particular process. This last piece, inetmgr, that is the piece that actually looks at the dump. So if a dump is 500 megabytes, attackers don't want to transfer 500 megabytes because, guess what, at a grocery store or a bar the bandwidth is not that awesome. So they don't want 500 megs of data coming for like 4 credit cards. So what they do is they write this application, which is like a Perl application they've converted with Perl2Exe, and this piece actually looks at the dump files and parses out only track data, and then this is the piece that actually does the encryption and some other features which I'm going to show in a minute.
So without further ado, we're going to run this memory dumper malware. Okay, so see these files: winboot.exe. So this is winboot.exe. So basically the malware writers, they actually followed a lot of good coding skills, and the installation for this malware is basically an install switch on winboot.exe, and guess what, you see "Windows Boot Loader installed". I want to show you something really cool which I love about these malware writers: they try to freak you out. So what you're going to see when you see the service, Windows Boot, yeah, so this is the one. So as you can see, the path to the executable is the path that we were in, winboot.exe, and guess what, it says it manages the loading of the Microsoft Windows operating system, right? And better yet, if this service is disabled, the Microsoft Windows operating system will fail to start. So, you know, this is the first year that they've got all the spellings right. They usually mess up on the spellings, so a huge cheer for those writers here. So now that this malware is installed as a service, we have to run this. As I said, they wrote the code brilliantly; they also have a debug feature to this, so I think someone was QAing their code. All right, so we're going to run this in debug mode, and what you're going to see here is basically these two pieces haven't started yet. So when I run it in debug mode there's going to be two new processes, and you're going to see that right on the system tray here. So winboot.exe, hey, I want to see debug. So now, as you can see, there's a new process, csrsvc, and also the inetmgr, right? So I don't know if you can see it that far; it's saying basically, it says "state loading, please wait", "state monitoring". So the malware is kind of saying, okay, you know what, I'm ready to do the dirty work, but you gotta do something for me to do anything. So right now the malware is just sitting idle. I mean, it's monitoring, but it's not showing any output because we haven't processed any of the sensitive data. So as soon as we do that, you should see something here.

Okay, so I need a volunteer here who's going to come to our bar, and as you can see we have a pretty cool bar, the Whiskey Bar. So who wants to come to the Whiskey Bar? There you go, we got a brave soul here. Yeah, come on up. Okay, so while he's coming, because this is not a point-of-sale application, we don't have a payment processing application here, so we're going to trick the system. We're going to say, you know, let TextPad be our payment application. So instead of textpad.exe, I'm going to say become PBTSRV.exe. So TextPad is our payment application. We're going to open this, and now I'm going to ask our volunteer to actually swipe a card. Actually, what kind of beer would you like? This is a bar. So he wants Bud Light, and sorry I couldn't provide a cuter bartender, but okay, swipe the card, I'll help you out. So I want to show you that this guy wants a lot of beer; this is a gift card. Okay, go for it. There you go. All right, there we go, what does it say? "A gift for you." Okay, there you go, thank you very much. We don't have Bud Light today, but there you go, you get a t-shirt. Thank you so much for volunteering. Okay, so now we have got this data, obviously, PBTSRV. Now if we watch these processes, it says, hey, can anybody read it? It says, hey, in this memdump folder there is a dump file, and in that dump file I found track one data. All right, so we're going to go to our folder. So now notice there are two new things here, memdump and inetinfo, see that? Okay, so one thing I want to show you, this is a really, really key feature. inetinfo is actually the malware output file, but notice that the time on it is June 1st, 2005, right? And not only the modified time but the create time is also June 1st, 2005. So if you're looking for more recent changes to your system, you're not going to detect this file, and basically we just wrote data to it. So as we modified it, we didn't see anything here. So let's actually check this out, the data in this file. I'm going to open it with Notepad, and guess what you see: it's just, you know, that data is encrypted.

So what I'm going to do is go to my SpiderLabs script folder and basically show the desktop. So I'm going to run the decrypter. Oh, got them all selected. Well, there we go, Freak Tools, maybe, there you go, SpiderLabs decrypt. I'm going to copy that to memory dumper. All right, okay, so this is my script that's going to decrypt the data that we saw, and let's say I want to feed it the inetinfo.chm file, and then the output file, the name I'm going to give is decrypteddata.txt. Okay, so let's see what decrypteddata has. So basically that's how neat the output is. It basically says memdump, pbtsrv.exe, 2992, that's the process ID. And actually, you know what, I'm going to open it for a better viewing. There you go. All right, so basically, you know, it's not the hacker saying "Trustwave SpiderLabs 2011", that's our script, and memdump, and then pbtsrv.exe 2992, Mr. John Smith's credit card is here, not only track one data but track two data as well. So that's about it for the memory dumper malware, and we're going to move on to the next one. Okay, and when you talk about these hitting you personally, I actually once got a call from Jibran who asked, were you at this club in Las Vegas last July, and is your credit card ending in these four digits? And I said, well, why? Your credit card company, your credit card was exposed in this breach. So that does happen from time to time. So the next one we have here, and I think we're running a little short on time, so we have two different demos that are remaining. We have this webcheck DLL, and this is basically targeting your work, and this is basically an example of how you hear about critical files being exposed when corporations are having data leakage problems, a piece of malware that actually will attack that and gain access to it. So we have that demo and we also have a mobile demo, and I think the mobile one is pretty short; we can show you that demo in three minutes. But this is a pretty interesting piece of malware because it only has a DLL file.

So notice, when you mention that a DLL can do a lot of damage, you're going to see that here. So let me show you the malware. It's called the webcheck DLL. This malware is installed with a simple registry hack, and I'm going to show you what this registry file has. So this is basically the folder in the registry that it tries to modify. So I'm going to do it manually so you guys get to see it. So what I'm going to show you here is that the name of the malware is webcheck.dll, which is also a legitimate Microsoft file. If you mouse over that you basically see "Web Site Monitor", and it's only 10 KB. HKEY_LOCAL_MACHINE\SOFTWARE, I'm going to find this registry key. Okay, so basically the legitimate file, Windows Explorer, whenever it runs it basically loads this file, webcheck.dll, but it loads it from the System32 folder. What our malware, what we're going to do is we're going to copy and paste this file in the Windows folder, and we're going to tell the system to run this file from the Windows folder rather than the Windows\System32 folder. So it's a pretty simple hack. I just placed a file here, so this is the legitimate file. So I'm going to tell the system to basically load webcheck.dll, but from the Windows folder. So obviously if we had time we would have restarted the system and shown you, but I think the quick hack I could show you is if we just close Explorer and reload Explorer, it should work. If it doesn't, we have to cheer louder. Okay, so basically now when explorer.exe has started, notice we did the hack, so now explorer.exe has to load webcheck.dll from the Windows folder, so the malicious one. Basically this malware stores the data in the root of the drive, but it has the hidden attribute, not just the hidden attribute but also the system attribute, so we have to uncheck this button, which again is the Windows no-no. So notice you have this file, pagefile. What's the pagefile in a Windows system? Virtual memory, right? So you're going to see an additional file if everything goes right
so we're going to go to our company intranet right and it says intranet.mycompany.com so and we're going to try to log into this folder and then I'm going to type in my password and it sends me to the intranet folder so in the confidential folder I'm going to upload a file and that file basically you do a lot of activity from your browser right so basically this malware is targeting your browser so anything that you're doing in the browser better watch out because it's trying to steal that so I'm going to put this document there so let me show you the contents of this document it basically has some confidential information it says president arrives at DEF CON on August 5th we'll attend spider's party so we're going to process that to the browser right I'm going to upload this file and then go back to my c drive do you see page file there basically 18k so right now it's not Xvill trading any data because the malware writers have coded in the malware itself the time to Xvill trade data we've kind of passed a malware so that it sends the data to an fdp server but I'm running it on the local host so this is where you should see data around 2 am so I'm going to change the time to 1.59 50 am so that we get 10 seconds to pray and basically the minute it hits 2 o'clock we should see something okay it worked awesome so we have this file now notice the page file disappeared now it's only page the page file is going to come back but in the meantime there's a zip file here so we should be able to extract this file here so you say extract it says hey no archive found you're a sucker because this file is not a zip file so basically what I'm going to do is copy this file and I'm going to go to my ruby folder because that's where we wrote the code and this is basically the decryption script so I'm going to put it in the bin folder and pretty quickly I am going to run this so you guys actually get to see the data before we have to leave so see ruby so I'm going to say ruby decrypt 
this and the data is like something open c29 there we go and I'm going to say decrypted data again decrypted.txt so the script runs it tries to decrypt that data and then we go back to the same folder to actually check that and here we go so what was the keyword in that file that we can look for in that file upload but all that data malware basically captured and you can't open this file even if you wanted to open this in textpad you would see garbage so you basically have to write a decrypter to actually see any sort of data so just imagine what we do in our browsers we pretty much do everything in our browser and if the malware is only 10kb and can take stuff from the browser it's pretty cool when you get this t-shirt all that it's pretty so I think we're going to wrap up for building number 4 we may be able to show you some of the last pieces of the demo during the Q&A time we have a mobile mail we're demo as well we're trying to fit into this presentation so basically we're done and basically the closing things here is next year we predict new more advanced activities and thanks for coming
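A defender-side check for the registry redirection shown in the WebCheck demo, added here as an example and not the speakers' code: it parses a Windows registry export (.reg text) and flags any string value that points webcheck.dll at a directory other than System32. The sample export, its key names and CLSIDs are constructed placeholders; the talk does not name the actual key Explorer consults, and binary (hex) values are not parsed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample .reg export (NOT from the talk). Key names and CLSIDs are
# placeholders; only the DLL path being outside System32 matters here.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\ShellLoad\{PLACEHOLDER-CLSID-1}\InprocServer32]
@="C:\\Windows\\WebCheck.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\ShellLoad\{PLACEHOLDER-CLSID-2}\InprocServer32]
@="%SystemRoot%\\System32\\shdocvw.dll"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# Matches `@="..."` or `"Name"="..."`; hex/dword values do not match and are skipped.
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg string escaping (backslashes and quotes are doubled/escaped)."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            yield key, name, _unescape(m.group(2))


def is_system32(path, windir=r'C:\Windows'):
    """True only if the path's parent directory is exactly <windir>\\System32."""
    p = PureWindowsPath(path.replace('%SystemRoot%', windir))
    sys32 = PureWindowsPath(windir) / 'System32'
    return str(p.parent).lower() == str(sys32).lower()


def find_hijacked(text, dll='webcheck.dll'):
    """Return (key, value_name, path) for values loading `dll` from outside System32.
    A bare file name (no directory) is flagged too, since it relies on search order."""
    return [(k, n, d) for k, n, d in parse_reg(text)
            if d.lower().endswith(dll) and not is_system32(d)]
```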