Today I'm going to talk about botnets, present-day botnets. This is research that my team at my university, my department, has been doing for the last couple of months. We came across some interesting facts about how botnets are actually exploiting the integrity of systems nowadays, and some interesting concepts and techniques that I'm going to present today. This has been collaborative research with my team, known as SecNiche Security Labs, and with my advisor. A little background on me: I'm a third-year Ph.D. candidate at Michigan State University. At present I'm working for ISIC partners, and I previously worked for some other companies; this is some of my previous biodata. Rohit is one of my good friends; he has done a lot of work on this, in collaboration with my advisor. Today I just want to put up a little disclaimer: whatever concepts I'm going to discuss today are based entirely on my research and do not relate to any of my employers. It's independent research that some of my group members are doing, and I'm also doing it as a part of my Ph.D.

So today we are going to talk about bot spreading mechanisms. Some of these things, like spear phishing, have existed for a long period of time, but at this present point in time, what are the changes that have come about in the field of malware? We're going to talk about exploit packs, drive-by download frameworks and spreaders, with some live videos. Then we're going to talk about the post-exploitation side: once your system is infected, what kind of things does the bot actually manipulate in your system to subvert its integrity? And then we're going to talk about data exfiltration strategies and the concept of third-generation botnets.
Various bots are actually exploiting the HTTP communication channel to exfiltrate data out of the system. It started in the last couple of years, one or two years; it started with Zeus, one of the great botnets that came into existence, and that actually gave birth to third-generation botnets. Why I'm mentioning third generation here: the first generation is a typical set of botnets which actually use the IRC protocol. So if we want to characterize these botnets, why they are third generation, second generation and first generation, we typically look at two kinds of things: what kind of motivation they have, and what kind of perspective they have in exploiting systems. So it started with Zeus, then it came to SpyEye. At present we are looking into Andromeda; Smoke is there; NGR existed, it existed six months ago, it's still going fine but not that much, its place has been taken by Andromeda and Smoke, and the upcoming one which is actually being built nowadays is called Upas bot. So why hybrid? Because some of the botnets are actually picking up properties or characteristics of other botnets. For example, SpyEye actually harnessed the power of Zeus by taking over the web injects concept, and then there's NGR, which is also using a similar kind of thing. And then there is a very good statistic produced by Microsoft on third-generation botnet infections all around the world. If you look specifically, it gives you an idea of how the Zeus bot started impacting North America, and that actually gives you an idea that this is only one part of the world, and you can expect the infections that occur on the global level. But this works pretty fine.
Things have changed in the world of botnets with the advent of the third generation, which typically exploits the HTTP protocol, and the motivation is all about exploiting online banking to get money, or a shortcut to success, whatever we say. So the artifact on which I want to lay stress is that the devil is present in the details. We know that, and if we don't know the details, we don't know the crux of the concept; it's not very worthwhile to spend time, and we will not be able to build the defenses. So we had to do a little offense to build the defense accordingly, but we need to get to the details, the crux of the concepts.

Let's talk about the bot spreading mechanisms that are widely deployed nowadays. Some of these concepts have been known for a while, but with the change of a lot of technologies, with the passage of time, things have changed: the design, the architecture, the framework, how the botnets are exploiting. It has changed a bit. Let's take a look. I want to start with browser exploit packs. Last year we presented complete details of BlackHole, how it infects, and a lot of details at the Virus Bulletin conference. But still, if you remember, within the last year, if you were going through a lot of media articles and things like that, even at this present point of time, the BlackHole exploit pack is really running fast, and it's still exploiting things at a very large scale. So what it actually means, typically, if you remember, I'd say the Metasploit browser_autopwn module is built on the same design: you have to collect and bundle a lot of exploits together, and host it as a web application somewhere on a malicious domain. So what happens is your browser sends a request; it fingerprints it and gets what kind of vulnerable versions of plugins and other components you are running, and then it exploits accordingly.
It fingerprints: okay, you've got a vulnerable version of PDF, a vulnerable version of Adobe Flash, Silverlight, and things like that. Okay, serve that exploit, which has been known. And if you look at the present time, Java is the most exploited plugin nowadays, because it gives you easy access as platform-independent stuff, so it gives you heavy access to that. So how does it work? It's an automated framework, the browser exploit pack, and as I stated, exploits are bundled together. Mostly, if you see, they're written in PHP and MySQL. It's an open, independent code structure; you can construct whatever you want and then build the code. If I remember correctly, last year we were analyzing the Phoenix exploit pack, and it was actually using a direct exploit from Metasploit, which was written in Ruby. So being cross-platform independent, they can plug into each other and then serve the exploit, and things like that. And they implement some sort of techniques like: if a particular machine is sending a request to a command-and-control server that is hosting a browser exploit pack on the same domain, it typically fingerprints your browser and fingerprints your IP address and sees, okay, we got one request from this IP address, we don't want to serve malware to them again. So you get one infection per IP per system; malware is served on a per-IP basis. And then there are custom JavaScripts which are used explicitly for fingerprinting: give me the browser version, give me the user environment information. This is very much required for the browser exploit packs. Whatever examples I'm going to discuss in this talk are entirely real-time case studies that we have analyzed. And all these are iframes and obfuscated scripts.
This kind of pattern that I've put on the slides here is being used heavily nowadays. It's a similar set of patterns that browser exploit packs like BlackHole and Nuclear Pack are using. If you go and find some of the things on Malware Domain List, you'll find some malicious domains, and then you try to find: hey, where is the malicious iframe? If you look at the construct, the way it has been constructed, you will get these kinds of patterns. And it's really easy: you can do some dirty code tricks, you can manipulate things like changing document.write to alert, and you can put alert instead of eval, and things like that, to actually render the script. But you can also do one more thing: you can do it tactically, step by step, and try to understand how the code actually manipulates. This actually gives you an idea, and that obfuscated code, when we deobfuscated it, turns into this iframe, and this iframe is actually rendered dynamically in the code. That gives you an idea of how browser exploit packs are getting used with obfuscated iframes, and that is how browser exploit packs actually fingerprint your browser version and the kind of plugins you are using. These are also the typical scripts they render dynamically. So what happens is: when you visit a malicious URL, you click it, then you get redirected to some part and this code comes up, which finds that, okay, this plugin is vulnerable, and then later on you find that the vulnerable plugin has an exploit that is embedded in the browser exploit pack, and it serves that exploit in that case. Before going further I just want to lay stress here. We were testing something and we came across this domain, which is actually hosting the Nuclear exploit pack.
This is just a statistics page, and you can see that when an attacker actually exploits a heavy-traffic-volume website and injects a malicious iframe which points to the browser exploit pack, you will see how fast the infection occurs. Let's take a look here. The idea behind showing this is the concept that once a high-traffic-volume website is exploited and you put a malicious iframe in it, how the stats vary. So this particular malicious domain is hosting a Nuclear exploit pack. When we were testing, we got access to the stats page, and we typically wanted to look at how it is working. A simple refresh, loading the web page again and again, keeps on changing the IDs, like the total and how many loads are occurring at one specific point in time. It's a video; it's 800 by 600 actually. So this gives you an idea: we keep on refreshing and seeing how many loads are happening within seconds, and every time we refresh, it's really going fast. So the infections are really going fast, and that actually gives us an idea of how fast this thing is when you do it in an automated manner. The exploited domain was allmyvideos.net and all the respective domains which actually got infected, and every user that went to that domain, accessed some videos and things like that, kept on getting infected and getting the bots. That was an actual case study of how the Nuclear exploit pack is triggering things. So BlackHole still exists, while Nuclear Pack is still waiting its time.

Now we're going to talk a little about drive-by download attacks. It's a technique that has existed for a long period of time, but it's still going pretty fine, and it's still very robust in understanding and exploiting browsers. Typically it's just a redirection scenario: the user's browser is redirected to the malicious domain.
It fingerprints it, and the idea is that it's really hard for a user to notice this attack. It's not that easy for the user to know that there's a drive-by download happening in the system and notice that; it's really difficult, I would say, for the user to do that. And that's how it actually works: whenever the user visits a malicious domain, the browser is fingerprinted, and then the browser exploit pack actually serves the exploit, which is using the JavaScript heap spraying concept, and then exploits the browser pretty easily. It all works in a stealthy manner. So three or four months back, this drive-by download framework came into existence; it is an automated exploit framework that is being used to serve Java-based exploits. It's known as Anand JDB, and it works pretty fine. You've got a vulnerable version of Java and there's an exploit lined up; it gets obfuscated and is served to users on that path. So you can see that automated drive-by download frameworks still exist at a large scale, and that works pretty fine. Let's take a look at the BlackHole exploit pack in action. It's a complete attack scenario that gives you an idea of how things work. The only thing that I cannot show in this particular video is explicitly where the drive-by download is happening, but you will get an idea when it happens and how things work. For example, a very simple scenario of spear phishing here. You try to log into your email account and we'll see we get a phishing email; let's say we get this email, and there's a compressed URL. What happened in this particular case? If you realize here, this particular web page has this compressed, obfuscated iframe in it, which is really hard to deobfuscate in that sense.
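As an added example that is not part of the talk: a small static triage pass, written for this page, over the kind of injected page described above. It scores iframe tags by the hiding tricks the speaker mentions (1x1 sizes, visibility:hidden, off-screen positioning) and counts the document.write/eval/unescape primitives that obfuscated injections rely on, so a page can be flagged before anyone attempts a full deobfuscation. The HTML is constructed for the demo and the thresholds are my own heuristics, not values taken from any exploit pack.

```python
import re
from typing import Dict, List

# Constructed sample page for the demo (not a real capture): a normal video
# embed, a 1x1 hidden iframe of the kind exploit-pack injections use, and a
# script that decodes and writes an iframe at runtime.
SAMPLE_HTML = """
<html><body>
<iframe src="https://player.example/video?id=42" width="640" height="360"></iframe>
<iframe src="http://bad.example/in.php" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
<script>
var a="%3Ciframe%20src%3D%22http%3A//kit.example/land.php%22%3E%3C/iframe%3E";
document.write(unescape(a));
eval(String.fromCharCode(100,111,99));
</script>
</body></html>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Primitives that obfuscated injections lean on; counted, never judged alone.
SCRIPT_INDICATORS = {
    "document.write": re.compile(r"document\.write\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "unescape": re.compile(r"\bunescape\s*\(", re.I),
    "fromCharCode": re.compile(r"String\.fromCharCode", re.I),
    "encoded-iframe": re.compile(r"%3Ciframe|\\x3ciframe|&lt;iframe", re.I),
}


def parse_attrs(raw: str) -> Dict[str, str]:
    """Turn the attribute text of one tag into a lower-cased name -> value dict."""
    attrs: Dict[str, str] = {}
    for m in ATTR_RE.finditer(raw):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def iframe_indicators(attrs: Dict[str, str]) -> List[str]:
    """Name the hiding tricks present on one iframe."""
    hits: List[str] = []

    def dim(name: str):
        m = re.match(r"\s*(\d+)", attrs.get(name, ""))
        return int(m.group(1)) if m else None

    width, height = dim("width"), dim("height")
    if width is not None and height is not None and width <= 2 and height <= 2:
        hits.append("tiny-dimensions")
    style = attrs.get("style", "").lower().replace(" ", "")
    if "visibility:hidden" in style or "display:none" in style:
        hits.append("hidden-style")
    if re.search(r"(left|top):-\d{3,}", style):
        hits.append("offscreen-position")
    return hits


def suspicious_iframes(html: str) -> List[Dict[str, object]]:
    out: List[Dict[str, object]] = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        hits = iframe_indicators(attrs)
        if hits:
            out.append({"src": attrs.get("src", ""), "indicators": hits})
    return out


def script_indicators(html: str) -> Dict[str, int]:
    """Count each obfuscation primitive that appears at least once."""
    return {name: len(rx.findall(html)) for name, rx in SCRIPT_INDICATORS.items() if rx.search(html)}


def scan_page(html: str) -> Dict[str, object]:
    frames = suspicious_iframes(html)
    scripts = script_indicators(html)
    # Heuristic (my threshold): any hidden frame, or two or more of the
    # write/eval/decode primitives together, is worth an analyst's look.
    return {"iframes": frames, "script": scripts, "suspicious": bool(frames) or len(scripts) >= 2}
```

Running scan_page over a page pulled from a malicious-domain listing gives you the hidden frame's src and the set of decode primitives in one pass; the next step, replacing eval with a capture of its argument, is exactly the "alert instead of eval" trick the speaker describes.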
But another way we can do it is to perform behavioral analysis. What we did actually was use a simple HttpFox plugin here, and that gives you an idea of how many hops the requests are going through. Well, actually it's designed as 800 by 600, but I think it's not. Anyway, if you get an idea here of what is happening: when the user clicks on that particular request, it keeps on hopping different IPs. It's not like one single IP, you click it, you get an exploit; no, it keeps on going from a content delivery network to another IP and then to the malicious domain where it is actually hosting the browser exploit pack. That actually shows you that the browser started connecting to third-party domains with different hops. So this was a clean system actually, so we performed a little scan on it; that's the only way we can show that. Those are the hops that the browser connected through previously when it accessed that link. That's the URL; that just got located to this IP address, and the second hop is this one. And this was actually the stats page that was being accessed on the malicious domain, which was running the BlackHole exploit pack. When we completed the scan of the system, it said there is one infection in the system. Then we looked at the results and found that it got a signature of Zbot, which is also called Zeus bot. So this actually gives us an idea that automated exploit packs like BlackHole really work in collaboration with the botnet in spreading bots, and that's how they work, and that's what the idea is all about. This is the obfuscated script, which is really compressed, so it's really hard to deobfuscate easily, and we had to do the behavioral analysis to get things done.
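The hop-by-hop behavioral view described above, reconstructed from a request log rather than by eye, as an added example that is not part of the talk. Each record mimics what an HttpFox-style capture shows (URL, status, Location header); the code chains the 3xx redirects, then flags a chain when several independent signals line up: two or more hops, a new host at every hop, and a landing host that is a bare IP address. The log is constructed and the scoring rule is my own; a single request to a bare-IP host is deliberately not enough to trigger it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Request:
    """One request as an HttpFox-style log records it."""
    seq: int
    url: str
    status: int
    location: Optional[str] = None  # Location header when status is 3xx


# Constructed log for the demo (not a real capture): a shortened link that
# hops through a CDN-looking host to a bare-IP landing page, plus two
# unrelated requests, one of them to the same IP but not via a redirect.
SAMPLE_LOG = [
    Request(1, "http://sho.rt/aB3x", 301, "http://cdn.example.net/r/1"),
    Request(2, "http://cdn.example.net/r/1", 302, "http://203.0.113.45/land.php"),
    Request(3, "http://203.0.113.45/land.php", 200),
    Request(4, "http://mail.example.com/inbox", 200),
    Request(5, "http://203.0.113.45/get.php", 200),
]


def _norm(url: str) -> str:
    return url.rstrip("/")


def _host(url: str) -> str:
    return urlparse(url).hostname or ""


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_chains(requests: List[Request]) -> List[List[Request]]:
    """Follow Location headers starting from every request nobody redirected to."""
    by_url = {_norm(r.url): r for r in requests}
    targets = {_norm(r.location) for r in requests if r.location}
    chains: List[List[Request]] = []
    for start in requests:
        if _norm(start.url) in targets:
            continue  # this request is a hop inside some other chain
        chain, seen, cur = [start], {_norm(start.url)}, start
        while cur.location and _norm(cur.location) in by_url:
            nxt = by_url[_norm(cur.location)]
            if _norm(nxt.url) in seen:
                break  # redirect loop guard
            seen.add(_norm(nxt.url))
            chain.append(nxt)
            cur = nxt
        chains.append(chain)
    return chains


def assess(chain: List[Request]) -> Dict[str, object]:
    """Score one chain; two or more independent signals make it suspicious."""
    hosts = [_host(r.url) for r in chain]
    hops = len(chain) - 1
    reasons: List[str] = []
    if hops >= 2:
        reasons.append(f"{hops} redirect hops")
    if hops >= 1 and len(set(hosts)) == len(hosts):
        reasons.append("every hop on a different host")
    if _is_ip(hosts[-1]):
        reasons.append("lands on a bare IP host")
    return {"hops": hops, "hosts": hosts, "reasons": reasons, "suspicious": len(reasons) >= 2}


def flagged_chains(requests: List[Request]) -> List[Dict[str, object]]:
    return [a for a in (assess(c) for c in build_chains(requests)) if a["suspicious"]]
```

Feeding a real export into SAMPLE_LOG's shape is enough to get the same "shortener, CDN, exploit-pack host" picture the speaker reads off the HttpFox window, and the hosts list is the thing you take to a block list or a proxy log search.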
So that actually gives you an idea of the whole complete life cycle: you get a spear-phishing mail that is compressed using a URL shortening service, things like that, there are multiple hops that the user has to go through, and then it serves the exploit. That's pretty fine.

Now let's talk about spreaders. We were analyzing Upas bot, which is a new, upcoming breed of botnet; it's pretty sophisticated, and they have implemented a pretty good spreader called a USB spreader. This technique worked previously, but it's still working pretty fine, and they have implemented it really well, and we'll show you by going through this case study how we can build a signature very easily. So on your infected system, when the bot is there, it actually acts as a monitoring service; it creates a monitoring service which looks for what kind of USB you are going to insert in your system, and whenever any plug-and-play device gets inserted in the system, it actually calls the RegisterDeviceNotificationW function, which is a Windows built-in API, and that works pretty fine. If you look at the screenshot of the disassembly I have put up there, it gives you an idea: the bot is actually taking a CLSID parameter which points to the USB device, and then if you go down there's the RegisterDeviceNotification function, which will notify that some device has been inserted into the system, is somebody there, and gives some window messages to the system so that it gives us this active scenario.
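As an added defender-side example, not code from the talk or from any bot: auditing the root of a removable drive for the artefacts a USB spreader of this kind leaves behind, an autorun.inf whose open/shellexecute/shell\open\command entries launch a dropped executable, and shortcut files that point at that same executable. The drive layout, the executable name and the stand-in .lnk bytes are all constructed for the demo (the .lnk is not a valid shortcut, only a byte blob carrying a UTF-16 target name); the autorun keys checked are standard autorun.inf keys.

```python
import configparser
import os
import re
import shutil
import tempfile
from typing import Dict, List

# [autorun] keys that make Explorer run something when the drive is opened
# or AutoPlay fires.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")
EXE_RE = re.compile(r"([\w.\-]+\.(?:exe|scr|com|bat|cmd|pif|vbs|js))", re.I)

# Constructed autorun.inf in the style of a USB dropper: a random-looking
# executable name (assumed, not taken from any real sample) plus text that
# mimics Explorer's own "Open folder" prompt.
SAMPLE_AUTORUN = """[autorun]
open=Xk9aQ.exe
shell\\open\\Command=Xk9aQ.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
useautoplay=1
"""

# Constructed stand-in for a shortcut: the 'L' signature plus an embedded
# UTF-16LE target name. Not a complete, valid LNK structure.
FAKE_LNK = b"L\x00\x00\x00" + b"\x01\x14\x02\x00" + b"\x00" * 20 + "Xk9aQ.exe".encode("utf-16-le")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as lower-cased key -> value, or {} if unparseable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def autorun_findings(entries: Dict[str, str], root: str) -> List[str]:
    findings: List[str] = []
    present = set()
    for key in LAUNCH_KEYS:
        if key not in entries:
            continue
        m = EXE_RE.search(entries[key])
        target = m.group(1) if m else entries[key]
        findings.append(f"{key} launches {target}")
        if m and target not in present and os.path.isfile(os.path.join(root, target)):
            present.add(target)
            findings.append(f"{target} present at drive root")
    if entries.get("useautoplay") == "1":
        findings.append("useautoplay forced")
    if re.search(r"open folder|view files", entries.get("action", ""), re.I):
        findings.append("action text mimics the Explorer prompt")
    return findings


def lnk_targets(path: str) -> List[str]:
    """Crude triage: pull .exe-looking strings (ASCII or UTF-16LE) out of a .lnk."""
    with open(path, "rb") as fh:
        data = fh.read()
    ascii_hits = {m.decode("ascii", "ignore") for m in re.findall(rb"[\w.\-\\:]+\.exe", data, re.I)}
    wide_hits = set(re.findall(r"[\w.\-\\:]+\.exe", data.decode("utf-16-le", errors="ignore"), re.I))
    return sorted(ascii_hits | wide_hits)


def scan_removable_root(root: str) -> Dict[str, object]:
    report: Dict[str, object] = {"autorun": [], "lnk": {}}
    inf = os.path.join(root, "autorun.inf")
    if os.path.isfile(inf):
        with open(inf, encoding="utf-8", errors="ignore") as fh:
            report["autorun"] = autorun_findings(parse_autorun(fh.read()), root)
    for name in os.listdir(root):
        if name.lower().endswith(".lnk"):
            targets = lnk_targets(os.path.join(root, name))
            if targets:
                # A shortcut named after a folder on the same drive is the classic lure.
                report["lnk"][name] = {"targets": targets,
                                       "mirrors_folder": os.path.isdir(os.path.join(root, name[:-4]))}
    launches = any(" launches " in f for f in report["autorun"])
    drops = any(os.path.isfile(os.path.join(root, t)) for info in report["lnk"].values() for t in info["targets"])
    report["suspicious"] = launches or drops
    return report


def build_sample_drive() -> str:
    """Lay out the constructed infected-drive root in a temp directory."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "Xk9aQ.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    with open(os.path.join(root, "Photos.lnk"), "wb") as fh:
        fh.write(FAKE_LNK)
    os.mkdir(os.path.join(root, "Photos"))
    return root


def remove_sample_drive(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)
```

Point scan_removable_root at a mounted drive letter or mount point; the "present at drive root" finding is what turns an autorun.inf from a stale leftover into live evidence of a dropper, and the same executable name is the string you would feed into the IPS signature the speaker goes on to describe.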
So what happens in this particular case, in the USB spreading mechanism: our bot has to write a USB monitoring module which creates a WindowProc, which is a Windows built-in API call, and then it looks for the WM_DEVICECHANGE window message, which is delivered with a DEV_BROADCAST_HDR, and again it looks for different kinds of interfaces. If you look downwards, there is a USB device, and it has the wParam specified for the window procedure, and it actually gives you an idea that there's a DBT_DEVICEARRIVAL: okay, the device has actually arrived in the system. So what is it going to do? It's going to fetch another value in that, which is called the unit mask, which is in the DEV_BROADCAST_VOLUME. So what happens in that case: once your system gets the notification from the USB device that it is in there, the bot is actually going to monitor all these things, and it will check the plug-and-play device; for example, the USB is going to get some drive letter, like it can be X, Y, Z or something like that, the volume notification or the volume number. After getting this, the bot gets the idea that, okay, the USB is actually inserted into the system. So what does it do? It calls another Windows built-in API called CopyFileW and creates an autorun file on the USB. How does it do that? The disassembly gives you an idea. This is an example of Upas bot, which gives you the point: it created WS_WS, some sort of random executable name which is going to be placed on the USB, and it also creates an autorun.inf file which is going to have some parameters in it. So it gives you the EXE on the USB device as well as an autorun
file on the USB device, and it sets attributes on them. Another way of doing it, apart from autorun, is what we call malicious LNK file infections; typically, a year back, the Microsoft LNK vulnerability was exploited the most for doing some exploitation at the system level. Simply, it's a sort of shortcut: the bot can also create a shortcut in that sense, and the disassembly gives you an idea of how it is doing that. It simply places a link in that, and even puts a bot into it, so whenever the USB is inserted into another system, it checks for the autorun file as well as the malicious link file, and then it triggers the EXE file on the system, which is spreading the bot from system to system. This technique works pretty fine, and it's been one of the core techniques of Upas bot. When we connected back to the command-and-control server, it gives you an idea of the USB spreading, and that actually shows you how many USBs have been infected by the bot, and it also picks up what kind of drive letters it picks in the system, and things like that. So it's a system-to-system level infection; the bot has to enlarge, it has to make the botnet really bigger in that sense, so it has to keep on spreading things in that way. This is one spreader; there are many other spreaders, like instant messenger spreaders, for example exploiting the instant messaging functionality in Google Talk, MSN Messenger and a wide variety of messengers. Another one, the latest technique, has been developed recently in the NGR bot, which actually exploits the Facebook chat panel from the system: it hooks the messages that your browser actually sends and then injects malicious messages containing a URL to the malicious domain. So getting all that information, when we get detailed information we get an idea: I want to build an alert signature for the
intrusion prevention system, and that's how we can easily do it: we've got the information, and using these parameters we can build up the signature, by doing reverse engineering. If you use that signature you can get all the infections that Upas bot is doing. That actually works really well; I mean, if you go to the crux of the problem and you get the ideas and the information you want, then you can build these signatures very easily; it's not a big task.

Another spreading mechanism is social network exploitation. I think it's become one of the best exploitation platforms, and malware authors and attackers are really exploiting it; it's not that hard to actually trick users into clicking some sort of links and things like that. So some time back we were analyzing one case, and it came to us as a case of likejacking and clickjacking. There was a malicious website which was doing likejacking on a social network website, and when we came across that, it was a pretty interesting technique. It was there four or five months ago, I suppose, but it has been seen in the wild. So how does it work? Let's take a look at it. For example, in a browser you have opened your Facebook session, and I think many users do that and then try to do a lot of work side by side. If an attacker can force a user to visit a malicious domain, or some tricky domain which has some sort of malicious code in it; so in this case the user is actually logged into his Facebook account, and that is another malicious web page. If you look closely, you can see a like button; the impression of the like button is moving along with the mouse here, because I didn't make it transparent, I just changed the code to show explicitly how it is actually working. And what happens in that case gives you an idea now. So this is the script that the malicious web page is
using. It is actually combined with the clickjacking attack, and with that clickjacking you can hide the buttons, you can hide the other things on the web page, and still issue the request. Let's see how it works. When the user clicked on this malicious page, a request is sent in the form of POST parameters, and it goes to facebook.com actually. So what happened in this case: when I log back into the account and refresh it, you'll see a like link appears, called "Robin likes this link", and when a user clicks that link, it is redirected to the malicious domain here, which is actually serving a backdoored VMware file, like a VMware Player file, which is actually downloading malware onto the user's system. In order to show it in a clear manner, I have removed some of the stealthy code out of it; that gives you an idea of how likejacking works. Even if you go to that malicious domain and you try to look into the source code on the client side, you won't find anything, because the VM file is backdoored, and in it there is malicious code which renders an iframe and then downloads malware onto the user's system. So this gives us an idea of how social networks are getting exploited. It's very simple: the attacker does not have to do anything seriously in the Facebook context; it just has to force the users to visit some other domain which opens in the same context of the browser you are using, and then from the other tab you can simply send the request to Facebook that actually inserts malicious links.

Now let's take a look at the post-exploitation strategy: how the bot actually subverts the system's integrity once it gets into your system. A very interesting technique that we monitored is RuSkill. It came into existence from a group of warriors in Russia and was typically used in Diablo-like
things, like Diablo game players, to actually show off the power they have while they are playing something and things like that. So RuSkill is a pretty interesting module that is being used by bots nowadays. What it does is it monitors whenever a new file is downloaded onto the infected machine. Being an attacker, I give a command to the bot: okay, download one particular file, a malicious executable file, from a third-party domain; it downloads it and executes it. But after that, what RuSkill does is, once it executes that malicious file, it removes all the fingerprints of that particular file from the system to avoid detection. It's some sort of showing off the power of a particular bot, right? It has that kind of functionality: to download a third-party executable onto the infected machine, execute it, and then completely remove all the instances that would show that this file has been executed on the system. We saw that when we were analyzing NGR bot, which is like the Dorkbot that existed earlier, and it actually uses this technique, and it worked pretty fine; that is what RuSkill actually did, and it's still going pretty fine in that sense. But the whole concept of showing RuSkill here is how sophisticated the bots have become. I mean, previously, if you look at the design of IRC bots, and now the RuSkill kind of functionality, they are getting more and more sophisticated with the passage of time. So when we do some disassembly of the RuSkill module, it will give you an idea that RuSkill is going to detect a particular file if there are modifications in it, it's going to detect if some sort of DNS settings have been modified in the system, and it will be detecting some sort of registry manipulation in the system. So this is a very interesting thing, and it's a sort of
really stealthy technique. Let's take a look at an example of a hybrid bot. What we did in the lab: we got a sample of NGR bot, we did some reverse engineering, we made it work in a controlled manner, and we set up our own IRC channel so that it connects back to it, because NGR bot is a hybrid bot and has some of the functionality that third-generation bots possess. This gives you an idea: I connected back to the IRC channel here, I joined the NGR channel, and in our virtual machine there is an NGR bot here. What are we going to do? We're going to execute this bot in our controlled virtual machine here. So it melts itself; this functionality of the bot, melting, is like self-destructive code, to remove the dropper protection it has, so that it can install randomly somewhere in the application folder. If you see now, the victim machine actually gets connected back to the IRC channel, so this is NUS/XPS, a Windows XP machine, and there is CAUGFEF, which is the random name of the bot. Well, in order to produce this demo, what I did previously was get a link to the PuTTY file somewhere on the Internet, and I execute a command that NGR uses, called "badger"; I paste it and I execute it, and I started the RuSkill module with the -r option, and you see what happens: this file actually gets executed on the victim machine. That gives you an idea that the bot actually fetched that file and executed it, and things like that. You can execute it as many times as you want; since it's just for this particular demo, what happens once the file is executed: after that, RuSkill will remove all the instances of that particular file, even the file itself, from the system. So you got it again; it works pretty fine in every case, every time you want to execute a third-party executable on the infected machine. That gives you an idea of what RuSkill
actually did in this particular demo. I think the big problem nowadays is the DNS changer. A DNS changer can be an individual malware, it can be a part of some malware, or it can be a different classification of malware, whatever we do; but according to what we have analyzed, it's just a kind of functionality of a malware: how it is going to exploit the DNS settings in a system. So it works, and it has been a great problem, because using this technique it's pretty easy to redirect users to any place and things like that. Let's take a look at the DNS changer. With this technique you can try several different ways to actually manipulate the infected system. The very first one is just to put entries somewhere in the hosts file. Second, you can simply change the DNS server entry to a malicious IP address; that's a very simple one. Once you do that, what happens in the context of the system is that DNS won't allow the system to connect back to some of the various security websites, such as Microsoft, to download the updates and things like that. You can do much more with that, and that's what attackers are doing nowadays. So there are different ways one can do that. We can produce a DNS amplification attack, or a rogue DHCP server which actually gets your connections first, rather than the legitimate DHCP server, and then it goes for DNS querying and things like that. But that's fine; there's a very normal way of doing things, changing and manipulating the DNS entries. So how are the bots doing it? Bots are actually implementing it in a way that works dynamically: the bot actually hooks the DNS API provided by Microsoft, that's very good. There is a function, if I remember correctly, DnsQuery, which is imported and exported by the DNS library called dnsapi. So if we understand the concept of hooking, inline hooking, then you can do DLL
injection, creating a remote thread; you can do SetWindowsHookEx, and there are other ways like the CreateRemoteThread function and different ways of performing hooking. But the stealthy way is inline hooking, where the malware authors, when they design and write a bot, redirect you to the hook module, and it all happens dynamically, and that's the real crux of this DNS changer, things like that. Another way of doing the hooking is to exploit the DNS cache resolver service and check whether the sendto function has been hooked or not. These two things were implemented by the Conficker worm too, but it's still doing it. Let's take a look: when we disassemble the bot, we get an idea of how they're doing it. This is functionality provided by NGR bot: it can block the request, it can redirect the DNS request, and do certain things like that. How does it do that? Let's take a look. In this particular demo we are again going to connect to the IRC channel and then throw some commands, like the change DNS command, and then we'll see how it dynamically hooks the DNS API libraries and blocks a certain set of websites in the context of the infected system. We're still connecting back to the NGR channel, and if you see clearly here, the bot is still there; it means the system is alive and activated. In order to show that, let's start by checking whether things open fine or not. At this point of time we are able to open microsoft.com, and then we are able to open facebook.com; that's fine. So we close the browser, I get back to the IRC channel, and I issue a command that is written in NGR bot doing the change DNS, and I did it for microsoft.com, it blocked it, and I did it again for facebook.com. Now, for example, the user gets back onto the system and tries to open some website, for example Microsoft: it gets blocked. Again, Facebook actually gets blocked. This happens because NGR bot
actually implemented the concept of DNS hooking. It's not exactly like it's manipulating the hosts file or doing some sort of other things like that, but it actually implemented hooking, in some sense, and that is the example here. So when we redirect Google to some malware domain, the system is giving up like "not found", and if you still look at the URL, it's just a mismanaged DNS query. But this actually gives you an idea that DNS manipulation still works pretty fine in the infected system; these kinds of designs really hamper.

Now we have gone through a lot of things. We took a look at how the Nuclear exploit pack is working, we had a look at how the Blackhole exploit pack is working, then we looked at some of the techniques like Ruskill, and then we looked at DNS exploitation in infected systems. Now here comes how to exploit browsers once your system is infected. Okay, that's what is actually designed to exfiltrate data out of the system, and with the third-generation botnets HTTP is the protocol with which they are actually doing it. And in order to do that, just very simple things; most of the malware actually implements these things: try to manipulate the zone entries in Internet Explorer, and then manipulate Firefox entries by configuring some parameters in the user.js file. Notifications, I mean, for example, over SSL they want to remove all those kinds of notifications, and they want, or they force, the browser to send data over the HTTP channel rather than HTTPS, because sometimes the browser gives you a warning, okay, the channel is being changed from HTTP to HTTPS. So in order to remove all those sorts of notifications the bot actually manipulates the user.js file, and this is one of the interesting techniques that exists now. And this is actually another replica of man-in-the-middle; the only problem, or the only differentiation, is that it actually works inside a system, and man-in-the-middle works between two endpoints in the network. So
the bot that actually gets installed is like a user-land rootkit, actually, because the browser process is running in user land, the system and the server. So this diagram actually gives you an idea: when a user actually accesses a legitimate web page, and when the web page is sent back to the user machine in the form of an HTTP response, the bot actually hooks that response and tries to inject something into it, and then it actually sends the manipulated web page back to the user. The user feels that, and the user provides all sorts of information, sensitive information and things like that, and then it is sent back to the server. But again, going back to the server, the request is again hooked by the bot, and the bot actually redirects it back to the command and control server, picking up all the information in the POST request. And that is actually a conceptual man-in-the-browser; the MITB agent sits at the endpoint, it actually monitors it and tries to manipulate it accordingly.

Let's take a look at this example. I'm not sure, but if you go to the chase.com bank website nowadays and you try to look at types of online fraud, you will get this explicit image out there, and they put that in like a virus and malware sample kind of thing. This is an example of web injects; this is an example of an MITB attack and how it works. Let's take a look at it. As I stated earlier, it's a technique known as web injects. I mean, since the bot is inside your system it can do many things accordingly, and whenever a user sends a request and gets a response, before the response actually gets rendered in the browser, the bot actually injects some malicious information. This was conducted against Citibank, and how they wrote that particular web inject construct. But this actually gives, I mean, a lot of power to the bot to manipulate online banking and to manipulate a lot of functionality of the web pages on the client side. But this is a really interesting technique, and we haven't found any good defense, since our
team is working on it. And that actually gives you an idea of how the example looks. So set_url, data_before, data_inject and data_end are like the parameters in the web injects file; they are actually used to construct one rule. So if you look at the set_url parameter there, it is being defined, so the attacker has to define a URL there, so any bankofamerica.com URL: if a machine or a browser sends a request, whether it's a GET request, whether it's a POST request, or whether it's any H request, so there is an explanation out there for L and H, but typically it is against GET and POST requests. And then you will tell that in a particular web page I want to inject this kind of data before this tag, and what after that. So this is a real-time web inject, and this attack was conducted against Citibank. It's like a forceful cookie injection, and so the bot actually injects all that code in the web page, and if you see on the data_before, it is being data_before, after that, and then put up a script tag at the end. So this payload actually looks inline to the user; I mean, the user is not going to look at that JavaScript code, but this will get executed inline when a user accesses a Citibank website.

Let's take another example. This one is for bankofamerica.com, again for all GET and POST requests, and again it works inline. And if you look at the sample example downwards, it again was against Wells Fargo. So we got this web inject sample somewhere when we were testing something, and that infected machine had all these samples, and so for any user on that particular infected machine, if it's going to open these websites like Bank of America, Wells Fargo, the bot is going, and how it looks is very stealthy and inline. So in this case web injects is a very interesting technique on that part.

Let's take a look at form grabbing. It isn't actually very... it's an advanced-level technique, but it works very well with the present-day botnets. How it
works: like garbage data and things like that, they have become more sophisticated. So what they are doing is they are hooking the browser's built-in DLLs and then trying to hook certain functions inside them, and once they hook the functions they extract all the information out of them, and form grabbing is one of those techniques. So in form grabbing, whenever you submit anything, like you put your information back to the server, the bot actually hooks that information; that's why the technique is known as form grabbing. And when it does that, so this shot, I have taken it from the internet, but it was a pretty good explanation of form grabbing as well as web injects. So with the web injects you can inject like your number, your ATM number and things like that, and when you submit that information the bot inside the infected system hooks that thing and sends it back to the command and control server. And how the harvested data looks, it gives you an idea right here, and this is the whole set of information you actually get from the infected machine: an anti-virus license key entered by the user, and it was retrieved on the command and control server.

And in order to show how it works, this is the last demo that I have, and we constructed this using SpyEye, which is actually considered a descendant of Zeus, because it's using a lot of source code from Zeus in order to work. So again, when we do that, it again implements the concept of melting, and when we try to refresh it the bot actually goes away, because it has to destruct the dropper. And so, considering this scheme, you will get an IP address of the infected machine, and we are logging back into the command and control server, a controlled one that we used for testing. So this is just like a bot that has connected back to the command and control server here, and if you go down this is the system that we have, and if you map up the IP address, this IP address maps to this one. So it means the infected
machine is connected back to the command and control server and the bot has really taken control of that system. So that's fine. The website opens here; I'm not using real credentials or things like that, I'm just using wrong credentials here, just to try to show how this technique works. And we're also opening facebook.com, just to try to show that this technique not only works on the banking websites but on a lot of the other social network websites too. So I have a system, the system is... so when we get back to the command and control panel and look at the reports, if you go down you get that a request has been logged from chase.com. Let's see what we have. This actually gives you all the information about the bot, but if you go down you actually get the whole of the POST request here. So you have a user ID, you have a user ID, and you're all gone. So the similar thing works with Facebook. So actually the bot implements a bit of delay in actually picking up, or in actually grabbing, the request from the client side, and so when we submitted it again and we got back to the command and control panel and searched for the things, you find, so you get all the information in the POST request in the command and control panel. And what you look like, this data is not yours; once it is extracted from the system it's not yours, and it has been sold in the underground market and a lot of things like that.

So the conclusion is that, looking at this kind of scenario, the kind of techniques that we use: browsers provide a window to the internet, so it's always good to exploit them; HTTP has been used as a preferable protocol for data exfiltration; and at the end I would like to say that botnets die hard, and they are still existing and they are going to exist, but just the thing that we have to do, we had to come up, or we have to come up with new protection mechanisms, then we can still deal with a lot of things. So, any
questions?

Actually, yeah, so he actually, if I got it correctly, so he actually asked: so we are using command and control panels and things, we are doing it for research purposes, but when it's going to be companies, like others, or the research labs, some of the small groups that we are doing, to, you know, bust these command and control panels and to remove these botnets out of the system. Again, I mean, actually, if you asked me on this part, these botnets actually exploit the default design of technology, basically. So when we analyze something, we try to implement a concept of infiltration, because if we don't know what a technique like Ruskill does, we are not able to build... some bugs in, like, the SpyEye command and control panel, where you can use those bugs to actually gain access to the C&C, because these guys are not very much interested in building a secure command and control panel, to some extent; for them it's all about selling and purchasing data and extracting things. And it depends on a lot of things; when you're doing research you might have some gain. I want to say it's a problem, it's a choice: what kind of defense mechanism do you want to work on? Do you want to go and bust the command and control panel, or do you want to go ahead and build a defense mechanism on the system side, or build a secure browser and things like that. That's interesting.

So you can continue the question and answers over at the Q&A for room number three, and that's it. Yeah, thanks everyone.
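The web inject rule format the talk walks through (set_url, then data_before / data_inject / data_after blocks closed by data_end, with G and P flags for GET and POST) in a small triage parser an analyst can run over a recovered config. This is an added example, not code from the talk or from any bot; the config is constructed with placeholder hostnames, and the extraction of external script hosts is an analyst convenience the talk does not describe.

```python
# Added triage parser for Zeus/SpyEye-style web-inject configs; not code from the talk.
# Format: "set_url <pattern> <flags>", then data_before/data_inject/data_after blocks,
# each closed by data_end. Flags G/P match GET/POST. The sample config is constructed.
import re
from urllib.parse import urlparse

SAMPLE_CONFIG = """\
set_url https://www.example-bank.test/login* GP
data_before
<input type="password"*</div>
data_end
data_inject
<div>ATM PIN: <input name="pin"></div>
<script src="https://cdn.inject-host.example/inj.js"></script>
data_end
set_url https://social.example.test/* G
data_before
<body*>
data_end
data_inject
<script>/* inline payload would appear here */</script>
data_end
"""

def parse_webinjects(text):
    """Return one dict per set_url stanza; block bodies are joined with newlines."""
    rules, section, buf = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split()
            rules.append({"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                          "data_before": "", "data_inject": "", "data_after": ""})
        elif line in ("data_before", "data_inject", "data_after") and rules:
            section, buf = line, []          # start collecting this block
        elif line == "data_end" and section:
            rules[-1][section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(raw)                  # raw line: injected HTML keeps its indentation
    return rules

def methods(rule):
    """G and P select GET and POST; L and H are logging flags, not request methods."""
    return [m for f, m in (("G", "GET"), ("P", "POST")) if f in rule["flags"]]
_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)

def external_script_hosts(rule):
    """Hosts the injected HTML loads scripts from: a quick indicator for the analyst."""
    return sorted({urlparse(u).hostname for u in _SRC.findall(rule["data_inject"])})
```

Run it over a real config pulled from an infected machine to list the targeted URL patterns and any third-party script hosts the injects pull in; those hosts are the first thing to block and hunt for in proxy logs.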