Hands-on Writing Malware in Go

besides DC would like to thank all of our sponsors and a special thank you to all of our speakers volunteers and organizers hi I'm Stuart McQuarrie we'll talk about a bit of programming go so background for me real quick I'm Stuart I'm a red teamer at iron net it's a Twitter QR code really what you want to do when a hacker puts a QR code in front of you is take a picture of it written retired net I'm on the UNIX side of things mostly and more and more in the Windows Eastsider excuse me on the networking side of things as my company makes a network traffic analysis product and one thing I've learned when we've

been developing this in emulating various types of malware and various types of activities but not as go is a really great language for writing bad things if you were on a honeypot you'll find a lot of go in there nowadays so sort of github on and so forth I'm not affiliated of Google go is a Google product to Google project I guess I have no affiliation with Google my company would like me to point out that the views in this talk are not there's also I'd like to point out myself that if you write malware and use it or even if you write malware and put it on the Internet somebody might use it so like it's cool

it's like hey I wrote this really cool thing I think I'm gonna send it through Canada that would be awesome please don't do that and when you do it I'm Justin Trudeau pleased to meet you my name is Carson cease I'm a current student at the Pennsylvania College of Technology this past summer I interned with thanks as classmates I interned with sue at iron net and a couple of other folks there did a little bit of go development which kind of sort of led to this talk there's my equally legitimate Twitter QR code if you're interested in that sort of thing my github as well I'm also not affiliated with Google and in addition to my past employers my school

does not necessarily endorse what we're going to talk about today so speaking of talk what are we talking about first of all just a quick overview of go kind of why it's good why it's maybe not so good a little hello world demo and finally some malware bits real quick some notes that you might want to follow along with or you can see that link at the end of the talk it has pretty much everything we're going to talk about linka 5 so to speak so go it's general purpose braces developed by Google it's boring which is nice and at first that term seems a little bit unusual but let me put it this way so you spend some time a

couple of hours writing Lisp and man you just feel great you get all of this code done you you spend like three hours on it and you're just fired up you feel like you're the best programmer ever you just process some strings and you feel great about it well let's go you spend some hours and your codes pretty good you're happy with it but when you step back and take a look you realize hold on wait a minute I just wrote a worm that can actually take over the Internet let's do might know a thing or two about that mr. trudeau right so goes compiled it doesn't require anything you know to be on the target like a Java Virtual

Machine or something with Python some sort of interpreters compile makes a binary it's good for a couple of things Network clients and servers and kind of systems level programming with what's interesting about those three parts is there's all kind of when you put them all together it kind of makes malware which is what led to this talk so so why malware why go to parts it's easy and it works it's easy it has a large standard library there's pretty much everything you need in that standard library when you want to get started however if you can't find something there you might have better luck finding something in a library somebody else made or make your

own and put it on github you can't really get fancy and that kind of goes back to the nicely boring the codes easy to read if you're reading somebody else's code and more importantly it's easy to write and kind of talking about easy easy means fast fast means cheap cheap code to write and that means that when your malware eventually gets caught instead of going through tons of time to make the malware really difficult to catch really hard to interpret you can just keep writing more malware on the note of fast it takes a weekend to learn just a quick side story about that this time last year I think it was in this very room I was sitting

there was a talk still was giving about some go and some other bits and pieces there haha let go seems pretty interesting I had heard of it before but never really followed it but when I heard it could be used for malware and I'm a cybersecurity student I thought I'll check it out went back to school took a weekend learned go and then the following summer I was writing some go for iron net so that's the easy bits and it works and when it works it works nearly everywhere you can cross compiled to a bunch of different architectures and when I say that that means when you have a Linux toaster and it's runs some it running

some obscure distribution go will probably run on it and if your toaster doesn't have all of the dependencies you need to run go that's ok because it builds them all into the binary so you don't have to worry about any dependencies on your toaster that you're trying to do something with finally it plays nice with C ok so that you know that sounds like all kind of rosy things for working with malware but what's the catch what's what's important here and what can be a drawback they're really big binaries if your toaster only has 4 megabytes of storage on there you can't really fit such a big binary in such a small space it's kind of POSIX focused

and it works well on Windows pretty ok that's really the only reason to do can write windows code however you're gonna have a tough time writing me me cats it's mostly cross-platform there are some catches too that might not work on all toasters but for the most part it works pretty well cross-platform there's some different like webassembly kind of things that go can do but not everything's quite there and finally dependency management is still a little bit young and you know and it's in active development there's also one other catch all right so we kind of know what the catches are what's nice what's not so nice so so what do you need to get

started first of all you're obviously going to need to go compiler it's not terribly big or complicated download it from their website extract it set a couple of environment variables and you're pretty much good to go and if you're not so interested in downloading a big you know binary compiler to actually work with it you just want to kind of play around go has a great website play golang.org where you can run a little bit of everything not quite everything and it's a good way to just kind of learn go experiment goes nice because it doesn't require any crazy IDE or anything complicated to use you just need a text editor you could use ed if you're into that sort of thing

if you're less into that sort of thing vim is not a bad option them has a nice plugin for go and then if you're really soft and I admit to this you could use vs code vs code also has a nice go plug-in finally if you want to use some external libraries that other people created it gets helpful to have hi so I've gotten to a lot of these like hey use this thing it's awesome talks and they're like hey here's like why you should use it it's really cool and then you're like that's nice and then all of a sudden is like and bam we've just got on target and like whoa how do we get

there so we're just gonna take a couple seconds and do a like how to compile a thing it's real simple you write your code in them which is okay nowadays we don't we don't shame people for this anymore you write your code in whatever text editor you'd like and we all tend to use the same formatting style it's actually like everybody does going ports will take care of that for you so you write your code you like a indentation and then you find yourself nicely indented we'll see that in a couple minutes after that go has this sort of like a linter ish thing it's a little like linter plus built in so it'll check and

see if you have unused variables or strange return values or whatnot go vet does that we'll see it somewhere we'll see in a demo later in the talk and then you just build and run it it's a binary you build a run you put on target run it something along those lines so here's a quick quick little demo of what it looks like so we'll pro and cat because um really ed is not cool anymore so alright cam you can see this is not perhaps the way you would like your code to look that's okay so go imports will handle a few things for us handles the package statement so main just like you're like a most

languages nowadays handles our imports what libraries you can use so they figured out we're gonna import something from the format package and it makes it nice to look at well vet it okay clean bill of health that's cool compile it we'll see that it is in fact a nellis be an elf binary it's nicely statically linked which is quite good it has a build ID in there that might make things trackable but it's okay we'll just put on target and run it and sure enough we have our hello world so really easy to do it's also nicely injectable both as a DLL on Windows that works quite well we'll see it on Linux here but it's it's pretty much the same thing

Co has this concept of build modes so you can build it as a binary you can build it as a go archive like a like a C archive ish and we'll just we'll inject it however you don't really inject things so quick demo there by the way if anybody can tell me how to get rid of this black bar it's like six conferences in a row now and try to figure out to get rid of this thing I'll buy you a beer here did not turn it off and on again peanut gallery hits so here we have a little program it'll it'll take and write a file temp X with you know a little hello from a pin message go grunt

go imports it's nicely formatted notice we have main here that does nothing just like in C where you have attribute constructor and go because we're gonna make this a library we have in it which is a constructor function so it'll run before before the main function or before whatever function is exported it's good for malware you just inject it and then you have a thread going you're like man cool got a callback Sears go vet in action up here is hello from hid and I got a formatting directive but I didn't put anything in there and it's print up forks like Esper enough and see hopefully using some better an esper enough but yeah so hey we need a percent

V which is just you know any any verb at the end little go change that real quick yeah I find the line where we goofed was line 11 it told us and we'll add a get pin in there to print the pig so you know ports gives us clean bill of health nicely formatted so on and so forth we got our little import line taking care of us nicely which means you don't have like a billion includes like you haven't see really I really need all these is that debugging so piles nicely turns out it's a shared object but heads-up it's dynamically linked you can statically link shared objects gets a little wonky so I'm special if you're cross compiling

put on target shove it in noticed we got a bunch of threads now and that's pretty typical to go runtime it's not an interpreted language by any means but it's garbage collected so you do actually have a runtime there and then we got the threads started and then we get deal open mode returning so racy ish but it's threading for you it's kind of normal and yet we got our hello so there you go so the first little bit of malware we're going to talk about is domain generation algorithms they're DGA and sort of the high-level overview of this idea is you have a defender and you have your malware inside his network and your defender blocking couple ip's a

couple of domains couple thousand IP as a couple thousand domains how did your malware reach out so one way of doing this is sort of predictable domains that the malware reaches out to and then you the attacker will register a handful of those that the malware can eventually connect to it can still be blocked and there's different ways of doing that but for the most part it's a little bit harder to get around since it's just random however it's not totally random under the hood what you're doing is you're using something like the current day which might involve the year the month the day some combination you might have a seed you might have an additional

string in there and at you the malware author it's predictable to you you know what to expect the defenders don't necessarily know what to expect it's pretty easy to implement and it's hard to detect but what does it look like so here's some of our domains alright we use our DGA algorithm to generate a handful of domains a couple for Monday Tuesday Wednesday and our malware he's gonna try every single one doesn't know which ones registered which ones not B is gonna try them all and we're gonna register two of them one on Tuesday one on Wednesday so when our malware reaches out on Tuesday it gets in touch with that domain and same for Wednesday our

poor defender though he doesn't know what to block he sees all of this getting reached out to and he can block some things but he can't block you know a seven letter string you know for popular video site YouTube so it's it's not exactly easy to get around and it's easy to implement so what's going on here under the hood first we we have our in this case our string of our year-month-day and then some sort of counter to make it change for all the domains you want to generate every day we hashed that in this case md5 and then we use that we append our top-level domains for com we append that to that

string and then we return it I actually wrote a DG a library in go both sort of for the purpose of this talk to show how easy go is and also to kind of put this and say hey look we can get a time we create and create a new domain generator using the Year month the day we give it our our top-level domain and then we just call generator next every time we want a new domain and we can use this on the malware side that's implanted somewhere and then we can use this on the other end to create a whole list of domains and pick the ones we want to register alright so what does this look

like just a quick bit of code already formatted we have the domain generation library that I wrote RS DG a imported we're just grabbing the current time we're creating a new generator and that generator is using current year-month-day com the thing here is the way the libraries written could be calm or calm and of course this isn't exactly what you do in real malware but just to give an example we're just gonna have a for loop run five times and print out five domains so we're on our go imports looks good we run our go-go vet it looks good we build it and we run it and there's our five domains so there's it's a great

way to establish your c2 now you've got coms usually HTTP sometimes HTTP is not quite what you need either it's heavily scrutinized maybe they do some TLS man in the middling or something you're like it's not a great way to go so another easy thing either easy way to get data off of the network is DNS you can always trust HTTP HTTP and DNS to get out of a network DNS is often a little less scrutinized so I don't like control playing stuff I'm not gonna watch that too much or hey we've encrypted all our DNS we can't see it but we encrypt it so it's cool so easy way to just say take a

bit of data I'm not too much perhaps it's just chuck it encoded encrypt it and stick in a DNS label if you were on the DNS server you'll get that query because if you're doing it right it's gonna be a never-before-seen query a couple of caveats here a DNS packet usually is about it's supposed to be under half a kilobyte ish usually you get like 100 bytes ish if that it's actually kind of a big packet so it's not it's not fast also it's case insensitive so if you're playing with this expect cases to change in your queries as they go from implant to server it's it's kind of one of the cool things that's used nowadays so so

it looks like graphically we have our implanted victim machine and it says hey on the network and says what's internal DNS server probably it's DC had like this ridiculously long thing please and the DC is like oh that's kind this guy's like I don't know that's this guy at the upstream Deana so your info blocks or something typical normal DNS recursion goes on and at some point you go and boring CDN kamo bad guy and you get this long query like I'll just decrypt that and now I have a bit of exfil so a little more concrete example grep out our routes hash from Etsy shadow this is made up from a dummy account by the way see people like on

their phone was based 32 encoded base 32 is like they 64 ish there's one fewer bit per byte you get but it also is case insensitive so it doesn't you know case changes on the wire won't affect it and servers do change case so we'll take this nice encrypted with large thing we'll just chuck it into bite-sized chunks put it on put it into Cree by the way it's good to have a bit of randomness so that no caching happens so you get everything to your server um it's being an example speaking from experience and then we'll look fill it so this example will just say we've done some host survey we've run a net staff and we

have enumerated the drives and we've looked at the process listing and whatever else Chuck that stick that in some variable it's just a blob of bytes I'm will truck the bytes and these typically are not just a function call but you know will chuck it into some bits and then each chuckle X Phyllis so we'll take make sure to chunks thank you cool those those helpful make sure our chunk is small enough and we're just yeah you just call the the you knows look it up as an IP address like you'd look up any other IP address except will hex encoded stick it on our domain MEK sample dachau boring CDN whatever just registered and

put your name server records I mean probably will do some sort of encryption with it encryptions nice by the way dad's entropy so we won't get cash it's actually doesn't make that grade a demo so I didn't record one so apologies however that said go playground not really a demo this link you can see in the the notes that'll be linked at the end but also in the slide deck not a great demo but it does kind of show what's going on here as far as hey you can hit play and go playground and you can see here's your input and here's the output and then here's how it decodes it so just something worth mentioning it

also a nice library carson's put together to do exfil over go and take care of some of the boring bits next thing talk about that go makes particularly easy is domain fronting the main training it's kind of a hot topic a few months ago maybe here so ago and and really under the hood is it's just your you have your TLS connection that says hey server I wanted this I want to make a connection to this thing that's just like an encrypted tunnel basically and then you have the HTTP under the hood and HTTP is just HTTP wrapped in TLS it's all really is an HTTP already has this like hey I want to talk to this

thing so you have to two sets of hey I want this and normally they're the same and sometimes they're not and if they're not on the wire all you can see unless you do TLS man in the middle II on the wire all you see is the outside the TLS s and I the server name indication hey I want to talk to YouTube and then you know it's whatever provider and the providers like oh I have this HTTP request I know how to route this awesome and it's they don't really always check the major providers Google I think Amazon now they've they've made this hard or impossible but you know some of the smaller ones works pretty good and

it's it's really quite hard to find on the wire unless you're doing some really cool endpoint stuff which that works it's pretty easy to implement if men in the middle TLS man in the middle happens oftentimes those two streams are not reassembled there's no like correlation between the TLS and the plaintext and it's pretty much every tool nowadays supports it because it's just simple this is what it looks like graphically I'm you got something implanted victim box and he says hey I'm gonna make this thanks all right we'll work we see now I can't see that it's gonna say hey I want to make this TLS request to kittens da boring CD end and XYZ it's normal

under the hoodies can be a I want I want a bad guy the bad guy that boring CDN done XYZ in the fire was like yeah cool kids are like nice I like kittens I was told to watch out for this bad guy thing but yeah that's not there can I see the TLS a web server that serves all of the the CDN and CD ends do this pretty well it's like yeah sure here's here's the cert going this way for kittens and I'll route it to bad guy going this way so we have our nice T to that uses whatever we've set up on the back end but one of the wire it's just kind of cool it's a

couple ways you can do it and go so one way it's like this you make your nice HTTP client struct and it's you make your HDB client and you say hey for anything when we connect TLS make the s and I something benign looking and then you know when we do our get request get something sneaky but on the wire it'll because you just saw the TLS configured I'll do that you know you get your response and do whatever you do with your response thank you that's cool we'll just print it out I totally pipe it to a shell or whatever another way to do it just like this quick detour one of the cool things

about go is you can change variables at compile time so it's really good for like an implant ID or like you know I know there's this particular thing in this box just declare them globally so the s and I will keep as this benign domain fronting demo thing GA and we'll play with a host header in a bit there you go so we'll just work the other way to do it your all a request just like you you know say hey I would like to make this HTTP request but you set the host here and you set the host to something that is not the SN I so in this case by default it'll be a DF demo

GA and then you knows make an HTTP response and this is as easy as it is actually and I will just in this case we printed a standard out we could totally have piped at Rachelle when we run it so running it looks like this clean bill health good ed sure arson is DF demo ta our host headers DF demo GTA and it was not found because the the we go back the you know request for tasking you know yeah this ain't running demos not gonna give us any sort of tasking if however we said that host header could I compile time to something like a bad move stodgy a something something good is gonna give us tasking violet run it

there we go so I go hey that's kind of cool and you totally could just pipe this to a shell Linux lady did something like that it's just like Carl piped SH and cron it actually works pretty good so is domain fronting and go it's really quite easy it fits in a tweet I found out and good luck catching it so unless you do a TLS decrypt tell us man in the middle and it works okay sometimes last thing we will talk about propagation dssh dssh worm these have been around since mr. morris got himself in trouble alright so i was telling it or something but it's been around quite a long long time it's the same ssh we use all the

time it's same even even windows is getting ssh nowadays ish kind of really what they did was they just took linux unfolded on one was like a way of ssh now so what this one will do is they'll just try a set username and password or everywhere and and then you know i always get your app but in our environment you can't do that because everything has a unique password and you're like oh sure about that buddy so um so curiosity how many of us have seen somewhere maybe creds we use like crazy there's like a lot of people who are like kind of what's your company also path right password off is pretty common

it's actually watching watching honeypot once was like man everything is trying password you're not trying any other authentication mechanism ssh supports sudo will do we will take a tcp port and we'll just listen on it's kind of a mutex kind of like a hey we only want to implant once what mister one of the reasons that morris got in trouble with his worm is he kind of brought the the little nascent internet to his knees there's no like okay that's enough so you know wouldn't win this thing implants a box person to lose try and listenin if it can't listen it'll die and then i'm just take this creds pair that we built in and it'll try it

everywhere it can i've written this one to only go after ten wack eight turns out if you put a worm on the internet people we use it and then it turns out people notice that people use it and ask you about it so don't do that so yeah if it all succeeds it'll take its lytic specific so we Tyree Carson mentioned like hey sometimes it's not totally cross-platform will go even worse and we'll just read for proxy self exe which does not exist not on Linux that's okay we'll copy the worm we'll start it the next box we'll just drop a binary and then we'll pull hitter eight there we go so you can make nice

command-line arguments and if your if your software is meant to be used by users is a nice thing to use the flag package to build command line arguments the other way to do that is just to have this massive var block at the top and say hey this is this is the config and do compile-time config if you want to change it so you know simple things set the creds the first octet of all the it the hosts we're gonna go after so on and so forth except the byte it's what the binary names justing a little thing that we won't see in this demo but won't see in the slides I don't have demo for this

one but I was like hey cool so I have this like network of 100 VM set up which is really good for your processors heat by the way I have 100 VM set up and I was like I wonder if it's done it's like I should have it like talk to me so it don't just make a query kittens calm I mean I could not find a good way to record a demo other than like watching DNS queries come back and they're all for kittens oh yeah that's kind of boring so we'll just look at chunks of the code if you would like it's on get it so I think it can have just I put it

in there so the mutex the preventing multiple executions listening listening and sees great you asked for a socket then you bind to address then you call this and then you call accept then you maybe do a bunch of guy op tools and all sorts of great stuff here listening and go is sort of a one-liner and this is like a go one-liner go is a very vertically long language but it's it's a go ish one-liner one-liner ish but anyways if it fails then we're like Oh probably gonna listen on that and life goes on making an SSH connection is you just make it config and you tell it to connect almost like command-line SSH except in code so you

just give it a username you'd like a list of authentication methods it actually lets you validate the host keys it's really nice some sort of connect timeout and it's Thanks yeah we should have gone with a PDA yeah yeah I totally should we were giving the talker like hey PDF for Google slides yeah that's that by the way if you replace SSH to dial with net dial it's how you make a TCP connection so it's go is a pretty regular like boring boring language and will propagate so we'll take you you have your SSH connection we'll call it C thank you SSH is a multiplexing protocol I guess it's really if you boil it down to it

it's just a tunneling protocol and it makes like channels inside of it so we'll make a channel test session channel and what connect standard into that channel to the worm we'll have read the worm in from proc self exe and then we'll just say hey in this session run this R in this really massive command and rolled that payload bin from like three slides before it's like yeah we'll call it cron D cuz you know what's gonna kill around here it so we'll write to cron D and temp because Conde always runs out of time he'd be surprised like actually this word like hey don't we go ahead sneaky yeah totally should use the PDF and

going back to hope the whole easy thing that combined output thing you place s session with like OS dot NS H or something or s down command I've been SAT see what it is I mean that's how you run a command so it's you know that theme in variation is kind of it it's really not the most exciting language to write but then you do awesome things with it so that's that's in a nutshell some cool things you can do with go if you stitch them together you have like some pretty cool malware there there's all sorts of stuff there's a lot of frameworks out there that use go under the hood few few things I found from

just from experience it's much easier to write if you have some sort of editor plugin it doesn't particularly matter what enter to use because you can of it you're gonna format it the same anyways using vim there's vim go if you're you're using GS code some people use the PS code Microsoft has a library out there plug it out there Kirsten mentions both the tour and the playground before the tour is really nice it's like you're like man how do you program I'm like here take this to her and like two days later the programming we don't have a repo and go it's a compiled language it compiles really fast like I've not seen anything take more than a couple minutes

but playground is pretty close to that and actually a lot of the plugins at least ungood editors well there's some things to play yard if you ask so a couple more things trim paths when you pass it to the go environment everybody fastened to go compiler will trim the path of files out up to some name Spacey thing so you just have something sitting in your home directory a single file and build it won't put your fire your home directory in it was my boss at one point was old job was like kind of giggling it was like okay your girl man why are you giggling he's like hey this is your malware isn't it yeah it's like well I

strings didn't I found your name I'm like yeah he's like there's an incident spun up because of this merrily if you leave things for months on a domain controllers people notice but they don't notice like strings it and find my name good stuff and the last thing if you use Segoe enabled equals zero it's an environment variable a pass to the compiler dynamic linking won't happen every so often the static thing is it's like hey win this one environment we're gonna use you know this box is DNS or something so I'm usually if you're writing malware you want to get as little as possible so that's that's the bulk of the talk we're gonna open it up

for questions before we do from giving this talk and smaller and larger and so on environments have learned a couple things that are better for Twitter or meeting us in the hall or IRC or something along the lines so asking how to just like hey how do you get started with the tour that answers that and then invariably somebody's like hey I tried go and I hated it because I had a bug question mark so whatever you talk about go also if you used OpenBSD you ever get to talk about that you'll get this to somebody always says something to the tune of hey my my thing uses this language or design choice or editor

except maybe the s code or paradigm or this is the best power ranger question mark so yes I'm happy to talk with you in all so like to open it up to questions there's QR codes there's those notes again and then if you really don't like QR codes from hackers there's a October user names I think it's the first time I've ever put the slide up that somebody is like taking a picture of me so yes so the question is if go is statically built by default they'll stack binaries by default why would you think about this an answer is it's almost always statically put built by default but in there's a the one I remember is on Linux

if you're building on a Linux box and deploying to a Linux box I think if I recall correctly it'll call get host by name or get address info I think and not just make a UDP socket enroll its own packets Ralts on UDP someone you have a few things like that here and there and that might be cool and maybe you don't want that so I find it's a little easier that I just I don't have to worry because live seed like your G Lib C likes to change get address info like subtly any other questions yes hi so almost bad I'd say most of the time when we go to a client site we're not my

company does network stuff right so mostly we're worried about what network defenses are gonna catch us and we tell them hey dudes like feel free to disable your AV or whatever and they kind of like snicker at us like yeah okay buddy we're gonna disable AV with some random stuff on our computer and then you just burst up and github then we pulled it down from github and it works and we're like hey by the way this is malware no no that's not malware cuz you wrote it it's like got a shell so that's my experience if I forgot to repeat the question I'm sorry the question was how much does AV catch this kind of stuff

and generally if you roll your own whatever language if you're rolling your own nobody's going to notice though so I've asked a couple and I've got a question was using go preventing present any real challenge to reversers and I'm not one so I can't really speak hugely definitively on that like Carson was like yeah and then the catch your stuff which is right more I'm although just write more side of it but I've asked that to a couple dudes and I've got a couple different answers one guy was like aw man I hate it when I get go because it's such a weird format and all the strings are funny then another dude was like dude I love go they have

debugging information everywhere so I don't know the other questions yes no question was have I ever seen sophisticated malware and go and the answer is I've not there's some open source frameworks that are pretty slick out there the malware that again not being on the defensive reversi side of it I don't see a lot of my timão aware but there's no reason you wouldn't catch it but if it's actually really sophisticated you know probably not getting kind so there's no reason you couldn't write it for sure the things that I've just fiddling out of honey pots or I mean not great but you know I haven't reversed them so sorry red teamer in the back there

so the question was since go brings everything and builds a massive binary have I run into any issues with binary size being a problem paraphrase yeah I've not been in that situation no I've not yet found a toaster to to implant but I back when I was fiddling with routers Soho routers it would have been a problem if I were putting go things on there some of them really only have a couple negative memory to fiddle with and memory and RAM disk ish yes they're like four five Meg six Meg if you put a lot of cool stuff in there seven eight ten Meg if you're if like the worm if you're building another binary into your

binary they get you know six Meg plus six Meg and yeah let's take actually get kind of sizable so but nowadays I mean it's not that usually big an issue yeah so any other questions all right well thank you for coming to our talk hopefully it's useful for you

[Applause]