NEVER BEFORE HAD STIERLITZ BEEN SO CLOSE TO FAILURE

hello everyone my name is Sergey I work for sophist based in North Sydney and today I'd like to talk about one interesting sample of that our team has come across and this particular sample is it's not about the sample per se it's about the trend that we see that trend is the spilling of the purely malicious techniques that evolve there were so many years on Windows platform into other platforms such as mac OS microwaves in particular the sample is detected by product and it belongs to poor so-called poor that's a potential and water'd application and the company behind this software is a legitimate company with lawyers so I'm not gonna name the name of that company and this

is I'm sorry for this little disclaimer but the actual techniques that they employ are really really interesting before I get to the technical discussion it will be a bit technical as you will see static analysis that emic analysis brief introduction of what we see in field if you think about Mac OS platform and the type of threats that affect it and surprisingly you're not surprisingly but malware is not that much of a problem only 6% of all the detection are purely malicious but the bulk of majority of them actually potential and watered applications if you look at the threat exposure rate what that means is if you consider the entire customer base of surface and our product is installed

and in one approximately in 1% it prevents the infection from malware and in about 16% it blocks the infection or installation of potential on watered applications geographically the most of the we we have the telemetry we know the where the detection is triggered so the majority the bulk of them come from the United States from Europe but if you look at the map fare volume comes from in region and Australia in particular if you look at the top malware threats that the run and that many malicious threats been causing the the headache it's mostly research FK Carrick spiny on but if you look at the poor this field is much more it there's much more

competition here so we you have different vendors fighting for those endpoints and across among the most prevalent families are definitely mackeeper jennie-o advanced mclean install core bundler and soul so here come to the point when will start discussing the actual sample first how is it distributed it comes as a installer so if you think about it to understand the mechanics behind the how it works you have to imagine a developer normal developer legitimate software for mac OS they want you want to get money they want to get some reward some kind of reward so they approached this company the company said ok we'll bundle your software with our own our own software and this is what you're gonna

install this is what we're gonna distribute from your website the so it arrives in all forms on different installations and if you install some third-party software perfectly science bypassing gatekeeper all good there's a there's a high chance that it's bundled with that type of installer and what that means is once people install it on the system they get they get the software they want to but at the same time they will have something else installed on a system which might be unwanted there could be rogue ami products there could be some dodgy extensions for the browser that returns some awkward results and people flood the online forums asking for help how we get rid of it and it's it's a mess and

it all comes from the Installer so how do we analyze it and let's have a look the dmg file that it comes as a and once it's modded you can find the content of that file and amount that content you will find the main executable this is the main executive of macro binary that gets executed how do you know it's a managed equitable if you look at the peel list you will see that that executable is specified as a CF bundle executable and you can you can figure out that that this particular file is the first one to run and in this particular case it comes on the different random names the names are like example fatherless selected - I

can't even pronounce them but these are combination of some dictionary words but each time it's a random name and each time it's signed with a valid certificate with some developer we can pull a couple of dozens of such different samples a day and each time it's signed using different entity first thing we do we'll look at the executable look at the entropy of the file so as you can see here what's the entropy is the distribution of of the bytes if you imagine a normal text English text and probably character AE space would be matte more frequently than XYZ right so the same is applicable to the okk code some op codes are more frequent another

op codes if you look at the entropy of the perfect perfectly valid code if the entropy will not be flat flat entropy corresponds mostly to packed data to compress the data and you can see they're relatively flat entropy for the most of the fall is a telltale sign that the bulk of the file is actually encrypted weights jumping up and down at the start of the file that's probably a valid code at the end that probably that's probably where it corresponds to the digital signature week you can find the information in clear-text next time we do we need to underlies that fall so we analyze it we load it into either the other protein disassembler the golden

standard of these assemblers and the first thing you might notice that once you go into the entry point where the execution starts there is no code the disassembler doesn't show you any valid code they can see this bytes for for a 3e this is not cold so how does it run how to help how can it run without crashing there is no code right so the answer is in the concept of lazy on and non lazy classes this is a concept implemented by Apple for Objective C classes so a lazy class is the class that realized later during the execution as soon as it receives the first message Apple could not find a better term to give the opposite of lazy

class as non lazy they called it non lazy class an on lazy class is the is the class that have the plus load method and that method will be called first thing so that method is actually told before the entry point gets controlled if you look but now how do we find the non lazy classes in this executable and it helps to have a look at the actual source code of the objective seeing run time by the way I don't know why but when I did these slides it was available online but now it's off its pulled offline I don't know why but it can still be found in the history so if you look at this code right here you can see

that there is a class list right here and the class list opt is obtained by calling the function called get op C to non lazy class list and that function by itself is a macro where it reached the section called underscore underscore op c ml c LS list that stands for Objective C non lazy class list so it takes that section and from that section within the executable file it obtains the information about the non lazy classes now that we know the name of the function the name of the section we can go back to either and say okay jump to the segment and it gives you a list of all the segments and in that list we choose opt C and LCLs

list and down the bottom you can see that there are two non lazy classes declared right so the first one right here it's listed you pay three but each time it's a random name so we proceed to that not lazy class and what we see is this you have the assembler code in it let's have a look at this assembly it's how don't have a pointer but let me so you can see al gets C character right stem C character gets into RB x + 8 r bx pointed to the buffer + 8 + 8 bytes forward so it pushes the c into that location following that it puts the underscore follow that it puts the o so what is

does it do it compiles the the string from these characters and let me run it to simulate the debugger so how would you do it in the debugger and you can see C character underscore o 0 termination 0 R M then T then V and so on so it can pulse that name the in protect why because it doesn't want us to see that name in clear text follow with that it calls deal seen method to obtain the pointer into that function within the library that's loaded into the address space of that executable so it calls it by the pointer this is what what the name the way it's constructed reminds a ransom note now let's have a

look at what it does next how does it call the in protect function the function itself is used to assign certain flags to a memory region so what it does it needs to take the code section of the main executable and assign it write access so normally it has read X's and executed X's right because it needs to be read and executed but it also needs to give it write access because it wants to take so let's have a look at the parameters passed to the VM protect function it uses that the method reduce it takes the killed section finds the text the address of the certain area in the inside that section which we can call

encode and subtract the offset of that npower in the code section and then take the whole size of the code section so imagine a street that there are 13 or 15 houses on that street and imagine it takes the house number 3 subtract 2 houses and then take 15 houses that's how it's doing that I don't know why but that's the method it's using and if you look at the main collocation in the memories there are some gibberish bytes like 23 - boa okay so this Manila's bytes following that it decrypts the whole text section by using the 32 bytes or key and let's have a look how it happens in from the debugging point of view so

right here you can see ida disassembler using debugger in that disassemble to decrypt so now i'll run the loop and while the loop is running let's have a look at the location of that encode in memory that's the location right now it consists of zeros and if I start the debugger simulation you will see that the entire code section gets decrypted with that encode as well so while once it's fully decrypted you can see that now it contains some some recognizable text

so the text is Maxine Maxine what you solve does anyone know who that is so Maxine Maxine which is okay I'll get to that later but for now what happened now so the the account section now is dead disassembled and you can see now valid code in that underscore discotheques code section the anko itself this is how it looked like before it was encrypted this how it is now fully decrypted and if you are curious who that person is that's a real name of skill list who's the my full name is Mac Mac's auto function till it's the lead character of the popular Russian book and moving its you can think of Phyllis as a Soviet

James Bond so I know that night because I was I was born and I grew up in the Soviet Union so immediately it's just wow why don't why he uses that hidden marker I don't know I don't know I have a I won't speculate but it's there now I owe you the explanation what the title of this presentation means they never be thought before which still has been so close to fit it's a common phrase in Russian language it's used to describe a situation when someone's cover is about to be blown not to Sarila spies okay let's continue so string API obfuscation the all the strings all the api's that's relying on are encrypted and let's have a look

right here you can see there's a 16 byte integer declared on top that's encrypted string and it takes that puts that into the buffer and appends 2 bytes here and then it calls the crop function decrypt function itself takes each character from that encrypted string and saws it with the specified mask incremented by the specified constant if you think it's the only decryption function you're wrong because there are as it turns out there are more than 1,000 unique decryption functions that encrypt 1228 strings and api's and that executable so decrypting them manually even a single one it takes time but imagine decrypting more than 1000 so you need to build a tool that can do it

automatically once it's fully decrypted that string car responds to a mess implication main so that's then as an example in starting from around April 2019 from about fifth of April they have changed they have added new york post occasion layer by the way they have changed it right now again just a few days ago but the implication layer that they've added is the number that you saw previously thirteen is now replaced with a whole function that calculates that number and again let's have a look at this function what it's doing it's an assembly language but let's let's follow it so al gets three right SHL al to as a child shift left by T two bits shifting

left by one bit means multiply by two she came to buy two bits x 4 so 3 gets multiplied by 4 it becomes 12 now al goes to e CX so now 12 goes to e CX then movie IX 65 so edx edx will put 0 in TD x ID v CX means divide 65 in EAX by ec x which is 12 so the result is 5 multiplied CL and CL has 5 12 x becomes 60 far as becomes 60 then take 65 into CL subtract 60 from 65 the result is 5 increment by 1 gets 6 so the result is 6 you can read it by trying to comprehend what the code is doing but fortunately

there's a hex race deck and pile that just simply collapses the whole function into retail now dynamic model loading like you know we feel if you analyzed Injection memory injection on windows platform that's you will be familiar with that but on Mac OS it's all they also implement the same thing so here is an example what it's doing it takes the encrypted stop encrypted blobbing inside stored inside the executable file about 300 kilobytes in size loads it up in memory decrypts it and then that compresses it and it becomes 900 kilobyte and following that it loads it as a module inside the address space of the same executable and right here the built-in debugger to Ida is not up to

the world up to the job so you need more precise debugger like lol DB that gives you surgical precision and full control of what are you doing so right now I'm running image list command for ll DB and at lists 222 different modules loaded into the address space and right here you can see in the middle there's a col QR 13 this is where the coal is made into the MS link module function so in realizing to api's MS create object file image from memory that's to grab that uncompressed data in memory and load it up and next one an S link module this will effectively load that chunk of data as a module following that call if you run

the same command image list you will find out that there are now two hundred sixty five modules loaded into the same executable image space and if the executable the module number 223 is now specified right here and you can see that it's address weights lower it is 101 a five zeros and the name of the module is image but now if they give command me mam read read the memory of where that module was loaded you can find out that's the content loaded into the address space so does anyone recognize what this stands for CF fa e d fe what's that magic magic head of stand for yeah its feet face so if you're really from the

right hand to the left hand Fe EDF ACF its feet face only feet face corresponds to 32 be microbe honoree feet face will next to a beat in the end turn in e into F becomes a 64-bit microphone room so it's indeed market binary so we can now dump it from memory and analyze it and once we analyze it here is the big discovery of thought that modulus but before we get to that let's look at the entire structure again so the first thing as you realize that it's not the entry point that gets control it's the non lazy class so the first thing what happens is the non lazy class plus log method is called what is doing it's

taking the encrypted code section called the underscore disk or text that takes that section and decrypts it into memory after that the entry point inside that section gets control and what that code is doing is taking the compressed blow up about 300 kilobytes there compresses it it decodes then taking processes in memory and once it's fully in memory it will have it oh it's all of its strings and API is encrypted which will then be decrypted and that module represents itself a very powerful engine the engine itself doesn't do much it has to be dream it's it is driven with the tasks and the tasks are coming supplemented by SDK written in JavaScript and on top of

that the tasks are downloaded from the remote server so it's fetching this little tasks reading in Java Script are those tasks they drive the engine now the question is what can these engine do I'll get to that later the anti debug let me mention a couple of tricks down the slave of this poor anti debugging it doesn't want us to debug it so it's using a trick by calling P trace function with the PT deny attach flag and once again it wants to conceal that string called betray from us so that we can recognize what that function is and for that it's using again it's using the encryption so P trace gets four bytes following that

plus for another two bytes plus six another one byte so it's calling add to the XOR so it decrypts the first character of that encrypted string and assigns it to the first byte of that variable that keeps the decrypted string following that it starts the loop and inside that it loops it did decodes all the other characters of that string and right here it's following that it's calling DL seemed to obtain the pointer into the function P trace the pointer is placed into the variable called FNP trace and following that it calls that FN be traced directly by pointer and it passes the flag to that function called PT deny attach what that means if you

are debugging this executable and call that function the executable the debugger sketball will exit with it who the error code 45 which that which is called oops

so the is called a knots up which stands for error not supported so the executable will exit with that error code however let's say we want to trick it let's say we want to run it and then we want to attach the bugger after that function was called thanks in that case

one one one one

so if you're trying to trick it and run an executable that called that function peak trace deny attach and then you try to attach the bucket to it what will happen it will attempt to debug it will result in a crash and actually in a segmentation violation exception this is what will happen so how do we defeat that trick during analysis we can simply step all of the call in to the function that calls that deny attach features and here is an example I'm gonna use so pseudo a well DB so we run debugger or well divvy and we specify the application I want you to debug that application then it tells us target created what do you want to do with it

our run we're going to run it once we run it it immediately quiz and it says process enters that with the status 45 that's error not supported because of that call it deny attach P trace so what we can do is we can stop it at the execution at the point we can put a breakpoint at the point where it calls that function this is the call into the function that in turn calls the betrays deny attach and if you look at the actual call function it takes 5 bytes because the address is at 5 and if next one is a fail so a minus 4 10 minus 5 is 5 so we know that that call itself takes

5 by so what we do we give it commands to Liddy Baga re-register w rank PC PC stands for the instruction pointer what do we want to write into the instruction pointer PC plus 5 content of PC plus 5 so we want to take the current content of the instruction pointer at 5 and put it back into instruction pointer after we've done that show us the content of PC and it tells us that now the content of PC is F 5 F a so we simply stepped over the function that called the meatrix and then we can continue a debugging but this is just one of the tricks the next one is the vm detection

they the developers of this they don't want these application to run under the under the virtual machines under the under the sandbox and why is that imagining the developer took the executable and submitted it to a bunch of sandbox around the world and that would mean that each installation would have to for each installation the developer would have to be paid by the this company behind it internally this company calls this condition fraud so they call this function check possible fraud inside that function they want to reliably detect the presence of the virtual machine the first trick they use they take the MAC address and check if it starts from a given constant and for

example oh oh one C four two if the MAC address starts from that it corresponds to parallels virtual machine and they use a whole list of these constants to define more than 35 different virtual machines and this is the least a snapshot of the virtual machines it can define that comes right from the from the poor and one of them is can the app so it can detect the presence of the hypervisor as well and as we know different sand boxes around the wall they are using either virtual machines or hypervisors now the next trick is using is get the MAC address and IP address which I mentioned guest host your ID now give the name of the USB

vendor name because if you run it under the VMware or V box it will have that string the my V box and the Hardys the USB name give me the display ratio so it's basically basically fingerprinting the virtual machine masked position since the last mass movement event if the mouse is is the mouse moving because if on Mac platform you can imagine running installer and that receives clicks while the mouse is not moving they consider this condition system hard time since the last reboot and because each sandbox will will have to revert back into the clean state by restoring the Queen snapshot by restoring the Queen the system uptime will also be reset into the same volume so by checking that

delay since the last report they are detecting the presence of the virtual machine full path name of the dmg file some send boxes give it a predefined name like file name or hash of that file so if it's not what they expect that I'm happy with that position and size of the application you know all this trickery is they're basically fingerprinting the sand boxes they don't want to allow execution under the sandbox now the crash locks right now if you look at this URL that it's using you can pause the get request string and sense that as a crash lock which they host on Amazon but is there anything dodging that you are relative did you think of

PNG why would anyone send a crash log to a remote script these guys as a PNG file because if you look at the firewall logs and try to open seen him on a herald and look at the wire shock it will be full of PNG get requests right so many of them are pulled so it's just to conceal that traffic into the normal traffic to discuss it on the traffic why would they do it I don't know now the configuration files they have two types of the configuration files the first one is dynamically extracted from its own body and again a questionable method why they're doing this and how they do it they take the

actual content of the binary file and start parsing its content from the end to the start and for each two bytes that they calculate the difference in the of the content between these dots two bytes and looking for a specific pattern that consists of seven predefined integers and once they found it they say okay this is the marker I found my configuration file then they decrypt it with a s100 algorithm and this is the example of the configuration file the config itself contains the product title product description Yael Yael or Iran and this is when the Installer fetches the original installer legitimate one from the remote site and executes sir and this assembly shows you

this method how they how they fund it so this is the loop one big loop and in that loop the condition is they continue until they reach the top of the binary which starts from the head of faiths feet face as we mentioned the head of the micro binary in that look they grab the index - - that that's the previous byte pour it into variable they spare able then grab the content of index - 1 the current one and then then subtract the previous one from the current one and that becomes the difference the difference between these two points for with that they if it's if it's negative they add 256 then they check that

difference - the signature and that's the signature which consists of seven 64-bit integers and if there is a match they increment they found counter and if that counter achieves seven it means that they found all seven characters of that signature go - found injection internal they found this condition injection and in the injection routine that will extract and decrypt that configuration file the second configuration file is supplied as a JavaScript file and right here you can see the example of that JavaScript file so report is where they send the reporting the add URL is there l of the remote server from where they fetch the tasks and they which drive the engine requires rule or not rule of install

skip TM check false or true this is driven by configuration and here is an example of what is it they sent to the report server so in in Y shape it looks like encrypted and so by decrypting it by knowing the key and reconstructing Engineering we can decrypt the configuration file that they submit and you can see that they say they report the Auris version name type of the browser OS platform IP address STD size and some other information we render the fact that whether it's running on a virtual machine or not this is the report that they submit now the remote tasks that they fetch here is an example of the encrypted task that comes it so

it comes as 85 kilobyte of binaries again it's encrypted once it's decrypted it will have its own JavaScript wrapped into the headers so header and footer and the code will extract that task and that task will be JavaScript driving the engine and now coming back so what is the engine what can engine do as it turned out the engine is a full back dog so basically if you look at the browser manager can terminate browser process setting your home page screenshot controller it can take fullscreen snapshot it can take snapshot of of the image where the mouse is clicking it can download is give new tasks cradle theorization for tasks using given credential system control it

collects full system information the OS version all cookies from ulta problem why would they do this collectively so focused all running applications check the presence of the EM as we mentioned at remove applications - from dock getting for about the connected iOS devices so if you take an iPhone and plug it into the system it will collect the serial number ID device class of the connected device it can search for files recursively on on a Mac it can terminate specified applications read Cavazos read any text file delete specified directories run specified script with pin bash as a road collect network information download display dollar files display alerts it's a fully functional backdoor so we come into the the final part is

the final part is the vendor behind the software claims that they have millions of downloads millions and millions of downloads of the software bundled with this particular software now imagine that this software inside itself it's using techniques to deeply conceal the functionality if I was to speculate I would have imagined that someone who wrote now in the past was building this kind of software because the techniques just right even the injection of the memory injection is taken from the Mac hacker's handbook it's just copy paste the other techniques are really like obfuscation right time encryption encrypting all the strings decrypting all the api's and today bugging anti cell boxing it comes from the wall of

windows malmö but now it's in the on the Mac platform the tasks themselves are symmetrical encrypted so I posted last the question what happens if someone intercepts that traffic well what if someone injects fraudulent tasks into that stream if someone takes control over the remote website and hacks faxes or if the developer goes rogue and forming playgirlz rockin inside a job or whatever the these are gazillion reasons how things can go wrong but they can go wrong if someone gets controlled and injects these malicious tasks they will suddenly get yeah backdoor access to so many systems but on a final note is what I wanted to mention is the it's not about this particular threat it's not

about this particular points about the trend itself II think of Windows Windows existed for so many years and it's been in a hostile environment it's been you can think of it's been plagued by malware but at the same time Windows evolved with it right so there were new techniques new methods address a randomization there were techniques against state corruption developed and there were so many techniques being developed and the industry went along with developing their own techniques their own protection mechanisms so the modern antiviruses they have such sophisticated mechanisms to detect this kind of thing so we're not Windows platform but for now imagine that the system that enjoyed impunity for so many years and with the

sense of security that people have behind Mac OS and many corporations many companies they run 100 cassette of the importance random access and why because they don't need AV that's the that's that's a common misunderstanding of what's happening in reality and finally it's it's the just the proof of the disturbing trend that we're witnessing that trend is the spilling of all the techniques that involve so many years windows they're now spilling how developers developers that are hired very smart people educated with higher education yet good very good rewards and very high salaries working for these companies they are building this software by using all the techniques that hold over so many years on Windows and this is what we're

dealing with so this is at the end of the presentation if you have any questions please

it took a while so for instance if you look at the whole period of time it takes to find out that it's a dodgy thing to detect it that's one thing going an extra 80 percent probably or remaining 20 percent takes eighty percent of time this is what people say eight twenty eighty principle but if you look at the analysis so first is as I as I mentioned the assembly to understand that it's doing this dodgy thing so it immediately draws the attention so you can't discard it now once you see that thing you can't discover it so you go on then you find out all these encrypted strings and you realize that you can

manually you can decrypt one two three five ten but then you get tired right so you can't do it manually many in one day so you got to realize that you need to build a tool and then you start thinking what kind of tool to build or build an emulator that just parses that code and figures out the function and so it takes time to build a tool that takes the the assembler code or blogging for a DES to be able to automatically decrypt those things and so those api's once they're decrypted you need to patch the code back to put them back into the code so you can underlies it again and now can

pretend do it actually what's actually happening what it's actually doing and it's it's like a master door so you're stripping layer after layer after layer after where but the the more you're stripped the more intrigued you become after certain point it's an or return point you can simply dismiss you can't become let it go because it becomes personal you think you think someone has done it on purpose to hide it from me it's not gonna happen no I'll get I'll get the bottom and that's probably one of the things that keeps drug but it takes time yes next time

no I'll be honest with you no and the analysis of this particular poor they were the tasks were analyzed to understand what they're doing and what these tasks are they were not malicious at least nothing we have witnessed nothing we have seen otherwise would have reported this but they think is it's it's it's there it's sitting there it's it's it's like the idea you can think of it as a bomb it's sitting there with the right conditions with the right with all the ducks in one line it may detonate right so we are questioning the the the reasoning why would someone need to have that much power if again if I was to speculate I will assume that the

company is actually making a lot of money by building the software and they don't want the the software to be abused they don't want the hackers to crack it and and do some kind of those are things on the background to reward themselves to make the money out of that to move the company to understand how the system works to game it and therefore they've built a very powerful engine to investigate what happens if things go wrong they want full investigation and for that investigation that's my only reasonable explanation they put a full back door because they want to have full control right but I think another thing is what do you are you aware of what you're running are you

aware that you want to are gonna play chess on the install the whole backdoor with the do customers have right to know what kind of capabilities they're installing on their max and that's the reason why we classify us as poor so are you saying this back door was created to stop illegal use of this well it's a speculation it's my aunt's pickling I think personally think so but I don't know what the true answer behind it but it's there

regionally I'm doing industry the regions and you know I could no no no I can't I can't mention because I'll figure out it immediately and we actually were threatened with a lawsuit so I can't name any ugly mouth any clues

maybe it's [Music]

it's a good question the true intention we can't we can't truly define what the ultimate intention was and the thing is that maybe there's a chance that the ultimate intention was good but we all know what road is paved with good intentions right so we look at this capability we'll look at the dodgy characteristics and in the end of the day if we define or we detect this doggedness in the code we can't distinguish if it's a dodging has come from a malicious sample or if it's coming from the sample with the good intentions it's hard to tell it's coming it's hard to draw the line right but if we see these techniques and in

the code we immediately flag it as as potential and wanted unless it does anything malicious so the moment it starts doing anything malicious but according to our internal policy we immediately fly this is Mel line this is a well it's a question for the product team how they articulated we do threat research Bright's so from the threat research perspective we say that this application is potentially wanted because some users might complain and say you know what I know what I'm doing I like it don't flag it I find it totally good I I know what I'm doing and there are people that say that but with this case it's hard to articulate because what what can i articulate for

instance about this sample apart from the fact that it has a potentially unwanted engine inside that can be abused there is not much to say unfortunately

yes and that will immediately might might backfire we in terms of the company would immediately claim we're not doing this by way of saying because the company keeps very close eye I did mention something but I did apply for virus boarding and on this coming in in London next month and on 3rd of October the program was published never before it still has been so close together two days later they have pulled still it's and replaced the application layer I don't know if it's it's again service or not it didn't happen for months they didn't change the encryption for months but they immediately changed it may be paranoid maybe it's a speculative idea but I think these people they actually

come to the conference's they they they presented the conference they approached they approached myself at the formal conference and objective by the sea why are you detecting us when three guys are standing around why you detecting us can you tell can you explain us and I have to articulate that because of this because of this because of this because of this so it is it is a difficult difficult environment to even to report about this because the the developers are companies with with the budgets and they after us after the developers after the researchers and I approach in intimidate and and ask hard questions and directly why why even using strong language which I can't repeat now