Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]

CMD:%Look%who’s%talking%too% DNS:%a%botnet%dialect%

Francisco%J.%Gómez%Rodríguez%(fran@Gd.es):%•  Computer%Engineering%(EUIMUPM)%•  Security%Research%(Telefonica%R&D)%•  dig$fran.rootedcon.themaﬁa.info$TXT$Carlos%Díaz%Hidalgo%(charlie@Gd.es):%•  TelecommunicaGons%Engineer%(ETSITMMUPM),%GPEN,%GCIH,% OPST,%ITILF%and%CCNA.%•  Technology%Specialist%in%Ethical%Hacking%(Telefonica%R&D)%•  dig$charlie.rootedcon.themaﬁa.info$TXT$

look$who’s$talking$too$Nasal%Spray%This$presenta9on$contains:$one%year%ago%…………………………………………....%%%%3%mg%cloud%malware%distribuGon%…………………..….%%%10%mg%dns%is%in%the%air%…………………………………………%%%10%mg%suspicion%………………………………………………….%%%%%8%mg%data%leak%………………………………………………….%%%10%mg%laboratory%……………………………………………….%%%%10%mg% 4.4$FL$OZ$(130mL)$ Tamper;Evident:%Do%not%accept%if%sealed%blister% unit%has%been%broken%or%opened% THIS%PACKAGE%FOR%HOUSEHOLDS% WITHOUT%YOUNG%CHILDREN%

INTRODUCTION$

One%year%ago%…%•  We%talked%about%DNS%and%Malware.%•  We%released%Cloud%Malware%DistribuGon% (CMD):% –  An%alternaGve%method%for%malware%distribuGon% using%Cache%DNS%services.% –  Using%client%default%DNS%se_ngs.% –  Malware%source%virtually%untraceable.%

A%DNS%shot%

Cloud%Malware%DistribuGon%in%a%nutshell%CMD$

Cloud%Malware%DistribuGon%1.  Encoding:%Split%malware%payload%into%DNS%Records.% %2.  Publishing:%Publish%domain%and%each%record%in%a%public%Name%Server.% %3.  Loading:%Force%an%Open%Emi`er%DNS%Cache%Server%to%store%all%records.% %4.  Downloading:%Download%records%from%an%infected%host%(bot).% %5.  Decoding:%Rebuild%malware%payload%from%records.% 8rjqerkjqet.cmdns.domain.com1% ueirytbdosu.cmdns.domain.com1% ktqtr53xase.cmdns.domain.com1% kzmfzzmfzze.cmdns.domain.com1% 8rjqerkjqet.cmdns.domain.com1% 1,2% ueirytbdosu.cmdns.domain.com1% 3% 4% 5 ktqtr53xase.cmdns.domain.com1% kzmfzzmfzze.cmdns.domain.com1% Open%Emi`er% DNS%

Encoding%&%Publish% Cloud%Malware%DistribuGon%(I)% 8rjqerkjqet.cmdns.domain.com1% 8rjqerkjqet1 ueirytbdosu.cmdns.domain.com1% ueirytbdosu1 ktqtr53xase1 ktqtr53xase.cmdns.domain.com1% kzmfzzmfzze1% kzmfzzmfzze.cmdns.domain.com1% •  From%malware%ﬁle%we%create% a%base32%coded%string.% •  So%we%split%the%string%into% DNS%compliance%records.% DNS%AUTH% 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze1% Freedns.afraid.org% 8rjqerkjqet.cmdns.domain.com1% kzmfzzmfzze.cmdns.domain.com1% ueirytbdosu.cmdns.domain.com1% ktqtr53xase.cmdns.domain.com1%

Cloud%Malware%DistribuGon(II)% 8rjqerkjqet.cmdns.domain.com1%•  We%upload%each%DNS%record%from% a%malicious%DNS%to%Open%Emièr.% ueirytbdosu.cmdns.domain.com1%•  This%is%made%by%requesGng%each% ktqtr53xase.cmdns.domain.com1% record%to%Open%Emièr%DNS.%•  Then%Server%caches%each%record.% kzmfzzmfzze.cmdns.domain.com1% Split[1..n].cmdns.domain.com% A?% 8rjqerkjqet.cmdns.domain.com1% Open% ueirytbdosu.cmdns.domain.com1% Emièr% ktqtr53xase.cmdns.domain.com1% cmdns.domain.com% DNS%AUTH% NS?% DNS% kzmfzzmfzze.cmdns.domain.com1%Freedns.afraid.org% Loading%

Cloud%Malware%DistribuGon%(III)% •  Since%the%Open%Emièr%Server%has%cached%all%records%we% convert%it%into%a%domain%authoritaGve%domain%server.% •  From%now%on,%Open%Emièr%will%resolve%all%domain%queries.% •  Thus,%all%Internet%DNS%servers%can%resolve%malware%records%and% bots%can%get%them.% DNS%AUTH% % % %Freedns.afraid.org%8rjqerkjqet.cmdns.domain.com1% Open%ueirytbdosu.cmdns.domain.com1%ktqtr53xase.cmdns.domain.com1% Emièr%kzmfzzmfzze.cmdns.domain.com1% DNS% Downloading%

Cloud%Malware%DistribuGon%(IV)% kzmfzzmfzze.cmdns.domain.com1% ktqtr53xase.cmdns.domain.com1% ueirytbdosu.cmdns.domain.com1% 8rjqerkjqet.cmdns.domain.com1% 8rjqerkjqetueirytbdosuktqtr53xasekzmfzzmfzze1% •  With%all%the%retrieved%records%bots% can%rebuild%the%original%ﬁle.%% •  Bot%has%now%updated%the%malware% ﬁle.%Decoding%

%Own%survey%:%yesterday%and%today% Febrero$de$2011$ Marzo$de$2012$ España% EEUU% España% EEUU% Queried%hosts% 10.406% 10.406% 8217% 8217% Replying%hosts% 87,22%% 87,39%% 87,58%% 87,69%% Open%resolvers% 76,46%% 77,28%% 95,45%% 82,08%% Open%emi`ers% 57,76%% 57,33%% 53,78%% 53,51%%Accept%+norecurse% queries% 55,91%% 55,49%% 87,67%% 74,44%% TTL%≥%604800% 43,05%% 42,94%% 51,24%$ 49,32%$

A%quick%test…% DNSCrypt$In% the% same% way% the% SSL% turns% HTTP% web% traffic%into% HTTPS% encrypted% Web% traffic,% DNSCrypt%turns% regular% DNS% traffic% into% encrypted% DNS%traffic% that% is% secure% from% eavesdropping% and%manMinMtheMmiddle%aàcks.%%

…%a%quick%demo.%Summary:%We%can%use%DNSCrypt%and%CMD%Method%works.%%

DNS:%yesterday,%today,%and%tomorrow%DNS$IS$IN$THE$AIR$

Are%you%talking%to%me?%•  Let’s%see%some%about…% –  DNS%as%covert%channel.% –  DNS%uses%in%malware%communicaGons.%

l% DNS%as%Covert%Channe%%•  OzymanDNS%(Kaminsky)%•  Dnscapy%•  (NSTX)%Iodine:%Use%several%RR%types,% NULL,TXT,CNAME)%•  Dns2tcp%&%TCPMoverMDNS:%relay%TCP%connecGons.%•  LoopcVPN%One%of%ChinaMTelecom%Hotspot% nightmare.%

Are%you%talking%to%me?%•  Let’s%see%some%about…% –  DNS%as%covert%channel.% –  DNS%uses%in%malware%communicaGons.%

Stateless%malware%(I)%•  TSPY_ZBOT.SMQH –  Another Modified ZeuS Variant Seen in the Wild. –  Reported in September 2011 by Trendmicro. –  Data exchange is also now happening in UDP. –  http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/

Stateless%malware(II)%•  Older&version&using&TCP&to&exchange&conﬁgura7on&ﬁles.&However,& The&new&version&exchanges&all&data&in&UDP –  http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet

Stateless%malware(II)%•  Older&version&using&TCP&to&exchange&conﬁgura7on&ﬁles.&However,& The&new&version&exchanges&all&data&in&UDP –  http://www.symantec.com/connect/blogs/zeusbotspyeye-p2p-updated-fortifying-botnet TCP%

Where%theres%smoke,%theres%ﬁre.%

Feedorbot%•  Using DNS protocol. –  Feedorbot share encrypted commands from C&C. –  Encapsuling data in TXT records and Base64 encoded. –  http://www.cj2s.de/On-Botnets-that-use-DNS-for-Command-and-Control.pdf

HiloG%•  Thanks%DNS%querys%HiloG%monitors%infected%host%status.% –  h`p://blog.forGnet.com/hiloGMtheMbotmasterMofMdisguise% ! 142625.bc7a3d45.01.0AC1FD9D62074E6D9D2889088284DAB5.n.empty.1148.empty. 5_1._t_i.ffffffff.explorer_exe.173.rc2.a4h9uploading.com%•  Although%It%uses%DNS%as%control%protocol,%bots%download% update%ﬁles%from%“ﬁle%hosGng”%servers%by%HTTP.%% !

Morto%•  From IRC to DNS. –  Morto, like Feedorbot, uses TXT records to comnunicate. –  http://www.symantec.com/connect/blogs/morto-worm-sets-dns-record

GATHERING$&$EVALUATING$INFORMATION$

Gathering%&%EvaluaGng%InformaGon%(I)%•  h`p://www.wombatMproject.eu/%%•  h`p://exposure.iseclab.org/index.html%%

Gathering%&%EvaluaGng%InformaGon%(II)%•  h`ps://dnsdb.isc.org/#Home%%•  h`p://www.webboar.com%%

Gathering%&%EvaluaGng%InformaGon%(III)%•  Don´t%forget%the%classics:% –  h`p://www.robtex.com/%

Learned%in%#Rooted2012%•  h`p://labs.alienvault.com/labs/index.php/projects/openMsourceMipMreputaGonMportal/%%

SomeGmes%…%I%see%dead%people% •  September,%2011% %%%%(Top%10%Malicious%Domains)%

Scratch%&%Win%

Ten%Li`le%Niggers%•  h`p://www.webboar.com/ip/67.15.149.70/% –  25%Domain(s)%on%IP%Address%67.15.149.70% •  azxdf.com% •  civiGcle0.com% •  morewallfalls7.com% •  mjuyh.com% •  ckubf.com% •  okjyu.com% •  hjuyv.com% •  djhbw.com% •  orn2hcb.com% •  plokm.com% •  himovingto8.com% •  qlovg.com% •  nbgtr.com% •  hiuxd.com% •  quiluGon2.com% •  vcxde.com% •  liunj.com% •  uncdt.com% •  asljd.com% •  loijm.com% •  xvfar.com% •  bruGllor5.com% •  mjrth.com% •  zscdw.com% •  zukamosion3.com%

SomeGmes%…%I%see%dead%people%

CMD%could%be%alive!%

DATA$LEAK$OVER$DNS$

TradiGonal%data%leak%using%DNS% [OUTPUT_DOMAIN]1 DataLeakRecord1.[OUTPUT_DOMAIN] DataLeakRecord11 DataLeakRecord2.[OUTPUT_DOMAIN] DataLeakRecord21 …! 1% 2% Cache%DNS% (public or private) DNS%Auth.% OUTPUT_DOMAIN% Bot

Using%a%DNS%reﬂector% DNS%Auth.% DataLeakRecord1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)% 2% 1% (PUBLICATION_DOMAIN)! Cache%DNS% !Data1!R>!DataLeakRecord1 (public or private) 3% Force%Data%Leak%Upload% CMD$ 5%Bot Data1 [PUBLICATION_DOMAIN]1 Data11 4% Data21 …! Data1.[PUBLICATION_DOMAIN] Cache%DNS% DNS%Auth.% (Open%emi`er%+%cache)% PUBLICATION_DOMAIN% !Data1!R>!DataLeakRecord1

DNS%reﬂector%(demo)%

Using%FastMFlux%DNS%reﬂectors% DNS%Auth.% DataLeakRecord1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)% 2% 1% Cache%DNS% (PUBLICATION_DOMAIN)! !Data1!R>!DataLeakRecord1 (public or private) 3%DataLeakRecord1.[OUTPUT_DOMAIN] Force%Data%Leak%Upload% CMD$ 5% Bot Data1 [PUBLICATION_DOMAIN]1 Data11 4% Data21 …! Data1.[PUBLICATION_DOMAIN] Cache%DNS% DNS%Auth.% (Open%emi`er%+%cache)%

Data%Leak%using%NXDOMAIN%responses%•  NXDOMAIN%responses%are%cached:% –  NegaGve%caching%is%useful.% –  TTL%value:%The%SOA%minimum%parameter%is%used% as%the%negaGve%(NXDOMAIN)%caching%Gme% (deﬁned%in%RFC%2308).%•  Other%queries%may%reuse%some%parts%of%the% lookup%(quick%response).%

Caching%NXDOMAIN%responses%(I)%%

Caching%NXDOMAIN%responses%(II)%%

Caching%NXDOMAIN%responses%(III)%%

Data%leak%with%“dig”% RCODE$ TTL$ QUERY$TIME$

Leak%recovery%with%“dig”%(I)% TTL$<$86400$ QUERY$TIME$<$300$msec$

Leak%recovery%with%“dig”%(II)% TTL$=$86400$ QUERY$TIME$approx.$300$msec$ It$is$not$a$good$method$for$recovery!$

Leak%recovery%with%“dig”%(III)% TTL$<$86400$ QUERY$TIME$<$300$msec$

Leak%recovery%with%“dig”%(IV)% RCODE$≠$NXDOMAIN$ QUERY$TIME$<$300$msec$ It$is$the$preferred$method$for$recovery!$

Data%Leak%using%NXDOMAIN%responses% DNS% 2% 1% (Open%emi`er%+%cache)% DNS%Auth.% UT_DOM AIN] 1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)% 1.[OUTP d1.[OUTPUT_DOMAIN] OMAIN] TPUT_D d1.[OU … AIN] dataleakrecord1 UT_DOM rd1.[OUTP ataLeakRecord1.[OUTPUT_DOMAIN] … DataLeakRecord1.[OUTPUT_DOMAIN] IN] T_DOMA d1.[OUTPU krecor atalea MAIN] PUT_DO rd1.[OUT akreco datale Bot

Data%Leak%using%NXDOMAIN%responses% DNS% 2% 1% (Open%emi`er%+%cache)% DNS%Auth.% UT_DOM AIN] 1.[OUTPUT_DOMAIN] (OUTPUT_DOMAIN)% 1.[OUTP d1.[OUTPUT_DOMAIN] OMAIN] TPUT_D d1.[OU … AIN] dataleakrecord1 UT_DOM rd1.[OUTP ataLeakRecord1.[OUTPUT_DOMAIN] … DataLeakRecord1.[OUTPUT_DOMAIN] IN] T_DOMA d1.[OUTPU krecor atalea MAIN] PUT_DO rd1.[OUT akreco a1.[OUTPUT_DOMAIN] datale 1.[OUTPUT_DOMAIN] z.[OUTPUT_DOMAIN] b.[OUTPUT_DOMAIN] a.[OUTPUT_DOMAIN] … … Bot QUERY:%+norecurse% % 3% RESPONSE:%RCODE?% dataleakrecord1 TTL%value?% Query%Gme?%

NXDOMAIN%(demo)%

Data%Leak%using%“nice”%domains%•  There%are%authoritaGve%DNS%server%that:% –  Simply%point%all%unknown%DNS%queries%to%a%single% IP%address.% –  Minimum%TTL%value%on%the%order%of%1M7%days.%•  Where%can%I%ﬁnd%them?% inbox.com% imgur.com% –  Alexa%“Tops%Sites”:% motherless.com% h`p://www.alexa.com/topsites%% wikia.com% wikispaces.com% pbworks.com% %%%%%%%%%%%%…%

Caching%‘nice’%responses%(II)%%

Data%Leak%using%‘nice’%domains% DNS% 2% ‘nice’%DNS%Auth.% 1% (Open%emi`er%+%cache)% (OUTPUT_DOMAIN)% AIN] 1.[OUTPUT_DOMAIN] UT_DOM 1.[OUTP d1.[OUTPUT_DOMAIN] OMAIN] TPUT_D d1.[OU … AIN]dataleakrecord1 UT_DOM rd1.[OUTP ataLeakRecord1.[OUTPUT_DOMAIN] … DataLeakRecord1.[OUTPUT_DOMAIN] IN] T_DOMA d1.[OUTPU krecor atalea MAIN] PUT_DO rd1.[OUT akreco datale Bot

Data%Leak%using%‘nice’%domains% DNS% 2% ‘nice’%DNS%Auth.% 1% (Open%emi`er%+%cache)% (OUTPUT_DOMAIN)% AIN] 1.[OUTPUT_DOMAIN] UT_DOM 1.[OUTP d1.[OUTPUT_DOMAIN] OMAIN] TPUT_D d1.[OU … AIN]dataleakrecord1 UT_DOM rd1.[OUTP ataLeakRecord1.[OUTPUT_DOMAIN] … DataLeakRecord1.[OUTPUT_DOMAIN] IN] T_DOMA d1.[OUTPU krecor atalea MAIN] PUT_DO rd1.[OUT akreco a1.[OUTPUT_DOMAIN] datale 1.[OUTPUT_DOMAIN] z.[OUTPUT_DOMAIN] b.[OUTPUT_DOMAIN] a.[OUTPUT_DOMAIN] … … Bot QUERY:%+norecurse% % 3% ANSWER%SECTION?% dataleakrecord1 TTL%value?%

Conclusions%dataMleak% Use$client$ Upload$ Expose$ Download$ Score$ default$DNS$ queries$ cybercrime$ queries$ (0;10)$ seings$ needed$ infrastructure$ needed$ TradiGonal% YES% 2%queries/kB% YES$ M% 5%DNS%tunneling%Using%FastMFlux% YES% 2%queries/kB% YES$ 2%queries/kB% 4%DNS%reﬂectors% Using% NXDOMAIN% NO$ 2$queries/B$ NO% 20%queries/B% 2% response% Using%“nice”% NO$ 2$queries/B$ NO% 20%queries/B% 6% domains%

ToDo:%Improvement++%•  Data%Leak%using%‘nice’%domains.%But$ remembering$that:$ –  Must%use%client%default%DNS%se_ngs.%•  Maybe%can%use%three%party%resources%…%(once% again)% –  %…%Use%misconfigured%DNS%(proxy%DNS,%cache%DNS,% authoritaGve%server,%…).% –  e.g.%must%ignore%“+norecurse”%flag,%“minimalM response”%configured,%etc.%•  Result:%Untraceable%data%leaks%

Harder%than%ﬁnding%a%needle%in%a% haystack!%

Are%we%infected?%LABORATORY$

Making%the%lab.%•  We%need%a%“real”%threat…%•  But%we%are%“ethical”…%•  And%we%are%not%developers…% Searching…$

And%the%winner%is…%•  Wri`en%in%C#%and%PHP%•  GNU/GPL%•  Geared%to%build%botnets%•  HTTP%communicaGon%

How%Flu%works%•  Flu%server%share%XML%commands%ﬁle.%•  Infected%hosts%get%XML%ﬁle%through% HTTP%request.% HTTP$ Flu% Flu% Infected% SERVER% Host%

Flu%and%CMD%•  We%use%CMD%to%distribute%XML%commands%ﬁle.%•  Our%dream:%Flu%become%stateless%Trojan.%•  Then%we’ll%have%statelessMTrojanMGPL%botnet.% 1%GET% 1%query% 11%pkts.% HTTP/TCP% Vs% DNS/UDP% 2%pkts.% 1%conn.% % 0%conn.% DNS$ Open% DNS$ Flu% Flu% Emi`er% Infected% DNS% DNS% Host%

Flu%and%CMD:%Server%•  PHP%5.3.0%or%higher%required.%•  Three%steps:% 1.  &domain.db%ﬁle%create.%(external%lib:%Tar.php)% 2.  Load%XML%ﬁle%into%DNS%server.%(NaGve%lib)% 3.  Download%data%from%infected%host.%(NaGve%lib)%

Flu%and%CMD:%3th%Party%•  ISC%Bind%•  FreeDNS.afraid.org%•  HE%free%DNS%service%•  Misconﬁgured%DNS%server.% Open% Emi`er%

Flu%and%CMD:%Client% •  We%use%ARSoD.Tools.Net%library.% •  Without%GUI%changes:% –  We%use%domainload&to%data%leak.% –  We%use%domaindownload&to%get%XML%ﬁle.%

Flu%and%CMD:%How%it%works%(I)%XML2DNS$ LOADXML$ DOWNLOADXML$ DNS$ Open% DNS$ Flu% Flu% Emi`er% Infected% DNS% DNS% Host%

Flu%and%CMD:%How%it%works%(II)% •  How%flu%call%back?% –  NXDOMAIN%can:%Track%new%bots.% –  NXDOMAIN%can’t:%Send%huge%files.%% DNS$ Open% DNS$ Flu% Flu% Emièr% Infected% C&C% Nxdomainquery% Nxdomainquery% Noerror% DNS% Noerror% Host%DNS%Server%

Flu%and%CMD:%How%it%works%(II)% 1.  How%flu%call%back?% –  NXDOMAIN%can:%Track%new%bots.% –  NXDOMAIN%can’t:%Send%huge%files.%% 2.  Then…%we%need%to%expose%DNS%server.% DNS$ Open% DNS$ Flu% Flu% Emièr% Infected% C&C% Nxdomainquery% Nxdomainquery%1% Noerror% DNS% Noerror% Host% DNS%Server% DNS$ DNS$ Flu% Flu% Cache%2% Infected% DNS% DNS% Host%

Flu%and%CMD:%Demo%

Conclusions%•  DNS%is%a%botnet%dialect…% –  One%year%ago%DNS%was%a%possibility,%today%could%be%a%real% threat.%•  Data%leak%using%DNS%need%an%improvement…% –  ...but%we%are%working%progress.%•  Malware%need%to%communicate%undetected,%and%IDS% want%to%detect%malware.% –  Both%must%be%looking%for%the%same…%DNS.%•  Don’t%forget%DNS%Protocol%

QuesGons?% Who$invented$the$rootedcon?$Perez$the$mouse$ Rootedcon$is$your$parents$Santa$ Three$Magic$Kings$

References%!  h`p://code.kryo.se/iodine/%%!  h`p://dns.measurementMfactory.com/%%!  h`p://darkwing.uoregon.edu/~joe/secprof10Mdns/secprof10Mdns.pdf%%%!  h`p://www.blackhat.com/presentaGons/bhMeuropeM05/BH_EU_05MKaminsky.pdf%%!  h`p://www.blackhat.com/presentaGons/bhMusaM04/bhMusM04Mkaminsky/bhMusM04Mkaminsky.ppt%%!  h`p://www.pcworld.com/arGcle/220024/feds_accidentally_seize_84000_innocent_domains_link_them_with_child_porn.html%%%!  h`p://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf%%%!  h`p://www.secdev.org/projects/scapy/%%!  h`ps://www.isc.org/soÉware/bind/documentaGon/arm95#man.dig%%!  h`p://dns.measurementMfactory.com/cgiMbin/openresolvercheck.pl%%%!  h`p://hakin9.org/magazine/1652MmobileMmalwareMtheMnewMcyberMthreat%%!  h`p://www.ieÑ.org/rfc/rfc{1033,1034,1035,1183,2181}.txt%%!  h`p://tools.ieÑ.org/id/draÉMcmdMpreventMmalwareMdnsMdistributeM00.txt%%%!  h`p://www.wombatMproject.eu/%%!  h`p://exposure.iseclab.org/index.html%%!  h`ps://dnsdb.isc.org/#Home%%%!  h`p://www.webboar.com%%!  h`ps://dns.he.net/%%!  h`p://www.ﬂuMproject.com/%%!  h`p://arsoÉtoolsnet.codeplex.com/%%

Thanks%for%your%Gme!% @{Hlexpired,ﬀranz}& {charlie,fran}@7d.es%

Carlos Díaz y Fco. Jesús Gómez - CMD: Look who's talking too [RootedCON 2012]

by RootedCON

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Carlos Díaz y Fco. Jesús Gómez - CMD: Look who’s talking too [RootedCON 2012] Presentation Transcript