Exploit Kits Are Dead—Long Live Exploit Kits: Detect '18 Presentation Series | Anomali


A “Cyber Threat” has Garnered National Attention and the World is Mobilizing to Respond

Traditionally, intelligence, law enforcement, and the military have been marshalled to respond to security threats. But the cyber domain is unlike any threat we have ever faced. From natural disasters to terrorist attacks, most threats are bounded by the physical world, whereas cyber threats are bounded by technology, existing in a virtual world.

To combat this threat, we need to situate the response in the proper place within our organizations, which will be the technology shop, home to computer engineers—not cops, warfighters, and spies. Last, we must ensure that responders, policymakers, and operators have the right kind of skills to both understand and combat these cybersecurity threats.

Watch the on-demand presentation, led by Paul Sheck, Senior Threat Research Analyst from Anomali.

So my name is Paul Sheck, as it says right there.

This presentation and talk was originally on exploit kits.

But who's familiar with the exploit kit landscape right now?

Are we seeing a ton of exploit kits like we were?

No.

They've kind of disappeared.

And that was the genesis of my talk last year.

My talk last year was right after-- I started working on it right after RSA killed all the domain shadowing stuff, and it's kind of been on the decline.

So this is picking up on that research.

So exploit kits are dead, but we can still learn a lot from exploit kits from looking at the stuff that I've used over the last little bit.

Not to say that I'm the best at it or that I knew a lot about it, but it's been rather fun to do as a hobby, and they pay me occasionally for it too.

So we like that.

At least, I like that my kids do too.

My background is I'm part of the Anomali Labs team.

I do the CSO professional service as well.

So I go out to client sites and do engagements and so forth to help work with the professional services and threat intelligence and workflows.

Before I worked at Anomali, I was a SOC analyst, or I worked in a couple of SOCs.

And I started to do support services, support as a threat intel hunter, or a threat intelligence analyst at a major FI.

So I got hooked on exploit kits back in 2010, and I have been interested in them for a very long time.

And it's a lot of fun.

I realized I didn't fix my slides.

So-- I'll try not to use that word because I think that's the most said word in any presentation-- when is a good time to take on or to become aware of a current or an emerging threat?

This is a question out to you guys.

When do you-- [INTERPOSING VOICES] Exactly.

When is the worst time or one of the worst times you can get-- [INTERPOSING VOICES] Right.

So if anybody has seen or ever been in this experience, this is after IR tells you that you've got a compromise or you're showing up somewhere, and they're working many, many incidents.

The idea is, like I said, the exploit kits rely on domain names or domains, IPs, and registrant.

They have to get the domains or the exploit kit onto the internet.

So how can we take technology available to us or patterns and find ways that we can get in front of, or at least faster into, when infrastructure is standing up, or becoming, or hitting the internet and that we can get mitigation in before.

Another question for the audience that I didn't put in a slide-- I tried to minimize my words-- is, how do you do your blocking or your mitigation for your enterprise?

Or your corporate?

Or your environment?

Who does IP blocks?

Typically, network security, the firewall people.

But do you as practitioners, do you omit it, or do you use IP blocking for mitigation?

It depends.

It depends.

Do you do TLD blocking on proxies and so forth?

It depends.

It depends.

So the idea is I've seen anybody range from IP blocking to TLD blocking to the second level domain blocking to hosts blocking to regex in URIs, because they cannot block, they can only detect.

And so what I've found in most cases, figuring out the way to get the most effective mitigation is not really at the exploit kit.

It's at the TDS that's driving traffic and figuring that out.

But there's a lot of organizations that don't have the time, or resources, or understanding.

They're dealing with not so much the immediate gratification, but the immediate pain of I have a compromise, and I need to block something.

Where can I block?

And that's led to at least three different organizations or two different organizations that I've worked with, where they're fighting the battle way too close to home.

It's too much.

It's a reactive position.

The idea of this talk is to try to figure out or look at both the GrandSoft Exploit Kit.

Is anybody familiar with GrandSoft?

Has anybody seen GrandSoft in their environments?

It's not really a common one in North America.

I think they were targeting Panama the last time I talked to somebody that was using BlackTDS and GrandSoft.

So it's not a common exploit kit, but it's one of the last remaining.

Rig moved over to IP-based stuff, and that's killing me because I can't use domain tracking for IP-based exploit kits, and you can just block the IP.

But what I like is these are my three favorite things.

Because I can use those to triangulate in on interesting things.

So another thing that I like-- GrandSoft comes back to you, right?

So I think GrandSoft and Magnitude are different.

Magnitude is a different kit that's basically targeting South Korea, if last time I heard.

Not really an advanced kit after.

So we had the fall of Angler and Neutrino and all those other ones.

And then Rig was there.

And Sundown picked up.

And then GrandSoft appeared back in actually September of 2017, much to everybody's surprise.

I'll get into that in a second.

To talk about technologies.

So with the domain name, when you have new domain registrations, there's a couple of different elements that you can track that show up with that.

You've got to have a domain name.

You've got to use a name server.

And you get an IP address.

We have one of our services that does new domain registrations or looks for typosquatting.

I explained that quite a bit.

Because it's fun to go and look at what the bad guys are standing up.

And it's led to this talk.

Second part is WHOIS.

Who likes GDPR?

You did.

I like GDPR in some ways.

But not when it comes to WHOIS records.

So they are really killing me on making it so that the data available on WHOIS is not as easy to pivot off of.

Because some TLDs just don't give up WHOIS anymore.

They just limit that.

And others and providers like to limit that further.

But in WHOIS records, there's a couple of elements that show up as well: domain, registrant information, and the name servers.

And then passive DNS, another favorite, has another set.

So all of these technologies have domains, IP addresses, name servers, and then sub-domains.

And the idea-- I grew up playing with Splunk and doing ArcSight and doing that stuff.

So I like patterns.

That got me a job.

Figuring out how to link these three things together on shared information, I can start to at least extrapolate, I think, patterns that allow me to track down different things.

Such as exploit kits and potentially malware in the future, or currently.

I'm still testing that.

We'll get into that in a second.

But there's some overlap in here that leads to allowing better research.

Now GrandSoft-- so apparently was active, 2012, 2013.

I don't remember seeing GrandSoft.

I remember Fiesta kit and Blackhole around that time.

And that might have been I just didn't have eyes on and the work that I was working on.

In September of that year, he saw GrandSoft again and had been familiar with it.

It was an awesome Minion picture on the what when it showed up.

Kafeine is the guy.

He tracks everything.

It is active to this day.

I haven't pulled the domains this morning.

But they were registering.

They had registered two new second level domains on the 16th and 17th.

And they are still actively getting traffic from BlackTDS and some other TDSs.

So they are still active and present.

In the course of the last year tracking them, I found [INAUDIBLE].

I'll add this.

This is easy mode.

They stayed on pretty much three IP addresses for an entire year.

They use the same name servers on the same IP addresses.

And they host the sub-domains on the IP addresses.

So their virtual host basically is a one stop shop for this kit.

And all you've got to do is look at the IP address and watch as things change.

So they made it very easy.

But surprisingly enough, it looks like they're very effective.

And also the slide in a second when it comes to the accounts or the activity.

I can't remember what I was going to put.

So what I've done is, looking at the activity of the past year, I was trying to understand, why do you think an actor would move from virtual host and different hosters entirely?

Hitting and switch name servers and domains.

What do you think that would motivate that change or that migration?

Anybody?

[INAUDIBLE] Right, so looking at the data, there is good reason for-- there's exploit kits, Angler or Neutrino, you would have one URL.

Like each and every survey would have one.

It was a one time use.

I don't think GrandSoft is terribly advanced.

The traffic to get to them might be advanced.

So at first, I thought they were avoiding detection.

But they stay on the same IP address for months at a time.

And they have overlap as they transition between IP addresses.

Now they've changed up the ways that they register domains too.

But it's interesting to look at history over time or what I have history for, to see where the domains showed up.

Not where, geographically, because it's all in Russia.

But how the pattern looks as they register new domains, and they use new name servers.

So this is a multiple graph.

In December of 2017, they actually came up into-- or September-- but I don't have registration data or registrant data for the domains.

They used xyz as their favorite one to serve up the exploit kit.

Then they have TK, GQ and CF, I believe.

So the more the TK, CF and GQ, I don't have visibility onto the registration.

But I can see a little bit of the xyz.

So in December 2017, they have two domains.

And they use two name servers.

The next month, they started to get a little bit more active.

In December, they had 144 sub-domains that were serving up the exploit kit.

They disappeared in January for a little bit and then showed up in February.

They were using 10 domains.

I think they jumped up to 300 different sub-domains that were served.

And they are using a different set of name servers to register their domains.

In March, they expand a little bit more.

March, they registered 26 domains and ended up serving, I think, 1616 actual uses of sub-domains.

So their traffic exploded in March.

And then they started to move, as they added more, or they kept adding domains and shifting domain servers.

And we go through as they keep moving.

So December's a weird outlier, as it's not attached to anything.

But they started to have overlap with the large things, being email addresses that they used.

One was an admin support.

It was very odd.

Let's string a bunch of numbers together at p.33, which I believe is a ProtonMail-like email.

So it's one of those, like it should be anonymous.

But if you use it to register all of your malicious stuff or half of it, it's not very anonymous.

Or we don't really care about the attribution, other than I can track with it.

And then the second one was when they move over to an abuse.support, which is again, not very helpful in itself.

But combine that with name servers and how they register the domains on the same name servers, it was really easy to connect the dots literally, between what the domains were showing up on.

So September, we get a little bit more.

So I had visibility on 82 of the domains that they registered.

In reality, what I found was they had 335 domains that they used.

Generally, the name servers that they were registering the 250.

I couldn't track what registration information they used on their name servers.

I wish I did.

And I started to enrich with passive DNS in here, so I could start to pull up the sub-domains.

And if you see the squares-- sorry, the squares and where Maltego decided to be very helpful and start to collapse into collections.

So I was going to go or keep going.

And then I realized I was going to have a bunch of squares that were four.

And each square would have a hundred or 200 domains in it, or sub-domains.

And it wasn't going to be as useful.

So they were fairly prolific.

And here's the time, or the domains over time-- or a count over time.

So strangely enough, he showed up.

Let me see if I can find the pointer.

Which button is the pointer?

[INAUDIBLE] Oh, OK.

So in September, they had the one domain, which was a strange project X that has kind of followed on the domains.

But it hasn't been as active.

And then December is where I start to get the registration information.

And you can see where it spikes up to the 1600 sub-domains.

Now the activity is interesting.

Because it looks like they tested.

They moved around some infrastructure that I didn't know, that I need to dig in after the talk.

They were using Google Hosting at one point and apparently DOD at another point.

So that was very interesting to have 20 dots show up in the Maltego graph.

And then look at passive DNS and actually see exploit kit hosting on it.

Here's another view.

So this is just the spread of domains, same graph, just plotted on different IP addresses.

So you can see where they move from the 62 dot over to the 185.

And I can remember what the first hoster is.

But the second one is a Russian one.

Excuse me.

But like I said, easy mode.

Basically all I have to do is dump into passive DNS, pull down the domains, and start to look at it.

And then throw those into ThreatStream further for the trusted circle.

How many of you have used investigations in ThreatStream?

So I had a fun investigation that I've been tracking GrandSoft with.

And I thought I was pretty proud, 3,745 domains, until I ran through the data again and realized that I missed 2,000 domains that they had hosted on.

So I've now blown up an investigation.

We're trying to test the investigation feature.

And I'm excited to see what the new investigation feature will use and how I can visualize and graph this in the future.

But it's been interesting to watch.

As they stay active, they stay active on three IPs.

But they use a lot of domains.

And they'll continue to move.

So I was looking at this and thinking, OK, if this is pretty easy, I can script this out, pull in IOCs.

What would be something else that I could look at?

And try to use the name servers, the domains, and the sub-domains, or the name servers, domains, and the registrant name though.

Who's familiar with Gozi or Ursnif?

Or Snifula, or [INAUDIBLE] Neverquest.

Or there's a whole bunch.

So hard mode was IS-- ISFB is another one.

So this is a crazy information stealer that's been around for quite a while.

When I started in 2010, I had heard about Gozi from a friend that was saying that version one was doing clear text credential stealing.

So when it would steal your information, you knew that you had a Gozi infection.

Because you would see a stream of clear text flying out of your hill.

So it was rather fun to watch a Gozi compromise and then a [INAUDIBLE] compromise.

Because what they would do is the one would steal the other.

And they would sit there and just amplify and amplify.

And they'll just continue ship back with the other one which ship back.

Does not sound fun.

That sounds fun to watch as a network.

But I don't.

Another story was within 15 minutes of a Gozi compromise-- and this was recently-- they had activity on the account that the person who was compromised from another location.

So these guys are serious.

They're in for fraud.

And to be able to monetize stuff.

It's used by a bunch of groups from multiple people.

And as joking as I am about this, this is serious.

And it's a very present threat.

Challenges with Gozi, as I started to dig into-- and again, I apologize for the amount of text.

If you guys want to read that, you can.

The challenge with Gozi is it's used by multiple teams.

They are multiple groups.

I'm not into attribution.

But it's interesting to see how the campaigns differ.

In this one, I'll talk about two campaigns that I was looking at, if I can keep my voice.

I blame you, Nicholas.

Meetings before you present.

What I'm digging into is the domains that were serving up the binary.

Now I found, as I started to dig into this, sometimes this delivery mechanism, so I'll explain.

It's an email that contains a macro-enabled Word document.

That Word document executes PowerShell.

And Microsoft did a great write-up on a pair of the domains that they've found that I hadn't looked at or I was going to stumble across, had I not been distracted by work.

It happens I guess.

That day job, paying bills.

It's good.

What it does is they deliver the macro-enabled Word document.

That executes PowerShell, connects back to a domain that they have.

And then it pulls down a binary.

Now people have talked about, they see Gozi or Ursnif when it comes down, or [INAUDIBLE] or TrickBot.

And I only looked at that Gozi side or more of the domains.

Because domain name server and registrant email.

Multiple groups use it, just looking at a couple of the campaigns.

So has anybody seen bookingcabarete.org?

Or .net or .com?

So somebody pointed me out this in early August or middle of August.

And I decided to look into it.

bookingcabarete.org, has anybody heard of cabarete or cabarete?

I don't know how to pronounce it.

It's apparently a vacation spot in Puerto Rico.

And if you search bookingcabarete.org or .com, the first one on Google is booking.com.

And it's cabarete locations.

Is there a relation to what they were sending out?

I don't know.

I haven't dug into the lures that they were using.

But it was interesting to me that if you look at the differences, you have .org that's hosted on these 184 and 150s.

Anybody familiar with GoDaddy?

So these top ones are all GoDaddy.

And then when you add a sub-domain, it switches over to 95, which shows up in Russia.

Has anybody experienced domain shadowing or domain shadowing like activity?

How does domain shadowing work?

Not to put you on the spot, [INAUDIBLE].

Basically looking in subdomains [INAUDIBLE] domain?

Right, so where does that legitimate-- At the [INAUDIBLE] server to then be able to [INAUDIBLE].

Right, so they compromise the registrant account, leave the second level or the domain where it is.

Generally it's parked on GoDaddy potentially.

That's where a lot of them were.

And then they'll spin up the sub-domains on other places.

How do most people's reputation work?

Based on [INAUDIBLE].

OK, or that second level and where it's registered and where it's living at.

So when it came to reputation, it seemed like we're analysts.

We're also reputation analyzers.

Well I see this.

It looks like it lives on GoDaddy.

I'm not going to pay.

And it doesn't look like a legit domain, no matter that it failed that sniff test or something.

So what I found was I thought it was rather interesting that they kept the .org or that second level in GoDaddy.

But they have the sub-domains over there.

This was serving up the ordain, what looked like ordain lures.

So the ordain.

And then status.

This is the .net .com.

Interestingly enough, the .org's were only on GoDaddy.

And then they had the sub-domains somewhere else.

These are all on malicious hosters.

So I think they started GoDaddy.

But they moved it over, so that they had everything to that.

This is just a breakdown, GoDaddy, the 50 dot.

It's good, harmless.

I think it scored zero something.

And then you look at the Russian one.

So that, to me, struck as interesting as I did, the passive DNS lookup of the booking cabarete.

Some information, and this is where I ran into a challenge with that I couldn't use based on name server and email registrant.

It's GoDaddy.

GoDaddy has done a great favor.

Or they switched over WHOIS, so they can be GDPR compliant.

But thankfully, sometimes the name servers can be helpful.

But in this case, it wasn't.

And I had to rely on passive DNS to go in and figure out where the hoster was.

And then start to look or pivot off of that into the information where I can see where the binary served up.

Again, lots of text.

So that's the first.

There's the second one, terminal output.

Give me a second.

I really have been talking too much.

Can you mute for a second?

OK.

Maybe it's stage jitters, who knows.

I don't know, stage fright.

Yeah, please.

I'll just take one.

That's fine.

I have a question [INAUDIBLE].

Yeah So [INAUDIBLE].

Is your main objective to track the attacker?

Or are you trying to protect customers in this point.

What was your objective as you're tracking this?

[INAUDIBLE] No, that's fine.

No, that's a good question.

So the idea is this is what I like to do for fun when I'm not doing photography or other stuff.

But I think it's useful, because I found that a lot of organizations would do regex and rely on IDS and different things.

But I wanted to move that temporal advantage to as soon as we can run or we identify a registered domain that I can get it out to the community or get it to the premium or labs premium.

So that you guys could put in blocks.

Now depending on the org, I don't know exactly how people are blocking, which was why I asked, who's relying on IPs, domains.

I prefer to block the TDS.

Because then you don't have to worry.

So TDS jargon-- who knows what a TDS is?

Traffic Direction System.

Yeah, Traffic Direction System.

Are you familiar how that plays into the ecosystem?

They drive traffic to your exploit kits.

So if you can knock out a TDS, you don't have to deal with any of the exploit kits, generally that that particular one on one feed to.

BlackTDS is one.

That's how I found this one.

It was much harder to knock out BlackTDS.

Or I thought it was much easier.

Because it was three domains at the time, that I could see.

But GrandSoft was a little bit more prolific from a domain perspective.

And just figuring out how to get the best things, if I can't see telemetry and give you URLs.

And I can't look at the regex, or if I did look at the regex.

And that was one of the ideas.

Anybody heard of Fallout exploit kit?

Anybody looked at the URI patterns for fallout?

It's a mess.

The conversations I've had or I've seen, they can't put a regex around it.

Because they randomized word dictionaries all over the place.

And they've literally made it so it's almost impossible to do regex for.

So if we can find the domains as they're registered.

And I could give you guys the second level domains, and you block them and the second level, you don't have to deal with the exploit kit at the sub-domain level.

So that's the purpose of this.

That answer your question?

Yeah.

Cool.

Thank you.

[INAUDIBLE] Again, yeah, absolutely.

And that's the part that I thought was pretty amazing, as I dug into this.

It's staying on one IP address for this much.

Would you know that-- I mean, that seems really, for lack of a better word, dumb.

I mean, why would you-- how can you just [INAUDIBLE]?

Right, and I don't know when it comes to home-- man, my throat's killing me.

I agree.

I don't know why.

I think he's having success, or they're having success.

And so they're not moving.

They're not feeling the pain.

The Fiesta kit was one of my favorite ones early on.

They didn't change.

I don't know what they were doing until they happened.

But sometimes these kits don't change.

And they're not sophisticated.

If they're still making money or they're still getting traffic.

And then from a blocking perspective, I don't know.

I haven't actually contacted an ISP to see if they would block those to prevent homeowners or home people or non-business.

But from an enterprise perspective, if you can block at a TDS level, or if you can block in an IP level, whatever keeps you as far away from that threat as possible is the most optimal way.

But people or friends that I've talked with, before and after I joined [INAUDIBLE] struggle with different levels of mitigation.

They can only do regex max and post-compromise cleanup.

That's where they're at.

If they could do the IP addresses and do the mitigation prior, it seems like it's a mixed bag across the world or the different industries.

But yeah, that was one of those, why can't we block this earlier on?

And some people just aren't aware of it.

And since the landscape has changed so much, it's .

Interesting, I don't know where Fallout kit is showing up at.

But it sounds like it's trying to come back into the mainstream of maybe America.

Yeah?

[INAUDIBLE] So the URI stuff?

So the one that I remember, I don't know if anybody saw or ran into NicePak.

It was I think 2012.

Try googling NicePak and see if you can find anything on the exploit kit.

You'll find backpacks and everything else.

That was fascinating.

Because the emerging threats community was cranking out signatures as fast as they could to try to match it.

And the actor was changing the signature within an hour of the new signature generator.

He may or may not have been on that list.

So it's interesting to see what open sharing communities can be exploited.

But that was interesting to watch.

I think they've learned a lot in a number of years on how to go in and try to evade.

And once again, it shows that we need to mature the detection and the mitigation capabilities.

If we're relying on regex, that's awesome.

But has anybody spent months working in regex?

Do you dream in regex or have nightmares after?

That's what my experience was.

So I think they've learned a lot through researchers poking at it and beginners or novices starting to do and deciding to write blogs on different things and just getting it out on Twitter.

And they want to make money.

So they're making it more and more difficult.

Any other questions before I get back to Gozi?

And I think I have my voice.

How are we doing on time?

Cool.

So this is another campaign with Gozi around the same time.

[INAUDIBLE] at the time.

Again, small text.

Anybody see a pattern that shows up amongst the data that I've got up here?

[INAUDIBLE] Yeah, so they use CSNow or CS@now.cn for everything.

Now this set of name servers are interesting.

Because that led into an entirely different mess related to the same thing that I don't have a very good understanding of.

Because it ends up these are all related to a botnet or a couple of them.

But it's an interesting delivery, as I started to pull, obviously kicking in on the contact.

And then everybody else uses two or three of this DNSPod.

Now DNSPod, I found out, was kind of a mess when it comes to shady activity.

And I did.

So breaking it much more readable for you guys, just common information.

I saw a delivery or what ended up being delivery URL's.

And then I was told that the seritopola was commanding control.

Digging into the name server and the registrant email for kit because those had commonality.

This is August at DNSPod.

Basically shut down my computer and then died.

Because it had 31,000 links between the domains.

It's a mess.

There's a lot of stuff that's being hosted. That registrar, the host-- they're being abused by numerous groups and by the typosquatting and the fraud and so forth that I saw.

So that's kind of hard to whittle down.

This is just the CS@now.cn.

And as I've found, there's more [INAUDIBLE] typosquatting.

I remember a few different things that showed up in these.

But it's still a big mess.

I think that was 300 domains that they registered in just the month and a half that I was looking at or that I went back for this.

But if I add name server or the constrained by name server and email, I'm down to less than 100 domains.

And those turned out to be these.

Anybody watch the keynote?

Where Hew went over the graph?

It was very quick.

But he talked about this [INAUDIBLE] .com showed up in the graph that they pivoted off of.

So that was rather fun.

When I started looking at this, it was back in the top topper Tony and the different areas.

So I can quickly narrow down.

By using their name servers and the email registrant, I can start to look at the different domains.

I started to go through everything on the list.

And it's pretty much all bad, for various reasons.

But I can start to now look at-- the point is to use name servers and registrant email.

And figure out how I can find the domains when they're being registered and either add them as suspicious.

Or if they match a certain pattern, I can go in and validate that I can get those into the platform sooner.

And if I can do that, and you guys have access to this as well, you guys can start to get ahead of the threats by using or at least getting ahead of finding something that can get you closer to blocking or mitigating the threats.

Yeah?

The domains-- do you find that they're mostly entirely attack or control?

Or do you think they were taking over good sites [INAUDIBLE] kind of thing?

So that's a good question.

And that's where it smelled like domain shadowing at first.

They compromised the registrant account.

And they move all that stuff.

But it would seem like when everything on the list is showing up as bad, and it's being registered in China or whatever.

And then moving over to Russia and bouncing through Russia and Romania and Ukraine.

That seemed and it was all related to one malware delivery or some sort of fraud.

And I started to see customer domains that were being mimicked as phishing email.

This seems like it's mostly bad.

Again I'm not an attribution person.

But it's one of those-- if it shows up with this combination of name server and registrant, I'm going to say, guilty until proven innocent.

I mean, I'd rather reduce the risk by just making it so that I don't touch them.

Yeah.

Any other questions?

Cool.

So part of-- and this is I believe, the last slide I have.

So the part that I found interesting is keying off of using the domains and then jumping into stuff that people had found and harvested, they started to use or they use this TKN thing with the Microsoft blog post that they posted on the very localized attack.

I believe around this area little bit to the east.

They were using the SOHO.

And then a digit.

And then the .TKN to serve the binary from the malicious word document.

But they were using flux and test in this similar URI structure to deliver the binaries or the payload for or after the PowerShell command.

So in time, we'll be able to go in and link and build more grafts to try to pull this stuff in.

But it's interesting.

And then I didn't plot it.

One of the domains that I found, which was related to the seritopola is related to the fast flux botnet, flexi.

And it went from when it first got registered to start looking at a passive DNS.

And I think I saw it go from a couple of hundred IP addresses that were on to a couple of thousand to 26,000.

And my browser started to slow down and realized that this is either something bad.

It might have been a researcher trying to enumerate hosts with a wild card DNS that they might have used, or that the bad guys use.

Or it might be related to a botnet.

But that was going to be way too busy to plot.

And I was having trouble downloading the JSON.

So maybe that'll be next year's talk, to look at the different delivery things or the C2s and so forth.

OK, questions.

Anything?

I've got a few.

Yeah.

Just outside of the Word phishing mentioned today, what are some of the kind of like a quick rundown of other [INAUDIBLE]?

So Fiesta is old.

That was a fun one.

I think that disappeared.

The ones that I'm aware of now, and there's great research that's out there if you have access to the platform.

We're consuming some of this stuff into threat bulletins.

But Fallout kit is the newest one that I know of.

Rig is still very active.

Magnitude, Sundown, and there's a couple of different variations as well, and GrandSoft.

I think GrandSoft and Magnitude are the lower sophistication ones.

But once again, for the most part, other than Fallout kit, most of the stuff isn't targeting the US.

Traffic really did disappear.

And they did it right in time for my Detect talk last year.

Do you have any or any other questions?

[INAUDIBLE] I don't have a good answer.

To me, I like the relationships and looking in the referrers.

Focusing on exploit kits is important, because that's where it delivers the malware.

If what is old becomes new again, and they become popular, we've got a couple of different problems.

They've fixed a lot of the OS problems and the different things that they were exploiting.

But to me, if I can find that traffic direction system that is doing the traffic.

Now sometimes there's a couple of campaigns now that will route to advertisements or the Diet Coke of evil on the internet.

But not exploit kits, just different stuff from advertising.

But finding the root and blocking those will save you so much time and headache.

And figuring out what is the best mitigating control for your environment?

And making it so you can increase the distance between you and whatever is going on.

Now if you have the time and patience or are a curious analyst, let them loose on proxy logs.

It's great to find out stuff, or pcap or something.

Is there anything else?

[INAUDIBLE] I don't know.

So that's an interesting one.

I don't have a good answer for you.

I honestly haven't paid attention so much to what the payloads are.

I've been more interested in trying to find the source of that.

I know that I saw, when I was actively watching telemetry and defending an organization, that was interesting to watch as the payloads were much more sneaky at the beginning.

They were dropping the banking Trojans and different stuff.

And then FAKEAV started to show up.

And then FAKEAV moved over to ransomware.

And the change has been going from, I'm going to sit in the background and steal a whole bunch of information and not let you know, to being in your face and charging you $90 to clean up this compromise, to holding your system ransom.

In recent years, ransomware is being dropped.

I think [INAUDIBLE] showed up a couple different times.

And everybody's in it to make money.

The people that are sourcing the domains to exploit kit writers to the payload are the people that are dropping the stuff.

So I can't tell you what's going forward, other than-- [INAUDIBLE] Yeah, go.

The exploit kit versus ransomware [INAUDIBLE], an exploit kit is just a delivery mechanism for the payload.

[INAUDIBLE] I just think phishing has become just the easiest way if people-- if I can send your organization then that's better than trying to get people to go to your compromised websites [INAUDIBLE].

In the last seven years, the exploits kits were [INAUDIBLE] is because [INAUDIBLE] updates.

And whenever everyone found out, hey if we just update our software, then none of this stuff really works.

And it doesn't matter.

So when people update their software, [INAUDIBLE].

If people were updating the software, what's another way that I can get [INAUDIBLE]?

Right, social engineering.

[INAUDIBLE] Yeah, they made great strides in browser and plug-in stuff and OS hardening.

So it's been a huge spur.

How about for other organizations in helping you get down to the bottom of this?

And how aggressive did you want to be in trying to find who's behind it?

Or what other domains.

So [INAUDIBLE] et cetera, to get-- I've seen this stuff in the past.

And you know, I haven't [INAUDIBLE] a few domains.

And you've seen hundreds, let's say.

If you came to one of these [INAUDIBLE] and said hey, I have 300 possibly [INAUDIBLE] domains we talk about this, that kind of thing [INAUDIBLE].

Had you attempted to approach him?

Or has anybody [INAUDIBLE] the same thing and you get a success in the past?

I haven't approached.

Unfortunately, I was trained to really approach a compromised website and get threatened with lawsuits.

So that's something I can definitely incorporate.

I know xyz is extremely responsive on Twitter, like, you've got malicious domains.

We can help you take that down.

I haven't reached out to the other ones.

If anything, I would start from an observation.

Or please give me your registrant information, so I can start to see who's spinning up new domains and your [INAUDIBLE] and hopefully work something out.

Maybe I can at the same time to figure out if we get more and start to track.

But this has definitely been more of a side thing, keeping my sanity and wits about me.

So I can do some research, and then try to get it into people's hands.

I've had some pointers, talking to different researchers about this.

I tried to talk to the people that knew more about Gozi Ursnif.

And basically they told me that I need to get with either an offensive security person that can help me understand what they're doing in an active level by attacking them or compromising them.

Or get very good at reversing and track the campaigns for, I don't know, about six months.

And I can start to untangle that very messy web.

But for the most part, the idea is getting the data that I have into the platform.

And getting it into the hands of people that can actually protect and defend the organizations they're at.

My story is my mom is a phenomenal doctor, but she is terrifying on a computer when it comes to email and clicking links.

She's done much better in the more recent years.

But we go through about five netbooks a year.

My step-dad would keep buying her netbooks, because it was just too hard to do that.

She had I think it was a Juno email that she may still have active.

So she's there.

And if I can put this in the hands of people that can get active out there, or it can help keep my mom safe on the internet, then I'm going to do what I can to do that, as well as just make it so I can get as many domains out to you guys as possible.

So you guys can do that active mitigation or the retrospective searches or how you can operationalize this information into your environments.

Anything else?

Thanks guys for coming to the last talk of the day.

You guys are awesome.