-
Not Synced
Herald: So, who here saw the talk about
-
Not Synced
politician-speak this morning?
-
Not Synced
Nobody? Okay.
-
Not Synced
Yeah it was in German, so... maybe.
-
Not Synced
I wanted to respond something
to the people who did, but...
-
Not Synced
yeah, apparently, now,
-
Not Synced
talking gibberish in
a human-understable language is,
-
Not Synced
you didn't hear about that today, but
-
Not Synced
talking gibberish in electronic languages,
-
Not Synced
you are probably familiar with that,
-
Not Synced
so Ben here is a security researcher
with Checkpoint,
-
Not Synced
and he will talk to you today about DGAs,
-
Not Synced
so, algorithms that produce gibberish,
-
Not Synced
but they got a bit smarter in the past
-
Not Synced
and he will tell you something about
-
Not Synced
how to detect gibberish which somebody,
-
Not Synced
some people might want to
have for politicians too,
-
Not Synced
but you have to use reason for that,
-
Not Synced
and he will give you an idea about how
-
Not Synced
you can do that for DNS.
-
Not Synced
Okay, give a warm round of applause
-
Not Synced
for Ben here! And, let's being.
-
Not Synced
Herzog: Is this thing on? It is.
-
Not Synced
Okay, first things first,
-
Not Synced
if this slide makes any amount
of sense to you,
-
Not Synced
then I'm sorry to have to tell you this,
-
Not Synced
but you're probably a robot.
-
Not Synced
So what are the good news,
-
Not Synced
that's the bad news,
-
Not Synced
the good news is you've
come to the right lecture,
-
Not Synced
because once this is done
-
Not Synced
you'll be able to detect gibberish
-
Not Synced
just like the rest of the humans,
-
Not Synced
you'll be able to blend in
-
Not Synced
and no one will know a thing.
-
Not Synced
So first I'm going to refresh
your memory a bit
-
Not Synced
about what DGA is,
-
Not Synced
and what the problem is
that it was trying to solve.
-
Not Synced
Let's look at a regular scenario,
-
Not Synced
a basic scenario where
-
Not Synced
an infected system
has been infected with malware
-
Not Synced
and it wants to converse with
its command and control server,
-
Not Synced
that's what malware does nowadays,
-
Not Synced
in the past it may have just
done its own thing
-
Not Synced
without receiving any commands,
-
Not Synced
but today, malware usually
waits for commands
-
Not Synced
and operates based on commands
that it receives.
-
Not Synced
So, in this basic usual scenario,
-
Not Synced
the malware came with a built-in
DNS address hardcoded,
-
Not Synced
and the malware queries the DNS server
-
Not Synced
with this hardcoded address
-
Not Synced
and receives the response,
-
Not Synced
this is the IP address of the C&C server,
-
Not Synced
now the infected system contacts
-
Not Synced
the address of rest of the Internet
and the C&C server,
-
Not Synced
the C&C server very excitedly responds
-
Not Synced
"yes, I have another machine
under my sway"
-
Not Synced
and the connection is complete,
-
Not Synced
now the infected system and
the C&C server can converse.
-
Not Synced
So, all of this is fine and good,
-
Not Synced
until one day, the powers that be,
-
Not Synced
the, maybe ???, I don't know,
-
Not Synced
they find out about all of this
-
Not Synced
and they talk to the people in
charge of the DNS server,
-
Not Synced
that's probably ???,
not necessarily,
-
Not Synced
and they tell them, well,
-
Not Synced
there's been this shady activity going on,
-
Not Synced
and it's making use of your DNS servers,
-
Not Synced
would you kindly make sure
that it stops,
-
Not Synced
and the people in charge of the DNS server
-
Not Synced
do not want any trouble,
-
Not Synced
so they remove the record pointing
-
Not Synced
to the address of the C&C server,
-
Not Synced
and now the infected system,
-
Not Synced
just as before, makes the DNS query
to the DNS server,
-
Not Synced
and they ask, okay, where is
the IP address of my C&C server?
-
Not Synced
and the DNS server basically responds,
-
Not Synced
go fish.
-
Not Synced
Now, the C&C server just stands there,
-
Not Synced
fully functional, waiting
to send commands,
-
Not Synced
and it stands there, and it waits,
and it waits, and it waits,
-
Not Synced
and that's not very good for the campaign.
