Herald: So, who here saw the talk about politician-speak this morning? Nobody? Okay. Yeah, it was in German, so... maybe. I wanted to respond something to the people who did, but... yeah, apparently, now, talking gibberish in a human-understandable language is, you didn't hear about that today, but talking gibberish in electronic languages, you are probably familiar with that. So Ben here is a security researcher with Check Point, and he will talk to you today about DGAs, so, algorithms that produce gibberish, but they got a bit smarter in the past, and he will tell you something about how to detect gibberish, which somebody, some people might want to have for politicians too, but you have to use reason for that, and he will give you an idea about how you can do that for DNS. Okay, give a warm round of applause for Ben here! And, let's begin.

Herzog: Is this thing on? It is. Okay, first things first: if this slide makes any amount of sense to you, then I'm sorry to have to tell you this, but you're probably a robot.
So what's the good news? That's the bad news; the good news is you've come to the right lecture, because once this is done you'll be able to detect gibberish just like the rest of the humans, you'll be able to blend in, and no one will know a thing. So first I'm going to refresh your memory a bit about what DGA is, and what the problem is that it was trying to solve. Let's look at a regular scenario, a basic scenario where an infected system has been infected with malware and it wants to converse with its command and control server. That's what malware does nowadays; in the past it may have just done its own thing without receiving any commands, but today, malware usually waits for commands and operates based on commands that it receives.
So, in this basic, usual scenario, the malware came with a built-in DNS address hardcoded, and the malware queries the DNS server with this hardcoded address and receives the response: this is the IP address of the C&C server. Now the infected system contacts that address on the rest of the Internet, the C&C server, and the C&C server very excitedly responds, "yes, I have another machine under my sway," and the connection is complete; now the infected system and the C&C server can converse. So, all of this is fine and good, until one day, the powers that be, the, maybe ???, I don't know, they find out about all of this and they talk to the people in charge of the DNS server, that's probably ???, not necessarily, and they tell them, well, there's been this shady activity going on, and it's making use of your DNS servers, would you kindly make sure that it stops. And the people in charge of the DNS server do not want any trouble, so they remove the record pointing to the address of the C&C server, and now the infected system, just as before, makes the DNS query to the DNS server, and they ask, okay, where is the IP address of my C&C server? And the DNS server basically responds, go fish.
Now, the C&C server just stands there, fully functional, waiting to send commands, and it stands there, and it waits, and it waits, and it waits, and that's not very good for the campaign.