Herald: So, who here saw the talk about politician-speak this morning? Nobody? Okay. Yeah, it was in German, so... maybe. I wanted to respond something to the people who did, but... yeah, apparently, now, talking gibberish in a human-understandable language is, you didn't hear about that today, but talking gibberish in electronic languages, you are probably familiar with that, so Ben here is a security researcher with Checkpoint, and he will talk to you today about DGAs, so, algorithms that produce gibberish, but they got a bit smarter in the past, and he will tell you something about how to detect gibberish, which somebody, some people might want to have for politicians too, but you have to use reason for that, and he will give you an idea about how you can do that for DNS. Okay, give a warm round of applause for Ben here! And, let's begin.

Herzog: Is this thing on? It is. Okay, first things first, if this slide makes any amount of sense to you, then I'm sorry to have to tell you this, but you're probably a robot. So what is the good news? That's the bad news; the good news is you've come to the right lecture, because once this is done you'll be able to detect gibberish just like the rest of the humans, you'll be able to blend in and no one will know a thing.

So first I'm going to refresh your memory a bit about what DGA is, and what the problem is that it was trying to solve. Let's look at a regular scenario, a basic scenario where an infected system has been infected with malware and it wants to converse with its command and control server. That's what malware does nowadays; in the past it may have just done its own thing without receiving any commands, but today, malware usually waits for commands and operates based on commands that it receives.

So, in this basic usual scenario, the malware came with a built-in DNS address hardcoded, and the malware queries the DNS server with this hardcoded address and receives the response, this is the IP address of the C&C server. Now the infected system contacts the address of the rest of the Internet and the C&C server, the C&C server very excitedly responds "yes, I have another machine under my sway" and the connection is complete; now the infected system and the C&C server can converse.

So, all of this is fine and good, until one day, the powers that be, the, maybe ???, I don't know, they find out about all of this and they talk to the people in charge of the DNS server, that's probably ???, not necessarily, and they tell them, well, there's been this shady activity going on, and it's making use of your DNS servers, would you kindly make sure that it stops, and the people in charge of the DNS server do not want any trouble, so they remove the record pointing to the address of the C&C server. And now the infected system, just as before, makes the DNS query to the DNS server, and it asks, okay, where is the IP address of my C&C server? And the DNS server basically responds, go fish. Now, the C&C server just stands there, fully functional, waiting to send commands, and it stands there, and it waits, and it waits, and it waits, and that's not very good for the campaign.