Focus On Your Malware, Not Infrastructure! - Omri Segev Moyal

small opening remarks as well so good morning besides liverpool this is the first besides liverpool i'm really excited so first thing i want to have one last one more round of applause to all the organizers they've really worked hard i've been in contact with them for like six months so good work everybody

[Applause] this type of conferences and gatherings are a real game changer being chosen to open the conference is great honor and responsibility everything is fresh and new but also fragile like a seed just starting to grow a seed of hacking wisdom and knowledge sharing how the event will go today will probably go for a long time creating a new tradition in liverpool of course there are bigger events like black hat infosec and defcon so why do we need b sites why do we need b sites in liverpool site conference makes the true difference between the infosec industry and the hacking community it's about commerce it's not about commercial businesses it's about sharing experience and knowledge and meeting

other actors there's a slippery path between being an industry and being a community the difference is what you the audience the sponsors us the speakers and the organizers will make of it so go on going on fun laugh drink meet you people generate new ideas and project i'll be doing the same with you probably drinking so let's get started the presentation i'm going to show today is called focus on your malware not infrastructure i did a little survey on twitter amongst my friends researchers other members of the security research community and i asked them what is the thing the most challenging for them when they are developing and building their security research app by far

on also on the threads and in the survey itself it was time constraints everything takes time we don't have that time and we actually want to go home a bit early another one am every night so this talk is about helping solving that time constraints basically the way it was the agenda is we're going to first look at how we currently build some modern research apps we're going to look at introduction to serverless what it is what it is not what is it good at and what is it bad at and some of the security considerations because we are a security conference we must look at it as well we're going to look at some

current projects some of the latest things are we going to look how they were developed and how we can use them to to our advantage we're going to have an end zone example slide by slide showing how we can build something that used to be really hard for every security research and now we can build it really fast and easy using serverless and last hope for the demo got to go right we're going to have a quick live demonstration are we going to build a live app using serverless hopefully the internet and everything is going to work all right so um quick introduction to myself from marie segev moyal i'm an entrepreneur uh researcher doing exploits apts also a

community advocate and a big football fan of makabe haifa if you know it in israel actually played against liverpool once and one all right weird yeah all right so i'm doing a lot of research i'm also an entrepreneur and there are some ways that almost everybody that goes to build a research app goes through so let's assume we have some kind of a poc code i want to run there's some poc that i want to deploy first thing i really need to start planning i need to plan for the magnitude what's the size how many malwares i'm going to scan how many urls i'm going to work with i'm going i need to budget i need to understand what is

going to be the volume of my work i'm going to understand the volume of the volume of the network all the bandwidth all of those and i need to stop back usually for some resources from the company or sponsors or anything like that so that takes a lot of time and it's something nobody really likes to do nobody likes to you know back for budget or works on those kind of things and let's say i got my budget i got everything sorted maybe i cut off some stuff and then i need to start building up the infrastructure let's say i want to analyze some error i want to build a sandbox so i need to allocate i don't

know how many vms i can i need to start build up the network to make it secure and private i need to focus a lot of time on that i didn't even start with my project and then i need to find a way to start deploying my code let's say i'm using some continuous integration or github or simply on my machine but still only now i started to run my app and once i started to run my app then i need to start monitoring it because we work with research app usually researchers are not the best developers i know i'm not and they break when i start monitoring them i can't stress how many times i've worked

through the entire day late into the hours of the night and then okay i found my absence my app is working went to sleep only to wake up that it broke the minute after so i have no research that i have nothing to work with and that's really really frustrating so i started look and said all right i'm wasting a lot of time i need to stop thinking of what i can do better and but before i can understand what i can do better i need to start understanding what are the main flaws of what i'm doing i can start matching them so the first thing of the i guess major flaws in research app development is the fact

that i understood that it's not scalable at all makes it really hard let's say i'm working with some malware strain let's say emote was is a good example emoted is pretty good at the way they distribute their attacks one time they distribute two or three malware two weeks after a million hour on the same day and then they're going quiet for a month and then fremont and then two days later medium samples so it was really hard to get up the infrastructure ready to sustain all of those malware and analyze them and then uh just wait there with the infrastructure just waiting for it to work so it was something that was really really hot i

needed to find a way to make my app scalable the next thing i discovered is that we were not agile at all which is not good i mean developers always focus on agile and security research not so much and basically let's give an example anyone here work with cuckoo sandbox for example viper any one of those tools yeah i see some places so if you really want to get cocoon production it's a great app but it takes a lot of time you need like a team of devops and everybody to actually start working with it and then as soon as something breaks because the app was worked as a full multi-purpose uh app it has domain analysis document

analyzers file analyzers working with vm databases then if something breaks the entire outbreaks and more than that if you want to do some code changes then you need to take down the everything take down almost all the servers deploy your code run it never works for the first time so you need to redeploy takes almost a day to actually in production to get it to work and that also means that usually by coders you actually deploy your code so for research a quarter a few days that doesn't work because you need to work really fast so this is another example unless because all of those reasons it means that we are really slow on adoption if there's a

new malware straight if there's a new exploit there's a new type of vulnerability takes us a long time to actually respond to it which is horrible in these days that people speaking about minutes now not even hours etc so it's something we really need to focus on so i worked with my colleagues worked with friends worked with the community did some fred did some analysis and i came across a few ideas how to make it better the first one was working with docker swamp kubernetes orchestration anyone familiar with it cool so people familiar with it it's good it's actually much better than what it used to be but let's take a cuckoo example again to actually get a

proper cuckoo running in kubernetes i need an instance for my database two i need one for the web server i need one for the processing i need one for the elk i need one it's hard i'm a researcher i'm not a devop i don't want to spend all this time on running those apps so it was really really problematic for me it wasn't enough i was really tired of dealing with all the orchestration and servers and everything and then i came across a really cool idea what's relatively new it's called serverless i know it's a funny world it's kind of annoying word but it's actually kind of what it is basically serverless it's the latest brightest way for the

cloud providers to make more money and basically that's what they do uh they are like a casino the house always wins but it's actually cool some of them do it right basically what it means they've went into such a good stage of optimization that if someone rents some kind of a vps or an instant sales cycle or some kind of resources and doesn't use it they are going to use it in a third party kind of application in the serverless way basically going to use the scraps of whatever cloud resources that are left in their huge domain the hotdogs of cloud but basically there's so much of it left so they can actually provide you with an

almost limitless resources for mostly short periods of time or different kind of tasks so it's actually pretty cool basically most of it is working on the concept of fuss faas function as a service pretty new concept the main one and we are going to focus on today is amazon lambda there are also google cloud functions ibm open wiz and lately don't use it microsoft azure sorry but anyway it's focused mostly for developers on the fact that you should focus on your code besides right [ __ ] the infrastructure basically work just on your code it actually work for there but there are some limitations we'll go over them it also means that we are going to focus on

remember that single purpose functions we are used if you're working with docker multi-purpose apps now we're going to change our mindset to single purpose functions and basically what this means there's some kind of an event event triggers api call reading to a data writing to a database file activity something like that you will get an event you will process it in your function and then you can do whatever you want with some kind of an output safety database trigger another function things like that but you don't work on how we used to have one purpose functions for apps for everything it's also really good for bugging and everything like that last uh not last thing but another really important thing

is you don't pay for ideal super important if you rent cloud servers you rent ec2s you probably know that you're using most don't use 70 of what they're on for long term of what they use even if they use docker and kubernetes is actually pretty hard with serverless you basically only pay for exactly what you use you do pay a bit of amount but still usually on the long term it's much better and the last thing is that it's very very scalable let's go back to the imoted example i can analyze one malware strain if i do it studies statically for example and i can analyze a million i don't need to wait for it i don't pay

for the for the time i'm waiting i'm only paying for that exact time i actually tested it and it was really really good this is one of the reasons i'm actually focused on amazon here now am i the only one actually seeing this is the i'll fly video game i i couldn't stop playing once i start seeing it so kind of cool anyhow i'm not trying to photo of anybody here i mean there's some brilliant people here probably smarter than me a computer scientist you need servers but for our purpose for our point of view for this specific task for presentation for developing our apps we don't care about them now this is a security conference so actually

indulge you go ahead and try break out of the lambda find vulnerabilities you can make good money if you find one from amazon for example on the about bounty but leave it for now focus on just the way we develop our apps so it's not perfect though it's pretty new and there's some really cool limitations remember we're using the scraps of whatever the cloud provider gives us so first thing there's a very pretty steep learning curve and i'm trying to break some of those barriers today uh we are not owning the app we are basically running it somewhere in the magical realm of the cloud so first thing is that it's really hard to debug i mean it's not hard it's

different for example there's not much break points or traces or hooks the way we used to debug our apps today you need to work a lot of exceptions and login exceptions and things like that so this is something really important to understand another thing is there are some technical limitations for example when lambda just started you had a limit of storage of 500 megabytes now that's pretty small now it's two gigabytes but let's say you're dealing with some video app that needs to process or generates more than two gigabytes of storage then probably service yet is not for you there's also a limit remember we're using the scraps so we're using some kind of a server

that is currently not fully optimized so the main cloud providers have limited mostly to 15 minutes you can't run a single function more than 15 minutes usually when i work with people who start working with it when myself if you get to something that runs more than 15 minutes either you didn't properly optimize your code or if you really need to with some like really magical machine learning algorithms something like that then you probably want to use dockers or something else but it's an imitation worth knowing and the last thing is the concept of warm and cold boot this is something really important what basically happens in the background for example amazon they have their own

containers and you're creating a package your code you deploy it into their sphere and then it's waiting for a trigger whenever the triggers start they will shift your container to that location that wasn't really used and will execute so you have three steps here the the good look the container is starting to deploy and then usually functions have been some kind of initialization code let's say we're doing av scanning i want to get the latest signatures so i'm going to download them that takes a few seconds as well and only then the first step of actually running your main function of whatever you want it to do so that takes a bit of time usually a few seconds but

there's something cool because of the optimization they're not going to deploy that package all the time so they have there's a few time there's a short time span if you execute your function again it means it's a warm boot now and you're going to execute a function right away so you can actually even abuse that if you want to keep your functions running all the time so it's something really important to understand but if you look at it it also means that service is not feasible for everything let's say you deal with some police alerting or weather activity tsunami alerts and a few seconds actually really counts so you might don't want to use that as well but most especially for

research apps it's well more than enough this few seconds now it al it almost sounds like hanzo and greninja stories some uh candyland but remember we are researchers we work in a very hostile environment so we did it with exploits malware nation state for god's sake uh and we don't want to mess with them too much we must understand some of the security considerations before jumping in so the first thing is and i see it all the time people work really fast when they start working with serverless and they forget about securing their code and remember we don't need to patch we don't need to do updates we don't need to secure the infrastructure about

our code if it's damn vulnerable it's them vulnerable and things like event data injection are so common rces some people even connect the serverless to a database you get sql injections and stuff like that remember the os top 10 all the apsec uh principles work with them work with them really hard don't skip your security development life cycle if you do it in production the next thing is in insecure storage remember you got some containers floating in that magical ram and if you have some things like password api keys any secret social id numbers uh saved uh physics under storage not encrypted then it means that if it gets compromised somehow your code gets and

if someone work with gdpr or anything like that sometimes you can't even know where your code is actually in so there's some services to work around it amazon if there are secrets means you get an api call based on permission for the lambda and then you get your code you run it in memory and you destroy it right away so remember that as well after that we have permissions remember people are used to work with multi-purpose apps so they first starting to work with single purpose function what they actually do is making many many many many many many functions giving them many many many permissions and then they get compromised compromised compromise and all their

infrastructure get compromised so it's something that you really need to understand work on single purpose functions and the least privileged access that you can also uh budget exhaustion really really new concept if we get deals today apps usually what it means that our services are going to be down maybe we're going to lose some forester juicy doesn't really mean much but for production means that we are going to lose money on on not operating it doesn't mean we're actually going to pay more money based on the usage so for example we've emoted they actually attacked our services and they were trying to make us use more bandwidth remember it's scalable the cloud providers doesn't know it's an attack and they just

provide more and more resources to you so you can actually or sometimes it's errors that your programmers did so remember to monitor and set up bad budgets according to what you can actually afford uh also verbose exceptions people get hooked to how rapidly they can actually develop code but when you develop rapid code people leave a lot of exceptions a lot of purpose exceptions and sometimes i've seen passwords being returned to the users because they really wanted to debug so remember not doing that as well and last thing we are heavily relying on logging from the application side from the infrastructure side for example if it's a web application it's the nginx uh if it's other ones then

we're relying on those logs with functions those kind of functions there is no logs in the uh in the infrastructure you need to write the logs yourself record every activity record every exception most of them have some building tools as well so i really wanted to find an out of war quote but i couldn't find one and you know it's the keynotes you must have one and you guys are left with that but anyhow let's look at some more practical examples uh binary led by airbnb airbnb are heavily relying on amazon and i spoke to the security security engineering because i really wanted to understand why they used it so basically they created a way

to uh get alerts on every malicious file getting uploaded to airbnb why they decided to use serverless is actually pretty unique because the engineering team didn't have approval to stop uploading files what does it mean when you upload a file to airbnb it's a profile picture new user or new listing some kind of a house listing so it means if they stop it for one minute they're gonna lose a lot of money so what they did actually created a way to trigger parallel to the actual logic of their apps and whenever someone using s-free bucket is the storage unit for amazon someone upload the file the app for airbnb is uploading some kind of a file it will go to a lambda trigger as

an event that the main lambda has a dispatcher it basically will uh connect to many many other lambdas yara analyzes mostly clam avs and whenever it finds a malicious it will stream an alert so basically going back to the airbnb app and probably deleting the file or marking against malicious what's so cool about it first they can do whatever they want with the app it doesn't affect the main business logic app so they can do changes with it they can play with it another thing is that they can add as many analyzers they want or if a simple analyzer is not going to work the other analyzers will work so they can play with it as much as they want they can be

experimental the only thing they are really taking in consideration is the dispatcher so whenever you actually add a function or an analyzer that work with it and last thing they really care about not doing false positive and stuff but really cool project it's completely open source so have a look at it right another project called male scan bot quick disclosure this is something i built so uh take it as you will issue but basically it's also open source you can try it out on telegram it's a bot that helps people scan malware work with malware work with some analysis from your mobile phone the reason i created it was i'm traveling a lot i mean a lot

of conferences i usually don't have my laptop with me and i have a really stupid iphone that i can't do anything with other than messaging so i actually created that bot and basically what it is you are uploading a file you can play with it uh you can uh submit urls and stuff but something really cool is that i completely build it over serverless so i don't need to ssh to anything or work with anything in case the something breaks so basically the way it's designed uh now there's not just telegram there's facebook coming up slack and web and basically i have one single api gateway by amazon it's like their version of uh web gateway ingenix also

serverless and every command that you've seen like virustotal scanning things like that will be traced back to a corresponding lambda so for example some file getting scanned i'm scanning it and then i'm replaying it with scanned i'm also triggering actual scan in the background so you can actually report back to it etc so pretty cool again open source have a look at it if you want now i wanted to take something anyone built a malware sinkhole before here cool one that's good um and basically a malware sinkhole is where us researchers fail analyzers taking hostage or taking in control a domain is command and control center owned by attackers we usually register the domain either by the help of law enforcement or

we find a way to register before them or it was not registered and then we submit all the traffic of the malware to us what's really problematic with it usually we have no idea the magnitude of the attack we can simulate maybe but usually we don't really know and that makes it really challenging also because we this is something that extremely upset attackers every time i did that i was under attack if they know who you are so you really need to secure your infrastructure you need to set it up differently and it's not like your normal apps so basically serverless can actually solve that really fast and it takes months to get a sinkhole up and running so first thing i

wanted to do is find a thinkable malware i don't know if it's a real world but basically uh an email where i can sync now we did have a full database of malware for this specific demonstration and i didn't randomly just found one so actually when it looked a bit and this is something you can use anyway it's a dock i can show it later but it's a google doc you can look for nx domain a tag in virustotal and it basically your mirror was running and the ip was not resolved you couldn't find an ip so it may be a good candidate i looked up and i found a couple of samples this one specifically is an old

smither campaign some of you might be familiar with it and when i check with my smell scan board i can see it not registered i went to a cloud sandbox and iran ran it and i said it's still valid and then i actually checked the ips over other sinkholes so it's kind of cool actually okay i have a good candidate registered it and went to amazon again i love it sorry and what i did is i took route amazon route 53 it's the amazon name server again a service for uh domain name uh redirection etc and but it has really cool unique feature instead of redirecting to an ip or another domain you can redirect to an s3 bucket to

serve uh web files static web files and basically i can also have so i already have some kind of a website that's redirecting uh all of the uh queries and then you can actually save all the access logs so i have another bucket to save the access logs and create a really quick lambda with a combination to elasticsearch now all of that is just a simple next next snack you don't even need to be a programmer programmer much and i'm copying every log to the elasticsearch service so basically what happens we redirect the traffic to us we're already seeing some locks from the malware and in less than an hour when you have like a show of graph this is

like a time to wrap it show off graph of all the heat maps of all the aps around the world that are basically attacking us um so it's really shown took me i think i calculated with breaks maybe an hour and a half to get a malware to analyze it to to create a full serverless sinkhole and actually already have results so i can actually uh for example the ip here in israel was belong to a bank and i sent it like after two hours and told him hey guys we got an infection um the main one in united kingdom you guys are not actually infected this is 14 at sandbox so it's analyzing that malware a lot so

just a couple examples all right so let's do a quick demo

hopefully i said my prayers to the demogod and everything is working fine all right so basically what you're seeing here it's called cloud9 is a cloud browser only ide by amazon basically you can have your own environment set up and just use your browser whatever computer you use and you can write your code now it's not the best ide like if you work with python pycha might be better but it has a really good integrations with all the cloud amazon serverless functions so what i'm going to do here basically we're going to build a really quick domain analyzer api send some kind of a queries and get results back so what i'm going to do first i'm going

to create a folder for our app and because i'm working with python 3.6 for this example i'm going to create a virtual environment always work with virtual environments if you don't start with it now because it's going to save you a lot of problems

all right i'm inside my virtual environment and now i'm going to install a framework called chalice chalice is basically a really getting started framework in python they do a lot of the back-end for serverless for you to get started i don't usually recommend it for production we'll see why in a few minutes uh but it's cool to get started cool to get understanding what you can do with it and play with it a bit the documentation is actually pretty well so now i'm going to do stylist charlie sorry an internet stop working new project and let's call it domain analyzer and a loser that's good actually like the name all right so i'm gonna cd into it and a

loser uh and if we look at it basically let's do an ls we actually have app dot py that's our main app and requirements uh we're actually going to ignore the uh the uh requirements but uh for lambda it's really important if you're using any kind of fair product requisites are not coming built in with lambda you need to bring the actual binaries yourself really really important but for this demo we are going to skip that because it does take a bit of time so basically what we have here is a simple hat we import the main charlie's framework we got some domain analyzer app and we have the route route is really important basically telling the api

gateway this route direct it to this function the dev here so we have hello world let's call it besides liverpool all right now we're going to do is simple charles deploy and what charles is doing now it's setting up an iam rule with only the permissions you need kind of and creating a new function called a domain on a loser and then basically deploying the code to it once it's deployed allocating api gateway that is every time the ipad get will get triggered the lambda gets triggered with the input you ever actually sent to it so what we have here is an api url click on it and hey we have a little b side liverpool

pretty simple right now but remember all of you can go to this link right now it's going to work almost everybody in the world can go to this link right now it will work it will stay there and you can only you will only pay for those type of queries it's actually rather cool now what i'm going to do is i'm going to just copy a bit to save some time and we're going to go through this code so first thing i do is i copy a couple of imports if anyone worked with python before then socket pretty standard don't use it library that does network some bad requests and python requests anyone work with python on web then it's

a library you really really want to use to work with web pages etc apis all right so we have that and now what i'm going to do a copy a few simple definitions that are going to be the main code base for our api today everybody can see well the code and everything cool so basically what we have here for example we're going to do nslookup we're going to give it a domain and we're going to get an ip in return so something like that ns lookup and let's do besides liverpool all right so we have visa is liverpool and look at it this is the parameter we're actually taking so we take in straight any parameter given in the url

and we're actually very badly giving it back to uh to socket get us by name don't do that there's actually some vulnerabilities in here but it's just a really simple example and we're returning it back to the user with the domain they gave and the actual ip all right another thing we're going to do is last year i did a talk about malicious cryptominers and we've created a feed and an api this is actually some of the way mel scan body is also using it in the background and basically an api you can query a fee that's on github that says that list most of the crypto miner domains and returns some kind of a message if it's

in in those feed or not and the last thing i'm pretty lazy you probably know this by now so i don't like to analyze a domain with just the ip and then the domain and the crypto miners and everything so i created a kind of a mix of everything that i called analyze make sense cool now we're going to do we save you guys and now i'm going to do again charlie's deploy so it's pretty cool you can see how fast we can deploy apps really really fast due minor changes of the code so what we have here is nslookup besides liverpool and you see we already have some kind of a reply about the besides liverpool

hopefully you are not in the coin blocker list that's going to look bad if you do no nice and the last thing basically let's do analyze and we got the answer so again we can make it more beautiful anything but remember this is something you can actually use really really fast the cool thing about api gateway lambda there are some building protections you can actually generate quotas so if someone you want to give your friend only 100 credits a day stuff like that they will do it for you as well and again multinational a lot of places everything can use it very very scalable all right so last thing because i don't want it to be overly abused

charlie's delete all right all right so just finishing up quick recap uh we went through some of the things at least for myself i found really really challenging when i was building my research app and i was working with other teams with other companies we went through what is serverless some introductions things that they do better some security considerations common vulnerabilities etc we went through some usage of like binary alert mel scan bot we did a step-by-step how to build a sinkhole hopefully that was a bit of incentive that you can build your own apps with it as well and lastly we did a quick demo using chalice how we can deploy a domain analyzer app so uh thank you

[Applause] you