
BSides Las Vegas Breaking Ground is now proud to present Andrew Brandt and Gabor Szappanos in their talk on search engine de-optimization with Gootloader.

Hi everyone. Thank you very much for coming to our talk today at BSides. I'm Andrew Brandt, principal researcher, with my colleague Gabor Szappanos, who is our research director at SophosLabs. We're going to be talking today about a very interesting, in our opinion, attack that we discovered that we're calling Gootloader. So what is it exactly? Well, in essence it's a web-based attack that delivers something called Gootkit, Gootloader being a concatenation of Gootkit and loader. Gootkit has been around for a while, at least since 2018, and it's been used as a malware family that has delivered several ransomware, RATs and other types of malware.

It really has evolved into a more widespread distribution network for malware, and the way that it delivers the payloads to targets is through some very interesting search engine optimization, although we've characterized this as search engine de-optimization. It uses a large network of compromised websites to bring down a sort of watering hole page that then, if the target downloads what is presented on that page and double-clicks it, starts this path of infection that we're going to get into in a minute. So this Gootloader attack, because it relies on manipulating search results, the attackers have done some poisoning of search results, and that necessarily requires focus on specific languages. So what we see is that there are certain countries that have been targeted, or at least the languages of those countries have been targeted, for these attacks, and that the attackers have been delivering different payloads depending on where the target has been located. The majority of the attacks we've seen have targeted the United States and Canada, North America, but there also have been attacks targeting Germany, France and South Korea. And again, because of the way that the attack works, the attackers are using key terms in the languages of those countries to lure people into this network, and as a result the output is that they're getting these different malware payloads depending on the region of the world in which they're located.

So doing analysis on this project was very challenging. The people who have come up with the system by which this works have spent a lot of time trying to figure out how to make it hard for people like Szappi and myself to do the work that we did. One of the ways they do that is they make it hard to sort of stumble into the watering hole. There are a lot of criteria that have to be met. The person who goes to the page where the malicious code is being hosted has to have a referrer link from a web search, and specifically, as far as we can tell, it has to be from Google. It obviously has to be a visit to the web page from one of the targeted countries that they're trying to infect people in, and the IP address that you visit from has to not have been on that website in the past 24 hours. And that's just the part where you stumble into the page where they deliver the first-stage payload. But then that first-stage payload itself has additional obfuscation; it has polymorphic code; it has incredibly long sleeps, and some of those sleeps have been hidden inside of the encoded layer, so you can't just bypass the sleeps by rewriting some of the scripting code. And then there is a whole fileless sort of mechanism that it uses for persistence, where some of the information, including the actual malicious payloads, is being stored in the registry as encoded data and then being pulled out again on demand.

So let me give you a quick overview of the attack and then I'm going to pass it on to Szappi for the deep dive. Here's a quick diagram that sort of highlights the high points of what we knew about the attack back when we initially started doing this research. As I mentioned, it all starts with a Google search, and the Google search terms that they're trying to lure people in with have to do with sort of business terms, things like downloads, but also contract and agreement, in the languages that they're targeting. The poisoning that's happening basically results in the web page with the malicious stuff ending up at usually one of the top results, but in almost every case that we found it was the very top result in the search when we were doing the analysis. Once you click that link in that first search result, you land on a web page that belongs to a legitimate organization, or sometimes it's a private web page, but the web page has been modified to basically generate, in real time, a dynamic fake message board or forum page that you land on. When you get there, it appears that you've sort of stumbled into a conversation in which someone else has asked for exactly the thing that you were doing the search for, and a different person on this fake forum page has responded to that question with "hey, I've got exactly what you're looking for, here it is". It's that payload that you download from that conversation that we call the first-stage JavaScript.

So you pull that down, you end up with a .js file on your workstation, your Windows machine, and by double-clicking that you start wscript on Windows, which then runs through and does the process of decrypting all of the internal stuff that then pulls down a second set of scripts and begins the rest of the process that you see here. That includes writing data into the registry, using PowerShell to load some of that stuff out of the registry, bringing down and running injected code that, through process hollowing, runs within a legitimate process, and then that final payload that's running in the context of some other legitimate process in Windows has the ability to do things like bring down the final payload. Now, what we discovered in doing the analysis of this is that this entire process is handled through a machine that we're calling the mothership, but it's essentially the command and control server for the malware. It also is delivering the fake forum content to that page and delivering the JavaScript.

So this visualization is from a tool that we call the root cause analysis tool; it's an internal tool here in Sophos, and it shows a representation of the telemetry that we've collected from one of these attacks. What you'll see here is that it sort of starts in the upper right corner with the Firefox browser, in this case, browsing to a page on Google and then following it to a search result which delivers a zip file that contains a .js script. So as you move from the upper right to the lower right, you see that the user ran WinRAR to unzip the file, they double-clicked it, which then invokes wscript, and the Windows Scripting Host then handles the rest of the infection process, at which point the machine is basically toast within a few seconds. wscript invokes PowerShell, PowerShell is running through a bunch of commands, doing the decrypting, doing the process hollowing and injecting, and eventually you end up in the bottom left corner there with Gootkit at step six. So I'm going to pass it over to Szappi, who's going to take over the rest of the talk.

Yes, and I'm trying to explain the technicalities of the whole infection chain. As Andrew said, it starts with a Google search, but that's not where the whole story begins, because before that the operators of this Gootloader infrastructure must already have compromised several web servers that host their code. So before the beginning of the infection there is a prerequisite, a preparation phase, where several dozens or hundreds or maybe even thousands of websites are compromised. We don't have information on how exactly they are compromising these WordPress sites; it could be some remote vulnerability, or they're just using weak username/password combinations. But what we know is the result of this compromise, and the result is that a set of scripts is injected into the WordPress installation, and these scripts are defined as event handlers for different WordPress events. For example, the first three on the list on the top are responding to the events when the content, the header or the footer of the web page is being prepared and is ready to be published on the HTML page, and the last one is executed when the WordPress instance is started up; this is the boot-up, the initialization phase of the malicious code.

One of the typical code fragments that we see on these compromised sites is a piece of code that does IP address filtering and blacklisting. What it does is make sure that it doesn't serve the same IP address again if it has already been served on the same day, so you cannot go to the website and infect yourself over and over again. It doesn't really happen to victims of this infection, more like researchers who want to understand the entire process. Anyway, not only the IP address itself but a large neighborhood of that IP address is also blacklisted, which shows that the operators of Gootloader are not particularly interested in infecting thousands of users; in fact, they are quite happy if they manage to infect only a single user within an organization.
Then let's start with the infection process itself, now that the preparations are done, and let me begin with why I found this research interesting. Because I've been analyzing computer viruses and other sorts of malware for 25 years, I have seen many different infection forms. We have seen a lot of presentations about malware delivered in email messages, or malware being distributed via vulnerabilities or weak passwords in internet-facing applications or services, or watering hole attacks, but malware being delivered through search engine optimization is somewhat of a different thing that I have not experienced before, and it was very interesting for me, one of the most interesting pieces of research that happened to me. I tried to understand the end-to-end infection process, and I'm trying to explain in the remainder of the presentation how this infection process goes, because it's a very different infection strategy from the targeting point of view. The Gootloader operators are like spiders: they cast a web of poisoned search expressions and then they don't do anything; they are waiting for the victims to hit those expressions in a search engine and get themselves infected. So unlike other distribution strategies, they don't have a predefined target list that they are going after; there are different mechanisms to make sure that they are reaching their desired targets.

If you can skip back to the previous slide, one of these target selection mechanisms is the search expressions that they are poisoning. We were able to gain reasonable statistics from the German search terms that they were poisoning, and it turns out that the main terms were related to free software downloads, or samples or forms of contracts and other legal documents. These are what they were after. Most notably, they were not targeting search terms like viagra or porn or software cracks, so they were not going after the average computer user, more like business environments and business computer users. This is one of the selection methods they were using.

Then, when one of the victims goes to the web browser and starts punching in his search terms, like in this case, where we are simulating a German victim who is looking for a free download of MIDI songs, he enters the Google search engine. We found that the Gootloader infrastructure is most efficient in targeting the Google search engine, and we actually found that they are pretty successful in that: around the top of the hit list we always found the compromised websites that are delivering the malicious content. But how are they able to achieve that? How can they be successful, and how can they fool the Google search engine? Let's look at the original web page that was on the top of the list of the search results. It's actually an informational site for Michigan cannabis entrepreneurs, with little to do with German MIDI songs, but if we look into the code of the website itself, which is exposed in the source code, what we find is that it contains a large blob of data, and that data contains the most common search terms that this Gootloader malware distribution infrastructure is targeting, along with the subsites within that host that are allegedly serving those. All this is organized into an element within the web page; this element is called a64ec48, and there is a script tag at the end of this element that makes sure that it is an invisible, non-displayed element. So when an average user visits this site, they would experience nothing of this content, these search terms and the advertised subpages, but when a search engine crawler visits the site, it will find all this, it will gather all these keywords, and it will rank highly in the search results.

Anyway, let's go back to the German user that was trying to infect himself with Gootloader. If the site is visited from any country other than the target, from Mexico or Sweden or Hungary, my home country, the content that would be displayed after the click from the Google search is an innocent-looking German text about the German electronic music scene, where deadmau5 and other authors are listed. Fair enough, but how does it turn into a malware distribution framework? Let's look into the source code of this page, and it turns out that, depending on whether the conditions are met for the target selection, the content of the page will be changed on the fly. The HTML code of this website contains the original German text about the German electronic music scene plus an inserted JavaScript, and this is where it starts to get interesting. This inserted JavaScript is the one that will first reach back to the mothership, and it does that by first gathering information about the request that led the user to clicking on that page and visiting that page. The information is the server ID; the IP address that the user was visiting from, which is used for filtering out non-intended and non-wanted countries visiting that site and restricting it only to Germany in this case; the user agent; and, most importantly, the referrer string of the web browsing, and in this case the referrer string will contain the original search terms that were punched into the web search engine. From all that, a large request is built, and it is sent to the mygame.ps server, which is the mothership; that's the domain name of the mothership that serves the malicious content throughout this distribution campaign. At the end, whatever is returned from the mothership is going to be rendered into the finally displayed page, a header to the header and a body text to the body text.

But what will be this returned content? First of all, what it will do is purge all original content that was to be displayed, so the entire thing about deadmau5 and the German electronic music scene is deleted. After that, a fake forum discussion text is inserted. In the next step it is going to talk about free MIDI song downloads, just as the user requested from the search engine, and finally a download link will be presented. So at the end, when the webpage is swapped, what the user will not see is the original content; actually, he will probably see for a couple of milliseconds the header of the page or the blank content, but immediately it will be replaced by the fake forum conversation. This fake forum conversation will always have the same general structure: it will be about some user looking for, miraculously, the same search terms that the visiting victim has been searching for, and then a very helpful administrator provides the download link, and the thankful user is very grateful, thanking for all the help and very happy at the end. It is a very, very smart social engineering trick: the user punched in "free midi song downloads" in the web browser and ends up in a forum discussion that discusses exactly that and provides a solution for exactly that. And this same structure is repeated over and over again, whether we are looking at the German or the French or the English or the Korean versions of this distribution framework; the text was always the same, translated to that particular language, and even the icons representing the users are the same, so it always has the same visual feel.

The important part is the download link that is inserted and that's allegedly provided by the administrator. What does this download link contain? It will point to a zip file that will contain a JavaScript component, and if we look at the name of the JavaScript file, it will be exactly the same name, composed from the original search terms. It's because when the page is rendered, the request to the mothership will contain the referrer string, which contains the original search terms, and the mothership returns a file with the name exactly matching these. So from the victim's point of view, he was searching for free MIDI songs in a search engine, he ends up at a forum discussion discussing the same exact terms, free MIDI songs, and he will be served with a file that will have the exact same name, "free midi song". So it all looks so convenient and so not suspicious, so why wouldn't they click it? Anyone would click it, right?

What happens then? Then the mayhem will be released on him, and the infection process will start by executing the first-stage JavaScript which was downloaded and clicked by the unsuspecting victim. This first JavaScript is a highly obfuscated, server-side polymorphic code where the initial instructions are broken up into elementary pieces. The first two lines: the first is a function that does nothing but add two numbers; the second splits a string. So the elementary operations are split into functions, and they are placed in random order, and all these pieces have an encryptor which decrypts the content that's in the middle of this display. Actually, the decrypted content would contain another layer of the same encryption, so when it's all over, the end result will be the downloader code for the second-stage installer. This downloader code has a simple structure: it uses a set of three possible download server names, and it sends a request to the download server, and the request will contain the unique parameter, highlighted in yellow in this code listing. That is a randomly generated unique parameter for each visit and each user, and a random-looking string consisting of numbers is appended as the value of this parameter. But the last six digits of this value will not be that random, because that's always 278146, and this represents that the user who executed this JavaScript is actually using a computer that is connected to a Windows domain, so it's likely to be part of a corporate environment and not a researcher running in a sandbox or an analysis environment. It is also anti-analysis and a sort of selection of the potential victims.

So this code reaches out to a PHP file on the second-stage hosting server, and this simple PHP file does nothing more but collect all the request parameters and hand them over to the mothership. That request is visible at the bottom of the code; in this case the mothership is not represented by the mygame domain name but by the corresponding IP address. Anyway, the request is sent to this sd.php file, and this PHP file in return, if the conditions are met for the infection of the user, returns the installer JavaScript. That installer JavaScript contains two embedded large strings; these are the Windows components that are used in the later stages of infection. One is the injector of the final payload; the other is the registry loader that will load the injector from the registry. There is a short JavaScript code that will save both of these blobs into the registry and then creates an autorun key in the registry, which will be executed every time the computer is rebooted, and the value of this key will be the PowerShell code that is visible in the listing on the bottom, which will extract the registry loader and proceed with the infection process.

So at the end of the successful execution of the installer script, we are going to have a set of registry keys that are storing the payload injector, we are going to have another set of registry keys that is storing the registry loader (these are the two malicious Windows components of the Gootloader distribution framework), and we are going to have an autorun key in the registry. If we look at the value of the autorun key, at the bottom of the window, it will read the value of some Windows environment variable, and whatever the value was there, it will execute it. The value of that environment variable is going to be a final piece of PowerShell code that will go through the registry, extract the keys that correspond to the registry loader, load that program into memory and run it. So at the end of the successful injection, we are going to have two blobs in the registry, we are going to have a registry key, and we are going to have an environment variable, and that's all the components that are on the infected system. No malicious content will be created in the file system, so most of the components will be invisible to classic, traditional antivirus protection programs.

Let's look at what the registry loader does after the previous PowerShell loader invoked it. It will go through the registry and collect the content of the payload injector, which is stored in consecutively named registry subkeys 0, 1, 2, 3, up to however long that loader is. At first it doesn't look like much of an executable; it's just some random junk string. But what the registry loader does, after it collected it, is a brief transformation (decryption would be too ambitious a word for that). Let's look at what happens to the first four characters of the stored registry blob, that is, the "wdua" string. The w will be replaced by 4 at the beginning; the d will remain the same, it is not transformed; the u will be replaced by 5; and the a, again, will not be transformed. So it starts to resemble a hexadecimal representation of an executable, because these two bytes correspond to the MZ marker at the beginning of a Windows executable. From that we can get a picture of how this file will be extracted from the registry and will be loaded into memory as a Windows executable.

In the next step, the loaded injector will inject the final payload using process hollowing. This is illustrated in this simple process trace that we have observed; it goes from the bottom right to the upper left corner. It starts with the PowerShell code that was read from the environment variable, no, it starts from the PowerShell code that was setting the registry autorun key; then in the middle is the PowerShell code that was in the environment variable; and then a clean, seemingly clean, Windows application, ImagingDevices.exe, is executed. But what happens is that the injector is going to load this ImagingDevices.exe, which is part of the Microsoft Photo Viewer suite application; it loads it for execution but holds the execution and overrides the entire memory area occupied by it with the final payload, which would be one of the trojans distributed by this framework. So at first sight it would look like a clean Windows application, ImagingDevices.exe, was executed, but really, at the bottom of that, a malicious Windows code has taken over that memory space and executed from there. Later on, the operators of Gootloader thought, why bother with relying on the existence of ImagingDevices? It may not be there; it may have been uninstalled or deleted. So they brought along a benign application by themselves, so the injector contained two executables: a clean one that was loaded and whose execution was halted and paused, and then the content was overwritten by the Kronos banking trojan payload. So if you are looking at it from Process Explorer, you would see that a clean, trusted, even digitally signed application from Embarcadero Technologies has been executed, but in reality the Kronos banking trojan is running in the disguise of this clean application.
So I'll take over from here, Szappi. What we found in doing the analysis on this story is that, as we mentioned earlier, they're using these compromised WordPress sites. We don't know how they're compromising these sites, and in the course of doing the analysis of this attack we found relatively small numbers of sites that were hosting the landing pages that were delivering that first stage of malware, and then slightly more that were hosting the second stage. However, we suspect that these numbers are much larger and that we are only seeing a tiny window into this much greater-sized attack. And to highlight the fact that everything is really being controlled by the mothership, we also noted that there was this additional PHP that was being delivered to the WordPress sites; it is a very simple remote shell, so that they can take anything, pass it as a variable or in the query string to the website, and have the website basically interpret that and run the code or command or whatever it is remotely on the WordPress site.

So what do we do about this? The real problem here is the next step. Say you're a standard sort of Windows-using web browser person; what do you do about this? There are a few steps that savvy people can take, and the problem that we discovered is with each of these possible solutions. And we're not including running a quality endpoint security product on your machine, but just what are things that you can do that don't involve buying a security product. Well, there are free tools, things like the NoScript security suite, which runs in Firefox and Chrome; they do offer some protection. The problem is that using NoScript is a pretty high bar for non-technical people to become aware of how it works and to understand how to use it effectively. There are things like: you can learn to recognize this fake message board, the redirect page that we were talking about; they always use the same icons, they always use the same sort of structure and visual appearance of the page. Not everybody is going to do that; not everybody is going to have seen this talk, as much as we would like the whole world to know about this. There will be people who have never heard of this until they get this thrust in their face. It's also probably too high a bar to say, instead of clicking a link in the search result, just type in the address and go to the home page of that website, make sure that it has the type of content that they claim they're going to have. I don't think that that's a reasonable thing to say. And I've said this for years, but by default Windows has this setting called "hide file extensions for known file types". I've always told people to turn that off, and if you do, you might realize that you've downloaded a file with a .js extension and not a PDF or a document file. But that also then relies on people knowing that they shouldn't click a .js file, that it's actually dangerous.

So these are all very problematic solutions for end users, and really what I want to say is that Google itself is the watering hole in this case. They really need to be aware of this method of manipulating their search results. Here's one of these results, and there's this ability to kind of look at it, and Google will even tell you this website was indexed several years ago, and even though it's not HTTPS, that may not matter. The reality is that it's the search engine optimization that starts the whole rest of the snowball effect happening and leads to something like this. And until Google is able to recognize when this kind of search engine manipulation is happening on their platform and start to address it and adjust their algorithms, I don't know that there's really a great solution for end users other than to just be extremely careful when something that is exactly what you've been looking for gets dropped in your lap like it was basically a gift from heaven. So hopefully Google will deal with that, and that concludes our talk. We'll open it up for questions, and thank you for attending our talk.
All right, thank you for joining us today. This is the Q&A for Search Engine De-optimization with Gootloader.

I understand your co-author Gabor couldn't make it today due to the time zone, but we're really glad to have the chance to talk about this presentation with you. I love your background, by the way, that is really awesome.

Thank you.

What is that?

So yeah, this is a historic photograph of the computer lab at UCLA from the 1970s. In addition to doing malware analysis, I volunteer at a retro computing museum here in Colorado, and so I use some of these machines for real and I like to play with them at the museum as well.

We had a really great museum here in Seattle that went out because of COVID; it's out of business, so I'm very sad, but hopefully maybe someday it comes back.

I'm aware of that, yeah. We've been trying to obtain some of their stuff, actually.

Excellent. Well, I'm glad it ends up somewhere. So first off, let me just say that the structure of this attack is just, I mean, it really hit me, it's beautiful. It's such a lovely middle point between phishing and actual spear phishing, and it kind of hit me on a personal level, in a way that, let's say, scattering USB drives or malicious ads for various too-good-to-be-true products just can't, right?

Yeah.

I mean, this is something we've all been there, right? Trying to RTFM or pull up a Hail Mary on a code feature we're trying to implement, or a communication protocol we're trying to reverse engineer, a song or movie we can't find in print anywhere, or some buggy interaction we can't figure out, and then we cast it out into the internet, hoping desperately that someone somewhere has documented this thing that we're wrestling with, right? And then a chorus of angels, there in the glow of the monitors, this thing that promises salvation, or at least that possibility of cutting a few hours off our struggles. It just plays so beautifully into the psychology of certain niche problems and professions and subcultures that you really have to admire it.

And that is really the danger here: it is handing you precisely what you are asking for, and in fact it is using exactly the same words that you have entered into your search query, right? They know that; it's able to parse that stuff and then send it off to what we call the mothership server, which then serves you up with a piece of malware that is named after the query that you have just entered. So it is essentially handing you exactly what you asked for. But again, like you said, it's only in very niche types of queries, right, and they're all business related. We saw that the terminology in all of the languages that these threat actors targeted was looking for terms that had to do with contracts or business agreements of some kind, and so you would see terms like agreement or documents or loan or contract, and those were the kinds of words that turned up most frequently in these searches.

So that actually does lead me to another question, which is, how common is this thing actually in the wild? I mean, what's your sense of who's employing this and how they're targeting it?

That is a great question, and we only have basically a tiny window into this. The way that we discovered it was fairly niche, in the sense that we have telemetry that we're receiving from customers that is telling us about essentially these couple of activities just before something bad is detected on the machine, and using that we were able to back-trace what they did. And we think that it's actually extremely widespread. We are aware of 90 to 100 compromised web servers; we believe it's probably an order of magnitude more web servers that are being used to do this search engine optimization. And again, it's obviously not difficult for a sort of dedicated threat actor, and the payload that they're delivering in a lot of cases is a stealer that steals credentials from a big variety of software, including FTP credentials for a website, so it is quite reasonable for them to have access to a thousand or two thousand servers that they then inject this code into.

Wow. So also, my understanding is you guys published this a little while back, in like March, right? So is there anything that you've learned since then that didn't make it into the presentation, or anything that's evolving still with this? What's the direction forward?

Yeah, so the new stuff that we discovered since the publication is that we obtained, with the help of one of the owners of one of these compromised websites, all the WordPress modification code, so that stuff that you saw in the presentation about how the mothership talks back and forth to the WordPress site
is all new um we also you know in the course of doing that we discovered that one-liner uh you know remote shell that they were injecting into every one of these wordpress sites which basically means that even if they were lose their you know the whatever credential that they had you know stolen from somebody to break into those sites and change those pages they could just ask commands in the context of wordpress on that machine and make changes you know in that way as well right okay wow i uh that you got to admire the the dedication craft and the amount of effort that's that they've put into this i mean you know i i feel like they're
that that you have to admire the amount of effort that went into this and yet with that much effort and that much trouble you know could they have not done something that would be more beneficial to humanity cobalt strike on a you know targeted person's machine i mean right yeah so to to that extent like i i recognize that they spent a lot of time contriving this very difficult to reverse engineer method of infection and then the persistence method where it's encoded in the registry so that can you know conventional uh av can't find it um but yeah just it i blows my mind to think that couldn't they have just done something better with their lives if you're
capable of this you're capable of actually making some really great money you know doing something constructive absolutely yeah um so the uh the other thing that i was interested in of course is you know your your summary at the end like i had all these questions like well you know how can we you know other than you know automated detection of the fingerprint and this or they're like how could a human being actually like understand that this link was going to be bad and so forth or a system but all that you're i think you're completely right that you know the it is the the seo problem it is the the search engine problem um
so what though you know given how paulie sort of the hiding that that they go through here and the the you know the the work that they do to uh to avoid you know turning up in uh you know a a bot or a scan or these sorts of things like what would you think uh you know is the direction for trying to make that happen like i mean i i certainly hope that somebody who works at google is is you know watching some of these talks and that can you know back to their you know to their engineering team to say look here's another here's another abuse method that we had not uh previously discovered or you know
noticed um but yeah i mean all of those with the exception of using a you know an endpoint security product that is observing behavior and it's you know using behavior to sort of uh manage these these very very difficult to detect files um there's almost nothing an end user can do to protect themselves i mean all of all of those suggestions that i came up with on that uh second and last slide were were just you know a desperation move because we're trying is there anything that you can do i particularly love the getting to be able to recognize the sights i mean that's by that by that point if you've been infected repeatedly enough you'll you'll probably like
get a sense for it but i i certainly hope that the whole world watches this talk and learns that of that little you know icon of the little you know daisy and the icon of the little you know the administrators icon that looks like an hourglass like those the thing is is that it's not doing anything different and it's doing the same thing in four different languages they always look exactly the same if we can just get word out that hey you see it's something that looks like this you know don't go there but then of course as soon as that word gets out widely enough you're going to change it up so yeah that's a losing battle
absolutely there's um needs to be someone with a far broader sample base of of you know data to look at and to see it as it evolves and to incorporate that into their detections and so forth so yeah you're right it needs to be something like a google and you know fortunately i know a couple people there so we could probably you know but uh okay all right cool all right sorry i didn't hear the warning um all right well thank you so much for your time uh yeah and uh talk to you soon be safe everyone