
2018 BSides Toronto: Joshua Grunzweig

BSides Toronto · 43:49 · 47 views · Published 2018-11
About this talk
For the past year and a half, we have been tracking a group known as the ‘Gorgon Group’. This particular group of criminals is unique due to its desire not only to conduct targeted attacks against foreign governments, but also to perform large-scale commodity attacks to earn a profit. This talk will discuss how the initial discovery of the Gorgon Group was made, and how a single attack led us to discovering that this group was much, much larger than we originally thought. We’ll discuss the group’s malware, tactics, motivations, and (speaking gods willing) attribution.

I got the beard for it too. All right, folks, well, welcome to BSides Toronto 2018. This has been quite a journey. I'm one of the co-founders of this event, but I am definitely not the one doing the work. If you see people with orange shirts here, please thank them for all of their hard work. I am not one of those people; they just put up with me these days. So, a couple of housekeeping items before we get rolling here. Number one: Dr. Jones, are you here? There he is. So Dan Jones will be taking photos for us for the event. If you do not want your picture taken, please either let him know or somebody in an orange shirt, so that we make sure that we don't expose you to the wider universe.

All right, a few other things. Where are the bathrooms, if you need them? They're at that door, that's the easiest one; there's also a couple of onesie-twosie ones out that way as well. Please clean up after yourself, we're not your parents. I have enough trouble with my own kids, I don't need to take after you guys too. Lunch: we'll be downstairs. Whereabouts downstairs? Oh, down the stairs, okay, so lunch will be down the stairs. We have to be sure that we understand that there are other events that will be happening here, so please make sure that you are courteous with them as well, because we are not the only show in town, and we have to be very aware of these things.

What other things do we have to do here? Well, none of this would be possible without our sponsors, and we'd like to say thank you to our sponsors, and we'd like to invite up Dinesh. Where are you? You're over there. Now Dinesh will be saying a couple of words.

Hey guys, so I'm from Security Innovation. We came in last year and we saw the crowd. I think it was the first BSides, even, last year? Sorry. So it was pretty far; it was the first time we came to the event. That was pretty fun, and my whole team is like, yeah, we should do it again, so we are running a capture-the-flag event in ENG102. How many of you guys have ever played a capture-the-flag event? A lot of you guys, so I'll be seeing a lot of you guys over there. So, a quick intro of what the event is: you might, all of you, use Amazon or any e-commerce websites, right? So we would always want to see what kind of attacks are possible, or how you can break into them. Legally, of course, you cannot do it on the real-world websites, so we are running Shred. Think of Shred as a totally vulnerable, totally insecure e-commerce application. You can break into it, and unlike the typical CTF applications where you get a flag, here you do not have to worry about a flag. Every time, let's say, you get an exercise, you get a point; depending upon the type of exercise you find, you'll get more points. Let's say you drop a database, you get even more points. So you don't have to worry about the traditional flags. So I'll see you guys again in ENG102, and thank you, it's fun to be here.

Thank you very much. To be fair, the first couple of iterations of BSides Toronto were in a bar, so I can understand why that might not be something that somebody would remember. All right, so this year we're doing the charitable thing again. We are actually raising funds for CAMH, and we're going to be doing that by giving away a couple of SecTor passes, one for this year and one for next year, so that will be happening today. Do-do-do-do-do... oh, here we go, sorry. SecTor tickets will be on auction before lunchtime, and when we did this in the past that number went up pretty fast, so be prepared to go to the mat on this one. Right now, another thing that I've seen at a lot of conferences, and we haven't done it in the same vein, but we want to put it this way: if you are hiring, put up your hand right now. All right, for those of you looking for jobs, go meet these people. There are name tags here for a reason, mainly because I was too lazy to stuff all these badges myself, so I did that. But case in point, you don't have to put your name on here, but if you do, it just makes, you know, this is your community; if you take the time to meet everybody, that's a really good idea in that respect. So we've got the hiring thing.

Also, we are going to be doing something called kindling, which you're gonna see in our list of things to do, and that is an idea that was put forward where, if you are working on a project or working on some sort of event or something along those lines where you need help, we're gonna ask people to bring up these ideas. So if you have that idea you'll want to talk about, put it up, and then during the kindling sessions we'll say, look, what's your idea, put it up, and then you start that discussion for that little period of time. So keep that in mind as we're going forward.

Now, in addition, before I get too far down the road here, the other sponsors I would like to thank very much: Palo Alto Networks; Proofpoint, who is going to be doing our lunch today; Danette, and I apologize if I get this name wrong; Sakura; Zscaler; and LogRhythm; and as well we have the Kali Linux training from Offensive Security, and thanks to our folks at SecTor and of course Security Innovation. [Music] Now the last thing I want to say before I turn it over: we have a code of conduct. Please do not act presidential. I think I made my point. Now I'd like to introduce our presenting sponsor, Palo Alto. Are they there? There's somebody coming up. We're here, ah, there we are, excellent. Well, please welcome Palo Alto to the stage.

Thank you, thank you. May as well come on up, Josh. So yeah, thanks again, everybody, for coming out. This is a great event. My name is Stephen Pauly, I'm with Palo Alto Networks, and this is Josh with me here. Rather than taking up our kind of sponsor-y part of this talk, I want to give all the time to Josh here. Josh works with the product of our products. So Palo Alto Networks is one of the biggest cybersecurity companies on the planet today, and what Josh does is he's on a team of threat researchers called Unit 42. These guys do not play with firewalls, they do not play with endpoint protection; what they play with is the threat intelligence data that is generated by all of these sensors that are all over the planet, and so this is very agnostic threat research. And with that I just want to hand it

right over to Josh.

Hello everybody, thank you for having me on this surprisingly beautiful Saturday morning here in Toronto. Yeah, this is actually a really cool venue, I feel a bit like a college professor right now. Well, yeah, like Dave was saying, there's random ferns too, so, you know, I love it. So by way of introduction, my name is Josh Grunzweig. I reverse malware, been doing it for about 10 years now, I script in Python, and I tend to write a lot of blogs. I mean, honestly, if you were to distill my professional career, those three bullets pretty much cover it.

So today we're gonna be talking about a group called the Gorgon Group. For those that might not be familiar with the term, it is a number of individuals that we believe to be residing in or around Pakistan that conduct both targeted attacks against foreign and domestic government entities and also simultaneously conduct more widespread cybercrime attacks, so basically trying to pay the bills. So today I'm going to be covering a few things. I'm basically gonna walk you guys through how I discovered this group originally, all the way up until the expanded research that leads us into what we know today. We're going to talk a bit about the tools and the tactics that these guys use to conduct their attacks, and also talk a little bit about attribution. I know I'm being recorded, so I'm gonna skirt the line, as it were, and try not to get myself in too much trouble.

So it all started about a year ago, a little over a year ago. I found myself sitting at my desk at my home, as I do, looking at sort of what was going on for that day, seeing if there was anything interesting that caught my eye, and what I discovered was this series of targeted attacks against a US government individual, or a series of individuals, that were actually based over in New Delhi, India. So on the surface they really didn't look all that special. I mean, sure, it was low volume, but what we were seeing was really generic, innocuous file names for the email attachments, we were seeing generic subject lines, and the email sender in this case was a likely compromised Indian Yahoo email account. So that by itself really didn't catch my eye that much, but what did catch my eye was the malware being used. So all these attacks distilled down to three unique malware samples. There were two RTFs that acted as simple downloaders, dropping a malware family called QuasarRAT. That is not a special piece of malware by any means; it's commodity, it's easy to obtain, probably costs like 40 or 50 bucks. But the third one, the Excel document, was a copy of the Crimson RAT malware family. Now for those that aren't familiar, Crimson RAT is a very low-volume malware family almost exclusively used in targeted attacks. It has overlap with other research, including Transparent Tribe by Proofpoint, who's actually in the audience somewhere, as well as Operation C-Major, which was research done by Trend Micro, who may or may not be here today, I'm not sure. So this of course caught my eye, caught my attention. I'm thinking to myself, well, on the surface it didn't look all that exciting, but I should probably dig in a bit further.

So of course I jumped into the Crimson RAT stuff first. It actually proved to be totally boring; there wasn't too much there. It used C2 servers that were well known, it was overlapping with previous research that had been done, pointed to some German VPS, nothing super exciting there. Really the only exciting thing might have been how it delivered the payload. It just simply had this embedded Excel form with three text boxes that had, I guess you'd call it, ordinal-encoded binary. So it would take each number, comma separated, convert it to its binary representation, concatenate it all together, and end up with a binary, an executable, which it would then in turn, you know, run and do its thing. So I was a little discouraged. I thought to myself, this is probably a dead end, I probably just wasted a good chunk of my morning. But you know, I kept going. I decided I might as well look at everything, so I jumped over to the RTFs. Now these guys were not special. They used an incredibly old CVE, CVE-2012-0158. I'm sure a lot of folks in the room are familiar with it, because for some unknown reason it still works. Just a simple shellcode downloader under the hood, and it pointed to the subaat.com/files/sp.exe executable, and as I said earlier, the payload was QuasarRAT. So again, nothing super exciting here, but this particular side of things did leave me with a couple of network-based artifacts that I decided to jump into further.

We had an IP address that was the C2 for QuasarRAT, and then of course we had the subaat.com domain, which was hosting the malware itself. Excuse me, I've been fighting a cold all week, so you'll have to forgive me. So I jumped at the IP address first and decided to jump into a third-party tool that we always find ourselves using, and that is called PassiveTotal. I looked at the WHOIS for this guy, and what I found was potentially interesting: it was an ISP located over in Pakistan, over in Islamabad. But yeah, it was an ISP, an ISP not that dissimilar from Comcast down in the States; they cater a lot to residential homes, a little bit to businesses, but primarily residential homes are their sort of bread and butter. When you navigate to this IP address on port 80, you're actually presented with a web front end to a home, well, let's see, consumer-grade gigabit router, which adds some interesting evidence to the fact that we know that this is an ISP that caters to residential homes. Now normally C2 servers are some random VPS, you know, there's something very obscure, it might be a compromised organization, but here we have evidence pointing to the fact that it might actually belong to the attacker's home IP. So that was interesting. I kind of tucked that away in my back pocket and held on to it, and I moved over to subaat.com.

Now if you were to look at subaat.com, the current WHOIS is protected; it's all but unusable, you can't really do much with it. But again, using PassiveTotal, if you were to look at the historical WHOIS, you'll notice that there's some interesting information displayed. Specifically, we get an email address of SMS all team at gmail.com, and further evidence pointing to the Pakistan region; in this particular case it is pointing to Hyderabad, Pakistan. And I apologize if I'm mispronouncing these regional names, it's not something I'm as familiar with as I

should be. So I took that email address and I pivoted further. I decided to see what other domains had been registered using that email, and I found 17 additional domains. Now it's probably hard to see because it's a bit small on the screen there, but essentially we're seeing a series of domains that reference both the Pakistan region as well as Arabic words. So we see stuff like Yasir and Kumar, we see Multan in the case of the Multan mail .com domain; Multan is actually a city in Pakistan. But then we also see some interesting stuff at the bottom, like "full crack zone" and "freeware soft" and so on and so forth, so stuff that would indicate that this individual was kind of dabbling in password or application cracking, software cracking, some of that stuff that we would probably tie to more script kiddie activity.

So I decided to take those 17 domains, look historically at their WHOIS, and I saw a lot of interesting stuff. I saw a number of domains that had been registered simply by the name Umar, or similar information to this, but then I found one, and I forget which one it was, but I found one domain that historically had this information here, and it had an email registrant again of SMS all team at gmail.com; it had a registered name of Umar Subaat, location an army aviation base in Rawalpindi, Pakistan. So even though I'm up here on an academic stage, you don't need to really be a PhD to make the correlation between subaat.com and Umar Subaat; there's somewhat of an obvious correlation there. So I felt pretty good at this point. I'm thinking to myself, okay, I've got a name, a name that I have reasonable certainty likely owns this domain. But so what? Does that mean that this domain was created for the sole intent of malicious activity? Because more often than not we'll see instances where domains are simply compromised; they're running web servers with outdated software, they get compromised, people throw their malware up there and host it. It's not unusual.

So I decided to look at subaat.com just over HTTP, and I found (a) there was no actual website there, it was just essentially a file repository, and (b) it had about 80 or 90 unique malware samples hosted on it, all open directory. That'll be a recurring theme of today: these guys are really bad at configuring Apache, apparently, because it's always open directory, which is great for me, I'm not complaining. But yeah, I'm a malware guy, so I was super excited to see all this malware that I could kind of dig into and have some fun with. So I spent some time and I decided to cluster it into various malware families, CVEs, and so on and so forth, and there's a few, I guess, key takeaways. Of course QuasarRAT, which was the file originally found hosted here; we see a number of samples related to that, 11 in total. We also actually see that same Crimson RAT downloader sample hosted here as well. Now we'd never seen any inference or any indication that this sample had any direct ties to this domain prior, but here we see it actually hosted here, which was pretty interesting.

What caught my eye personally was this large cluster of LuminosityLink. So for those that don't know LuminosityLink, it's a generic commodity RAT, it's been out for a few years now. I think they actually just arrested the guy behind it, some random guy down in Kentucky in the United States. But I found myself a couple years back doing a lot of research on this malware family. I don't know why, I just randomly found myself gravitating towards it, and I spent, gosh, probably a week or two fully understanding how this malware worked. And the way it works is, you buy it, it's like 40 bucks, or it was back when it was still being sold, and you register it with an email address, and then you're able to create new samples, and each sample has a configuration associated with it. That configuration is encrypted and embedded in each sample. So I had spent a little while understanding how to decrypt and parse that config, and I basically looked at 15,000 samples and pulled out the configs and just dumped all that info on GitHub so that people like yourselves could better protect and defend yourselves against this threat. But that was great, because I still had those scripts, and so I decided to run them against those 20 samples, and I found that they all had identical configs; they're all the exact same. What really caught my eye, though, was the C2 domain, which was a DNS host, just a dynamic DNS if I remember correctly. It had some interesting words in it: it had USA, it had UAE or United Arab Emirates, it had the word Hassan, speculation here, it might have been really the President of Iran, not sure, but more importantly it resolved to an IP address that should look familiar, and that is the exact same IP address that we saw earlier hosting that gigabit home, you know, consumer-grade router. So here we've got malware hosted on subaat.com pointing again to that same IP.

What also was cool is that again we had the email address that was used to register this malware when it was purchased. For those that can't see, it says Khurram Rizvi at hotmail.com, and so I, having numerous years of experience, decided to leverage all of my expertise, and so I decided to Google it, and what I found was a single post on Hack Forums. Actually, technically it wasn't a post but a response on a thread about an Office exploit builder, and here's a user named Subaat basically saying, hey, you know, I purchased this thing, I'm having some trouble with it, my registered email is again that Khurram Rizvi at hotmail.com. So that's kind of neat, because here we have another instance of the name Subaat, and here we have it tying directly to malicious activity. So at this point my thought of this being just a situation where the guy got compromised has all but disappeared. I'm pretty sure this guy is just a bad guy who is likely behind these attacks.

So I looked at his post history, and one detail I hadn't mentioned until now is that the original attack took place at the end of July 2017. And if you were to actually read the timestamps on the right, you'll see he posted about 12 times in his lifetime on this forum: posted once in late 2016 and then he just went dark, he went quiet, and he didn't really kick off or start up again until the beginning of July 2017, at which point he starts asking about and purchasing exploit builders and malicious Office macro builders and crypters and all that sort of thing, and it leads right up until essentially

that attack. So that was really quite fascinating. I felt pretty good at this point; I felt like I had really come full circle with this research. I had essentially started with some fairly innocuous-looking targeted attacks against US government entities, pivoted in a number of ways to ultimately determine who I felt was the individual behind these attacks. So I felt good, I felt like we had really come to a good conclusion with this research, passed along the information to the necessary authorities, ultimately ended up blogging about it, and kind of just continued on with my day-to-day work.

And so it really felt like the end of the story, but in the months afterwards certain developments took place. Myself and other co-workers found ourselves discovering more C2 servers, more malware hosting servers, that we ultimately clustered in this same grouping of activity. So all of a sudden we got to the point where I was thinking, it can't all be this Umar Subaat guy, right? Because we're starting to see more names, more relationships, and it got to the point where we really just thought to ourselves, okay, this feels more like a group, like there's multiple people involved. And so we expanded our research. And I do want to point out, because my co-workers made fun of me, that that is a worm, like, crawling along. I don't want to see social media posts later about how Josh Grunzweig has inappropriate icons in his PowerPoint. So that is a worm, just to make that clear.

So we found more stuff. We kept seeing more malware hosting repositories, and again, as I said earlier, they were always open directory listings. Other attributes that we continued to find were these doc and exe subdirectories, these folders, as well as VBS scripts that were just always present. So we just see that time and time again. This particular instance is actually not that long ago, it's from June of this year. Same deal, June of this year. Also June this year; I did a lot of research in June. April in this case, but you see the same repetitive attributes. We also oftentimes see this work directory involved as well; you'll see at the top the parent directory is work, and sometimes they mix it up. In this case it's doc, but also like doc new, exe new, exe, I mean, but generally you get the gist.

So when all was said and done we had identified 24 domains that we tied to this group of activity, and the other interesting thing that we found was the majority of the malware they used leveraged bitly, it leveraged the bitly URL shortening service. So bitly is not a malicious service, I want to make that clear. We work with the security team very frequently, they're great, they're very responsive, they take this stuff down as soon as we ask them to. But like many services out there it gets abused, it gets treated maliciously, and so we started to find that a lot of the samples had bitly domains. You'll see the word load or loading frequently used, and I'm not sure if these guys thought that helped them hide, like, oh, some sysadmin's like, oh, here's an Office doc running a macro that's downloading a file from bitly, oh, but it says loading, please wait, so it's okay. It was oftentimes misspelled too, but there were a lot, about 130 when it was all said and done, and I'm not gonna wait because I don't have all day. But yeah, when all was said and done we'd identified about 1200 unique malware samples, 24 domains, encompassing about 90,000 unique attacks based on our telemetry. And as I kind of said in the very beginning, these guys dabble both in targeted attacks as well as just generic commodity attacks.

So let's break that up a little bit. Let's just focus on the commodity attacks themselves. The malware is nothing special, I'll be blunt; it's readily available commodity malware that you can buy on most underground forums for less than a hundred bucks in most cases. There's cracked versions that may or may not be backdoored that you can get for free. So in this case we saw a lot of what has already been discussed: we see LokiBot, Remcos, LuminosityLink, so on and so forth, nothing terribly special. On the telemetry side, I'd mentioned that bitly was used. Now bitly is great. For those that don't know, the not-so-secret secret about a lot of these URL shortening services is that you can typically add a character to the end of the URL and get anonymous telemetry on who clicked it. So in bitly's case, if you add a plus sign to the URL and you have an account, you get something like this: you get a historical timeline of when the link was viewed, in some cases you get the referring application, whether it was email or Yahoo or YouTube or whatever the case may be, and you get country of origin. So as a researcher that's gold; I can definitely use that data. So I scraped all the bitly URLs used in commodity attacks, yanked out all the underlying JSON, and was able to generate this, you know, arguably somewhat pretty map. The total included about 135,000 clicks, so a little bit more than we saw here at Palo Alto Networks. And the regions that were hit most were somewhat interesting as well. We saw a lot in the United States, about 18,000 clicks; India came in second with 12,000; and then we saw about 20 to 25,000 in the Europe region overall; and then Japan and Mexico kind of randomly showed up as well. So this stuff is widespread, but just given this telemetry alone there's almost like a somewhat targeted feel to it, like they at least isolated regions, based on what I could tell. Looking at the industries hit, education and high-tech top the list; manufacturing, health care, and then retail sort of tallied up a good chunk as well. And these guys are big on email. If you're trying to defend against this stuff, just look at email, because that's pretty much all they use. They either use widespread spam campaigns or specifically targeted spear-phishing emails, but it's always email, so just, I guess, a heads up there.

So let's jump over to the targeted stuff. There's about a dozen or so targeted emails that we'd identified. The subjects of them varied somewhat, but typically it always correlated to some recent event, and what you'll notice, if you find yourself reading through a number of these, is that Pakistan actually shows up quite frequently. You might be wondering why, because I've said earlier that these guys are likely based out of Pakistan; there's a lot of evidence pointing to that fact. So why then is Pakistan showing up so frequently in these subjects? And I can really only speculate

there but given sort of what I've discovered about these guys I sort of get the impression that they're not super big on their their local government you know they have a lot of pride in where they're from but they I think in a lot of cases might disagree with some of the decisions made by their governments so that may or may not play a role here for example you know third bullet from the bottom how rigging took place in the Senate elections in Pakistan but yeah lots of interesting material here lots of interesting correlations Pakistan and you know India Pakistan and the United States things of that name the targets overall included a pretty wide range we saw a number of ministries

of Foreign Affairs in various nations being targeted we saw embassies getting hit we saw a number of nations overall United States Bangladesh Pakistan some weird ones Russia Australia Philippines Brazil these guys didn't they they definitely targeted their attacks but they didn't seem to have super strong mechanisms in place to say yeah we definitely have to only target these ones they they they branched out a bit and the fact that embassies and and Ministry of Foreign Affairs were hit may or may not factor into that as well so bitly we get to use bitly again about 1,700 clicks and again I want to maybe also point out that these clicks may also include security researchers they

may include the attackers themselves this isn't necessarily isolated to victims only but what we see is about 500 clicks in Pakistan 250 or so in the United States and then Philippines India and Russia also finding themselves with a few clicks as well and given the subject material that we saw earlier it kind of makes sense so this is the part where I kind of have to walk the line and I'm gonna be clear I'm not gonna like full-on like Doc's these people because that would be kind of a jerk thing to do but I do want to provide insight into the people behind it now we haven't identified a lot of people and in fact there's there's been some

instances where other researchers have been instrumental in the identification as well Aqib on the left on the right there for instance was identified by a group ii ii ii i proposed if i'm pronouncing that incorrectly ii ii ii say it's an asian based security group they had a nice blog post a few months back where they identified this guy so this of course is not holistic of the entire group this is really just kind of what we know about so far now we've got two amar we've got a user named Fudd pages that's just his moniker that's not his real name or his real picture I just I had to pick something it seems somewhat

appropriate and then a key so Fudd pages is someone we probably know least about but he shows up a lot within this cluster of activity that we've labeled Gorgan and the guy's really into the scene you know is he's constantly selling and providing various underground services he's got you know webpage I think there's like five pages calm or something it's not super subtle but he's just sort of like really involved and it's someone we haven't really tied to a specific identity yet but person is definitely on our radar Aqib is an interesting guy as well okay I'm not gonna full-on like go into like everything I'm not gonna like show his Twitter and all that sort of stuff but I

do want to highlight some of the guys Facebook groups because I think that really helps paint a picture of who these guys are so if we look at this guy's Facebook groups and he's got a lot of them we can see that he's a into hacking as you know implied somewhat obviously on the top there he's into crypto like crypto currency man of my own heart and he's really gonna like development like Android we also see PHP frequently and then we see a lot of Pakistan related stuff too that's a common theme with these guys you know they they are in a lot of Pakistan a lot of local groups it's just something I guess take note of Umar is is so much

similar he's a bit more brazen he doesn't he's unlike a lot of hacking groups like like just obviously so it's just um he hasn't done a lot to lay low I'll just say that but yeah we see we see some interesting stuff we see a lot of hacking groups we see in aviation army public school which may or may not ring a bell when you remember that old who is in for that we discussed earlier all Pakistanis a lot of hacking groups he's also real big gonna like the local tech IT scene he puts on a lot of like gatherings and organizes a lot of meetups and that sort of thing and just more the same now one thing I do want to

highlight and this is pure speculation but I thought it was interesting is that he is a member of Indian ideas hacked now you might recall that initial attack used a indian yahoo account and just personally i just found it really somewhat fascinating and interesting to see that this guy is also part of a facebook group that is essentially involved in the buying and selling of indian specific user accounts so that was just something that kind of caught my eye and I guess you know cuz I'm gonna wrap up here in just a second just to sort of wrap up this is not apt I'm gonna make that perfectly clear I actually hate that term but this is not

an example of it. This is an example of some kids, you know, in their early 20s, who are not from wealthy areas, they don't come from a lot of wealth, they feel very strongly in their convictions, they're trying to get by, and this is sort of the culmination of what has happened as a result of that. This threat should by no means be taken lightly; I mean, it's not APT, but this is still a serious threat, I mean, most threats out there are. But it's been some really interesting research, there's been a lot of pivots that I wasn't expecting, there's been a lot of twists and turns that

surprised me personally, but overall it's been sort of a fun ride, and hopefully you guys enjoyed it as well. A few references in case folks wanted to learn more about it: again, some similar posts; e SEC 360 also did a nice blog; numbers five and six are in Chinese, so Google Translate is your friend on that one, unless you speak Chinese. But yes, with that I'm going to wrap things up. What have I got, till like 10:30, Dave? Oh, there is? I'm good. All right, with that I guess I will open up to questions if folks have any.

Yeah, so the question is, while you're looking at

Sure, sure, that's a great question. So the question was, you know, while I'm researching this, am I looking at the current geopolitical events going on at the same time? And I believe the other question was sort of how do I know this is a real person versus just some fake persona, and that's a great question. To answer your second question first, I didn't jump into all the evidence, but there is, at least in the case of Umar, very, very strong evidence that this person exists. We've identified, like, a lot around this guy, and with respect, I just don't feel like this guy is sophisticated enough to go to such

efforts to create this persona. While that is always a possibility, in this case my personal opinion is that it is a real person. As for the geopolitical events, I try to keep up as best I can, but I am in no way, shape or form an expert; I'm not a political science major, I'm just a malware guy, so I certainly do my best, but I have limitations just like everyone else.

So the question, I guess, is can I say with what certainty that he doesn't have a wealthy background. I feel like I can explain that to you better when I'm not being videotaped, so I guess for the rest of the audience, just maybe trust me on that one. Yeah, so the question was, if he had used a VPS instead of a home router, would that have affected the investigation? Certainly, certainly, that makes things oftentimes much more difficult. In this particular case, though, as we discovered, the majority of the interesting stuff actually came from the tsuba comm domain itself, so while that would have made things more difficult, we still would have in this

case gotten some good info out of it. Yes, in front.

So the question was, with the amount of compromised home routers, how do I know that it was his? I believe it was his. I don't have concrete evidence that it was, but there's a lot of evidence pointing to the fact that it likely was, and as we saw, I mean, yeah, I guess it's possible this guy might be, like, a neighbor, and the guy's got Wi-Fi and he, like, got access to it and then just used that, but even in that situation, in that hypothetical, he would still be sort of a neighbor, he would still be in pretty much that direct vicinity. Yeah, I mean, there's just a lot of evidence pointing to that fact, pointing

to that conclusion. I think there, yeah, right in the middle, yeah. How did I land on the name Gorgon? My boss picked it. Now, we try to stick with, like, a monster that wouldn't get us sued by Disney, so Gorgon is, like, what Medusa is, it's like a snake lady, snake-hair lady. I don't have a good answer for you, it just seems somewhat, you know, like a lot of heads, like a lot of stuff going on. I don't know, he just threw it out there. Yeah.

Yes, yes, there's a big spike in March or May. I don't know if I've actually dug into that fully, but I suspect it was just, like, a big spam campaign they'd conducted in that period. I could probably find out for you; I can give you my card later. And yeah, maybe one more question, yeah.

Yeah, I mean, the question is sort of, you know, how do I mask my identity as I'm doing this research? Presenting at conferences that are videotaped is probably not the best idea, but in your specific example, you know, knocking on his home router, just through the use of proxies and VPSes myself. I mean, as researchers, we have to employ in a lot of cases the same techniques as the bad guys to sort of hide our identities as well. So with that I'm gonna wrap things up, because I want to make sure the next speaker has enough time to set up, because that's always, like, the worst, when you're like, my time,

I go, I gotta go. So I'm gonna wrap things up. Thank you for your time, it was a lot of fun. [Applause]