
Alright, everybody hear me all right? Yeah? All right, guess I'm going to go ahead and get started. All right, well, thanks everybody for coming out this evening, listening to me talk about Angler Lurking in the Domain Shadows. The majority of this talk is going to be about the Angler exploit kit and domain shadowing, which is a technique, a term, that I came up with, I guess, earlier this year. I'll spend more time talking about Angler in general and all that stuff too.

Before we get started, take a second and talk about who I am. My name is Nick Biasini. I am a threat researcher with the Talos group. Spent basically my entire career in security; the overwhelming majority of that was in SOCs. Started off as an analyst working third shift in a 24x7 environment. I've been an engineer, a manager, did CNA and policy very briefly, and now I'm back as a researcher and couldn't be happier. You may ask yourself, why coffee beans? Anybody who's worked third shift in a SOC knows coffee is your best friend, and I am not afraid to admit that a lot of what I've accomplished on this slide, as well as in this talk, is largely due to coffee.

Okay, so here's an overview of what I'll talk about. I'd like to spend a minute or two and just give a quick exploit kit overview. I'll talk specifically about Angler and then spend the majority of the time talking about what domain shadowing is, how I found it, scope, stuff like that, and then I'll finish up with some other techniques that Angler's been using lately, some info about payloads, and then finally some detection stuff.

So what are exploit kits? I'd like to use this example of an assembly line, because that's kind of how I look at it. So it's a software package that's available for users to buy or rent. The whole idea is you add your components: things like what domains do you want to use for redirection, what domains do you want to use for landing page and exploitation, what IP addresses, what exploits do you want to target, what payloads do you want to deliver, and then at the end you basically have a web framework set up to compromise users. But how do users get compromised? There are two primary ways that users get into the actual infection chain. The first is malvertising. Malvertising is just a malicious advertisement that an adversary will pay to have hosted on some sort of ad network. The whole idea is a user goes to some website, usually a larger one, gets redirected via a banner ad or something into a redirection chain, then ends up on a landing page, ends up getting exploited, delivers some sort of payload, compromise. The other primary one, and what I've seen a lot out of Angler lately, is the use of compromised websites, largely WordPress sites. A lot of people ask themselves, why is it a big deal when there's some random plug-in in WordPress that has a vulnerability against it? This is the reason why. Threat actors use that information and they compromise a very wide range of websites. They don't deface it, they don't really change it much; all they do is they drop an iframe in the main page or some subpage, the whole idea being that an adversary, or sorry, a user, would browse to the web page, say their local restaurant, and while they're looking at the menu, in the background there's a redirection going on, a landing page being served, and they're being compromised without ever realizing it. Now I've seen this be invisible to users, where they had no notification at all; I've seen them actually land on a full landing page; and I've also seen where the landing page gets popped in some little tiny iframe up in the corner. So there's a lot of different ways users are getting compromised, but at a high level that's it: they end up in one of those two places, end up in the gate, landing page, exploit page, payload, and then they're compromised.

So, Angler. I like to call it the innovation-driven exploit kit, reason being it is innovating and evolving at an alarming rate. So far in 2015 it has had a banner year. Started off with the Adobe Flash 0-day. That's really rare for exploit kits, to use that type of technology and drop a zero-day in their exploitation chain, but they've done a lot more throughout the year, and I'm going to talk about not only what I observed from the initial 0-day campaign but what I've also seen as time has gone on. Now one of the reasons that they're so effective is their use of exploits. Now this is a pretty cool chart, a lot of information on here. The key thing to note are the red lines; that is when Angler was seen actively exploiting a vulnerability. Gray lines are when patches were made available. If you notice here, this is the one exception, with a zero-day, where the red line precedes the gray line. Most of the time, though, as you note, it's shortly afterwards that Angler started exploitation. Now this graph actually only goes up until June. As you know, there were a couple of really, really large zero-days that came out in July; Angler was exploiting those in some cases within hours and at the most within one to two days. Now the one last key thing to note on here are these blue dots. So these represent the amount of times that we've seen in our telemetry the various versions of Adobe Flash. The one key thing to note here is, as recently as June, there's still a very significant amount of users using 16.0.0.235. They're vulnerable to basically every exploit on here, plus the ones that have come out since then. So that's the reason why you still see Angler actively exploiting CVE-2015-0313, 0359, 0336: it's because it's still extremely effective at compromising systems. Users really don't patch, shockingly.

So as I said before, this all kind of started with the zero-day campaigns. Our group, and me specifically, were tasked with looking at these campaigns and what they were doing. So these are all exploit pages associated with Angler that were linked to that campaign, or one of the campaigns. When I was looking at this I noticed something a little odd: the use of the domains that are being used here. It's not uncommon to see things like random character generation, weird TLDs involved; this, however, looked a little different, a weird variety of domains. So I decided to kind of dig into it. I spent a few days, a couple of weeks basically, focusing around the domains and the activity that we were seeing to try and figure out what was going on, if it was something interesting. So where did I start? Take for instance the first domain that was listed on that slide a couple slides ago, this "unsuspected" kevins bayonet one. So I was like, okay, this is an interesting domain, let me look and see what other subdomains are hosting Angler activity. I was able to pivot, and this is just a small subset, but as you can see here there's a fair amount of subdomains being utilized by Angler. Now my initial thought, as with most people, would be, okay, bad domain; seems really logical, right? That isn't actually what I found, though. What I found is that the core domain, Kevin Spann net, was actually being hosted on a completely legitimate IP, non-malicious; the website itself was fine, nothing wrong with it at all. However, if you look specifically for that "unsuspected" Kevin Spann net subdomain, I actually found it pointing to this IP, which was 176.31.125.191. That was definitely a bad IP; it was malicious, I knew it. So I wanted to know what else could I find on that IP. So I pivoted and I found this. This is just a small subset; for some reason it's all .co.uk addresses, I assure you there were other TLDs involved, this is just the subset that I pulled. But what you can see here is there are a fair amount of different regular domains hosting malicious subdomains on the same IP address. Not that peculiar, but still a little odd. So I went back to Kevin Spann net and searched a little further. So I went to DomainTools, looked up Kevin Spann net, found an email address associated with it. I also noted that it's associated with 14 other domains. So I went and found those 14 other domains, which are listed here, a pretty wide variety of random domains. Again, this is just a random example that I picked out, but you can see here there's just a random smattering. The key thing to note are these Nevada Networks ones. So what I did is I took this data and said, okay, well, maybe, you know, is there any other malicious activity associated with these domains? And that's exactly what I found. What I found is, using completely different IP infrastructure associated with different campaigns, I saw different subdomains associated with that same user's domains that he had registered. So this is what I started digging into.

I started here and I started rinsing and repeating. I started pivoting on core domains, Angler activity that I knew was active, what subdomains were being utilized, what IP addresses, what registrant accounts, and just rinsing and repeating and trying to figure out what this is, what have I stumbled upon here. And what I called it is domain shadowing. Basically what I found is adversaries, specifically associated with Angler, were hijacking legit domains, just random domains, and then hosting malicious subdomains underneath them, and then linking those to IP addresses that were hosting Angler. And what I realized is this is kind of a next evolution. So if you go back years, it wasn't uncommon to see things like hard-coded IP addresses in scripts associated with malicious activity: you know, go to 1.2.3.4 and download this file. It's really effective, you don't have to rely on DNS, works really well. It's also really great for defenders, because we can just go log into a firewall, add this IP to a block list or an ACL, done, that's over with. Adversaries realized that and they changed. They changed to registering their own domains. So now they go out, register their own domain, host malicious activity under that. Makes it a little more difficult to block; they're able to rotate IPs, things like that. You can blacklist domains; they can register new ones. But what we found is that adversaries are really bad at OPSEC associated with domain registration. So what you see is things like reused email addresses, reused names, mailing addresses, phone numbers. Makes it really easy for us to track. So what we can do is we can say, okay, we have kind of a summary of what this threat actor does, what their key indicators are when it comes specifically to domain registration; as soon as they register a domain it's blacklisted before it's ever used. Adversaries, again, they catch on, so they move to dynamic DNS. Dynamic DNS: great idea, you know, for home users. You always want to get to your computer; I need a way to make sure that even though I have an ISP that uses dynamic IPs, I can still get there. That's where dynamic DNS comes in. It basically allows you to point whatever IP you have, or whatever IP you want, to a subdomain associated with a dynamic DNS provider. Great way to be able to always access your computer, but it's a better way for threat actors to hide and be able to do domain usage without any tracking whatsoever. And, you know, keep in mind that all of this is still being used today; I'm still seeing hard-coded IPs, registered domains and dynamic DNS. Specifically with dynamic DNS, though, what we found is enterprises and companies really started to evaluate: why would you allow dynamic DNS? There's no real legitimate business use for it. So what we've seen is a lot of people just blacklisting dynamic DNS across the board. Every once in a while a new one will pop up, but it's pretty easy to get caught up and add it to your blacklisting technology; it just makes it that much easier to stop. So again, threat actors had to evolve, and that's when they started moving to domain shadowing.

So how big of a deal is this? You know, how widespread, how many people or accounts are affected? In the time I was researching, which ended up being like a month, maybe a little more, I was able to find 25,000 unique subdomains being used specifically for Angler activity. Now those 25,000 subdomains were associated with thousands of core domains; those thousands of core domains were associated with hundreds and hundreds and hundreds of registrant accounts. And that's just what I could see. Keep in mind that some of these people did have privacy protection turned on, so I couldn't really get an absolute view of how many actual accounts were affected, as well as how many domains; that's just my lowball figure, somewhere around 2,000. How are they doing this and what are they targeting? The basic idea is phishing. So you phish registrant accounts. There is not, you know, a month that goes by that you don't hear about some sort of phishing campaign targeting, usually, GoDaddy. What I found was that all of the domains that I found that were being shadowed were actually owned by GoDaddy. That has nothing to do with GoDaddy itself; they actually do a lot of great services for their customers, they offer two-factor authentication. But if you think about it from a threat actor perspective, if you're going to spend the time and the money and the energy to build a phishing campaign and get users to click on the links and build the infrastructure to host the pages to gather the information, you're going to want to go where you get the most bang for your buck, and that, without a doubt, is GoDaddy. Last time I checked they controlled about a third of the domains on the Internet, so obviously if you're going to go after one, that is the one to go after; they're like five or six times the size of the nearest competitor.

So why registrant accounts? The short answer is no one logs into them. I mean, how many people here own domains? Anybody? How many of you've logged into your registrant account more than twice in the last six months? A few, but keep in mind we're security people, we tend to do it more than most people would. Most people log in to do two things: to update IP addresses associated with the domains that they own, and to renew the subscription for the domains. That's it. Adversaries realize that and they take advantage of it. Now by compromising these accounts and adding these malicious subdomains, not only do users never log in and check, they don't really receive notifications for this type of thing by default, and on top of that, most times it's not really intuitive where subdomains are in a lot of these portals that they have.

And look, domain shadowing is a really cool technique, and it's a very effective way to bypass a couple of key technologies. The first is looking at sites that are related to blacklisting. So if your primary technology that you're supporting is doing blacklisting, this basically defeats it. So you have to keep in mind that, yes, there are 25,000 subdomains, but most of them were active for less than 30 minutes; some of them were active for only five. If you're trying to keep on top of this by doing blacklisting, by the time you actually get the site blacklisted they've already moved on to two or three domains down the line. Not only are they blocking and changing to different subdomains, but they're changing the core domains associated with it. One other interesting thing that I found is, under accounts where there was more than one domain associated with it, without exception they used more than one; I could not find a single example where they used every single one. I don't know why. It could be that they're saving it for later, but it's just an interesting tidbit. And look, if all Angler did was that, it would be a pretty cool way to help bypass blacklisting technologies. And again, by using these known websites that other people own, you're going to get away from a lot of web reputation type stuff. So most of these sites had, when Angler activity started, either no web reputation or a slightly positive one. Usually it changes as time goes on, because you've got a lot of Angler activity going on, it gets downgraded pretty quick, but it does at least create those windows. And that's kind of a theme with Angler: they're all about creating windows to compromise users.

Now this isn't all they did. There are a bunch of other techniques that they used, and I'm going to talk about a few of them; you can see them here. So let's start with landing page shenanigans. Now historically, if you look at a landing page for an exploit kit, if a user ends up there, they're going to end up with a giant screen of gibberish, a bunch of junk that is likely to make them freak out, close the web browser, do what users do when they get compromised, I don't know, run around with their hands over their heads, whatever. But they're going to have some sort of an adverse reaction; you know, they're going to say, okay, wait a minute, this isn't right, and quickly close their browser and try and figure out what happened. So Angler did something different: they used quotes in the text. This is actually what a landing page would look like. All the quotes are from Sense and Sensibility, for some reason, but there are a couple of reasons why they would do this. The first, as I said, is for users. If a user ends up at this page, they're probably going to be a little less likely to freak out as quickly; they might pause for a second and say, what is this, or just say, oh, I must have clicked some wrong link, and go back and not necessarily close the web browser. Again, little things to help prevent users from reacting adversely and getting compromised. The other reason is for machine learning. So if you're using machine learning to try and detect malicious activity, it's a lot more difficult to detect this from normal web pages than it is a random page of gibberish, which is what you would normally see.

But again, Angler's not done. Let's talk about 302 cushioning. So 302 cushioning, this is actually associated with the redirection chain. 302 cushioning is just using HTTP 302s, which are "moved temporarily". They are super common on the Internet; every major web page uses them, you just don't realize that they're there. Great example: go to google.com, you're actually getting a 302 redirecting you to www.google.com. Threat actors are using this because they know that it's all over the Internet; it's a lot harder to detect redirection when you're using a technology that everyone else is using. It's another cool way to try and get users infected. Now I talked about domain shadowing; what I didn't mention is domain shadowing was actually also being used in the redirection chain. So they were using completely different registrant accounts with completely different domain shadows just to redirect users as well.
Now this is something that is more recent. This started, I want to say, mid-June probably, and has continued up until two or three weeks ago: this URL structure change that they've done. And as I said before, there are two main parts to exploit kits, landing pages and exploit pages, basically. So if you go back to the beginning of the year, this is the URL structure you would see for an Angler landing page. If you're looking at it from a regex perspective or a detection perspective, pretty straightforward: just a big string of numbers, that's pretty easy to write detection for. As time went on they changed, not a lot, just a little bit, but again increasing the amount of characters and the folder structure, adding some dashes; I've seen underscores as well. But again, the whole idea here is subtle changes to compromise users. If your detection technology is relying on this type of stuff, these small changes will create windows for them to compromise. But what we really saw in June was a drastic change to this. Now this is totally different, as you can tell. They're using "search" as the keyword in the URL now, and they're passing a ton of parameters with it. Now this actually looks exactly like a Bing search. Now, to be fair, if you see the queries, they're gibberish; you know, most users are going to search for something like that. However, if you're looking at this programmatically and you're trying to write, say, a regex to try and detect something like this from normal English text, it becomes much, much more difficult, and that's exactly what they're trying to do. Again, this major change caused a lot of detection headaches; I know that there was a lot of animosity about how they changed. But they weren't done. A couple of weeks later they changed again. Now they're using this, which is just englishword.php. Now one thing to note here is the use of these single-character parameters; there's a bunch of them in here. They were initially doing a set amount of parameters; that made it a little easier to detect. Unfortunately that didn't last very long. What they did is they rotated to something like this, and this is where they sit as of Friday of last week, the last time I really looked at Angler. So what they did is they pivoted to this. Now there are two other variants of this: there's viewtopic, viewforum and search.php. Now you might think to yourself, well, that's not really a step in the right direction, because before they were using just random English words. Now the thing is, viewtopic.php, viewforum.php and search.php are extremely common. You go to any website that does any sort of forum functionality or does basic searching, odds are you're going to end up on a viewtopic.php, viewforum.php or search.php page. This is virtually impossible to pull out of telemetry if all you're doing is looking for URL structure, and that's exactly why they do it: compromise users.

Now look, changing the landing page URL structure is awesome, but it doesn't help you if you don't change the exploit structure as well, because all you do is you get a bunch of people hitting landing pages and then your detection technology catches the exploit page, so users don't get compromised. So they did something similar with the exploit side. Again, going back to the beginning of the year: big long string of text, one special character. I think I saw a couple that were like two, mostly dashes and underscores. It's pretty easy; I mean, that's not really the most standard thing you're going to see in a URI on the Internet. As time went on they changed a little bit, again increasing the length of the string, adding a couple more special characters, nothing really earth-shattering. But then, to coincide with that change to search that I talked about before, they changed to something like this. Now this looks extremely similar, but if you look at the first two, you may note there's no extension, and this one uses .pycharm. So before, it wasn't that difficult to write a regex or logic to look for, say, Flash files that had no extension on them, that had maybe 25 or more characters in them; this would get you a fair amount of Angler activity. Apparently they realized that, decided to change, so they started using extensions. The one here is .pycharm, and then adding parameters to it; in these cases they're numerically based. They tended to be this way for a while. We did see some legitimate extensions, things like .aspx, .php; those are legit extensions. We also see a bunch of junk like .java2 and .cppbin. Initially there was somewhere between 15 and 20 different extensions they were using, but as I said before, they were passing word-based numeric parameters on it; it was actually two all of the time. That lasted for maybe two weeks and then this happened. Now again, this is where we sit today, as of Friday: English-word-based, dot random extension. Now when I say random, I mean random. I don't really see much duplication in these; some of them are word-based, some of them are random strings of text, it's just random. And on top of that they started changing the parameters. Now they have model, sound, street, whatever. Now they're varying not only the number of parameters but the labels that they're using and the types of labels, all designed to evade detection.

So why are they doing all this? You know, yes, they evade detection, but what's the reason, what are they delivering as a payload? There's an emphasis on "pay" there. If you note, all of the payloads associated with Angler are associated with monetization; there's a direct way for them to monetize the type of stuff that they're dropping on systems. The first one is the Bedep downloader. So the Bedep downloader is the malware downloader that is exclusive to Angler. It virtually always drops click fraud on... I threw something in here. So click fraud is basically a way for them to monetize the system being compromised by using scripts to generate clicks on ads. Now I threw a little detection bonus in here. Up until two weeks ago, if you were to see a domain lookup for www.earthtools.org followed up with a domain lookup for www.ecb.europa.eu, that box 99 times out of 100 had Bedep on it; it actually uses these two domains in its DGA. Now, interestingly enough, the user that owned www.earthtools.org a week and a half ago pulled that domain off of the Internet, and for four days Bedep was completely broken. It did not work at all, because it relied on that domain. So what you would see is a ton of lookups for earthtools.org that went nowhere, followed by repeated alternating between it and Google. Now after four days the owner shifted and put up new.earthtools.org; within a matter of hours Bedep was updated, the DGA was updated, and that was working again. So now if you see these two domains being resolved in your telemetry, go look at that box, because I virtually guarantee you it is compromised with Bedep.

But that's not the only payload. The overwhelming majority of the rest of the payloads were ransomware. Now ransomware is basically just encrypting files, holding them ransom for money. The majority of the infections that we saw were CryptoWall 3.0; that's just kind of the favorite, I guess, among people that pay for Angler. We've seen other ones; we've seen AlphaCrypt, TeslaCrypt, recently saw CTB-Locker, but there's an awful lot of ransomware being pushed by Angler. Now every once in a while I would see a Trojan get dropped, and there is some news and research recently that indicates that these Trojans are associated with finding point-of-sale terminals. So you find point-of-sale terminals for one reason: to compromise credit cards. Again, it's all about money with Angler. They are very, very good at getting users compromised and delivering payloads that get money to their consumers, and that's exactly why they're so successful right now.

Okay, so let's talk a little bit about detection. Regex is your friend. You can do a lot with regex searches to find Angler activity, but you have to stay diligent with this stuff. You have to keep up on open source resources, follow people on Twitter, look at how it's changing over time, because I'm going to tell you right now, your regex that works today likely won't work in a couple of days, and it definitely won't work in a month, because Angler is really, really good at changing. But there are other things you can look out for in your data. I talked about domain shadowing: looking for multiple subdomains under a single domain. But not just looking for that; looking for longer-length strings. Angler doesn't always use long-length strings in their subdomains, but most websites don't use long-length subdomains at all. You see a lot of www., mail., forum., stuff like that; you don't see a lot of 10-12 character subdomains. Looking for a bunch of subdomains resolving to a single domain, as well as resolving to different IPs, is another key indicator. I said before 302s are super common; what you don't see is 302s stacked. Angler does that periodically, so that's another thing to look for: where you see users hitting a 302 to another 302 to another 302, that's something that should be a red flag. And this last one here is a little noisy, not going to lie, but if you start using these other ones to reduce the data set, you'll end up with something useful. If you look for Adobe Flash that doesn't have a .swf extension on it, it's another way to start hunting for this type of stuff. One key thing to mention is, when Angler did the random extensions a while ago, they started using .play, and I thought that would be a fantastic thing to pivot off of: look for Flash files with .play extensions. Who knew, incidentally, that Dailymotion uses .play for their Flash videos, so it didn't work out too well for me. But keep in mind, look, your IDS/IPS coverage usually does a really good job at catching landing and exploit pages. You know, they know that this stuff is very active; they're going to do a good job of catching it. But this thing is changing so much, and you have to keep in mind that these changes create windows. How long of a window are we talking about? It really depends on the change and the technology that you're using to detect it. In some cases it's only a matter of hours or a day, but sometimes it could be as much as a week before your vendor releases an updated signature that catches this stuff reliably. That's when all this other stuff comes in handy. You've got to use that type of research to try and find it, because yes, IDS/IPS are good at catching it, but when changes are made, systems are going to get compromised, and you need to have ways to try and find it that don't rely on that type of technology.

So domain shadowing was so effective that it started being copied. You know what is it they say, that imitation is the highest form of flattery? If that's the case, then Angler should be very flattered, because exploit kits are using domain shadowing more and more. We saw RIG pick it up within a matter of months, we've seen Neutrino pick it up, and recently we saw Nuclear add it as well. This stuff is very, very effective, so more and more exploit kits are going to continue to use it, because it works. I just like throwing this in here, because you're dealing with a bunch of random domains; from time to time, every once in a while, you just can't help but laugh at some of the random combinations that come up. So yeah, this is all stuff that I find in telemetry while I'm looking.

Okay, still got a few minutes left. So, to show you part of the reason why this is so nasty and such a beast to try and detect: let's play a game. Let's play spot the exploit kit. There are three URLs there; anybody care to take a guess which one of those three is actually Angler? Hey buddy, I think you're actually right. So here, if you look at this, this kind of gives away a little bit. This is what I was talking about when I say looking for long-string subdomains; that is the actual Angler activity. But look, this is not easy to detect if all you're looking at is this URI structure. It's really, really hard to say that is definitely an exploit kit; very, very difficult. This is what Angler does. Let's do one more. This is, well, this is a little old, because it's the search syntax that isn't really being used that much anymore. Same idea, though: very, very difficult if all you're looking at is URI structure. Now, to be fair, this one I actually put two on there; if I do this, it becomes very, very easy to tell which ones. But, you know, they are always this obvious; this is just the type of thing that Angler does all the time.

Okay, so I figured I'd throw this in here. This is my hunting pro tip associated with actually hunting for Angler. I make no guarantees how long this will be valid for, but if you are looking in raw telemetry trying to find this kind of stuff, this is a great place to start. As I mentioned before, starting with viewtopic, viewforum and search.php, looking for no or just a little bad web reputation, and then a bunch of this stuff is associated with just filtering out noise. I've not recently seen Angler hosted on a subdomain of www, just because they're using domain shadowing; when you have this, you're likely to run into a user actually using it as opposed to just using random strings of text. And a lot of this other stuff, the forum things, are trying to get past the viewtopic and viewforum, just because you end up seeing it a lot in telemetry. But it's a good starting point.

So look, exploit kits kind of get dismissed a lot. They are really bad. This whole idea that sophistication is exclusive to advanced threats, that's really antiquated and old; it's just not true anymore. Angler's compromising users, delivering payloads that give money to the people that pay for it. Because of that, there's a lot of money to be made there. They're throwing a lot of money at development; they're changing and evolving all the time; they're coming out with all these new techniques and ideas, and all the rest of the exploit kits realize how successful they are and they start copying. All of these exploit kits are really upping their game. You know, Angler's infecting users at a really, really high rate, and as other groups start taking on this type of technology, you're going to start seeing the other exploit kits, like Neutrino, RIG and Nuclear, evolving in the same ways and compromising the same amount of users. Also on here is just a bunch of exploit kit blogs. I've tended to write a lot about exploit kits this year, just because they're doing a bunch of really cool stuff. That's my Twitter handle; I encourage you to follow me, just because I try to tweet about this stuff. I'm hunting Angler a lot lately; if I find an active campaign I try to tweet out the IP address, what it's dropping, you know, try and use that stuff to help protect your users and yourselves. I think that's basically all I have. Does anybody have any questions?

Q: Yeah, so with the domains that you were finding, did you check any of those against OpenDNS? Were they actually being picked up by them? Because I know they spend a lot of time with machine learning, so I was curious if any of the domain hits you're finding, do they show up, what the delay is for them to be able to detect them.

A: So I wasn't actually looking specifically at OpenDNS data. I was just looking at the domains after they were already being used for compromise, so I wasn't sure how fast they were getting picked up by the technology that they're using.

Q: Okay, and a follow-up to that is, with the domains that you were tracking and all the other subdomains that were being registered, could you talk a little bit about the tools that you were using to pivot on those, to basically follow the trail? Was it simply just looking at, you know, using the WHOIS records, etc., and following back on the account?

A: Sure. So I was leveraging passive DNS a lot. So passive DNS is basically like a historic lookup of domains. It allowed me to go back in time and say, okay, I have this core domain, how many subdomains are resolving to it, okay, what IPs are resolving, how long were they active for, how many times were they seen. That was the type of data that I was using very heavily for that type of stuff. Does that make sense? Yeah, okay.

Q: Oh, actually I'm going to abuse my privilege. [inaudible] to the very sophisticated strings that suddenly change, do you think there was anything driving...

A: So if I had to guess, it would be money.
just because there there's you know in the last year or so ransomware has completely exploded and there is a ton of money to be made so what they're doing is they're they're upping their game because now there's people dropping money into development because they know there's a huge return on investment that makes sense i was wondering about the UM the age of the dns registration entry and the value of that in determining whether exploiting is going on or even as a correlator so age is in when the actual domain was registered versus when I was being exploited you mentioned it before and about slide six or seven so on your detection page you didn't mention it at all but it's something
that's talked about so the the actual domains as they're being registered I didn't really see a lot of correlation between a new domain being registered and then immediately exploited via angler a lot of times what you would see is they would just have random you know 912 sometimes a hundred domains registered and what would happen is once the account theoretically is compromised they would start using it for angler activity now what I did find is that over time they would use some domains here and there but it wasn't like a free-for-all where was like oh I got an account let me hurry and run into angler activity it would kind of be like a slow
trickle over time I spent a lot of time on angler myself and I found that it wouldn't drop twice to the same IP I was curious if you experienced that and what the time was so dropping you mean like as far as using the same IP multiple times well if I hit like a blog i knew was compromised it would drop the exploit to me and I could watch it happen but then if i were to try to hit it again with a new sheepdip on the same IP it wouldn't go i had to go and get a new IP and then it would hit me again you know I hadn't really spent a lot of time research
that's interesting though I haven't mmm I'll have to check that the next time I'm uh I'm hunting i'll run stuff multiple times and see what happens great neighbor was sometimes sometimes a little bit different requesters dependent i would usually just clear out all the session Keys and start over with a new incognito or in private session how early in for merging you my father is or really hitting theatres in this case it was a blog specific blog page that was compromised so I had you know like five machines I just built so I plug one in and hit it and try to take a pcap of it or video whatever and then try it again and the second and so on
times it just wouldn't deliver the payload
I'm curious what kind of false positives you were seeing with your rules list selectively 30 2 chainz does remind me of like an OAuth flow or something like that and what other kiss things were you saying so I do see 302 sometimes I would stumble upon other exploit kits which is a fun coincidence but you a lot of that stuff is just about decreasing the data set it depends on out what you're starting with to try and eliminate some of the noise that's basically what the goal is there a question what do you think the future holds how can it get any scarier uh who knows I've never cease to be amazed by angler so you
never know what they're gonna be up to next probably more exploits who knows yeah yeah yeah I don't even get a chance to talk about that so there's so much more I mean there's the stuff that they're doing with the encoding of landing pages the stuff that they're doing for encoding and encrypting the payloads there's a lot more than anglers doing that I just didn't have time to talk about do you see this mostly coming from Eastern Europe or like China any particular country no there's not I mean not really tends to use some ASNs repeatedly but there's not really a lot of specific origin that I could say this this area is definitely where it's
coming from like where the copper my babies are where people to Antigua compromised ages are being that who made okay all right let's thank Allah Speaker of the day okay thanks a lot guys [Applause]
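The hunting pro tip in the talk (start from viewtopic/viewforum/search.php requests, keep hosts with no or low web reputation, drop www subdomains, look for long random-looking subdomain labels) and the passive DNS questions the speaker says he asked of a core domain (how many subdomains resolve, to which IPs, for how long) can both be turned into defender-side filters. The following is an added example written for this transcript; it is not code from the talk, from Talos, or from any of the tools mentioned. The log format, the reputation list, the entropy threshold and all domains, IPs and records are constructed assumptions.

```python
"""
Added example (not from the talk): heuristics for hunting Angler-style domain
shadowing in constructed web-proxy telemetry and constructed passive DNS data.
All thresholds, names and sample values are assumptions for illustration.
"""
import math
from collections import defaultdict
from urllib.parse import urlsplit

# Landing-page script names the talk says to start from.
SUSPECT_PATHS = ("viewtopic.php", "viewforum.php", "search.php")

# Constructed stand-in for a web-reputation feed: anything not listed here is
# treated as "none or a little bad" reputation, as the talk puts it.
KNOWN_GOOD = {"forum.example"}


def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than real words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_host(host):
    """Return (subdomain, registered domain) with a naive last-two-labels rule.
    Assumption: no public-suffix list, so co.uk-style hosts would be mis-split."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_url(url):
    """Apply the talk's hunting filters to one requested URL -> (score, reasons)."""
    parts = urlsplit(url)
    sub, reg = split_host(parts.hostname or "")
    reasons = []
    if parts.path.rsplit("/", 1)[-1] in SUSPECT_PATHS:
        reasons.append("forum-style landing path")
    if sub and sub != "www":                      # shadowed hosts avoid www
        reasons.append("non-www subdomain")
        label = sub.split(".")[0]
        if len(label) >= 8 and shannon_entropy(label) >= 3.0:   # assumed threshold
            reasons.append("long random-looking subdomain")
    if reg not in KNOWN_GOOD:
        reasons.append("no/low web reputation")
    return len(reasons), reasons


def hunt(log_lines, min_score=3):
    """Return (url, reasons) for constructed '<client> <status> <url>' log lines
    that trip at least min_score filters; raising min_score cuts false positives."""
    hits = []
    for line in log_lines:
        _client, _status, url = line.split(" ", 2)
        score, reasons = score_url(url)
        if score >= min_score:
            hits.append((url, reasons))
    return hits


def shadowing_summary(pdns_records):
    """Summarise passive DNS per registered domain the way the talk describes:
    how many subdomains resolved, to how many IPs, how many were short-lived,
    and how many pointed somewhere other than the apex/www address."""
    by_reg, apex_ip = defaultdict(list), {}
    for name, ip, first_day, last_day in pdns_records:
        sub, reg = split_host(name)
        if not sub or sub == "www":
            apex_ip[reg] = ip
        else:
            by_reg[reg].append((sub, ip, last_day - first_day))
    summary = {}
    for reg, rows in by_reg.items():
        summary[reg] = {
            "subdomains": len({s for s, _, _ in rows}),
            "ips": len({ip for _, ip, _ in rows}),
            "short_lived": sum(1 for _, _, life in rows if life <= 1),
            "off_apex": sum(1 for _, ip, _ in rows if ip != apex_ip.get(reg)),
        }
    return summary


# Constructed sample telemetry (RFC 5737 addresses, reserved .example names).
SAMPLE_LOG = [
    "10.0.0.5 200 http://www.forum.example/viewtopic.php?f=3&t=12",
    "10.0.0.5 200 http://kwdhsauqpz.owner.example/viewtopic.php?f=12&t=27",
    "10.0.0.7 302 http://download.forum.example/search.php?keywords=abc",
    "10.0.0.9 200 http://www.owner.example/index.php",
]
# Constructed passive DNS: (name, ip, first_seen_day, last_seen_day).
SAMPLE_PDNS = [
    ("owner.example", "203.0.113.10", 0, 400),
    ("www.owner.example", "203.0.113.10", 0, 400),
    ("kwdhsauqpz.owner.example", "198.51.100.20", 300, 301),
    ("zmqpvxlrtb.owner.example", "198.51.100.20", 305, 305),
    ("yhqowpdlsk.owner.example", "198.51.100.31", 310, 311),
    ("forum.example", "203.0.113.50", 0, 400),
    ("mail.forum.example", "203.0.113.50", 0, 400),
]

if __name__ == "__main__":
    for url, why in hunt(SAMPLE_LOG):
        print(url, "->", ", ".join(why))
    for reg, stats in shadowing_summary(SAMPLE_PDNS).items():
        print(reg, stats)
```

Run as-is, only the random-subdomain request to `owner.example` survives the proxy filter, and the passive DNS summary shows the shadowing pattern the speaker describes: several short-lived subdomains under an otherwise stable domain, all resolving to addresses the apex never used. The entropy check is deliberately crude; the Q&A about false positives applies, so treat the score as a triage starting point rather than a verdict.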