Let's Make Malware But It Might Get Caught So The Malware Gets Worse

We have our next talk for today who is Alex talking about making malware. Let's welcome him to the stage. [applause] Hey everybody, morning. Um, just before we start, I just wanted to say thank you to INT80 from Dual Core Music for shouting out this talk at the end of his rap set last night. Nobody back home is going to believe me about that one. Um, but okay, let's do it. So, hello. My name is Alex. Um, but you can call me Alex in double quotes. And I hear many of you wondering what's why' you do that? What's with the double quotes? It's very simple. A few years ago, uh, some journalists wrote about me and

referred to me as a hacker who goes by the name Alex in double quotes. And Alex is also my real name. And so, it was at that moment I knew I had to do it. I had to make my hacker name Alex in double quotes. So, welcome. Uh, I also one time found former Australian Prime Minister Tony Abbott's passport number and phone number in a Quantis Advantage booking page, told him about it, and did not get arrested. And the journalist then called me a hacker in double quotes, whatever that is. Um, and also to everyone who's to everyone who's like asked me about this like over the last couple of days, I just want to say this was like one

time and it's like not like my regular thing. They're not and like yeah, there's one time. Um, but enough about me. Let's talk about work. Professionally, I've been doing red teaming as my career for a while and I've done red teaming at many places such as Atlassian. Anyway, now I don't work there anymore and now I work at nowhere because I am engaging in business ventures with my new business venture, Mango PDF communication, in which I teach hackers how to talk and write good at work so that people listen to them and understand them. Um, if basically I'm teaching people my ways and uh if you've seen me talk before then you know what you're in for. But if

you haven't seen me talk before, don't worry about it. Uh, it's okay. I'm a professional communicator. I know what I'm doing. and I will see you in 181 slides. But enough about work. Let's talk about malware. [snorts] Have you ever written code so bad that you've wondered at what at what point does this count as malware? Like when does it count? Hello and welcome to my talk. Uh you probably have heard about malware and you've probably even seen it and possibly quite possibly your job is to stop it from happening. And I think a lot of people have heard about that but probably you haven't. Some of you have, you probably haven't used malware or

made it yourself or designed it or hidden it and tried to make it not get caught or even if it does get caught, tried to make it not obviously attributable to you. But before we get started, I just want to get like some things out of the way cuz there's like a lot of confusion. I want to answer the question, what actually is malware? Malware is a Steam video game in which you attempt to navigate Windows installers without infecting your without infecting your computer. Uh, my name is Alex and I recommend downloading and installing malware to your personal device. Uh, I think this game actually inspired hackers to create what we call malware today. And the way that I way that I

explain that to people is malware is like remote control software that lets you remote control somebody else's computer. Or for like a slightly more computer explanation, it's kind of like if you could SSH into somebody else's computer. You can do all the things that you could do if you could SSH into the computer. You can control it. You can upload files, download files, all that stuff. And like why? It's a bit like who cares? Why would you want malware? What what are you going to do? Like why do you even want to have malware? Well, maybe it's because you are here to do crime and cyber crime and you need malware to do it. I love this picture.

How good is this picture? Um or maybe you're not here to do that, but your job is to act like someone who's doing that. Doing adversary emulation, which I believe is formerly known as red teaming. Um that's my experience uh doing adversary emulation, not not doing cyber crime. And that's what I wanted to share with you today. So, let's make let's try and make our first malware. Let's try and how how hard could it be? Let's make some. Hey, I have a question for you. Is Is this malware? If my malware like steals someone's SSH key and then puts it somewhere, is that malware? That sounds kind of like malware. Malware gets SSH keys. Well,

but like that just takes the SSH key from their computer and then like puts it back on their computer. And meanwhile, like you're like over here being like, why did I do that? What was the point of all that? What? So, okay, maybe okay, that let's try again. Maybe that's not right. Let's try again. U Well, can you know actually it would be good if you could SSH into somebody's computer. I would actually like that. So, can we can can I actually do that? No. Let's try it. So, let's open the terminal. Let's go SSH and like what's uh but what's the what's the what's the host name for their computer that doesn't exist? They probably don't have

a a publicly accessible like publicly routable SSH server running on their laptop that we can just connect to. Actually, probably some of you do have a publicly routable SSH server running on your laptop. Um I don't want to know about it. I don't want to know why you have that, but most people don't have that. So, that's probably not going to work. Even though that would be easy. Okay, maybe let's try and make them ourselves. Let's try and design it. So, what if uh instead what if we had a whole other separate server, a whole other separate computer with some cool domain name and when we put our malware on their computer, it would instead of

talking straight to our laptop, it would talk to that computer up on the internet and say, "Hello, I'm here. What what should I do, boss? What would you like me to do?" And it's like, "Oh, now you should execute this command." And it's like, "Okay, great. Here you go. And here's the result of that command. Here's the here's the output." And then meanwhile, you on your laptop can be like, "Hello." And you can talk to that server and be like, "Give me whatever that thing did. I I can control your your computer can control the server and the server can control the malware." So you can control the malware. That that was easy. That's not so bad. But uh I

hear you wondering, well that that would be nice, but like how what what is this? Where did you get this magical program that does all the stuff that you're talking about? And [snorts] you could write it yourself. Uh I mean you could write it yourself and there are some benefits to doing that. But one of the downsides to writing it yourself is that uh it's really obvious that it's you. Well, it's really obvious if you use it multiple places that it's you because it's very unique and no one else is using it. Uh something one thing people do to try and not make it obvious who they are is they use something that's really commonly used and publicly

available such as this is some this is a malware framework called sliver. It's kind of like metas-lo but without the exploits and it's this is not the best one or anything. It's just a malware framework and it's all on GitHub and you can just get it and you can download it right now for your personal malware needs. And this is what it looks like if you use it. It's got some like nerd CLI thing with cool font but the important part is it has this part. It has like a command which says hey I'd like to have malware. Please, can you generate me some more malware that uses HTTPS to talk to this server and then does some

nerd stuff, not important, whatever. But at the end, it actually makes you it actually makes you a file. Says, here you go, here's your malware binary. You can run this on someone else's computer and it will do malware. That's pretty good. Um, you didn't even have to write it. Okay. And so, like, okay, we did it. We made this malware. And I hear you wondering, okay, you made the malware, but like that's the easy part. The hard part is how do you actually get it to execute on someone else's laptop? Like their entire industries, their entire careers into getting your malware to execute on someone else's computer. And I just want to I'm sure you know where

this is going. I'm sure you know how I'm saying we're going to execute it on their computer. I just want to say trying to clear it up. Listen, social engineering isn't that hard. Everybody makes a big deal about it. But you just got to keep it simple. Huh? Like look at this. Simple and clean. That's like there's no way this doesn't work. It's going to work every time. Keep it simple, right? It's fine. So assuming that assuming that works as it does, then now we're on someone else's laptop and they've executed our malware binary program thing. And then if you go and look on your malware control server, your your malware will be like, "Hello,

I'm here. What would you like me to do?" And you did it. You're now in control of their computer. You can now execute mains. Now you've Why did I make this slide? Um, okay. And for a lot of people, they think for a lot of people, a lot of companies like they're like, "Oh, well, it's over cuz like it's been compromised. The end. That's it. That's the end of the talk. We did it. We hacked the computer." But like, yeah, okay, we did it. We executed malware on someone's computer, but like and we Yes. Okay. It's compromised, but like is that what we're here for really? Don't you have other goals? Don't you want to like

maybe keep it there for a while and then use it to like commit cyber crime of some sort? So, how do we do those parts? So, just as a really simple example, did anyone notice this? Like after they run the malware on their computer, it's like still running there and what if they what if they want to use their terminal again and they want to write more commands and they're like, oh, I'll just press control C. Okay, now I can use my terminal again. Good. And you're like regrets. Why did I let them do that? Like it's over. So, okay, maybe let's try again. Let's maybe let's make it slightly more resilient to people wanting to use the terminal again. And I

I hear many of you saying, "Oh, I know what to do here, right? We just background the malware." And now then now when they press control C it's okay. And it's true it does put this awfully suspicious number there. But it's true it does it does make it so they can keep using their terminal. But actually if what if they can keep using this terminal but what if they like close their terminal? I know who would do that. But some people do and they just close the entire terminal entirely. Then if your malware is trying to talk back to your server suddenly it's gone because the whole terminal is not there. So whoops. That's not going to work. The

reason that works the reason that closing the terminal kills kills the malware even if it's backgrounded is cuz the malware is a child process of like the actual bash process that made it. And so when you close when you end the batch process, it also ends the child process. That's how it works. And uh the solution a solution to this is to use this disown command thing. This is what I found. This is like welcome to my trial and error struggles. This is what I figured out. I use this disown command thing and it still prints out the awkward number. But now instead of it being like this, it's like this. And the bash process is like well I've never

heard of that malware process in my life. I don't know who that is. Whoa. Hey. And so if the bash process ends, the malware one's still okay. And so if you close the terminal then it's it's fine. It's still going. It's still there in the background. Nobody owns this one. Uh no problem. I think it has like a really awkward maybe slightly detectable thing where like the parent process ID is like minus one or something but whatever don't worry about it. Um and I hear you wondering about how to get rid of that very suspicious number and I probably hear a bunch of you being oh I know I'll you know I'll redirect standard output and standard error I'll

redirect it to to dev null we know about doing that and you slap on one of these guys actually know this doesn't work for some reason I was like a bit outraged by this and I don't know there's probably a better way to do this but I was just kind of like slapping even more of those guys on there being like shh don't try to talk it's fine. Um if you do that maybe it'll work. So, look, it's fine. It's all good now. Um, thanks. I'm I was a professional hacker for a time. I swear I know what I'm doing. Um, so now, can we check this stuff off? Can we Now, are we actually

keeping it there? I mean, like, maybe. But like, what if this person who we've hacked is like, hm, you know, I think I'm going to restart my computer just to feel something. And they go and like click this restart button and then I mean, your mware's running there using a cool thing and then they restart the computer and then why would it be still running there? You only ran it once. It's not going to run again when the computer restarts. So like whoops. Uh let's try again. Uh this this thing where you make the malware keep going even when the computer restarts or goes to sleep or whatever. This is commonly called persistence. And there are many

ways to do it. And this is a way of doing it. Um [snorts] have you seen this file on your computer called Z profile? It's kind of like bash C or Z shr but it's not. There's some like nerd reason it only run it only runs on some shells opening some other kinds of whatever. The important thing is whenever you open a new terminal most of the time this whatever's in this file gets executed. So if you put your malware in there then like oh now whenever they open a terminal we get a new malware running that's pretty good. Uh and you could just slam this in there in that directly into that file and it would totally work

but it kind of looks what if they're recreationally browsing their Z profile file and they like see this kind of looks kind of dodgy. It probably probably is malware. Um you know what looks much better than this? This kind of thing. Oh that looks like it could be legitimate and it looks like that because it is legitimate. There's a real software called NVM which this is what when you install it doesn't maybe it tells you. I didn't notice it telling you. It actually puts this in your Z profile file and uh people are people are nvming. People are using this. Everyone's out here doing this. And I'm like, "Oh, that's way better." And what this code actually does is it does some

node thing, but then the important thing is it like executes another script file. And that happens whenever you open a new terminal. And so you can just slam this guy into that file instead. No one's going to recreationally check that file. You could I don't even No one's going to do that. This this is what this is like one more layer of uh being one more layer of like being hidden. Um this is maybe overkill, but whatever. That is one way. So now whenever they restart the computer, your thing will run. Uh some of you some some astute viewers may have realized, doesn't that mean that every time they open a terminal, you get a new copy of the malware running? And

some people love terminals and aren't going to have like 20 copies of the same malware running. I mean like yes, currently it's the way it is. So you should probably put something in your malware that checks like is it already running or have a lock file or something or you could just have you know it's better than one shell. It's 20 shells. I'm just saying. So uh are we now are we keeping it there? No. No, the malware is still bad. Spoilers, the M is going to continue to being bad because uh you know how we're doing this and I'm always talking to this server up here. What if we want to hack more than one person? I

know, ambitious, but it can happen. And what if one of the people were hacking, I don't know, something happens and they notice they recreationally browse their Z profile file and the cyber police, by which I mean incident response team at where we're hacking, uh shows up and they're like, "Hey, there's like malware on this computer. Whoops." And they find it and then they go, "Wait a minute, this malware is talking to crime central.com. Who else is talking to crime central.com?" And then they find everybody that you've hacked because they're all all the malware is all talking to the same domain up there. And uh this is like a common problem when you're doing malware. And I want does

anyone does anyone think does anyone know the solution to this like malware like act this like blinking malware problem? Anyone know the solution to this? That's right. The solution is to go outside and touch grass and stop thinking about computers. Don't do any of that stuff. No, I'm I'm just kidding. I'm just kidding. The the solution is redirect infrastructure. Let's talk about it. Uh another the way you can do this is you can have another server in between the malware and the actual malware control server and it has some very cool normal domain name that's real. Um please no one register that domain name. And uh the server is an HTTP reverse proxy which just means like

it it passes everything you say to it back back uh back along to the malware control server and you can't tell it's a proxy if you're just talking to it. It looks like it's really just telling you that stuff by itself. And so basically just lets your mware talk to that server via another person. And I hear many of you wondering where where do I host this server? what what what what like hosting provider do I use? And I mean, you could just sign up for AWS like everybody else, but like since you want to look like cyber criminals, cyber criminals don't really do that because I don't know AWS doesn't like cyber doesn't like

cyber criminals. So, make sure when you do this, you buy the server from an extremely reputable offshore hosting provider such as this one I found, which is DMCA ignored offshore hosting Moldover. That's got to be good. Uh this is this is just the first one I found. This one this one looks like it's called Alex Host. That is a coincidence. Has nothing to do with the Alex brand. I don't know these I don't know these people. I what? I don't know whatever. Um, back back to this part. Uh, so now I have now like, okay, now I have this redirected infrastructure. Now I have this whole other server between my server and the malware. What's the point

of this? Well, the point of this is redirect a gang cuz you can make a lot of these. And now every single person, every single person who has malware on their computer has their own sort of private bespoke custom red server with different domain names, different everything. And that way all the malware is separate. Like there's nothing the same in between them. And so that way if the instant response team shows up and one of them gets investigated and gets taken down then the other ones are still okay. Uh or are they? Because what was wrong with this? The problem with this thing was that uh all the malware was using the same or something. They was

all using the same domain. And what's wrong with this? Depending on how you do it, what if all of these are the same binary exactly? They might not be, but what if they're the same exact binary? Cuz you know what's really easy for the incident response team to do is check where else have I seen that binary on all the computers I control? And then once they find that, you know, you get the idea. Uh so you need to go back and make you need to go back to your malware thing and generate an entirely new entirely new malware payload entire entirely new binary for each different uh redirector. Preferably you wouldn't even use the same malware framework use

a whole different malware framework for each one cuz you can kind of tell if they're all the same mware framework but whatever. And that way when the incident response team shows up and they find one of them and they check where where else have I seen this exact mware and then okay you get the idea. The other ones are okay. So now can we check this off? Maybe we can never check this one off. In fact, actually, we need to go back to the previous one because you don't want to actually ex you don't just want to execute your malware on anyone's computer. You want to make sure you're only executing this malware that you've

gone to great lengths to make on exactly the right person that you actually want to be compromising because you don't want to let people reverse engineer it. You don't want to let people find out what it is. You only want your actual target to get the final payload. And so, you know how every single time you want to hack a new person, you need a new redirecting, you need a new malware, and you need a domain name, you need all that. This is a lot of work making all those things. And you know how the current way that we're getting our malware on people's computers is using this state-of-the-art technique. Do you really want to like put your actual

malware binary like the final payload which has like the domain name in it and like do you do you really want to put that like publicly on GitHub? Cuz like what if somebody for some reason goes to this page and they're like wait a minute this is malware. This isn't this isn't GitHub like and they like actually investigate it then they just have your payload like right there and like everyone can see it as public. So uh and then then when the incident response people show up you haven't even got a shell. you haven't even executed code on someone's computer, but they can suddenly see that or they have your malware binary and they can see the

malware family or malware framework that you're using. They can see the redirector that you're talking to, the domain name, and they can check the hosting provider. And that means you have if you want to really keep all of your different like compromises separate, you have to make new ones of all those things. And if you don't make new ones of all those things, you might be attributed you might be attributed by them as the same bozo who did that GitHub thing earlier. So, you probably want to be different. And uh so I hear many of you wondering what's the solution to this. That's right. The solution is stage payload design. Let's talk about it. Uh so before we were

downloading malware directly from GitHub. But what if instead of downloading the malware, we downloaded a different program which we still downloaded and executed but that program goes into their computer and that program then downloads the malware from somewhere else and it says hey malware hosting server can you give me the malware now that I'm being executed on someone else's computer and like what's the point of these layers of what's the point of doing this? What's the point of these layers of malware servers? Uh the point is that oh and sorry after you download the malware it does its normal thing does this whole other normal thing but you download it from this special malware hosting server and many of you

are probably thinking that this is overly paranoid and you know to do that and if you think this is overly paranoid then you're going to love this next part which is even more paranoid. Uh instead of just having this malware stager it's called if you really want to be styling on people you can not just don't just have this downloaded from the malware server the normal way when when you download this malware payload from the server you're probably doing like HTTP or something probably doing get malware. Make sure you use this user agent like because you you write you write the malware downloader and so you can make it do whatever you want and make sure

you just subtly include this user agent in the request. Um do anyone see why it's this user agent? That would be insane if anyone knew that. Uh here are the versions of Python of Python requests that exist. And you may notice that there is no 230.1 version. So probably no one is going to accidentally use this user version. Only you're going to use it because it there's something's gone horribly wrong if someone else is using this in their actual code. So that way uh if your if your binary uh if your actual uh stager if your actual malware downloader is the thing that's talking to the malware hosting server then it gets the actual malware payload. It's

it's crime time. But if anybody else does it then they can like download Fortnite on their work computer or something. You can give them whatever you can give them something else and that way random people just random people browsing your hosting server or like incident response people or whatever they don't get the malware. You only get the malware if you execute it from the malware downloader. Okay. So uh can we check this off? Can we say we're done now? Have we kept the malware there? I mean, you can kind of you can never really check this off for sure. You never really know for sure whether whether you're going to get caught or not. And also, no, we can't check this

off because this malware is still bad. There are many like this malware is not really obiscated like sliver does a bit, but like have you really tried to obiscate it? Also, there's no socks proxy. How do you like make your traffic go through it? Also, the malware just runs straight on the computer. Don't you want to run it in memory so that way the AV can't see it? And probably you shouldn't do this Z profile thing. You shouldn't risk it. You do something crazy like back to an electron app or use like JXA or do some cool advanced persistence thing or this obvious thing. And also the malware hosting server. Where do you host that server? You

should host it somewhere really legit like you should host it on cloud fun or something. So it looks like a normal place you might download things from. Also there are many other problems with this whole malware. At least it's far from perfect. I wouldn't I I don't think I can say this is good malware yet. And I hear many of you wondering what's the solution to this. That's right. It's AI. Thank you very much.

>> [applause] >> Um, does anybody have questions? I've got time for questions.

>> Crimes. >> Oh, I'm afraid I couldn't hear whatever that question was. It just sounded like somebody saying crimes a lot. So, I'll just have to I'm so sorry. I have to take a different question.

Hello. >> Oh, hello. >> Um, have you considered that instant response people might be slightly tipped off by the binary named malware? >> Have I considered that the question was have I considered that incident response people might be slightly tipped off by the binary being named malware? Is that right? >> I mean, have you heard of a double bluff? Because like surely nobody would do that. Um, I guess if you don't want to double bluff, you could name it something else, I suppose. But I I mean I surely never seen the double bluff before. I reckon go for it. Thank you for the question, though. >> Are there any other questions

as your official hacker name is now Alex with the two uh quotation marks. When you get quote uh quoted in newspapers in the future and they have to put more quotation marks around your alias, will you continue updating your uh your name until it just becomes a single page that is just the word Alex with a lot of quotation marks on the left and right of it. >> Hey, thank you so much for asking that question. I think it's a really important thing for the industry to be aware of and we don't really we don't we don't talk about it enough. So, thank you. Um, it hasn't happened yet, but like like I guess yes, I guess

I have to like I'm ready. I'm ready for all quotes.

Thanks, Alex. Amazing talk. Um, I have one question. Could Rust have fixed this? Really important. Um, uh, yes. Are there any other questions? >> Hey, Alex, are you here? Thanks for the talk. Um, if you don't mind, could you could you go over how to write the malware once more? >> Uh, could I go over how to write the malware? Um, see everybody next year at my next talk about how to write malware. Um, no, I didn't really cover that in this in this thing. I just I'm afraid there's just no time for that. I'm afraid there's just no time for that question. Maybe next year. Sorry. >> Um, did anyone download the file from

GitHub? >> Uh, did anyone download the file from GitHub? Um, I think I think the repo is still up there, so I guess you could download it if you really wanted to. Um, but no, I don't think so. I mean, who would fall for that?

There are no other questions. Let's thank Alex one last time.