
cool I'm Nick I'm going to giving a talk on fault tolerant command and control networks today um so here's the agenda um intro going to go over a little bit of thought net history um little explanation of what C2 is a little um in-depth on how a very common form of C2 is used um and then an idea for a C2 Network that was inspired by IRSC um not using IRC but inspired off of how IRC Works um then the goals for the project that actually came in my head and then a little bit of a demo um and then questions and special thanks and references so who am I um Nick that's me uh fourth year bsms computer security R
um I was the tech lead and vice president of rc3 U if you don't know rc3 it's R competitive cyber security club um last year and then this year I'll be the uh vice president again um I was the captain of R's first ever um Collegiate penetration testing team um we are going to hopefully do that competition again this year and do some fun stuff and I'm looking to get into more pentest stuff which is kind of why my head was wrapped around bot Nets and such um and this is my first talk at a con ever yeah so let's let's talk a little bit about what's in scope um basically we're going to be talking about command and
control servers um how they communicate each with each other and the clients um it's mainly going to focus on server to server communication and just a little bit of client check-in um what's not in scope are the clients in general I'm not going to go in depth on how the clients are going to be managing the call back domains not going to be managing them um how the clients are going to be connecting to the network just how the network is going to facilitate the clients um also not going to be going into any reverse engineering on clients to make sure that you don't expose these domains in other word your implant is bad and you should feel bad is not
something that will be covered in this talk and I don't want to hear cool so little bit of an overview on botnets right Wikipedia States the botnet has a whole bunch of computers that talk to each other this long-winded stuff basically it's a whole bunch of computers that talk to each other or servers that get them information that's on things to do so you can have a malicious bot net or you can have a benign botn net there's the infamous Zeus um banking Trojan botn net which ex traded tons and tons of Bank credentials and Bank information and money right or you can have something that's benign like seti at home if you don't know what
seti is it's a whole bunch of people in South America I believe um that have big satellite dishes and they listen to space to see if aliens are talking and that's a lot of data because you got to process a whole bunch of signals with I don't know patterns that aren't specifically developed and stuff so they Outsource it right so you can sign up for study at home and basically enlist yourself in a botnet right it's for study it's for science right but ultimately you're still in a botn net you're still receiving commands from um some sort of network so what can we use a botnet for a lot of what we see today is for dosses
umla service you have a whole bunch of machines hammering the website and bringing it down um email spam once again leverage a whole bunch of machines to spend send as much email as you want um you could use it to seed um Torrance from let's say a leak so let's say you leaked something like the Panama papers recently you've got terabytes of data that you're trying to get you seed it out to all of your clients this ensures that hey these these documents that you've leaked out always have somewhere to go down and they can't be brought down by some sort of um dnca where they go and just take down the one or two
servers that you're seating off of before it gets distributed out to everybody who has it or we see a lot of this nowadays um botnet as a service so you build a botn net you get it as big as you can and then you just hire like hire yourself and have people hire you so that you can do whatever they want to do so you say okay we'll let you this other criminal organization use rbot net to denial of service this site so just a few figures um one of the first botn Nets that um just figures from Wikipedia that they listed uh the big old botn net had about 230,000 nodes um Infamous coniger that's where we see
um ms08 064 uh 067 that's right m867 um one of those exploits um there was millions and millions of nodes that were um in that net with a portion of them that were in a botnet um and then the Zeus malware there were about 3 million nodes in in the us alone so let's get into some of the terms that we're going to be using to describe botn Nets right we've got bot master C2 servers relay nodes Bots I'm going to get into all of these and normally we have something that's organized like this you have the Bots at the bottom relay nodes in the middle C2 servers right there and then up at the
top we've got the master and I'm going to go all into these from the ground up so we're going to start with the Bots right the Bots or zombies as they're sometimes called is the malware that you have installed on the target it's sitting on the target um waiting calling back getting your instructions and executing whatever you want it checks in it sees okay I have a Dos command for this for x amount of time get this command perform it wait check in wait check in ideally you're going to have a lot of them because what is a botnet if you only have two two nodes you're not going to get too much accomplished with
two nodes out in the wild and ultimately it's to execute the commands that's given by the C2 servers um C2 stands for Comm control if I didn't make that clear um so we're going to move on to the relay nodes right so the relay nodes are for forwarding connections from the Bots to the servers ideally you don't want to expose your servers because if you only have a few of them like this diagram shows we have let's say three servers in this network um the bot master looks like it's updating each of those individually you really don't want to lose those right C2 servers are kind of like your crown jewels you don't want to
lose them so you spin up a whole bunch of relay nodes that that um facilitate Communications from the um thoughts to the servers this could be as simp as simple as like a socks Bry or um like netcat forwarding listening on one port forwarding and out the other and just facilitate facilitating a communication um or it could be as complex as rotating through hundreds and hundreds of domains or having a domain generation algorithm that the um attacker is going to register certain domains that are going to lead back to those servers um this is the layer in the traditional model that you want to be full tolerant right you want to have a lot of these so that if
you lose 50 of these relay nodes you still have aund of them left and the malware or the Bots still know how to get to the layer of relay nodes which know how to get to the C2 server layer so onto the C2 servers um so these are going to be holding all of the commands um it's going to be accepting connections from the Bots through the relay nodes or if you don't have a really no U Network set up it'll be accepting connections directly from the bot um you can hold files there um commands modules whatever you have your botet set up to do and there's this idea of command and control channels um
different methods of delivering the command so let's say you have one set of relay nodes that says to call back over HTTP and it downloads an HTML file parses it and that's your command um it could be HTTP or https you could have one that operates over over um icmp and just embed the data in like anmp Echo request um and you could have multiple channels in the same network depending on how complex and how tier you want to get your network and then the bot master um this is the person who's controlling it you're inserting all the commands I'm only through some sort of web interface or however your network is set up you're
putting the commands into the network so that your Bots can execute them um you can divide the bots in The Logical groups if you so choose um but ultimately you're limited by what the botnet is built on you can't dos something if the code isn't written for it um so on to C2 channels right C2 channels are the means of transmitting the information touched on this a little bit ago um many different protocols and the idea is to hide somewhat in plain sight you don't want something that's super crazy um obvious that's going to say hey this is me I'm beaconing back to this C2 server um like red team. domain. whatever is probably a bad idea or this
is like ac2 do whatever your domain is probably a bad idea if you're using DNS resolution um you want to look normal right and just some common protocols that you can use um IRC um drawback to IRC is that it's plain text traditionally so if you connect to the server you see all of the commands being broadcast in plain text you can see when someone checks in um but the advantage to that is there's multiple different actual IRC channels you can go through um HTTP and https yes would be a really good option probably your go-to option um I don't know of anybody that's going to be blocking web outbound so HTTP and https https would
obviously better because well it's encrypted um and just because you can you could do it over icmp if you wanted to probably going to get flag real quick um you could even try and do it over SSH or something that mimics an SSH session so I'm going to go into a little bit of how IRC used to and currently is used by C2 some the drawbacks and some of the advantages to it so we have the client like an IRC client that connects to the server in this case it's going to be our bot um it's going to be connected to a certain channel right so let's say we have um pound channel one right and it's
going to be checking in say hey I'm here waiting for commands it's going to be relying on um the IRC infrastructure to deliver the messages that the a certain user is going to be putting in so let's say you as the bot master would go and you would say hey this command now is to dods site a right all the Bots that are listening on that C2 Channel be like okay that's my command I'm going to do that and they execute whatever module it is right and you would have some sort of way to change channels if option whether it's through a command that says migrate to whatever and then whatever Bots are on there would just migrate to that
other channel or it could be done automatically through the bot some of the advantages to using an IRC um it's pretty easy to set up all you have to do is have a channel and then have a pretty simple syntax that both the Bots um and the bot master understand um easy distributed commands because you're relying on irc's network and kind of send it in plain English it's easy to understand and easy to parse if it's your first thing to write disadvantages you're sending it in plain English right um unencrypted Communications and if the Bots aren't validating who's sending the command then it's relatively easy to hijack and shut down the network or make do what
you want to do so all this was kind of mulling around in my head I was kind of thinking hm so I want to do something with bot Nets I want to do something offensive right how would I set this up what if I built my own right but before that I was kind of thinking hm I want to program something let's try IRC it's a relatively simple protocol that's really well defined so I thought wait a minute what if I def like combined the two right so I one of this speci that I'm not using IRC for this Bru concept um not just making a about that connects to a channel listens to stuff it's using how IRC the protocol is
set up and defined to um Define the network of C2 servers and how they're going to be updating each other um so for a little background IRC works as a spanning tree um there's never a group of nodes that are going to be set in a loop or there never should be right if a B and C are all here A and C should not have a connection if they both connect to B because then you have a loop and bad things happen and that's just how the protocol is set up so why not use that right it's pretty set up I could just Fork IRC and modify it however I want right the problem with
that is that we're going for redundancy at the C2 layer right so the whole idea is that you don't need the relay noes oh that's sorry there we go cool is that we don't need the relay notes we're focusing just on the C2 server layer right now cool um imagine if you lose a branch that happens to be in the middle of your network of servers you're going to end up causing Network segmentation and you're going to have disjointed segments um so let's take this example IRC Network right IRC not the C2 PC that I've come up with we've got six servers uh two has links um then we've got they're all organized like that right so
if someone on server one wanted to send a message to server 6 it would go through server two then server 3 and out to server six um if someone on server 4 wanted to get out to server 3 it would broadcast to everybody um and the IRC server would only keep the message if it had clients that were on those channels right want to send the message it's going to travel along like this it's going to get duplicated and sent out to the other ones and it's going to get to there so from four all the way over to six we can see the message was there right so imagine if we're going to lose
one of these nodes let's focus on server one right if we lose server one the clients on server one are just out of luck they can't do anything right they can't talk to anyone else because the server's down right that's not too bad we've won we've lost an edge node right if we lose server three however we're going to have a problem so server 6 and server 2 are still functional right but we've lost server 3 which means we've lost the connection to servers 2 and so to server six so someone on server one won't be able to talk to server 6 right and um someone on server one can still talk to someone on
server 4 but they can't get over there and server six is live its own little world the worst case scenario for this topology is if we lose this node because we lose those links now we have three separate IRC networks that can't talk to each other so that's kind of where I came in is like wait a minute this spanning tree is a bad idea if we're going for redundancy at the C2 layer so let's expand it to a partial mesh um a full mesh would be ideal right all nodes know how to talk to each other everything's amazing you only need one update message goes out in one broadcast everything's updated and flowers and
rainbows yay um reality that's probably not what you're going to get you don't want one node or you don't want the ability for one um Defender to breach or watch one node and be able to know know all of the notes in your network because then they can just say hello government please shut these down it's doing malicious activity and here is the information about it um you can lose your entire network in a matter of days um so the idea of the partial mesh is that we're going to be forwarding the commands to the servers kind of like how we were forwarding with the how IRC was forwarding um yeah so what we're going to ensure
right now um is that each server is going to have the same database this is a shortterm goal for the proof of concept proof of concept is not finished yet it's far from it I'll get into that in a little bit later um but if we have the partial mess organized correctly we can be tolerant of um mild to medium losses so let's say someone takes out 20 servers in your 60 server Network you still have the clients which know enough about the rest of the network um to reconnect back to it um let's just assume for the rest of this talk that the clients have an algorithm that says okay we know how to get to a different
area of the network logically right so if a client on the left side of the network um knows that there are nodes in the middle of the network and the right side of the network let's just assume that the clients know how get how know how to get back to the network right um but we got to remember if someone dismantles 85% or more a huge number there's not really going to be much that you can recover from if you've got 10 servers and high availability and nine goes down you're going to have a bad time on that one server that's left um yeah so some of the design choices um go langang if you don't know
about go it was developed in released in 2006 I think 2006 or 2007 uh the year escaping me at the moment but it's a compiled language um it's open source managed by Google um it's got a pretty decent syntax it's kind of like if C and python had a baby um yeah so one of the problems with this um thing that I'm going to be showing you my idea for proof of concept is that redundant messages are going to be a problem but the way I'm going to solve that is that the servers are going to silently ignore it and that that's going to become a little more clear in a little bit um why did I choose to go
with the way I'm about to show you um I felt it would have been easier than you know just implementing a full peer-to-peer routing mechanism on a server that I'm going to be deploying and random places um I could use um Batman if you're not um familiar with Batman it's the better approach to mobile ad hoc networking um basically it's a layer 2 ad hoc networking protocol that's actually built into the Linux kernel now um that facilitates ad hoc networking and routing but I felt like that would probably be a hard thing to do and go and I probably have to write my own Library so let's just go with the partial mesh and a forwarding
and the silently ignoring the Redundant messages for now that might be a later work um and there's this idea of a a partial information Chain versus a full information chain um for right now we're going to define the information chain as the um servers that are going to be receiving an update um partial is going to include just the servers that are going to be receiving a full information chain um would be all servers that have received and sent the message um the problem with that is that you're going to increase traffic size exponentially with one or two nodes it's not that big but if you have a 50 node Network you're going to have a whole bunch of servers
hey hey 1 278 95736 I've all seen this and a whole bunch of me servers are going to be sending that around it's pretty conspicuous it's pretty easy to see um so the algorithm that I have for the servers is going to be that the server is going to be establishing um peer connections with other C2 servers um Whenever there is an update to the command database it's going to notify all other local peers the servers are only going to be knowledgeable of other peers that are in the network locally um one hop away it doesn't know anything more than one hop um so for the peer Server Connection um peers are going to contact each other
um ideally it's going to validate each other's um authenticity uh long-term goal that I have for this is to be able to turn it into a framework say generate a key at the beginning and that you have a TLS key or a TLS CT that's going to be valid for each of the nodes and if the CT doesn't match you don't connect to the network or don't accept any Communications from other nodes in the network so that's is resistant to hijacking um and you can either do it um at a periodic interval so you could do it like an HTV htvs check-in or you could have a constant session um but like medicating an SSH to or something
like that so whenever the command database is updated whether it be by the master or whether it received an update from another client um we're going to ignore any message that's duplicate it's going to save for now all messages that are there um and then the server is going to be notifying all of its local peers and for the server the server updates it's going to update all their peers that it did not receive the message from right so if we have servers A B C and D and B is connected to C D and a so we've got one in the middle and three on the outside if a sends an update to b b is going to
send it out to C and D but not a because it knows that it got it from a so we don't have an infinite bounce between the nodes um and then each of those updates is going to contain the partial information chain and I've got a bunch of diagrams that's going to display that later um so more information um on the partial information chain it's going to be containing the IDS of the server that the update's being sent to um and if the ID is listed as a peer it's not going to notify that server um and it's just remember that it's ignoring duplicate updates silently so let's take the simplest Network that we can have two
nodes of the C2 servers right we have a message with the partial information chain set to two because that's the destinations currently um you can think of the partial information chain as the destinations for all the messages or multicast um so we send the message over to two and then it gets it yay both of the databases were updated so if we expand this we have servers one two and three all organized in a line one wants to send a message updates the database sends the message out to two two gets it realizes that it can't send it to one because it got it to got it from one and it has to send it to three because
that's the only other Pier that it knows about then three gets it realizes that the only Pier that it has is two and will not send it to two because well that's the link that it came from and then everything's happying the databases were updated so let's expand this a little bit we have four servers now and then there's a triangle that we have between servers 2 3 and four um starting with server one it's going to be sending to server 2 so here is where we actually see where the partial information chain actually does something um so server 2 realizes that it has to send to servers three and four because those are the
other peers and it can't send it back to one so it sends it out servers four and three both realizes that the other server is going to get the message at the same time and then it says okay well I don't have to send it because they're already getting it and then everything's happy right all the databases were updated so let's expand this to six nodes this is essentially the IRC Network that we had earlier but instead of um having six being isolated only to three we've now connected it to five so that we have this big loop so we have an update that comes from server one it's going to go out to server two server two
realizes that it has to send it to servers three and five right and then server three over there says okay well I got it from Two and I'm going to send it to six server five says okay I've got peers um server 4 and server six and I got it from two so I'm not going to send it to two right so what we run into is both of the servers are going to be um notifying um the same Target server right server 4 is over in its own little world doesn't have any more peers that's okay but this is where the silent ignoring comes in and it's just going to silently ignore one of the
messages that totally looks green well that's supposed to be yellow okay well okay so it's going to silently ignore one of the messages um so where does this idea of the fault tolerance come in um It's a combination of things it's a combination of the command database updates and the command um synchron synchronization between the service and the network um and it's relying on the clients having a chain of domains to contact in the network like I was saying earlier they have the ability to contact UM far different areas of the network so if one side of the network is taken down the other side is still functional and the client can migrate to another side um and the
idea that yeah that's what I just said um so goals for the project um short-term goals what I have right now is that the server is going to be um accepting Communications from the client it's a little buggy um there's going to be a default Channel placement and then later on there's going to be the ability to segment it off into okay so like these are going to be my dosser Bots and these are going to be my data expl Bots that are going to act more like an implant that you're going to put on a Target um and you can divy up commands because you don't want to be issuing DOS commands to your ones that
are supposed to be sitting and hiding right you don't want a lot of traffic coming from those cuz it's saying hey guys look at me I'm here I'm doing bad things um server is going to be responding to the client's requests um and that database replication across all the servers is going to be enabled by default um a later work that could be done is that it functions more close to IRC and that it doesn't um contain any of the updates for clients that it does not have or channels that it does not have and if it does it queries the network to forward it but that would involve a lot more of the routing so
there's some design decisions that I have to make down the road if I want to continue this any further and add those things um so for long-term goals like I was saying the TLs search generation and the validation between all the servers to Ure that you can't just connect something into the network that's going to um update the database saying Hey I want you to Ping all these addresses so that I can know where all of your Bots are and I want the C2 service to notify this so I can have someone take them all down um full forwarding and database replication um and I'd like to I'd like to make it into a big project and put a
web Administration panel on it um have the ability to dispense different modules to clients so let's say you have a generic client that's in there you say okay well I'm going to check into the network and I'm going to download this information or I'm going to download these modules to perform uh persistence mod or persistence method X or persistence method y um the whole idea behind go is that it's a crossplatform language um you write things in go and it for the most part unless you're doing something extremely F or um system specific is going to be able to work on different systems so if you have an implant that's written in one those networks it can download things catered
to the OS that it's on um another big thing that I want to do is I want to make it into an HTTP or https C2 um I at the first part decided that I was just going to do with opening a raw connection and sending information at this point none of it's encrypted but that's just ay let's get it working before I actually organize things the way that I want to and then maybe expand it into a potential framework for an automated deployment and make it an open source framework um to say build a botn net it could be useful for um penetration testers who want to do um some long-term engagements um so that
you have a network that you can build up and tear down and issue shut shut down commands to your network so things that definitely need to be improved a bit uh using an actual database rather than just storing data types memory there's some janky code in there now that definitely needs a fix and then currently the IDS for the clients and the servers have the same format um I'd like to differentiate those maybe just add a flag in there that says if one client if zero server so onto a little bit of a code demo we're going to walk through some of the functions that I have set up right
now so over in this pain over here no you can't see any of that
that are good yeah you can not read any of that can any can everybody read what's going on kind of can someone flick the lights in the back maybe it'll be better hopefully better good everybody okay with that for like five 10 minutes okay cool so over in this left pane um I have two separate repositories one for the server one for the client um over here we have all of the server stuff um launch the server the server reads from a command file so if we go into the commands directory we can see that I have um several things like add a command to channel and that's going to be like a w get command or a ping command those are
just the two commands that I chose to implement at the current time before I expanded into something else so that I have the ability to trans um transmit commands and then it's just a matter of um writing an execute function on the client um so if we see we're just starting on default Port yeah so we have the client which is over here listed as the implant and right now it connects to the server uh there's a few debug messages in there um and right now we're seeing the HTTP G right here so we've transferred the message and we've actually got it to execute but we get the error message saying we cannot get the URL um one. HTML just as an example
and then when we request again um the the client right now is set up so that it um does another request um every time you have the enter button that'll obviously be changed um and I have one or two bugs that cause the client to crash that came about like a day or two ago and I cannot seem to figure out how to fix it so I kind of have a little bit of a stunted demo right now um the server to server messaging is unfortunately not functional I would have loved to show that um that's one of my biggest oh darn why didn't I get this working about this talk um so that's why
I was trying to focus a little more heavily into the explanation of how it would go I ended up getting most of these supporting things but not the main thing OD darn so we can go through a little bit of the code review on the server side um
so cool so for the server we have this idea that it's going to be having an ID it's going to be having a listener that it's going to be receiving connection on um a list of clients um a certificate which at this moment is not being used um uh peers um the channels that it's going to be having and forwarding and replication those booleans am I going to be forwarding things on or am I not going to be um replicating the database um an idea that you might not want to forward some things on is maybe you have one or two servers you've implanted in a targets network uh you don't want the database replicating everything
for things that aren't connected to that Network so you'd want something that you're implanting um on the targets Network to be a little more covert um so like I was saying um the ID generation function um it's basically slapping together a random number and a hash of the time stamp and then hashing those together um currently those are the same I should probably add another field to differentiate between a client and a server um at this point I just have it sending server or client depending on what it is to connect to each other um
yeah so the channels are organized as such we have um list of clients and list of commands and ways to add clients add the commands um and do as such um currently this is what I was talking about saying um I should probably switch to something else other than just having um an array in there I should probably switch to using a database because it would allow me to actually support more and build out more currently the code only supports the first default Channel um in the server maybe one time I super early on time
So here's kind of the idea behind the commands for the current data structure. No, not that file. The idea behind the commands is that they have an ID associated with them, a description, and the parameters that are going to be passed to them. Right now it's set up as a list of strings so that you can facilitate any command that you'd like to do. Right now the commands that I have only have one parameter passed to them: like wget, you only need a URL, or ping, you only need the target IP address or domain name, right? But what if I had something for "copy the contents of these directories and exfiltrate them to my server"? That's facilitating multiple directories, or multiple lists of things.

When the information is transferred it's going to be put into a JSON object and then base64 for transfer, and then it's labeled with a timestamp so that you know when it's attached to the channel. For the list of commands that are in the channel, it's going to look at the furthest right-most entry, the last entry in the list of commands, and say: what's the timestamp on that? Is that timestamp later than what I have? If it is, it's going to add it; if not, it's going to just discard the message
silently. Yeah, so that is unfortunately all that I have for code. It is multi-threaded, so if we wanted to, I'm now facilitating multiple clients, so it is accepting those clients from there. But that is about all that I have for the code side of things.
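The server-side structures just described (a command with an ID, a description and a list of string parameters; JSON-then-base64 framing with a timestamp; append-only replication that keeps a command only if it is newer than the channel's last entry), as an added Go example written for this page. It is not the speaker's code: the field names, the use of SHA-256 for the ID hash, the nanosecond timestamp unit and the sample commands are all assumptions. It also shows the failure mode the timestamp rule has, a command that arrives late is dropped silently, beside one way to merge by command ID instead, which is an alternative and not part of the talk's design.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Command is the per-command record the talk describes: an ID, a description
// and a free-form list of string parameters, plus the timestamp stamped on it
// when it is attached to a channel. Field names are assumptions.
type Command struct {
	ID          string   `json:"id"`
	Description string   `json:"description"`
	Params      []string `json:"params"`
	Timestamp   int64    `json:"timestamp"` // Unix nanoseconds (assumed unit)
}

// Channel groups clients with the ordered list of commands meant for them.
type Channel struct {
	Name     string
	Clients  []string
	Commands []Command
}

// NewID follows the talk's recipe: hash(randomNumber || hash(timestamp)).
// SHA-256 is an assumption; the talk does not name the hash function.
func NewID(t time.Time) (string, error) {
	rnd := make([]byte, 16)
	if _, err := rand.Read(rnd); err != nil {
		return "", err
	}
	tsHash := sha256.Sum256([]byte(fmt.Sprintf("%d", t.UnixNano())))
	sum := sha256.Sum256(append(rnd, tsHash[:]...))
	return hex.EncodeToString(sum[:]), nil
}

// Encode frames a command for transfer: JSON object, then base64.
func Encode(c Command) (string, error) {
	b, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// Decode reverses Encode and rejects anything that is not base64(JSON).
func Decode(wire string) (Command, error) {
	var c Command
	b, err := base64.StdEncoding.DecodeString(wire)
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(b, &c); err != nil {
		return Command{}, err
	}
	return c, nil
}

// Replicate is the talk's merge rule: look at the right-most entry, append the
// incoming command only if its timestamp is later, otherwise discard it
// silently. The return value reports whether it was appended.
func (ch *Channel) Replicate(c Command) bool {
	if n := len(ch.Commands); n > 0 && c.Timestamp <= ch.Commands[n-1].Timestamp {
		return false
	}
	ch.Commands = append(ch.Commands, c)
	return true
}

// MergeByID is an alternative, not part of the talk's design: deduplicate on
// the command ID and keep the list ordered by timestamp, so a command that
// reaches this server late (after a newer one) is still applied exactly once.
func (ch *Channel) MergeByID(c Command) bool {
	for _, have := range ch.Commands {
		if have.ID == c.ID {
			return false
		}
	}
	ch.Commands = append(ch.Commands, c)
	sort.SliceStable(ch.Commands, func(i, j int) bool {
		return ch.Commands[i].Timestamp < ch.Commands[j].Timestamp
	})
	return true
}

func main() {
	// Constructed sample: three commands, the third delivered out of order.
	cmds := []Command{
		{ID: "a", Description: "ping", Params: []string{"10.0.0.1"}, Timestamp: 100},
		{ID: "b", Description: "wget", Params: []string{"http://example.invalid/x"}, Timestamp: 200},
		{ID: "c", Description: "ping", Params: []string{"10.0.0.2"}, Timestamp: 150},
	}
	naive, byID := &Channel{Name: "default"}, &Channel{Name: "default"}
	for _, c := range cmds {
		wire, _ := Encode(c) // what would go over the server-to-server link
		got, _ := Decode(wire)
		fmt.Printf("%s: Replicate=%v MergeByID=%v\n", got.ID, naive.Replicate(got), byID.MergeByID(got))
	}
	fmt.Printf("timestamp rule kept %d commands, by-ID merge kept %d\n", len(naive.Commands), len(byID.Commands))
}
```

Running it shows command "c" being dropped by the timestamp rule because "b" already sits at the end of the list, which is the same class of problem raised in the Q&A about a server that never receives a message when a link is down: the last-entry comparison cannot tell "old duplicate" apart from "never seen". Deduplicating on the ID costs a lookup per command, so a real implementation would back it with a map or the database the speaker mentions rather than the linear scan used here for brevity.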
Cool. So does anybody have any questions? Why did I decide to do this thing in that way? What do I want to... yeah, you can turn the lights back on, thank you. Any ideas for the network? Open up to questions. Yes, Ed?

So how does the fault tolerance work if, say, the link between... if you go back to the example with, I think, the six, or this one?

Yes. Yeah.

So if you skip forward a few times until there's the five collision, so when you hit five, yeah, it assumes that... yeah, so five knows that it needs to send to four and six. The previous one, the previous example, it's the five node, one, the four node, one, this one?

Yes.

Okay, so server four assumes that three got the message. But if the link between two and three is broken, how is three going to get the message if four assumes that three got the message?

That's another one of the shortcomings of what I had, short of implementing the full peer-to-peer routing.

Okay, so in lieu of implementing the full peer-to-peer routing...

That would be an end goal for this. That's one of the drawbacks: if you do have a link down between one of them and there is some sort of loop there, you're going to get servers that don't have the message,
and yes, that is a problem. Any other questions?

Does it matter what kind of client, like what operating system? Like, what are you using as clients, just Mach?

So for the client, it's a piece that I wrote, that I'm writing, in Go, just because the idea is that it tracks whatever operating system it is. So actually, if we go over to... I'm just going to mirror displays now. If we go over to the code, this is my client code, right? So over here we have the execute ping, right? There's a library for executing a ping command, and how it works is that you can say, hey, perform a ping, and then the Go compiler performs all of the operating-system-specific stuff. So that's the idea: you write it in a language that actually transfers to multiple different systems. That's one of the cool things about Go: a lot of it is designed so that you only have to worry about making it work for the Go compiler, and then it works for the other operating systems. It's not like Python, which compiles to a bytecode and then gets run specifically through there. I guess it is down to a bytecode, and then the bytecode is specified within the compiler, so I guess there is a pre-compiler and then an operating-system-specific compiler. Any other questions? Yes, back there.

So a couple of things. Number one, did you consider using SNMP v2 or v3 to manage? That's number one. And number two, when you said that you want some of these servers, especially the DoS servers, to have a level of being not seen, can you put like a firewall in front of them to prevent unwanted traffic getting in?

Could you say the last half of that sentence?

The last half of that: you'd put a firewall in front of them to prevent the unwanted traffic from getting in.

Yeah, so one of the ideas is that you would have the generic node call back to the network, and the network would know: hey, any nodes that are coming from something that reverse DNS resolves to this domain name, or like the company that I'm trying to target. Let's say I'm trying to attack RIT, right? Anything that's going to be calling back that resolves to an RIT address, I want to have this set of commands and be put into this channel or something. If I'm trying to attack M&T Bank, or someone who comes from like a Time Warner Cable address, I want them to be part of my DoS location. So the server network would have the ability to differentiate: okay, based on these criteria, let's put this client into either the default channel, which most of them will be put into and will not be used as much, except for like updates and such to the bots, or, based on where they're coming from, put them into a specific channel that you created.

Go does all that processing? Like, the scripting does all the processing?

Yeah, it would. So the end goal for that is to be able to create a rule set like that, say through a web interface for the administrator: say, okay, anything coming from here, add to this channel that I've created, and give it just instructions on how to divide them into the channel. And that would... Go right now is going to be the backend server. I may switch it to something else if Go ends up not being the proper language to do exactly what I want, but for the current term, yes, Go will facilitate all of that. Someone else had a question? Yeah, Brad.

You mentioned that you wanted to have the ability to push out updated modules for augmented performance of the implants, correct?

Yeah.

How do you plan on doing that, since Go compiles statically to a
binary, so you can't really use system libraries with it unless you're pushing out a system-based process or script with it? So how are you going to try and do that?

So the idea could be that the implant that you have is more of a driver for other pieces of malware that you have running, or things that you could do. You could have separate scripts, you could have separate pieces of code running on the machine, but ultimately the implant is going to be more of a driver for things and facilitates those other tasks staying afloat. Any other questions? Okay.

So, a couple of special thanks. Thanks to Jamie for encouraging me to actually do this talk, and then Brad for introducing me to Go and general design assistance and such. Those are my references. You can reach me at these things; I literally made a Twitter like two days ago, there's literally nothing on it, but you can reach me there, and that's my email address. So that is all I have. Thank you for coming to my talk.