Cloned Boy
Famous carder Sergey Pavlovich continues his conversation with Sergey Nikitin, deputy head of the computer forensics laboratory at Group-IB, the main Russian private fighter against hackers, carders and other cybercriminals.
Enjoy reading!
Contents:
- What languages are Trojans written in?
- Project "Hippo"
- "Kaspersky's products look weak..."
- NSA Servers Hacked, Pro-Government Hacker Groups
- "They got everywhere, without James Bond"
- How do you identify pro-government hacker software, Trojan?
- Fines for unencrypted Wi-Fi, how to cover up tracks
- Methods of operation of APT groups
- 5G, US sanctions for Huawei
- Standard encryption programs, Ubuntu, the importance of updates
- "90% of viruses are written for Windows"
- Viruses on iOS
- "Assembly system for protection against special services"
- Phishing videos on YouTube
- Social engineering, tribot virus
- Secure Browsers, Cross-Site Scripting Protection
- Malicious extensions for Google Chrome
- Bitcoins stolen, AppStore
- Data collection, voice bots
- History of Skype, change of developer
Pavlovich:
And, guys, we continue the interview with Sergei Nikitin from Group-IB. Or what is your patronymic?
Specialist:
Anatolyevich.
In what languages are Trojans written?
Pavlovich:
Sergei Anatolyevich.
Well, we continue and today Sergei is leaving for Singapore soon, as I already said in the previous issue, so now we will try to film as much as possible or we will have to do it later on Zoom, so every minute counts, my dear. In what languages are Trojans mainly written?
Expert:
Oh, very different, including recently Nagot, Rayan, mainly, naturally, it's C++, there are Delphi, well, that's what I'm saying, that is, there are all sorts of extravagant ones, now there are a bunch of all sorts of just PowerShell scripts, yes, which contain a piece of binary, well, that is, there are a huge number of options, but mainly, of course, C++ specifically for some kind of, for a DLL, yes, some kind, or even for a driver, of course, advantages.
Pavlovich:
Well, these are, as I said, some other low-level languages, like assembler, right? Something for drivers.
Expert:
It happens that they directly write some pieces of code in ASMI, there are direct assembler bets. Naturally, if we are talking about Android, then this is Java, but then again there are even Androids that replace some libraries, which, naturally, are written in C. Therefore, C++ is the best, but, I say, there is also Delphi, there is anything you like. The most widespread C++.
Yes, it simply, as a rule, gives the smallest size, the highest performance, in this vein.
The Begemot Project
Pavlovich:
But one of our advanced viewers writes in a question to you that you have one interesting non-public software called "Begemot". This is not a joke, that is the name. The software collects data on a person from public sources, social networks, with a park and so on, and the correlation of this data between people, is compared with people, and says, we held a conference on the results of a pilot installation, they sold your software to someone, and says, to be honest, I was shocked by the result, I asked them about Begemot, what they would say, and whether they would say anything at all.
Specialist:
Well, I can say that such a thing exists, a large amount of information is collected there, including, for example, from shadow forums from the Darknet, intended for a wide range of tasks. Is it some kind of parser? It's like a parser, but it's sold as a service, it's not software, that is, you are sold access to a personal account, it's needed, for example, to check people you hire, and many other similar tasks are solved.
According to public sources? According to public sources, but we can say not publicly yet, it is all sorts of Darknet, it is not so easy to parse, let's say. But there are many sources there, and there is also customization of subclients, but this is a B2B service, for some of our trusted clients. It is not on the website, it is there anyway.
Pavlovich:
Well, so that they would not use it for penetration.
Specialist:
Yes, yes, yes, they do not promote it directly. That is, this is history, plus, as far as I know, it is currently being completely rewritten, it seems that even some business model will change there.
Pavlovich:
Reputation management can still be carried out through it.
Specialist:
Yes, but so far it has not been launched publicly, but such a name and such a service exist. Begemotik. Is this not an official working title? Well, it is tacked on, as I say, this project is not public. In short, this is the internal name.
"Kaspersky products look weak..."
Pavlovich:
You see, what advanced viewers we have, they even dug up non-public software from Group-IB.
Spitsy writes that Kaspersky products look weak for now. But everything is ahead.
Hacking NSA servers, pro-government hacker groups
Pavlovich:
Question. Have you studied the hacking of servers associated with the NSA Equation Group and their subsequent leak by Shadow Brokers?
Specialist:
I did not take part directly. Naturally, I read the reports, I did not directly participate in such cases. We will have a lot of questions about government hacker groups later. Yes, indeed, they exist, I took part in a huge number of attacks by Chinese APT against our state-owned enterprises, all sorts of different ones.
Pavlovich:
Are the Chinese getting into our state-owned enterprises?
Specialist:
Yes, and basically it's industrial espionage, that is, all sorts of factories, embassies, the army, all that stuff, they've been actively crawling for a long time, there are a lot of places where they exist, very diverse, and it's clear that this is history, let's say, custom Trojans for a specific enterprise, which never appeared on VirusTotal, they work there in single copies, and there are atomized small pieces, that is, let's say, not one Trojan per megabyte, but 50-10 Trojans, one only does a proxy, another does a forward, the third does something else.
Pavlovich:
Well, it's like in Stuxnet, one ensures login to the system, the second worm ensures penetration, the third one already penetrates, if the second one did not penetrate.
"They penetrated everywhere, without James Bond"
Specialist:
Yes, yes, that's the story, and they really are actively attacking, and to be honest, it's scary to even imagine how many different unitary enterprises are infected in Russia, it seems to me that they have penetrated almost everywhere, they are actively getting into our defense industry, and the main problem is simply that local teams are poorly funded, they are not ready to respond, money for information security is allocated on a static basis.
So, and I, in general, cannot imagine how many of our drawings have already leaked without James Bond, who penetrated the plant and stole them, but simply because the computer of the person who works in CAD was hacked a long time ago.
And, so that you understand, we had cases where the Chinese APT, for example, was there for seven years, that is, we found the oldest computers, there, from, say, I don't know, the fourteenth...
Pavlovich:
What about this instrument-making?
Expert:
No, I mean, from some 1913, say, yes, and it is clear that there may have been even older ones, they have simply been written off. Therefore, yes, this is a huge problem, well, the problem is also state security.
How do they identify pro-government hacker software, a Trojan?
Pavlovich:
And by what signs do you figure out that it is more likely a Trojan, by some specific piece of code or by its complexity, perhaps?
Expert:
Firstly, the complexity, secondly, the goal, that is, not to steal money or anything else, but industrial espionage, for a very long time, they transmit information in small pieces, they hide as much as possible.
Pavlovich:
So as not to be detected in the traffic flow, right?
Specialist:
Yes, because the traffic volume there is usually not very large, well, because the Internet is cut there somehow, but still not good enough, plus there is a huge number of reports, completely public, about Chinese APTs, they are there right at the same CrowdStrike, they are divided separately, against Russian APTs there are different bears, well, and so for each country they have different totem animals.
And there is just a huge number of Chinese, you can read these APTs there, they have numbers, some have separate names, some do not, but there are so many of them that there are certain intersections, that is, some pieces of code are used. Secondly, very often they work directly on some Chinese time, that is, you can see there that their military unit formation has ended, they have 7 am there, and they start working.
They have activated. Yes-yes-yes, that is, everyone there has worked, formation and went home. But again, where, how is all this given, transmitted, sometimes there are errors in translation, there are often phishing targeted mailings to infect someone, and it is clear that it was not translated from English.
Pavlovich:
Well, these are the same ones who translate product descriptions on Aliexpress.
Specialist:
No, it's usually much better there, but still, yes, that's why there are many signs, as I said, attribution is a thankless thing, but there can always be Americans pretending to be Chinese, yes, and all the time when Russian hackers are accused, you can never be sure whether these are really some kind of cyber troops or another information story, some kind of disinformation campaign.
But yes, specifically Chinese hackers, they are characteristic and we have met many different ones. This is a problem, yes, this is a problem, but mainly state-owned enterprises, because, again, they are not very interested in businessmen, they are interested in.
Pavlovich:
All sorts of secrets. Well, and better protected.
Specialist:
Yes, yes, yes.
Fines for unencrypted Wi-Fi, how to cover up tracks
Pavlovich:
And by the way, you started talking to me yourself, I get asked quite often, has anyone ever managed to successfully shift the blame onto another person? So you kind of make a backdoor on your computer and try to prove that it wasn’t me, that money was stolen through my computer, but it wasn’t me, look, there’s some kind of backdoor, the computer was hacked. Well, you understand.
Specialist:
Yes, I know of one decision, the court just overturned it, that is, the person was not charged, but did not receive a prison sentence. What did he do? He had open Wi-Fi. He did it after all. Yes, yes, yes. He had open Wi-Fi on purpose, he deliberately did not provide the password. And he says, yes, my IP is there, but it could have been anyone, because I have an open network, and all the apartments around it, and the parking lot in front of the house, you prove that it was me, and there was nothing on his computer, because the computer was new.
Clean. It was brand new, that's it. Well, that's it, and there wasn't enough evidence, there were problems with that, that's it. That's why in many countries there are fines for unencrypted Wi-Fi. For example, in Germany they have a special radio police that goes around, scans, and if there is an open access point, finds and fines the owner, so that it would always be possible to identify the one who did it.
Pavlovich:
Well, the problem is also in default passwords, that is, often default passwords are set in routers, and when we install the Internet at home, we don't change the settings, via the web, you can go into the settings of your router, for example, and change everything there, but you don't change the password, or you change it but set it, well, my neighbor had it, it wasn't me who hacked it, just a kid was visiting me, 12345678, what is such a password good for, that is, any program for brute-forcing it will brute-force it there using a dictionary instantly, but I don't know how many seconds it took for that and right away.
Methods of operation of APT groups
Pavlovich:
Then, a follow-up question about APT groups, this is also from one of our very smart viewers. Have the methods of APT groups changed after the same source leaked a manual on how to recognize what group took part in ATAI by pieces of code?
Specialist:
I am sure, I have already partially said this, I am sure that after some time, and this is happening right now, now APT, whether Chinese, American, Russian, Arab and so on, they will try to mimic each other. That is exactly what will happen. And I repeat, the issue of attribution is always very difficult, because there is no obvious beneficial acquirer here, I mean no one got money there, yes, someone was collecting some information over a short period of time.
Who it could have been is a huge question.
5G, US sanctions for Huawei
Pavlovich:
Well, America for some reason probably deserved it, as if there is smoke without fire, I still convince you in my already quite long life that there is no such thing. America, of course, appoints China, not Russia, as its main enemy, well and in the sphere of cyber confrontation and in the economy.
Specialist:
Of course not, it is simply economic, yes, that is, well, what is Russia, there, percentage of GDP, yes, and what is China. And the production capacity of all IT, now there is a struggle of the 5G base, who will capture the market, who will dominate the manufacturing market.
Pavlovich:
Masalovich said, by the way, I will interrupt, that the sanctions against Huawei in America were connected precisely with the fact that they were pushed back a little, and so that American companies would take a leading position.
Specialist:
He is absolutely right, I agree with him, yes, that is, the main pressure is on Huawei, so that they simply do not become the dominators of the equipment, base stations first of all.
Pavlovich:
To gain time.
Specialist:
Yes, yes, because they accelerated very much, and the West simply did not have time, simply did not have time to refine, patent, release the equipment and they just needed to launch, otherwise Huawei would have been installed everywhere because the telecom market is pushing 5G with all its might and they don’t care, businessmen don’t care what to install, they need to launch as quickly as possible and get their bonuses and so on, if Huawei has ready equipment, and here it will be there in a year and a half, why not take Huawei then, everyone wants it, but it is impossible to ban it directly, it is only with sanctions.
So sanctions were actually introduced.
Regular encryption software, Ubuntu, the importance of updates
Pavlovich:
Well, about the problems in Russia, again, we discussed with Seryozha in previous issues, that it is connected with the military and so on, therefore in Russia again, we probably will not wait for a long time for normality. But here is a small specific question. My Ubuntu home folder is encrypted with a standard utility. Is it reliable?
Specialist:
Well, it depends on who you are protecting yourself from, yes. That is, it depends on what he calls a standard utility, in principle, LUKS, yes, this is encryption in Linux, which exists, it is standard, it is quite strong, yes, use a strong password and that is already not bad. Here, again, Ubuntu is great, but do not forget to update it and update all the packages, because viruses for *nix, they exist, and they also use all sorts of stupid vulnerabilities, and we had a huge number of incidents when someone set up a web server on *nix, naturally, but almost all of them are on *nix.
Here, and it works, everything is fine, but everyone forgets that it also needs to be updated periodically, to do something with it, and basically here it works and don't touch it, because all the dependencies can go, this is a whole separate hemorrhoid, and there is some service running, it cannot be stopped, in general, this is a whole problem.
Ubuntu is great, LUKS is good, a strong password, timely updates, if you install something self-assembled from some packages, yes, this also needs to be updated, because your package manager may not see these updates, that is, you need to keep all this in mind and update it all in a timely manner.
Pavlovich:
You were right about the update, and sometimes you just don't get into it so that nothing goes wrong. Here is WordPress, I came across it on my personal sites, they ask to update the PHP version there, you update it, your main one goes wrong, half of your site does not work. That is probably why people do not update, but since we are already talking about WordPress, then plugins in WordPress need to be updated constantly. There is a utility, also a plugin in WordPress, Advanced, I have something called a plugin updater, and it automatically updates all of its plugins.
This is a really cool thing, because WordPress is mostly hacked, either by brute-forcing if you have a weak password, or by hacking with the help of unupdated, timely plugins. So update everything, update the operating system of your server, let's say, yes, of your site, and, of course, all installed plugins, and then, in addition, about Linux.
"90% of viruses are written for Windows"
Pavlovich:
By the way, how many in percentage terms, if we take all operating systems, yes, not mobile, let's say, but stationary PCs, servers, how many viruses are there for which system? That's how you would estimate in percentage terms.
Specialist:
Well, to be honest, Windows is probably 90 percent there. And the rest, maybe 8 percent or 9, are different Linuxes. Well, that is, the Linux community will probably be watching us there. And it is clear that there is RedHat, yes, it is a separate line and Debian has a separate line, and naturally I call all of this *nix-like, not all of them are Linux, some are Unix-like, but there is no point in taking words out of context, everyone understands that these are some Linuxes, they are all some Linuxes, that is probably another 9 percent, and another percent are all sorts of strange operating systems, including Macs.
Viruses on iOS
Specialist:
Yes, including Macs, well, just because of the complexity of installation, and now on M1 these Macs, there is generally madness, since it is now again a mobile architecture, these are signatures, this is actually a small iOS, which is launched on a laptop, well, there with sandboxing, although there was already a virus for M1, because Apple signed it.
That is, Apple signed a virus that ...
Pavlovich:
In the App Store, in your application?
Specialist:
Not in the App Store, but there a person, it is not necessary to publish it directly in the App Store, but you can get a separate signature that will ban it, that is, he receives a developer certificate from Apple directly, and signs the application with it, and it is considered trusted. And, in my opinion, 30 thousand computers were infected with some stupid virus, it could not really do anything. And Apple immediately revoked the certificate, and this stopped it from working. That is, it now works in such a way that without a certificate it can no longer start up to some kind of infection certificate.
Even if it is installed, it can no longer start. Cool. Here. And there they even wondered why it was needed, because there is some stupid virus, that it is nothing special. Perhaps it was a loader or stager for further attack. Even M1 is not a panacea, but the ease with which they fight it, close it all, it certainly makes viruses writing for Macs, especially modern ones.
Economically inexpedient first of all. A very dubious occupation.
Pavlovich:
Yes, very dubious, but it happens. Tim Cook, it's time for the Russian office of Apple, it's time for us to send Seryozha specifically and Group-IB, and me too, by the way, a few computers as a gift. Otherwise, we are already tired of advertising you for free.
"Build system for protection against special services"
Pavlovich:
And we are probably done about Linux and with Linux, or not. Which system, except BSD? Now there will be half of the words unfamiliar to me, unfortunately. What system, other than BSD, Kodachi and other systems that force Google, is best used to create an anonymous OS build to protect against intelligence agencies?
Expert:
Oh, well, it's hard for me to answer here, I mean, the answer will probably be pretty stupid. Like, if you're some kind of super Linux user, then why would you use someone else's build that you can't trust? Take Gentoo, compile everything from scratch, use only the packages that you need, and you can be sure of them. Yes, but it's obvious that this is absolutely not a user-friendly story. Well, it's always a question of trust. Yes, when we talked about VPN, that is, which one to use? Well, you can't trust any of them.
Yes, if you haven't personally checked everything, you can't trust them. The same goes for some builds. If some super anonymity is needed there, and you definitely understand it, do it yourself. If not, use anything from the list. It's a question of trust, just a question of trust.
Phishing videos on YouTube
Specialist:
Again, if this is some kind of live system, you booted into a flash drive, worked, and it disappeared after rebooting, well, what can we talk about, nothing will be saved anywhere, except for network traces, of course.
Pavlovich:
By the way, I remembered, they use, you know, YouTube for distributing stealers, loaders and other Trojans, like, that is, on YouTube, I talked to YouTube managers, or an outright scammer has some kind of phishing video there luring people to a phishing site, well, an outright scammer, it is practically impossible to delete the video, that is, hundreds of thousands of complaints about the video, well, everyone writes, they say there that the company even writes that a fraudulent video was posted there on our behalf, it just hangs there for months, what do they do? Either they lure people to a phishing site, or, for example, they hang a link directly to a stealer, and it is there, I don’t know, some kind of video, how to set up something on Windows. And they directly write that, they say, you, this is a crack, in fact, we give you a crack, in fact, accordingly, you turn off antiviruses, firewall, they will swear, but don’t be afraid, they swear at all cracks, Windows and so on, and so, therefore, please, you immediately turn off antiviruses, firewall, then install our crack, this is how they are distributed through YouTube by the hundreds, thousands are simply distributed.
Social engineering, TrickBot virus
Specialist:
There is an interesting point about this. There is TrickBot, it is also known to many there. Now recently they posted recordings of conversations, what they do. They are like this to a Western company, they send all sorts of phishing letters from Syria. You know, you have some kind of subscription, I mean, to a company. You need to turn it off, if you want, fill out a certain form.
And if anything happens, call such and such a number, or a contact number. That is, a call occurs, and there is a person with a Russian accent, like "Hello". He says something like "Yes, to cancel the subscription, you need to fill out a certain form. Here is a link to it, it is an Excel document. You open it, and now you need to enable macros to fill it out." And like "Yes, you enabled it, well done, now fill it out."
And he hangs there for a few more minutes so that the person remembers everything. He says, yes, now you send it by return email, but in fact, at the moment when the macro was enabled, the infection has already occurred. That is, the use of elements of social engineering, even conversations, some kind of persuasion that this is how it should be, we just have such a form, it needs macros, and it works great. People enable it, fill it out, get infected.
Secure browsers, protection from cross-site scripting
Pavlovich:
Well, any salesperson can do this, it is to remove the client's fears. That is, you explain in advance what it is needed for and so on, so that he does not ask stupid questions. And another question about local storage and cookies in browsers, which can be intercepted by any built-in script on the site for the extension. Is it possible to find a safe browser, and in general, is protection from cross-site scripting possible or not?
Malicious extensions for Google Chrome
Specialist:
Well, first of all, it should be implemented on the sites themselves, yes, so that XSS does not work, that's it. Here the question is how to protect against what. I recently came across a case where an extension for Chrome did very bad things.
Pavlovich:
What, for example?
Specialist:
Firstly, there were clickers that simply clicked ads on your behalf.
Secondly, there were real stealers who steal passwords saved in Chrome, because they have access directly to the entire content of the page, and they stole passwords. Thirdly, there was an extension that inserted ads everywhere itself. There was an extension that mines.
Pavlovich:
It's all in one....
Specialist:
It's different. That is, right... And what's the problem? This may also probably be interesting to viewers. What's the problem? It happens that 100 years ago you installed some extensions in Chrome, and then, when you have to transfer a new computer, you log in to your account and all these extensions are not sucked in automatically. That is, every time you register in Chrome, create a Google account, it sucks in all these extensions. So that's what happens.
Some extension, for example, is bought by some other author and releases a new version, and there is completely different code, other places, some malware is added there and makes money on this, until someone comes to their senses, does not notice that this happened.
Bitcoins were stolen, AppStore
Pavlovich:
How do they upgrade? That is, the code is simply obfuscated and does not reveal any anti-verifications.
Expert:
Google. Google is generally not very good at moderating properly. But here we can tell, by the way, about the story about Apple. Let's throw a stone at them. Just the other day there was a story about a person who installed some left-wing crypto wallet from the App Store directly on the iPhone, and it turned out that it was fraudulent. And the person entered his data there, his bitcoins were stolen. Well, he complained to Apple, Apple immediately deleted the application.
And the whole problem there was that there was not a single precedent. The person simply made an application, which, in fact, what is it? It is a form that sends this data somewhere, and it is impossible to calculate that they are fraudulent. That is, it is a left-wing crypto wallet that does not parody any, it does not parody, does not fake any.
Pavlovich:
Well, they would have figured out by the name that these are clones.
Specialist:
Yes, that is, it is not a clone, nothing, but it simply actually executes a form that sends this data somewhere and here, of course, there are questions for this guy himself, a large sum was stolen from him, several bitcoins, that is, several, not a dozen shares, but several bitcoins, you can google this story, but yes, indeed, like I missed it, but on the other hand, they did not even have any formal reasons to block it, to check there that this is really a fraudulent story, well, there are a lot of their applications, you should not enter any sensitive data, God knows where.
Data collection, voice bots
Specialist:
There may be problems with this. Again, there are all sorts of moments when you yourself provide access to your data. For example, recently such a moment arose that it was necessary to transfer music, there, from Yandex.Music to Spotify or somewhere else, to synchronize playlists. And a bunch of these services, they ask to give full access to Yandex.Information.
Just to the whole service why why well that's how it works
Pavlovich:
But most people will agree.
Specialist:
Yes, yes, yes there are all sorts of voice bots that intercept your SMS calls there to insert a voice assistant there again they will collect all the data about calls about SMS to incoming and people themselves provide these accesses and here I will again fall back to what I started do not forget that at some point the developer can change and everything will work completely differently.
The history of Skype, change of developer
Specialist:
I'll give you an example with Skype. Skype was conceived as a decentralized peer-to-peer network for communication that would be impossible to control. And then Microsoft bought them, they made supernodes that have keys and that give all the data to the secret services, including voice data.
Pavlovich:
It became impossible to use.
Specialist:
Yes, yes, yes. I just think that there are old-timers here who remember Skype when it started out as exclusively peer-to-peer, history, what it has turned into now. And here my idea is that if you have any old solutions in browsers, now almost everything is Chromium-based, except for Safari.
Pavlovich:
Well, and apps on your phone as well.
Specialist:
Yes, yes, yes. Check, maybe with some next update it is not what it was at the very beginning, maybe you don't need them, delete the unnecessary ones.
Pavlovich:
This means that I just know people who are from the dating industry, for example, and now it is almost impossible to add a new dating app, a tarot app, a numerology app to Apple. All this is impossible. And, accordingly, in order to add, well, not something fraudulent, absolutely legal, a dating app, for example, people are forced to buy up old apps and repurpose them, old developer accounts, so to speak. I don’t know how much it costs, I haven’t encountered it yet.
So, has everyone answered your questions?
Specialist:
Yes, it’s not bad, just always keep in mind that it can be used against you.
Enjoy reading!
Contents:
- What languages are Trojans written in?
- Project "Hippo"
- "Kaspersky's products look weak..."
- NSA Servers Hacked, Pro-Government Hacker Groups
- "They got everywhere, without James Bond"
- How do you identify pro-government hacker software, Trojan?
- Fines for unencrypted Wi-Fi, how to cover up tracks
- Methods of operation of APT groups
- 5G, US sanctions for Huawei
- Standard encryption programs, Ubuntu, the importance of updates
- "90% of viruses are written for Windows"
- Viruses on iOS
- "Assembly system for protection against special services"
- Phishing videos on YouTube
- Social engineering, tribot virus
- Secure Browsers, Cross-Site Scripting Protection
- Malicious extensions for Google Chrome
- Bitcoins stolen, AppStore
- Data collection, voice bots
- History of Skype, change of developer
Pavlovich:
And, guys, we continue the interview with Sergei Nikitin from Group-IB. Or what is your patronymic?
Specialist:
Anatolyevich.
In what languages are Trojans written
? Pavlovich:
Sergei Anatolyevich.
Well, we continue and today Sergei is leaving for Singapore soon, as I already said in the previous issue, so now we will try to film as much as possible or we will have to do it later on Zoom, so every minute counts, my dear. In what languages are Trojans mainly written?
Expert:
Oh, very different, including recently Nagot, Rayan, mainly, naturally, it's C++, there are Delphi, well, that's what I'm saying, that is, there are all sorts of extravagant ones, now there are a bunch of all sorts of just PowerShell scripts, yes, which contain a piece of binary, well, that is, there are a huge number of options, but mainly, of course, C++ specifically for some kind of, for a DLL, yes, some kind, or even for a driver, of course, advantages.
Pavlovich:
Well, these are, as I said, some other low-level languages, like assembler, right? Something for drivers.
Expert:
It happens that they directly write some pieces of code in ASMI, there are direct assembler bets. Naturally, if we are talking about Android, then this is Java, but then again there are even Androids that replace some libraries, which, naturally, are written in C. Therefore, C++ is the best, but, I say, there is also Delphi, there is anything you like. The most widespread C++.
Yes, it simply, as a rule, gives the smallest size, the highest performance, in this vein.
The Begemot Project
Pavlovich:
But one of our advanced viewers writes in a question to you that you have one interesting non-public software called "Begemot". This is not a joke, that is the name. The software collects data on a person from public sources, social networks, with a park and so on, and the correlation of this data between people, is compared with people, and says, we held a conference on the results of
a pilot installation, they sold your software to someone, and says, to be honest, I was shocked by the result, I asked them about Begemot, what they would say, and whether they would say anything at all.
Specialist:
Well, I can say that such a thing exists, a large amount of information is collected there, including, for example, from shadow forums from the Darknet, intended for a wide range of tasks. Is it some kind of parser? It's like a parser, but it's sold as a service, it's not software, that is, you are sold access to a personal account, it's needed, for example, to check people you hire, and many other similar tasks are solved.
According to public sources? According to public sources, but we can say not publicly yet, it is all sorts of Darknet, it is not so easy to parse, let's say. But there are many sources there, and there is also customization of subclients, but this is a B2B service, for some of our trusted clients. It is not on the website, it is there anyway.
Pavlovich:
Well, so that they would not use it for penetration.
Specialist:
Yes, yes, yes, they do not promote it directly. That is, this is history, plus, as far as I know, it is currently being completely rewritten, it seems that even some business model will change there.
Pavlovich:
Reputation management can still be carried out through it.
Specialist:
Yes, but so far it has not been launched publicly, but such a name and such a service exist. Begemotik. Is this not an official working title? Well, it is tacked on, as I say, this project is not public. In short, this is the internal name.
"Kaspersky products look weak..."
Pavlovich:
You see, what advanced viewers we have, they even dug up non-public software from Group-IB.
Spitsy writes that Kaspersky products look weak for now. But everything is ahead.
Hacking NSA servers, pro-government hacker groups
Pavlovich:
Question. Have you studied the hacking of servers associated with the NSA Equation Group and their subsequent leak by the Shadow Brokers?
Specialist:
I did not take part directly. Naturally, I read the reports, I did not directly participate in such cases. We will have a lot of questions about government hacker groups later. Yes, indeed, they exist, I took part in a huge number of attacks by Chinese APT against our state-owned enterprises, all sorts of different ones.
Pavlovich:
Are the Chinese getting into our state-owned enterprises?
Specialist:
Yes, and basically it's industrial espionage, that is, all sorts of factories, embassies, the army, all that stuff, they've been actively crawling for a long time, there are a lot of places where they exist, very diverse, and it's clear that this is a story of, let's say, custom Trojans for a specific enterprise, unique ones that never appeared on VirusTotal,
they work there in single copies, and there are atomized small pieces, that is, let's say, not one Trojan per megabyte, but 50-10 Trojans: one only does a proxy, another does a forward, the third does something else.
Pavlovich:
Well, it's like in Stuxnet: one ensures login to the system, the second germ ensures penetration, the third one already penetrates if the second one did not.
"They penetrated everywhere, without James Bond"
Specialist:
Yes, yes, that's the story, and they really are actively attacking, and to be honest, it's scary to even imagine how many different unitary enterprises are infected in Russia, it seems to me that they have penetrated almost everywhere, they are actively getting into our defense industry, and the main problem is simply that local teams are poorly funded, they are not ready to respond, money for information security is allocated on a static basis.
So, and I, in general, cannot imagine how many of our drawings have already leaked without James Bond, who penetrated the plant and stole them, but simply because the computer of the person who works in CAD was hacked a long time ago.
And, so that you understand, we had cases where the Chinese APT, for example, was there for seven years, that is, we found the oldest computers, there, from, say, I don't know, the fourteenth...
Pavlovich:
What about this instrument-making?
Expert:
No, I mean, from some 1913, say, yes, and it is clear that there may have been even older ones, they have simply been written off. Therefore, yes, this is a huge problem, well, the problem is also state security.
How do they identify pro-government hacker software, a Trojan?
Pavlovich:
And by what signs do you figure out that it is more likely a Trojan, by some specific piece of code or by its complexity, perhaps?
Expert:
Firstly, the complexity, secondly, the goal, that is, not to steal money or anything else, but industrial espionage, for a very long time, they transmit information in small pieces, they hide as much as possible.
Pavlovich:
So as not to be detected in the traffic flow, right?
Specialist:
Yes, because the traffic volume there is usually not very large, well, because the Internet is cut there somehow, but still not good enough; plus there is a huge number of reports, completely public, about Chinese APTs, they are there right at the same CrowdStrike, they are divided separately, whereas Russian APTs are different bears, well, and so for each country they have different totem animals.
And there is just a huge number of Chinese ones, you can read about these APTs there, they have numbers, some have separate names, some do not, but there are so many of them that there are certain intersections, that is, some pieces of code are reused. Secondly, very often they work directly on Chinese time, that is, you can see there that their military unit formation has ended, it is 7 am there, and they start working.
They have activated. Yes-yes-yes, that is, everyone there has worked, formation and went home. But again, where, how is all this given, transmitted, sometimes there are errors in translation, there are often phishing targeted mailings to infect someone, and it is clear that it was not translated from English.
Pavlovich:
Well, these are the same ones who translate product descriptions on Aliexpress.
Specialist:
No, it's usually much better there, but still, yes, that's why there are many signs, as I said, attribution is a thankless thing, but there can always be Americans pretending to be Chinese, yes, and all the time when Russian hackers are accused, you can never be sure whether these are really some kind of cyber troops or another information story, some kind of disinformation campaign.
But yes, specifically Chinese hackers, they are characteristic and we have met many different ones. This is a problem, yes, this is a problem, but mainly state-owned enterprises, because, again, they are not very interested in businessmen, they are interested in.
Pavlovich:
All sorts of secrets. Well, and better protected.
Specialist:
Yes, yes, yes.
Fines for unencrypted Wi-Fi, how to cover up tracks
Pavlovich:
And by the way, you started talking to me yourself, I get asked quite often, has anyone ever managed to successfully shift the blame onto another person? So you kind of make a backdoor on your computer and try to prove that it wasn’t me, that money was stolen through my computer, but it wasn’t me, look, there’s some kind of backdoor, the computer was hacked. Well, you understand.
Specialist:
Yes, I know of one decision, the court just overturned it, that is, the person was not charged, but did not receive a prison sentence. What did he do? He had open Wi-Fi. He did it after all. Yes, yes, yes. He had open Wi-Fi on purpose, he deliberately did not provide the password. And he says, yes, my IP is there, but it could have been anyone, because I have an open network, and all the apartments around it, and the parking lot in front of the house, you prove that it was me, and there was nothing on his computer, because the computer was new.
Clean. It was brand new, that's it. Well, that's it, and there wasn't enough evidence, there were problems with that, that's it. That's why in many countries there are fines for unencrypted Wi-Fi. For example, in Germany they have a special radio police that goes around, scans, and if there is an open access point, finds and fines the owner, so that it would always be possible to identify the one who did it.
Pavlovich:
Well, the problem is also in default passwords, that is, often default passwords are set in routers, and when we install the Internet at home, we don't change the settings; via the web you can go into the settings of your router, for example, and change everything there, but you don't change the password, or you change it but set, well, "my neighbor had it, it wasn't me who hacked it, just a kid was visiting me", 12345678; what is such a password good for, that is, any program
for brute-forcing will brute-force it there using a dictionary instantly, I don't know how many seconds it took for that, right away.
Methods of operation of APT groups
Pavlovich:
Then, a follow-up question about APT groups, this is also from one of our very smart viewers. Have the methods of APT groups changed after the same source leaked a manual on how to recognize which group took part in an attack by pieces of code?
Specialist:
I am sure, I have already partially said this, I am sure that after some time, and this is happening right now, now APT, whether Chinese, American, Russian, Arab and so on, they will try to mimic each other. That is exactly what will happen. And I repeat, the issue of attribution is always very difficult, because there is no obvious beneficial acquirer here, I mean no one got money there, yes, someone was collecting some information over a short period of time.
Who it could have been is a huge question.
5G, US sanctions for Huawei
Pavlovich:
Well, America for some reason probably deserved it, as if there is smoke without fire, I still convince you in my already quite long life that there is no such thing. America, of course, appoints China, not Russia, as its main enemy, well and in the sphere of cyber confrontation and in the economy.
Specialist:
Of course not, it is simply economic, yes, that is, well, what is Russia, there, percentage of GDP, yes, and what is China. And the production capacity of all IT, now there is a struggle of the 5G base, who will capture the market, who will dominate the manufacturing market.
Pavlovich:
Masalovich said, by the way, I will interrupt, that the sanctions against Huawei in America were connected precisely with the fact that they were pushed back a little, and so that American companies would take a leading position.
Specialist:
He is absolutely right, I agree with him, yes, that is, the main pressure is on Huawei, so that they simply do not become the dominators of the equipment, base stations first of all.
Pavlovich:
To gain time.
Specialist:
Yes, yes, because they accelerated very much, and the West simply did not have time, simply did not have time to refine, patent, release the equipment and they just needed to launch, otherwise Huawei would have been installed everywhere because the telecom market is pushing 5G with all its might and they don’t care, businessmen don’t care what to install, they need to launch as quickly as possible and get their bonuses and so on, if Huawei has ready equipment, and here it will be there in a year and a half, why not take Huawei then, everyone wants it, but it is impossible to ban it directly, it is only with sanctions.
So sanctions were actually introduced.
Regular encryption software, Ubuntu, the importance of updates
Pavlovich:
Well, about the problems in Russia, again, we discussed with Seryozha in previous issues, that it is connected with the military and so on, therefore in Russia again, we probably will not wait for a long time for normality. But here is a small specific question. My Ubuntu home folder is encrypted with a standard utility. Is it reliable?
Specialist:
Well, it depends on who you are protecting yourself from, yes. That is, it depends on what he calls a standard utility; in principle, LUKS, yes, this is the encryption in Linux which exists, it is standard, it is quite strong, yes, use a strong password and that is already not bad. Here, again, Ubuntu is great, but do not forget to update it and update all the packages, because viruses for *nix exist, and they also use all sorts of stupid vulnerabilities, and we had a huge number of incidents when someone set up a web server on *nix, naturally, since almost all of them are on *nix.
Here, and it works, everything is fine, but everyone forgets that it also needs to be updated periodically, to do something with it, and basically here it works and "don't touch it", because all the dependencies can break, this is a whole separate headache, and there is some service running, it cannot be stopped, in general, this is a whole problem.
Ubuntu is great, LUKS is good, a strong password, timely updates; if you install something self-assembled from some packages, yes, this also needs to be updated, because your package manager may not see these updates, that is, you need to keep all this in mind and update it all in a timely manner.
Pavlovich:
You were right about the update, and sometimes you just don't get into it so that nothing goes wrong. Here is WordPress, I came across it on my personal sites, they ask to update the PHP version there, you update it, your main one goes wrong, half of your site does not work. That is probably why people do not update, but since we are already talking about WordPress, then plugins in WordPress need to be updated constantly. There is a utility, also a plugin in WordPress, Advanced, I have something called a plugin updater, and it automatically updates all of its plugins.
This is a really cool thing, because WordPress is mostly hacked, either by brute-forcing if you have a weak password, or by hacking with the help of unupdated, timely plugins. So update everything, update the operating system of your server, let's say, yes, of your site, and, of course, all installed plugins, and then, in addition, about Linux.
"90% of viruses are written for Windows"
Pavlovich:
By the way, how many in percentage terms, if we take all operating systems, yes, not mobile, let's say, but stationary PCs, servers, how many viruses are there for which system? That's how you would estimate in percentage terms.
Specialist:
Well, to be honest, Windows is probably 90 percent there. And the rest, maybe 8 percent or 9, are different Linuxes. Well, that is, the Linux community will probably be watching us there. And it is clear that there is RedHat, yes, it is a separate line and Debian has a separate line, and naturally I call all of this Nix-like, not all of them are Linux, some are Unix-like, but there is no point in taking words out of context,
everyone understands that these are some Linuxes, they are all some Linuxes, that is probably another 9 percent, and another percent are all sorts of strange operating systems, including Macs.
Viruses on iOS
Specialist:
Yes, including Macs, well, just because of the complexity of installation, and now on M1 these Macs, there is generally madness, since it is now again a mobile architecture, these are signatures, this is actually a small iOS which is launched on a laptop, well, there with sandboxing, although there was already a virus for M1, because Apple signed it.
That is, Apple signed a virus that ...
Pavlovich:
In the App Store, in your application?
Specialist:
Not in the App Store, but there a person, it is not necessary to publish it directly in the App Store, you can get a separate signature that will allow it, that is, he receives a developer certificate from Apple directly, and signs the application with it, and it is considered trusted. And, in my opinion, 30 thousand computers were infected with some stupid virus, it could not really do anything. And Apple immediately revoked the certificate, and this stopped it from working. That is, it now works in such a way that without a certificate it can no longer start up to some kind of infection certificate.
Even if it is installed, it can no longer start. Cool. Here. And there they even wondered why it was needed, because there is some stupid virus, that it is nothing special. Perhaps it was a loader or stager for further attack. Even M1 is not a panacea, but the ease with which they fight it, close it all, it certainly makes viruses writing for Macs, especially modern ones.
Economically inexpedient first of all. A very dubious occupation.
Pavlovich:
Yes, very dubious, but it happens. Tim Cook, it's time for the Russian office of Apple, it's time for you to send Seryozha specifically and Group-IB, and me too, by the way, a few computers as a gift. Otherwise, we are already tired of advertising you for free.
"Build system for protection against special services"
Pavlovich:
And we are probably done about Linux and with Linux, or not. Which system, except BSD? Now there will be half of the words unfamiliar to me, unfortunately. What system, other than BSD, Kodachi and other systems that force Google, is best used to create an anonymous OS build to protect against intelligence agencies?
Expert:
Oh, well, it's hard for me to answer here, I mean, the answer will probably be pretty stupid. Like, if you're some kind of super Linux user, then why would you use someone else's build that you can't trust? Take Gentoo, compile everything from scratch, use only the packages that you need, and you can be sure of them. Yes, but it's obvious that this is absolutely not a user-friendly story. Well, it's always a question of trust. Yes, when we talked about VPN, that is, which one to use? Well, you can't trust any of them.
Yes, if you haven't personally checked everything, you can't trust them. The same goes for some builds. If some super anonymity is needed there, and you definitely understand it, do it yourself. If not, use anything from the list. It's a question of trust, just a question of trust.
Phishing videos on YouTube
Specialist:
Again, if this is some kind of live system, you booted from a flash drive, worked, and it disappeared after rebooting, well, what can we talk about, nothing will be saved anywhere, except for network traces, of course.
Pavlovich:
By the way, I remembered, they use, you know, YouTube for distributing stealers, ladders and other Trojans, like, that is, on YouTube, I talked to YouTube managers, or an outright scammer has some kind of phishing video there luring people to a phishing site, well, an outright scammer, it is practically impossible to delete the video, that is, hundreds of thousands of complaints about the video, well, everyone writes, they say there that the company even writes that a fraudulent video was posted there on our behalf, it just hangs there for months, what do they do? Either they lure people to a phishing site, or, for example, they hang a link directly to a stealer, and it is there, I don’t know, some kind of video, how to set up something on Windows. And they directly write that, they say, you, this is a crack, in fact, we give you a crack, in fact, accordingly, you turn off antiviruses, firewall, they will swear, but don’t be afraid, they swear at all cracks, Windows and so on, and so, therefore, please, you immediately turn off antiviruses, firewall, then install our crack, this is how they are distributed through YouTube by the hundreds, thousands are simply distributed.
Social engineering, the TrickBot virus
Specialist:
There is an interesting point about this. There is the TrickBot virus, it is also known to many there. Now recently they posted recordings of conversations, what they do. They send all sorts of phishing letters from Syria to a Western company, like: "You know, you have some kind of subscription," I mean, to a company. "You need to turn it off; if you want, fill out a certain form."
And if anything happens, call such and such a number, or a contact number. That is, a call occurs, and there is a person with a Russian accent, like "Hello". He says something like "Yes, to cancel the subscription, you need to fill out a certain form. Here is a link to it, it is an Excel document. You open it, and now you need to enable macros to fill it out." And like "Yes, you enabled it, well done, now fill it out."
And he hangs there for a few more minutes so that the person remembers everything. He says, yes, now you send it by return email, but in fact, at the moment when the macro was enabled, the infection has already occurred. That is, the use of elements of social engineering, even conversations, some kind of persuasion that this is how it should be, we just have such a form, it needs macros, and it works great. People enable it, fill it out, get infected.
Secure browsers, protection from cross-site scripting
Pavlovich:
Well, any salesperson can do this, it is to remove the client's fears. That is, you explain in advance what it is needed for and so on, so that he does not ask stupid questions. And another question about local storage and cookies in browsers, which can be intercepted by any built-in script on the site for the extension. Is it possible to find a safe browser, and in general, is protection from cross-site scripting possible or not?
Malicious extensions for Google Chrome
Specialist:
Well, first of all, it should be implemented on the sites themselves, yes, so that XSS does not work, that's it. Here the question is how to protect against what. I recently came across a case where an extension for Chrome did very bad things.
Pavlovich:
What, for example?
Specialist:
Firstly, there were clickers that simply clicked ads on your behalf.
Secondly, there were real stealers who steal passwords saved in Chrome, because they have access directly to the entire content of the page, and they stole passwords. Thirdly, there was an extension that inserted ads everywhere itself. There was an extension that mines.
Pavlovich:
It's all in one....
Specialist:
It's different. That is, right... And what's the problem? This may also probably be interesting to viewers. What's the problem? It happens that 100 years ago you installed some extensions in Chrome, and then, when you have to move to a new computer, you log in to your account and all these extensions are pulled in automatically. That is, every time you sign in to Chrome, create a Google account, it pulls in all these extensions. So that's what happens.
Some extension, for example, is bought by some other author and releases a new version, and there is completely different code, other places, some malware is added there and makes money on this, until someone comes to their senses, does not notice that this happened.
Bitcoins were stolen, AppStore
Pavlovich:
How do they upgrade? That is, the code is simply obfuscated and does not reveal any anti-verifications.
Expert:
Google. Google is generally not very good at moderating properly. But here we can tell, by the way, about the story about Apple. Let's throw a stone at them. Just the other day there was a story about a person who installed some left-wing crypto wallet from the App Store directly on the iPhone, and it turned out that it was fraudulent. And the person entered his data there, his bitcoins were stolen. Well, he complained to Apple, Apple immediately deleted the application.
And the whole problem there was that there was not a single precedent. The person simply made an application, which, in fact, what is it? It is a form that sends this data somewhere, and it is impossible to calculate that they are fraudulent. That is, it is a left-wing crypto wallet that does not parody any, it does not parody, does not fake any.
Pavlovich:
Well, they would have figured out by the name that these are clones.
Specialist:
Yes, that is, it is not a clone, nothing, but it simply actually executes a form that sends this data somewhere and here, of course, there are questions for this guy himself, a large sum was stolen from him, several bitcoins, that is, several, not a dozen shares, but several bitcoins, you can google this story, but yes, indeed, like I missed it, but on the other hand, they did not even have any formal reasons to block it, to check there that this is really a fraudulent story, well, there are a lot of their applications, you should not enter any sensitive data, God knows where.
Data collection, voice bots
Specialist:
There may be problems with this. Again, there are all sorts of moments when you yourself provide access to your data. For example, recently such a moment arose that it was necessary to transfer music, there, from Yandex.Music to Spotify or somewhere else, to synchronize playlists. And a bunch of these services ask to be given full access to Yandex.Information.
Just to the whole service. Why? Why? Well, that's how it works.
Pavlovich:
But most people will agree.
Specialist:
Yes, yes, yes, there are all sorts of voice bots that intercept your SMS and calls there, to insert a voice assistant there; again they will collect all the data about calls, about SMS, about incoming ones, and people themselves provide these accesses, and here I will again fall back to what I started with: do not forget that at some point the developer can change and everything will work completely differently.
The history of Skype, change of developer
Specialist:
I'll give you an example with Skype. Skype was conceived as a decentralized peer-to-peer network for communication that would be impossible to control. And then Microsoft bought them, they made supernodes that have keys and that give all the data to the secret services, including voice data.
Pavlovich:
It became impossible to use.
Specialist:
Yes, yes, yes. I just think that there are old-timers here who remember Skype when it started out as exclusively peer-to-peer, and what it has turned into now. And here my idea is that if you have any old solutions in browsers, now almost everything is Chromium-based, except for Safari.
Pavlovich:
Well, and apps on your phone as well.
Specialist:
Yes, yes, yes. Check, maybe with some next update it is not what it was at the very beginning, maybe you don't need them, delete the unnecessary ones.
Pavlovich:
This means that I just know people who are from the dating industry, for example, and now it is almost impossible to add a new dating app, a tarot app, a numerology app to Apple. All this is impossible. And, accordingly, in order to add, well, not something fraudulent, absolutely legal, a dating app, for example, people are forced to buy up old apps and repurpose them, old developer accounts, so to speak. I don’t know how much it costs, I haven’t encountered it yet.
So, has everyone answered your questions?
Specialist:
Yes, it’s not bad, just always keep in mind that it can be used against you.