the dark side of malware analysis - andrea pompili - codemotion rome 2015


Upload: codemotion

Posted on 16-Jul-2015

Category: Technology

TRANSCRIPT

Page ‹N› Except where otherwise noted, this work is licensed under http://creativecommons.org/licenses/by-nc-sa/3.0/

Andrea Pompili

[email protected] – Xilogic Corp.

ROME 27-28.03.2015 www.codemotionworld.com

THE DARK SIDE OF MALWARE ANALYSIS

Andrea Pompili

There are only 10 types of people in the world:

Those who understand binary, and those who don't

[email protected]


Command and Control system IPs #>

203.131.222.102:8080

217.96.33.164:8000

88.53.215.64:8000


Malware Analysis?

> To understand the real damage

> To discover the Indicators of Compromise

> To establish the attacker's level of preparation/motivation (Sun Tzu docet)

> To reconstruct the vulnerability that was used (maybe a 0-day :-|)

> To catch the bad guy

> To answer life's big questions…


The noble art of Reverse Engineering

Reverse engineering, def.: «the process of analysing an existing software system in order to create a representation of it at a higher level of abstraction»

Other purposes of reverse engineering include: vulnerability assessment, removal of copy protection, bypassing access restrictions


Ideal Reverse Engineering


Full vs Adequate Analysis


Reversing Malware is like


Malware Architecture (diagram). Infection Stage: Vector, Exploit, Downloader, Command & Control. Then: Launcher, Dropper, Malware Core, Module <01> … Module <XX>


Malware Architecture > Infection Stage (same diagram; the Infection Stage is Vector, Exploit, Downloader, Command & Control)

Emails containing links

Emails containing attachments

The good old USB stick

Malware Architecture > Downloader (diagram of the Infection Stage: Vector, Exploit, Downloader, Command & Control)

How is the Communication Channel Encoded?

<#1> Fixed-byte XOR (evergreen): identifiable (just find an xor opcode in the binary)

<#2> Base64 encoding: identifiable and automatically reversible

<#3> Encryption: crypto libraries are bulky and recognisable, and how do you manage the keys?

<#4> G Channel: depends on the type; try doing that with shellcode!!!
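As an added example (not from the slides), the following Python peels the two "identifiable" encodings above off a captured beacon: it validates and strips the Base64 layer, brute-forces the fixed-byte XOR key using a crib, and scans a code fragment for the xor-immediate opcode that, as the slide says, gives the key away. The beacon text, the key 0xA7, the crib `id=` and the 9-byte decoder loop are all constructed for the demo, not taken from a real sample.

```python
import base64
import re
import string

PRINTABLE = frozenset(string.printable.encode())


def printable_ratio(data: bytes) -> float:
    """Fraction of printable ASCII bytes; readable C2 text scores close to 1.0."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def looks_like_base64(blob: bytes) -> bool:
    """Shape test only: standard alphabet, '=' padding at the end, length a multiple of 4."""
    return len(blob) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", blob) is not None


def crack_single_byte_xor(blob: bytes, crib: bytes):
    """Try all 256 keys, keep candidates that contain the crib, rank them by readability."""
    best_key, best_plain, best_score = None, blob, -1.0
    for key in range(256):
        plain = bytes(b ^ key for b in blob)
        score = printable_ratio(plain)
        if crib in plain and score > best_score:
            best_key, best_plain, best_score = key, plain, score
    return best_key, best_plain


def decode_channel(blob: bytes, crib: bytes) -> dict:
    """Peel the layers in reverse order of application: Base64 first, then the XOR."""
    layers, cur = [], blob
    if looks_like_base64(cur):
        cur = base64.b64decode(cur, validate=True)
        layers.append("base64")
    key = None
    if crib not in cur:  # still unreadable: assume the evergreen fixed-byte XOR
        key, cur = crack_single_byte_xor(cur, crib)
        layers.append(f"xor key 0x{key:02x}" if key is not None else "xor key not found")
    return {"layers": layers, "key": key, "plaintext": cur}


def find_xor_imm8(code: bytes):
    """Crude x86 scan for 'xor al, imm8' (34 ib) and 'xor r/m8, imm8' (80 /6 ib).

    The immediate is the candidate key. Only displacement-free ModRM forms are decoded,
    and a data byte 0x34 produces false positives: treat the hits as leads, not proof.
    """
    hits = []
    for i in range(len(code) - 1):
        if code[i] == 0x34:
            hits.append((i, code[i + 1]))
        elif code[i] == 0x80 and i + 2 < len(code):
            modrm = code[i + 1]
            mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if reg == 6 and (mod == 3 or (mod == 0 and rm not in (4, 5))):
                hits.append((i, code[i + 2]))
    return hits


# Constructed beacon: plaintext -> XOR 0xA7 -> Base64. The key has its high bit set,
# so after the XOR alone the bytes already look like binary noise on the wire.
BEACON_PLAINTEXT = b"id=WS-0042&os=Windows 7&cmd=ping"
BEACON_KEY = 0xA7
CAPTURED_BEACON = base64.b64encode(bytes(b ^ BEACON_KEY for b in BEACON_PLAINTEXT))

# Constructed decoder loop as it could appear in the binary:
#   8a 06     mov  al, [esi]
#   34 a7     xor  al, 0xa7      <- the key, in the clear, right after the xor opcode
#   88 06     mov  [esi], al
#   46        inc  esi
#   e2 f7     loop (back to the top)
DECODER_LOOP = bytes.fromhex("8a0634a7880646e2f7")

if __name__ == "__main__":
    print("xor immediates in code:", [(off, hex(k)) for off, k in find_xor_imm8(DECODER_LOOP)])
    result = decode_channel(CAPTURED_BEACON, crib=b"id=")
    print("layers:", result["layers"], "plaintext:", result["plaintext"].decode())
```

The crib stands in for the format string the analyst has already seen in the binary's strings; without it, ranking by printable ratio alone is enough for long beacons but can tie on short ones. The opcode scan is deliberately narrow: a real decoder can also use `xor [reg+disp], imm8` or a key held in a register, which this pattern will not catch.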

Communication Channel: room for imagination

Malware Architecture > Persistence (diagram: Infection Stage = Vector, Exploit, Downloader, Command & Control; then Launcher, Dropper, Malware Core, Module <01> … Module <XX>)

Malware Architecture > Chained Modules (diagram: Infection Stage = Vector, Exploit, Downloader #1, Command & Control #1; then Downloader #2, Command & Control #2, Malware Component)

Modules and Plugins

> Infostealer

> Keylogging

> Sniffer

> Spyware

> Data Exfiltration

> Remote Control

> Identity Theft

> Ransomware

> Spambot

> Network Scanner

> DDoS Agent

> Targeted attacks

> Data manipulation

> Anonymous Proxy

> DNS Attack

> Warez Archive

Static vs Dynamic Analysis? <#1> Static Analysis

> The code is NEVER executed (or at least it shouldn't be)

> The analysis is performed by transforming or reorganising the artifact's code in successive stages

> A significant number of analysis tools is involved

> Ad-hoc processing tools need to be managed

> Beware of exploits targeting the analysis tools themselves!

> Analysis is limited, or very slow, in the presence of packers or complex obfuscation


First of All


String Revealer


Static Malware

<#1> Native format (PE/ELF)

<#2> Intermediate Language (Java/.NET/etc.)

<#3> Active documents (PDF/Office/etc.)

<#4

Same result == VERY different approaches

The reality #1: <#1> Native format (PE/ELF)


Interactive Disassembler


Online Disassembler


How Malware Writers protect their

http://upx.sourceforge.net/


The way to Packers

Original Program (diagram): DOS MZ Header, PE Header, Section Table, Sections: .text, .data, .rsrc; OEP

Packed Program (diagram): DOS MZ Header, PE Header, Section Table, Sections: Unpacker Stub, TempSpace, Packed Data (original OEP)

FUD (Fully UnDetectable) Packers

UPX, ASPack, PECompact, and the rest

http://it.wikipedia.org/wiki/Exe_Packer
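To make the "Original Program vs Packed Program" layout concrete, here is an added Python example (not part of the talk) that walks the DOS header, PE header and section table by hand and reports the tell-tale signs of the packed layout: packer section names such as UPX0/UPX1, an executable section that is almost empty on disk because the stub fills it at runtime, high-entropy packed data, writable+executable sections, and an entry point that is not in .text. The two images it analyses are built inline with a minimal PE32 header writer, so they are constructed samples rather than real binaries; the section names and flag values come from the PE specification, and the thresholds (entropy above 7.0, virtual size more than 4x raw size) are assumptions of this demo.

```python
import hashlib
import math
import struct

# IMAGE_SCN_* section characteristics from the PE specification
SCN_CNT_CODE, SCN_CNT_INIT_DATA, SCN_CNT_UNINIT_DATA = 0x20, 0x40, 0x80
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
# Section names left behind by UPX, ASPack, PECompact and Petite
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", "pec1", "pec2", ".petite"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compiled x86 code sits around 5-6.5, compressed or encrypted data near 8."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_sections(image: bytes):
    """DOS MZ header -> PE signature -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    optional = coff + 20
    entry_rva = struct.unpack_from("<I", image, optional + 16)[0]  # AddressOfEntryPoint (PE32 and PE32+)
    table = optional + size_of_optional
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, hdr)
        flags = struct.unpack_from("<I", image, hdr + 36)[0]
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr, "vsize": vsize,
                         "raw_size": raw_size, "flags": flags, "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def packer_indicators(image: bytes):
    """Heuristics that separate the 'Packed Program' layout from a normal build."""
    entry_rva, sections = parse_pe_sections(image)
    hits = []
    for s in sections:
        name, flags = s["name"], s["flags"]
        if name in PACKER_SECTION_NAMES:
            hits.append(f"{name}: known packer section name")
        if flags & SCN_MEM_WRITE and flags & SCN_MEM_EXECUTE:
            hits.append(f"{name}: writable and executable (unpack target or stub)")
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:
            hits.append(f"{name}: entropy {s['entropy']:.2f}, compressed/encrypted payload")
        if flags & SCN_MEM_EXECUTE and s["vsize"] > 4 * max(s["raw_size"], 1):
            hits.append(f"{name}: executable but almost empty on disk, filled at runtime")
        in_section = s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"])
        if in_section and name not in (".text", "CODE"):
            hits.append(f"entry point 0x{entry_rva:x} is in {name}: unpacker stub, not the original OEP")
    return hits


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image (headers, section table, raw data); not a real or loadable binary."""
    e_lfanew, size_of_optional, file_align = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)  # AddressOfEntryPoint
    headers_len = len(dos) + 4 + len(coff) + size_of_optional + 40 * len(sections)
    first_raw = (headers_len + file_align - 1) & ~(file_align - 1)
    table, body = b"", b""
    for name, vaddr, vsize, data, flags in sections:
        padded = data + b"\0" * (-len(data) % file_align)
        raw_ptr = first_raw + len(body) if padded else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(padded), raw_ptr, 0, 0, 0, 0, flags)
        body += padded
    header = dos + b"PE\0\0" + coff + bytes(optional) + table
    return header + b"\0" * (first_raw - len(header)) + body


def deterministic_noise(n: int) -> bytes:
    """Stand-in for packed data: a SHA-256 chain, so the high-entropy sample is reproducible offline."""
    out, block = b"", b"constructed payload"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


RWX = SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE
# Constructed "Packed Program": UPX0 is the empty unpack target, UPX1 holds stub and packed data,
# and the entry point lands in UPX1 (the stub) while the original OEP is still inside the packed data.
SAMPLE_PACKED = build_sample_pe([
    (b"UPX0", 0x1000, 0x10000, b"", SCN_CNT_UNINIT_DATA | RWX),
    (b"UPX1", 0x11000, 0x3000, deterministic_noise(0x2800), SCN_CNT_INIT_DATA | RWX),
    (b".rsrc", 0x14000, 0x400, b"\0" * 200 + b"MAINICON" + b"\0" * 100, SCN_CNT_INIT_DATA | SCN_MEM_READ),
], entry_rva=0x13000)
# Constructed "Original Program": OEP in .text, code-like bytes, no writable code section.
SAMPLE_CLEAN = build_sample_pe([
    (b".text", 0x1000, 0x600, bytes(range(0x40, 0x80)) * 20, SCN_CNT_CODE | SCN_MEM_READ | SCN_MEM_EXECUTE),
    (b".data", 0x2000, 0x200, b"Hello, world!\0" * 20, SCN_CNT_INIT_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
], entry_rva=0x1000)
```

Run `packer_indicators(SAMPLE_PACKED)` and `packer_indicators(SAMPLE_CLEAN)` to compare: the packed image triggers every heuristic, the clean one none. Each heuristic on its own is weak (a setup program's installer payload is also high-entropy, and some linkers emit RWX sections), which is why the checks are reported together rather than collapsed into a single verdict.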


Static Resource Analyzer


Internet helps


The reality #2: <#2> Intermediate Language (Java/.NET/etc.)

Why Decompilation is easier

> Metadata has to be explicit (Constant-Pool names, variables, methods and classes)

> The opcodes are very close to source-code constructs (e.g. tableswitch)

> Self-modifying code cannot be used

> It is not possible to branch to arbitrary locations, only to the start of an instruction, and only within the scope of the current method (enforced by the verifier)
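An added Python example (not from the talk) that shows the first point above concretely: a minimal reader for the class-file constant pool that lists the class names, string literals and method references a .class carries in the clear, which is exactly what decompilers rely on and what string obfuscators later try to hide. The class file it reads is a constructed skeleton built inline (invented class name, a C2 URL in the 203.0.113.0/24 documentation range, and one method reference), not a real sample; the tag numbers and record layouts are those of the JVM specification.

```python
import struct

# Constant-pool tags from the JVM specification (section 4.4)
UTF8, INTEGER, FLOAT, LONG, DOUBLE, CLASS, STRING = 1, 3, 4, 5, 6, 7, 8
FIELDREF, METHODREF, IFACE_METHODREF, NAME_AND_TYPE = 9, 10, 11, 12
METHOD_HANDLE, METHOD_TYPE, INVOKE_DYNAMIC = 15, 16, 18


def parse_constant_pool(data: bytes):
    """Read the class-file header and constant pool; returns (pool, offset just after the pool)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pool, off, i = [None], 10, 1  # slot 0 is unused by the JVM
    while i < count:
        tag, off = data[off], off + 1
        if tag == UTF8:
            length = struct.unpack_from(">H", data, off)[0]
            # real class files use "modified UTF-8"; plain UTF-8 is enough for ASCII names
            pool.append((tag, data[off + 2:off + 2 + length].decode("utf-8")))
            off += 2 + length
        elif tag in (INTEGER, FLOAT):
            pool.append((tag, data[off:off + 4]))
            off += 4
        elif tag in (LONG, DOUBLE):
            pool.append((tag, data[off:off + 8]))
            pool.append(None)  # 8-byte constants take two slots
            off, i = off + 8, i + 1
        elif tag in (CLASS, STRING, METHOD_TYPE):
            pool.append((tag, struct.unpack_from(">H", data, off)[0]))
            off += 2
        elif tag in (FIELDREF, METHODREF, IFACE_METHODREF, NAME_AND_TYPE, INVOKE_DYNAMIC):
            pool.append((tag, struct.unpack_from(">HH", data, off)))
            off += 4
        elif tag == METHOD_HANDLE:
            pool.append((tag, (data[off], struct.unpack_from(">H", data, off + 1)[0])))
            off += 3
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {off - 1}")
        i += 1
    return pool, off


def summarize_class(data: bytes) -> dict:
    """What a .class gives away for free: its name, the classes and methods it uses, its string literals."""
    pool, off = parse_constant_pool(data)

    def utf8(idx: int) -> str:
        return pool[idx][1]

    def class_name(idx: int) -> str:
        return utf8(pool[idx][1])  # CONSTANT_Class points at a Utf8 entry

    _access, this_class, super_class = struct.unpack_from(">HHH", data, off)
    summary = {"this_class": class_name(this_class), "super_class": class_name(super_class),
               "classes": [], "strings": [], "methodrefs": []}
    for entry in pool:
        if entry is None:
            continue
        tag, value = entry
        if tag == CLASS:
            summary["classes"].append(utf8(value))
        elif tag == STRING:
            summary["strings"].append(utf8(value))
        elif tag in (METHODREF, IFACE_METHODREF):
            class_idx, nat_idx = value
            name_idx, desc_idx = pool[nat_idx][1]
            summary["methodrefs"].append(f"{class_name(class_idx)}.{utf8(name_idx)}{utf8(desc_idx)}")
    return summary


def _u2(n: int) -> bytes:
    return struct.pack(">H", n)


def _utf8(s: str) -> bytes:
    encoded = s.encode("utf-8")
    return bytes([UTF8]) + _u2(len(encoded)) + encoded


# Constructed class file: a skeleton with a realistic constant pool and no methods (the class
# name, the URL and the referenced API are invented for the demo).
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + _u2(0) + _u2(49)          # magic, minor, major (Java 5)
    + _u2(13)                                        # constant_pool_count = 12 entries + 1
    + _utf8("com/example/Beacon")                    # 1
    + bytes([CLASS]) + _u2(1)                        # 2  Class -> #1
    + _utf8("java/lang/Object")                      # 3
    + bytes([CLASS]) + _u2(3)                        # 4
    + _utf8("http://203.0.113.7:8080/beacon")        # 5
    + bytes([STRING]) + _u2(5)                       # 6  String -> #5
    + _utf8("java/net/URL")                          # 7
    + bytes([CLASS]) + _u2(7)                        # 8
    + _utf8("openConnection")                        # 9
    + _utf8("()Ljava/net/URLConnection;")            # 10
    + bytes([NAME_AND_TYPE]) + _u2(9) + _u2(10)      # 11
    + bytes([METHODREF]) + _u2(8) + _u2(11)          # 12 URL.openConnection()
    + _u2(0x0021) + _u2(2) + _u2(4)                  # access_flags, this_class, super_class
    + _u2(0) * 4                                     # no interfaces, fields, methods, attributes
)
```

`summarize_class(SAMPLE_CLASS)` returns the class and superclass names, the three referenced classes, the URL literal and the `java/net/URL.openConnection()` reference without executing or decompiling anything. A string obfuscator such as ZKM leaves the same pool structure in place but replaces the literal with ciphertext and a decrypt call, which is why the later slide needs a dedicated tool to get the strings back.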


The «Easy» way to Source Code

JD-GUI http://jd.benow.ca/

JAD http://varaneckas.com/jad/


ByteCode Analysis & Manipulation

http://set.ee/jbe/


But things can go wrong


Get your own ZKM String Custom Tool

java -jar ZKMTools.jar <CLASS_FILE>

What is Dynamic Analysis?

<#1> Debugging

<#2> Live Execution Analysis

<#3> Sandbox based Analysis

NEVER use your own PC to run malware!!!


Snapshot is the Way


Debugging Principles <#1> Debugging

OllyDbg Debugger http://www.ollydbg.de/

Immunity Debugger http://www.immunitysec.com/products-immdbg.shtml

Debugging World

Rings are privilege and/or security levels provided by the processor

x86 Ring 0 (Kernel): HyperDbg, WinDbg, SoftICE http://www.woodmann.com/collaborative/tools/index.php/Category:Ring_0_Debuggers

x86 Ring 3 (Usermode): http://www.woodmann.com/collaborative/tools/index.php/Category:Ring_3_Debuggers

Two Assembler things you have to know: base x86/x64 registers

EAX general-purpose register #1 (RAX in 64-bit)

EBX general-purpose register #2 (RBX in 64-bit)

ECX general-purpose register #3 (RCX in 64-bit)

EDX general-purpose register #4 (RDX in 64-bit)

ESI source pointer for string operations (RSI in 64-bit)

EDI destination pointer for string operations (RDI in 64-bit)

ESP pointer to the current top of the stack (RSP in 64-bit)

EBP pointer to the base of the current stack frame (RBP in 64-bit)

EIP (Extended Instruction Pointer) pointer to the next instruction to execute (RIP in 64-bit)

General-purpose registers available only in 64-bit mode: R8-R15

Two Assembler things you have to know: the x86/x64 stack

» LIFO (Last In First Out) structure mapped onto memory

» ESP points to the current position (the top) in memory

» EBP is used as a «marker» to manage the current stack frame

» Data is loaded with the PUSH and POP instructions

» The return address of a CALL is saved on it automatically

Two Assembler things you have to know

> Run-time stack (Stackframe)

> Contains the local variables

> ESP points to the first (top) element of the stack

> EBP points to the base of the Stackframe

> At each procedure call a new stack frame (the function's scope) is reserved by moving ESP and EBP

(Memory-layout diagram: Trap Vectors, Interrupt Vectors, Op Sys, Instructions (.text), global data (.data), Heap, run-time stack, Device Registers, with ESP and EBP marking the current stack frame)

Defeat Packers using Debuggers

» Use the debugger (e.g. OllyDbg, or IDA Pro with Bochs) to step through the various decryption routines, setting a breakpoint at the end of each loop

» Dump the memory once the process has finished (e.g. OllyDumpEx)

Best Practices: > Many processes are not resilient (they run and exit immediately) > Break into the process at the right moment > Step over instruction by instruction until


<#2> Live Execution Analysis


Start Debugging during Execution


How to Fake Servers during Execution


How to Monitor Traffic during Execution


<#3> Sandbox based Analysis


Detailed Artifact Execution


Screenshots Available!!!


The Online Cuckoo Service


but be careful to fully Understand Objectives!


Domande? Italian

مطالب أيةArabic

¿Preguntas? Spanish

Questions? English

tupoQghachmey Klingon

Sindarin

Japanese

Ερωτήσεις? Greek

вопросы? Russian