Malware Freak Show
Agenda
Stuxnet
Duqu
Flame
Gauss
Stuxnet was discovered in June 2010, but the first variant of the worm
appeared in June 2009.
Stuxnet is the first discovered malware that includes a PLC rootkit: it replaces
the Siemens Step 7 library s7otbxdx.dll, through which Step 7 talks to the PLC, so
that reads of the infected blocks return the original code.
Goal: to reprogram industrial control systems by modifying code on
programmable logic controllers (PLCs) to make them work in the manner the
attacker intended, and to hide those changes from the operator of the
equipment.
Infection Statistics
[Figure: bar chart of Stuxnet infections by country, values in percent: 58.31, 17.83, 9.96, 3.4, 1.4, 1.1, 0.9, 0.7, 0.6, 0.5 and 5.5 (remaining countries); the country labels were not recovered]
Possible Attack Scenario
Once Stuxnet had infected a computer within the organization, it began to spread in search of Field PGs (the Siemens engineering laptops that program the PLCs). Since most of these computers are not networked, Stuxnet would first try to spread to other computers on the LAN, infecting Step 7 projects, and then through removable drives. Propagation through the LAN likely served as the first step, and propagation through removable drives as the means to cover the last hop to a Field PG that is never connected to an untrusted network.
Communication
[Figure: network communication of the infected host, before infection and after infection]
Technical Analysis
Exploited 4 zero-day vulnerabilities:
Microsoft Windows Print Spooler Service remote code execution (MS10-061)
Microsoft Windows Shortcut ‘LNK/PIF’ files automatic file execution (MS10-046)
Windows 2000/XP win32k.sys keyboard-layout privilege elevation (MS10-073)
Windows 7 Task Scheduler privilege elevation (MS10-092)
Copies and executes itself on remote computers through network shares
Copies itself into Step 7 projects in such a way that it automatically executes
when the Step 7 project is loaded
Updates itself through a peer-to-peer mechanism within a LAN
Contains a Windows rootkit and a PLC rootkit
Three variants of Stuxnet have been discovered.
Drivers were signed with certificates stolen from Realtek and JMicron.
Stuxnet's dropper carries the main DLL and two encrypted configuration blocks
in a section named .stub.
It uses different process injection techniques depending on which antivirus
product is installed, choosing a trusted host process accordingly.
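The LNK vulnerability (MS10-046) is the one that carried Stuxnet across the removable-drive hop: when Explorer rendered a shortcut's icon it walked the shortcut's target IDList, found a Control Panel item pointing at a file path, and loaded that file as a CPL applet (a DLL) without the user opening anything. Shortcuts of that shape can be recognised structurally. The parser below is an added example written for this page, not code from the slides or from any vendor tool; the .lnk samples are constructed inline from the MS-SHLLINK header layout and the shell namespace CLSIDs, shaped after the exploit shortcuts rather than byte-for-byte copies of Stuxnet's, and the path regex is an assumption about how the path is encoded in the item.

```python
import re
import struct
import uuid

# Constants from the MS-SHLLINK specification and the Windows shell namespace.
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001
HEADER_SIZE = 0x4C


def parse_idlist(data):
    """Return the ItemID bodies of a .lnk file's LinkTargetIDList (empty list if absent)."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    (idlist_size,) = struct.unpack_from("<H", data, HEADER_SIZE)
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size
    items = []
    while pos + 2 <= min(end, len(data)):
        (item_size,) = struct.unpack_from("<H", data, pos)  # size includes the 2-byte field
        if item_size < 2:                                    # TerminalID 0x0000 ends the list
            break
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


# UNC path or drive-letter path, terminated by the UTF-16 NUL (assumed encoding).
PATH_RE = re.compile(r"(\\\\[^\x00]+|[A-Za-z]:\\[^\x00]+)")


def cpl_load_path(data):
    """Path that a Control Panel item in the IDList would make shell32 load, else None."""
    in_control_panel = False
    for item in parse_idlist(data):
        if CONTROL_PANEL_CLSID in item:
            in_control_panel = True
            continue
        if not in_control_panel:
            continue
        for candidate in (item, item[1:]):  # the path may sit at either byte alignment
            m = PATH_RE.search(candidate.decode("utf-16-le", errors="ignore"))
            if m:
                return m.group(1)
    return None


def build_lnk(items):
    """Assemble a minimal .lnk: 76-byte header with HasLinkTargetIDList set, then the IDList.
    Constructed test data, not a real shortcut."""
    header = (struct.pack("<I", HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)          # LinkFlags
              + struct.pack("<I", 0) + b"\x00" * 24                   # FileAttributes, three FILETIMEs
              + struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0))        # FileSize, IconIndex, ShowCommand, HotKey, reserved
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


# Constructed samples. The exploit-style one mimics the shape of an MS10-046 shortcut:
# My Computer -> Control Panel -> a path to the "applet". Stuxnet's shortcuts pointed at
# ~WTR4141.tmp on the removable drive, so the extension is deliberately not .dll.
BENIGN_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x2f" + b"C:\\" + b"\x00" * 19,
    b"\x32" + b"\x00" * 11 + b"notepad.exe\x00",
])
CPL_PATH = r"\\.\STORAGE#RemovableMedia#CONSTRUCTED&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~WTR4141.tmp"
EXPLOIT_STYLE_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x1f\x50" + CONTROL_PANEL_CLSID,
    b"\x00" + CPL_PATH.encode("utf-16-le") + b"\x00\x00",
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("exploit-style", EXPLOIT_STYLE_LNK)):
        print(name, "->", cpl_load_path(blob))
```

The check keys on a Control Panel namespace item followed by a file path, not on a .dll extension, because the loaded file only has to be a PE that shell32 can LoadLibrary: naming it .tmp, as Stuxnet did, defeats an extension-based rule. Run it over every .lnk on a removable drive or in a network share before the drive is browsed on a machine that still lacks the MS10-046 fix.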
Technical Analysis (cont.)
Installation routine
Infection Routine
Demo
Analyzing STUXNET
Duqu was discovered in September 2011; it shares a great deal of code with Stuxnet.
Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.
Duqu's purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers.
Duqu's payload core, the so-called Duqu Framework, is written in an unusual style; it was eventually identified as object-oriented C compiled with Microsoft Visual C++ rather than a known high-level language.
After 30 days of installation, the threat automatically removes itself from the system.
Geographic distribution
Duqu's installer exploited a zero-day vulnerability in the Win32k TrueType font
parsing engine (MS11-087, CVE-2011-3402), delivered in a Word document, that
allows kernel-mode code execution.
Duqu uses a 54x54 pixel JPEG file and encrypted dummy
files as containers to smuggle data to its command and
control servers.
Drivers were signed with a stolen certificate from C-Media
Electronics Inc.
Technical Analysis
Duqu uses HTTP and HTTPS to communicate with its C&C servers. The C&C servers
were hosted in India, Belgium, and Vietnam.
The C&C servers were configured to simply forward all port 80 and 443
traffic to other servers, acting as proxies that hide the real back end.
Through the C&C servers the attackers were able to download additional
modules, such as ones for enumerating the network, recording keystrokes, and
gathering system information.
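The JPEG-as-container trick from the Duqu slides, carried over the HTTP/HTTPS C&C channel just described, can be checked for mechanically: a well-formed JPEG ends at its EOI marker (FF D9), so any bytes after it are cargo, and encrypted cargo has near-maximal byte entropy. The following is an added example, not code from the original slides or from any Duqu analysis tool. The JPEG sample and the high-entropy payload are constructed inline (the sample has valid segment structure but is not a decodable image), and the 7.0-bit entropy threshold is an assumption.

```python
import math
import struct

EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RSTn markers carry no length field


def jpeg_eoi_offset(data):
    """Walk the JPEG segment structure and return the offset of the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill bytes are permitted before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack_from(">H", data, pos + 2)
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows. Skip to the first marker that is neither
            # a stuffed 0xFF00 nor an RSTn restart marker.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def shannon_entropy(buf):
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_jpeg(data):
    """Report how much data trails the image and how random it looks."""
    eoi = jpeg_eoi_offset(data)
    trailing = data[eoi + 2:]
    return {"eoi_offset": eoi,
            "trailing_bytes": len(trailing),
            "trailing_entropy": round(shannon_entropy(trailing), 2)}


def looks_like_container(data, entropy_threshold=7.0):
    """True when an encrypted-looking blob is appended after EOI (threshold is an assumption)."""
    r = analyze_jpeg(data)
    return r["trailing_bytes"] > 0 and r["trailing_entropy"] >= entropy_threshold


def build_sample_jpeg():
    """Constructed JPEG skeleton: SOI, JFIF APP0, SOS with a few scan bytes, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"                 # 1 component, Ss=0, Se=63
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"            # includes a stuffed FF and an RST0
    return (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr + scan + b"\xff\xd9")


SAMPLE_JPEG = build_sample_jpeg()
# Deterministic stand-in for an encrypted blob: a permutation of all 256 byte values.
ENCRYPTED_PAYLOAD = bytes((i * 167 + 13) % 256 for i in range(256))
CONTAINER = SAMPLE_JPEG + ENCRYPTED_PAYLOAD

if __name__ == "__main__":
    print("clean image:", analyze_jpeg(SAMPLE_JPEG), looks_like_container(SAMPLE_JPEG))
    print("container  :", analyze_jpeg(CONTAINER), looks_like_container(CONTAINER))
```

Apply it to HTTP bodies carried with an image/jpeg content type in both directions, since Duqu used the image as cover for data going to the server as well as for modules coming back. Trailing bytes alone are not proof: some tools append metadata after EOI, which is why the entropy of the tail is the discriminator.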
Technical Analysis (cont.)
Installation architecture
Flame is modular computer malware discovered in 2012; its discovery was
announced on 28 May 2012.
Flame is one of the most complex pieces of malware found to date and, at about
20 MB, is uncharacteristically large for malware.
Partly written in the Lua scripting language, with compiled C++ code linked in
Flame uses five different encryption methods and an SQLite database to store
structured information
Flame supports a "kill" command that makes it eliminate all traces of its files
and operation from a system
Flame's Windows Update spoofing component was signed with a fraudulent
certificate chaining to the Microsoft Enforced Licensing Intermediate PCA; the
certificate was forged with an MD5 chosen-prefix collision against the MD5-signed
certificates issued by Microsoft's Terminal Services licensing infrastructure
It can record audio, screenshots, keyboard activity and network traffic
Flame exploited already known vulnerabilities that Stuxnet had used (the LNK
and Print Spooler bugs)
Replicates via USB, LAN and a spoofed Windows Update (the victim is tricked
into using the infected host as its WPAD proxy)
Communication: SSL + SSH
Skywiper (CrySyS Lab's name for Flame) main executables:
mssecmgr.ocx – Main module
msglu32.ocx
nteps32.ocx
advnetcfg.ocx
soapr32.ocx
ccalc32.sys
Boot32drv.sys
Technical Analysis
Flame is modular malware; it consists of nearly 20 modules:
Beetlejuice
Microbe
Infectmedia
Autorun_infector
Euphoria
Limbo
Frog
Munch
Gadget
Snack
Boot_dll_loader
Weasel
Boost
Telemetry
Gator
Security
Bunny
Dbquery
Driller
Headache
Technical Analysis (cont.)
Startup sequence
Command & Control servers
Operating system: 64-bit Debian 6.0.x
Virtualization: in most cases running under OpenVZ
Programming languages used: PHP (most of the code), Python, bash
Database: MySQL with InnoDB tables
Web server: Apache 2.x with self-signed certificates
Command & Control servers (cont.)
Demo
Analyzing Flame
Gauss was discovered by Kaspersky Lab in June 2012 while searching for new,
unknown components related to Flame.
Gauss is designed to collect as much information about the infected machine as
possible, as well as to steal credentials for various banking systems and
social network, email and IM accounts.
Gauss was designed for 32-bit versions of Windows. Some of the modules
do not work under Windows 7 SP1.
Functionality
Injecting its own modules into different browsers in order to intercept user
sessions and steal passwords, cookies and browser history.
Collecting information about the computer’s network connections.
Collecting information about processes and folders.
Collecting information about BIOS, CMOS RAM.
Collecting information about local, network and removable drives.
Infecting USB drives with a spy module in order to steal information from
other computers.
Installing the custom Palida Narrow font (purpose unknown).
Ensuring the entire toolkit’s loading and operation.
Interacting with the command and control server, sending the information
collected to it, downloading additional modules.
Infection statistics (infected hosts by country)
Lebanon                  1660
Israel                    483
Palestinian Territory     261
United States              43
United Arab Emirates       11
Germany                     5
Egypt                       4
Qatar                       4
Jordan                      4
Saudi Arabia                4
Syria                       4
This is just the beginning. Think about all the services and
systems that we depend upon to keep society running smoothly.
Most of them run on computer networks. Even if the network
administrators isolate their computers from the rest of the
Internet, they could be vulnerable to a cyber attack.