Malware Freak Show

Transcript
Page 1: Malware Freak Show

Srinu

[email protected]

I do malware analysis, computer forensics & pentesting

Page 2: Malware Freak Show

Agenda

Stuxnet

Duqu

Flame

Gauss

Page 3: Malware Freak Show

Stuxnet was discovered in June 2010, but the first variant of the worm appeared in June 2009.

Stuxnet is the first discovered malware that includes a PLC rootkit.

Goal: to reprogram industrial control systems by modifying code on programmable logic controllers so that they work in the manner the attacker intended, and to hide those changes from the operator of the equipment.

Page 4: Malware Freak Show

Infection Statistics

[Bar chart: Infection Statistics; axis and bar labels were not preserved in the transcript]

Page 5: Malware Freak Show

Possible Attack Scenario

Once Stuxnet had infected a computer within the organization, it began to spread in search of Field PGs. Since most of these computers are not networked, Stuxnet would first try to spread to other computers on the LAN, by infecting Step 7 projects, and through removable drives. Propagation through the LAN likely served as the first step, and propagation through removable drives as the means to cover the final hop to a Field PG that is never connected to an untrusted network.

Page 6: Malware Freak Show

Communication

[Diagram: communication before infection vs. after infection]

Page 7: Malware Freak Show

Technical Analysis

Exploited 4 zero-day vulnerabilities:

Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability

Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability

Win2000/XP Win32k.sys privilege elevation

Windows 7 Task Scheduler privilege elevation

Copies and executes itself on remote computers through network shares

Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded

Updates itself through a peer-to-peer mechanism within a LAN

Contains a Windows rootkit and a PLC rootkit

Three variants of Stuxnet have been discovered.

Drivers signed with stolen certificates from Realtek & JMicron

Page 8: Malware Freak Show

Technical Analysis (cont.)

Stuxnet contains a DLL file and two encrypted configuration files stored in a section named "stub".

It uses different process injection techniques depending on which antivirus product is installed.

Page 9: Malware Freak Show
Page 10: Malware Freak Show

Installation routine

Page 11: Malware Freak Show

Infection Routine

Page 12: Malware Freak Show

Demo

Analyzing STUXNET

Page 13: Malware Freak Show

Duqu was discovered in September 2011; Duqu shares a great deal of code with Stuxnet.

Duqu got its name from the prefix "~DQ" it gives to the names of the files it creates.

Duqu’s purpose is to gather intelligence data and assets from entities.

Duqu may have been written in object-oriented C or in an unknown high-level language, also called the Duqu framework.

30 days after installation, the threat automatically removes itself from the system.

Page 14: Malware Freak Show

Geographic distribution

Page 15: Malware Freak Show

Technical Analysis

Duqu exploited a zero-day vulnerability (MS11-087) in the Win32k TrueType font parsing engine that allows code execution.

Duqu uses a 54×54 pixel JPEG file and encrypted dummy files as containers to smuggle data to its command and control servers.

Drivers signed with a stolen certificate from C-Media Electronics Inc.

Page 16: Malware Freak Show

Technical Analysis (cont.)

Duqu uses HTTP & HTTPS to communicate with C&C servers. The C&C servers were hosted in India, Belgium, and Vietnam.

The C&C servers were configured to simply forward all port 80 and 443 traffic to other servers.

Using the C&C servers, the attackers were able to download additional modules, such as ones for enumerating the network, recording keystrokes, and gathering system information.

Page 17: Malware Freak Show

Installation

Page 18: Malware Freak Show

Architecture

Page 19: Malware Freak Show
Page 20: Malware Freak Show

Flame is modular computer malware discovered in 2012; its discovery was announced on 28 May 2012.

Flame is the most complex malware ever found, and it is an uncharacteristically large program for malware at 20 MB.

Partly written in the Lua scripting language, with compiled C++ code linked in.

Flame uses five different encryption methods and an SQLite database to store structured information.

Flame supports a “kill” command that makes it eliminate all traces of its files and operation from a system.

Flame was signed with a fraudulent certificate believed to have been issued by the Microsoft Enforced Licensing Intermediate PCA certificate authority.

It can record audio, screenshots, keyboard activity and network traffic.

Page 21: Malware Freak Show
Page 22: Malware Freak Show
Page 23: Malware Freak Show

Technical Analysis

Flame exploited known vulnerabilities that were also used in Stuxnet.

Replicates via USB, LAN and Windows Update.

Communication: SSL + SSH

Skywiper’s (Flame’s) main executables:

mssecmgr.ocx – main module

msglu32.ocx

nteps32.ocx

advnetcfg.ocx

soapr32.ocx

ccalc32.sys

Boot32drv.sys

Page 24: Malware Freak Show

Technical Analysis (cont.)

Flame is modular malware; it consists of nearly 20 modules:

Beetlejuice

Microbe

Infectmedia

Autorun_infector

Euphoria

Limbo

Frog

Munch

Gadget

Snack

Boot_dll_loader

Weasel

Boost

Telemetry

Gator

Security

Bunny

Dbquery

Driller

Headache

Page 25: Malware Freak Show

Startup sequence

Page 26: Malware Freak Show

Command & Control servers

Operating system: 64-bit Debian 6.0.x

Virtualization: in most cases running under OpenVZ

Programming languages used: PHP (most of the code), Python, bash

Database: MySQL with InnoDB tables

Web server: Apache 2.x with self-signed certificates

Page 27: Malware Freak Show

Command & Control servers (cont.)

Page 28: Malware Freak Show

Demo

Analyzing Flame

Page 29: Malware Freak Show

Gauss was discovered by Kaspersky Lab in June 2012, while searching for new, unknown components.

Gauss is designed to collect as much information about the infected machine as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts.

Gauss was designed for 32-bit versions of Windows. Some of the modules do not work under Windows 7 SP1.

Page 30: Malware Freak Show

Functionality

Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.

Collecting information about the computer’s network connections.

Collecting information about processes and folders.

Collecting information about BIOS and CMOS RAM.

Collecting information about local, network and removable drives.

Infecting USB drives with a spy module in order to steal information from other computers.

Installing the custom Palida Narrow font (purpose unknown).

Ensuring the loading and operation of the entire toolkit.

Interacting with the command and control server, sending the collected information to it, and downloading additional modules.
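As a defender-side example added here (not code from the slides), the host artefacts this deck names for Duqu (the "~DQ" file prefix), Flame (the Skywiper executables) and Gauss (the Palida Narrow font) can be turned into a small indicator scanner; the listing format, the paths in the sample and the function names are assumptions made for the demo.

```python
"""Indicator scanner built from the artefacts named in this deck.
All paths below are constructed sample data, not real forensic output."""
import ntpath
from typing import Dict, List

# Flame/Skywiper main executables listed on the Technical Analysis slide.
FLAME_MODULES = {
    "mssecmgr.ocx", "msglu32.ocx", "nteps32.ocx", "advnetcfg.ocx",
    "soapr32.ocx", "ccalc32.sys", "boot32drv.sys",
}
DUQU_PREFIX = "~dq"          # Duqu prefixes the files it creates with ~DQ
GAUSS_FONT = "palidanarrow"  # custom font Gauss installs (purpose unknown)


def classify(path: str) -> List[str]:
    """Return the families whose indicators match a single file path.
    ntpath handles Windows separators even when run on Linux."""
    name = ntpath.basename(path).lower()
    hits = []
    if name in FLAME_MODULES:            # exact module filename
        hits.append("Flame")
    if name.startswith(DUQU_PREFIX):     # ~DQ prefix on the basename only
        hits.append("Duqu")
    if name.endswith(".ttf") and GAUSS_FONT in name.replace(" ", ""):
        hits.append("Gauss")
    return hits


def scan_listing(listing: str) -> Dict[str, List[str]]:
    """Scan a newline-separated file listing; map family -> matching paths."""
    findings: Dict[str, List[str]] = {}
    for line in listing.splitlines():
        path = line.strip()
        if not path:
            continue
        for family in classify(path):
            findings.setdefault(family, []).append(path)
    return findings


# Constructed listing: one true positive and one look-alike decoy per rule.
SAMPLE_LISTING = """
C:\\Windows\\System32\\mssecmgr.ocx
C:\\Windows\\System32\\MSSECMGR.OCX.bak
C:\\Windows\\Temp\\~DQ1a2b.tmp
C:\\Windows\\Temp\\DQ_report.tmp
C:\\Windows\\Fonts\\PalidaNarrow.ttf
C:\\Windows\\Fonts\\arial.ttf
"""

if __name__ == "__main__":
    for family, paths in sorted(scan_listing(SAMPLE_LISTING).items()):
        print(family, paths)
```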

Page 31: Malware Freak Show

Infection statistics

Lebanon 1660

Israel 483

Palestinian Territory 261

United States 43

United Arab Emirates 11

Germany 5

Egypt 4

Qatar 4

Jordan 4

Saudi Arabia 4

Syria 4

Page 32: Malware Freak Show
Page 33: Malware Freak Show
Page 34: Malware Freak Show

This is just the beginning. Think about all the services and systems that we depend upon to keep society running smoothly. Most of them run on computer networks. Even if network administrators isolate their computers from the rest of the Internet, they could still be vulnerable to a cyber attack.

Page 35: Malware Freak Show
Page 36: Malware Freak Show
