Targeted attacks of recent days Boldizsár Bencsáth PhD Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics www.crysys.hu this is joint work with Gábor Pék, Levente Buttyán, Márk Félegyházi, others


Page 1

Targeted attacks of recent days

Boldizsár Bencsáth PhD, Laboratory of Cryptography and System Security (CrySyS)

Budapest University of Technology and Economics, www.crysys.hu

This is joint work with Gábor Pék, Levente Buttyán, Márk Félegyházi and others.

Page 2

2 | Laboratory of Cryptography and System Security, CrySyS Adat- és Rendszerbiztonság Laboratórium, www.crysys.hu

Targeted Attacks

Although many expected it, nobody knew how the era of targeted attacks and cyber warfare would start.

The hype began with Stuxnet, but it was perhaps not the first case (Hydraq, DoS attacks, etc.).

Lots of new cases: Stuxnet, Duqu, RSA, chemical plants, Mitsubishi Heavy Industries, the Illinois water system (?), ...

(Additionally: Anonymous, LulzSec, etc.)

APT: Advanced Persistent Threat -> this definition emphasizes the power of the attacker rather than our own inability to keep control of our systems.

A new approach is needed against APTs and targeted attacks.

Page 3

What have we done in the Duqu case?

Yes, we are the lab that discovered Duqu. We will share with you what we can, but more information on the ongoing case is under NDA. Technical details are already public.

In early September, during the investigation of an incident, CrySyS Lab found a suspicious executable, the reference info stealer / keylogger component of Duqu.

Later, during forensics activities, we identified the components used for the incident. We made an initial analysis and shared our results with the competent organizations. The cut-down version of our analysis was embedded into Symantec's report as an appendix (18/Oct/2011).

We continued the analysis of Duqu and as a result identified the dropper/installer component. After proving that it contains a 0-day vulnerability, we initiated the collaborative handling of the threat. On 01/Nov/2011 we announced the identification of the dropper file.

Page 4

Duqu/Stuxnet comparison at a glance

Feature                                | Stuxnet           | Duqu
Modular malware                        | yes               | yes
Kernel driver based rootkit            | yes               | very similar
Valid digital signature on driver      | Realtek, JMicron  | C-Media
Injection based on A/V list            | yes               | seems based on Stuxnet
Imports based on checksum              | yes               | different algorithm
3 config files, all encrypted, etc.    | yes               | almost the same
Keylogger module                       | -                 | Duqu only
PLC functionality (different goal)     | Stuxnet only      | -
Infection through local shares         | yes               | possible (Symantec)
Exploits, 0-day                        | yes               | zero-day Word document, win32k.sys
DLL with modules as resources          | (many)            | (one)
RPC communication                      | yes               | yes
Port 80/443, TLS based C&C             | ?                 | similar
Special "magic" keys, e.g. 790522, AE  | yes               | lots of similar ones
Virtual file based access to modules   | yes               | yes
Careful error handling                 | yes               | yes
Initial, dropper, deactivation timer   | yes               | yes
Configurable start in safe mode/debug  | yes               | exactly the same mechanism

Page 5

DuquDetector toolkit – a new way of thinking about threats like Stuxnet

The CrySyS DuquDetector Toolkit was publicly released on 09/Nov/2011.

We have to move forward and get rid of signature-only approaches. Our tool tries to identify anything suspicious, even if that generates lots of false positives.

Currently the toolkit is "configured" for Duqu, but the aim is a bit more general:

Entropy-based detection of strange PNF files

Suspicious files with missing counterparts

Search for data files left by the malware's keylogger / infostealer / data siphoning tools, by their signatures (file name, magic strings)

Our tool might be able to find traces of infections even after the malware has already been deleted by its self-destructing logic.
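As an added illustration of the first two heuristics above (entropy of PNF files, and files with missing counterparts), here is a small Python scan that flags .pnf files in a directory that have no .inf of the same base name, or whose bytes are distributed almost uniformly as an encrypted cache would be. This is example code, not the CrySyS toolkit; the sample directory, file names and the 7.0 bits/byte threshold are constructed assumptions.

```python
import math
import os
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_inf_dir(inf_dir: str, entropy_threshold: float = 7.0):
    """Flag .pnf files with no .inf of the same base name, or with near-random content.

    A legitimate .pnf is the precompiled cache of a .inf beside it; an orphaned or
    encrypted-looking .pnf deserves a closer look. Returns [(file name, [reasons])]."""
    names_lower = {n.lower() for n in os.listdir(inf_dir)}
    findings = []
    for name in sorted(os.listdir(inf_dir)):
        if not name.lower().endswith(".pnf"):
            continue
        reasons = []
        if name.lower()[:-4] + ".inf" not in names_lower:
            reasons.append("no .inf counterpart")
        with open(os.path.join(inf_dir, name), "rb") as f:
            entropy = shannon_entropy(f.read())
        if entropy >= entropy_threshold:  # assumed threshold, tune per environment
            reasons.append(f"high entropy ({entropy:.2f} bits/byte)")
        if reasons:
            findings.append((name, reasons))
    return findings

def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)

def build_demo_dir() -> str:
    """Constructed sample INF directory (not real system files) to run the scan on."""
    d = tempfile.mkdtemp()
    text = b'[Version]\r\nSignature="$Windows NT$"\r\nClass=Net\r\n' * 40  # low entropy
    for base in ("oem1", "oem2"):  # benign .inf/.pnf pairs
        _write(os.path.join(d, base + ".inf"), text)
        _write(os.path.join(d, base + ".pnf"), text)
    # orphan .pnf whose bytes are uniformly distributed (entropy exactly 8.0),
    # the way an encrypted payload cache would look
    _write(os.path.join(d, "orphan.pnf"), bytes(range(256)) * 16)
    return d

if __name__ == "__main__": print(scan_inf_dir(build_demo_dir()))
```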