targeted attacks of recent days boldizsár bencsáth phd laboratory of cryptography and system...
TRANSCRIPT
Targeted attacks of recent days
Boldizsár Bencsáth PhDLaboratory of Cryptography and System Security (CrySyS)
Budapest University of Technology and Economicswww.crysys.hu
this is joint work with Gábor Pék, Levente Buttyán, Márk Félegyházi, others
2Laboratory of Cryptography and System SecurityCrySyS Adat- és Rendszerbiztonság Laboratóriumwww.crysys.hu
Targeted Attacks
Although many expected, nobody knew how the era of targeted attack, cyber warfare will start.
Hype began with Stuxnet, but maybe not the first case (Hydraq, DoS attacks, etc.)
Lot of new cases: Stuxnet, Duqu, RSA, Chemical plants, Mitsubishi Heavy Industries, Illinois water system (?),…
(Additionally: Anonymous, Lulzsec, etc..) APT: Advanced Persistent Threat -> this definition
emphasizes power of the attacker over of our inability to have control on our system
New approach is needed against APT, Targeted Attacks
3Laboratory of Cryptography and System SecurityCrySyS Adat- és Rendszerbiztonság Laboratóriumwww.crysys.hu
What we have done in Duqu case?
Yes, we are the Lab who discovered Duqu. We will share with you what we can but more information on the
ongoing case is under NDA. Technical details are already public. In early September, during the investigation of an incident CrySyS
Lab found a suspicious executable, the reference info stealer / keylogger component of Duqu.
Later during forensics activities we identified components used for the incident. We made an initial analysis and shared our results with competent organizations.The cut-down version of our analysis was embedded into Symantec’s report as an appendix (18/Oct/2011)
We continued the analysis of Duqu and as a result we identified the dropper/installer component. After proving that it contains a 0-day vulnerability, we initiated the collaborated handling of the threat. On 01/Nov/2011 we announced the identification of the dropper file.
4Laboratory of Cryptography and System SecurityCrySyS Adat- és Rendszerbiztonság Laboratóriumwww.crysys.hu
Duqu/Stuxnet comparison at a glanceFeature Stuxnet Duqu
Modular malware
Kernel driver based rootkit very similar
Valid digital signature on driver Realtek, JMicron C-Media
Injection based on A/V list seems based on Stux.
Imports based on checksum different alg.
3 Config files, all encrypted, etc. almost the same
Keylogger module Duqu
PLC functionality (different goal) Stuxnet
Infection through local shares Possible – Symantec
Exploits, 0-day Zero-day word, win32k.sys
DLL with modules as resources (many) (one)
RPC communication
Port 80/443, TLS based C&C ? similar
Special “magic” keys, e.g. 790522, AE lots of similar
Virtual file based access to modules
Careful error handling
Initial, dropper, deactivation timer
Configurable starting in safe mode/dbg (exactly same mech.)
5Laboratory of Cryptography and System SecurityCrySyS Adat- és Rendszerbiztonság Laboratóriumwww.crysys.hu
Duqudetector toolkit – a new way of thinking about threats like Stuxnet
The Crysys DuquDetector Toolkit was publicly released on 09/Nov/2011.
We have to go forward and get rid of signature-only approaches Our tool tries to identify anything suspicious, even if that generates
lots of false positive. Currently the toolkit is “configured” for Duqu, but the aim is a bit more
general Entropy based detection of strange PNF files Suspicious files with missing counterparts Search for data files left by keylogger/infostealer/data siphoning tools
of the malware by it’s signatures (file name, magic strings) Our tool might be able to find traces on infections even after the
malware was already deleted by self-destructing logics.