Targeted attacks of recent days - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Targeted attacks of recent days
  • Boldizsár Bencsáth PhD
  • Laboratory of Cryptography and System Security
    (CrySyS)
  • Budapest University of Technology and Economics
  • www.crysys.hu
  • this is joint work with Gábor Pék, Levente
    Buttyán, Márk Félegyházi, others

2
Targeted Attacks
  • Although many expected it, nobody knew how the era
    of targeted attacks and cyber warfare would start.
  • The hype began with Stuxnet, but it was probably not
    the first case (Hydraq, DoS attacks, etc.).
  • Many new cases: Stuxnet, Duqu, RSA, chemical
    plants, Mitsubishi Heavy Industries, the Illinois
    water system (?).
  • (Additionally Anonymous, LulzSec, etc.)
  • APT (Advanced Persistent Threat) -> this
    definition emphasizes the power of the attacker
    rather than our inability to keep control of our
    own systems.
  • A new approach is needed against APTs and targeted
    attacks.

3
What we have done in the Duqu case
  • Yes, we are the lab that discovered Duqu.
  • We will share with you what we can, but more
    information on the ongoing case is under NDA.
    Technical details are already public.
  • In early September, during the investigation of
    an incident, CrySyS Lab found a suspicious
    executable, the reference info stealer /
    keylogger component of Duqu.
  • Later, during forensics activities, we identified
    the components used for the incident. We made an
    initial analysis and shared our results with the
    competent organizations. The cut-down version of
    our analysis was embedded into Symantec's report
    as an appendix (18/Oct/2011).
  • We continued the analysis of Duqu and as a result
    identified the dropper/installer component.
    After proving that it contains a 0-day
    vulnerability, we initiated the collaborative
    handling of the threat. On 01/Nov/2011 we
    announced the identification of the dropper file.

4
Duqu/Stuxnet comparison at a glance

Feature                                  Stuxnet             Duqu
Modular malware                          yes                 yes
Kernel driver based rootkit              yes                 yes, very similar
Valid digital signature on driver        Realtek, JMicron    C-Media
Injection based on A/V list              yes                 yes, seems based on Stuxnet
Imports based on checksum                yes                 yes, different algorithm
3 config files, all encrypted, etc.      yes                 yes, almost the same
Keylogger module                         no                  yes
PLC functionality                        yes                 no (different goal)
Infection through local shares           yes                 possible (Symantec)
Exploits, 0-day                          yes                 zero-day in Word (win32k.sys)
DLL with modules as resources            yes (many)          yes (one)
RPC communication                        yes                 yes
Port 80/443, TLS based C&C               yes                 yes, similar
Special magic keys, e.g. 790522, AE      yes                 yes, lots of similar ones
Virtual file based access to modules     yes                 yes
Careful error handling                   yes                 yes
Initial, dropper, deactivation timer     yes                 yes
Configurable start in safe mode/debugger yes                 yes (exactly the same mechanism)
5
DuquDetector toolkit: a new way of thinking
about threats like Stuxnet
  • The CrySyS DuquDetector Toolkit was publicly
    released on 09/Nov/2011.
  • We have to move forward and get rid of
    signature-only approaches.
  • Our tool tries to identify anything suspicious,
    even if that generates lots of false positives.
  • Currently the toolkit is configured for Duqu,
    but the aim is somewhat more general.
  • Entropy-based detection of strange PNF files.
  • Suspicious files with missing counterparts.
  • Search for data files left by the keylogger /
    infostealer / data-siphoning tools of the malware
    by their signatures (file name, magic strings).
  • Our tool might be able to find traces of
    infections even after the malware has already
    been deleted by its self-destruct logic.
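The two file-system heuristics on this slide, the entropy check on PNF files and the check for files with a missing counterpart, as an added example. This is not the CrySyS DuquDetector toolkit's own code. It assumes that a "missing counterpart" means a .pnf in the inf directory with no .inf of the same base name, uses an assumed cutoff of 7.0 bits per byte for "strange" entropy (a compiled INF is structured data and sits well below that, an encrypted module approaches 8.0), and scans a constructed temporary directory rather than a real %WINDIR%\inf.

```python
"""Heuristic scan of a Windows inf directory, in the spirit of the slide:
flag .pnf files that have no .inf counterpart and .pnf files whose byte
entropy looks like an encrypted or compressed payload rather than a
compiled INF. Added example, not the CrySyS DuquDetector toolkit."""
import math
import random
import tempfile
from pathlib import Path

# Assumed cutoff: genuine compiled PNFs are structured data and stay well
# below this; an encrypted module approaches 8.0 bits per byte.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-symbol input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_inf_dir(inf_dir, threshold: float = ENTROPY_THRESHOLD):
    """Return [(filename, entropy, reasons)] for every suspicious .pnf.

    A file is reported when it has no .inf with the same base name, or when
    its entropy is at or above the threshold; both reasons are kept so the
    analyst can see which heuristic fired (false positives are accepted)."""
    inf_dir = Path(inf_dir)
    inf_stems = {p.stem.lower() for p in inf_dir.glob("*.inf")}
    findings = []
    for pnf in sorted(inf_dir.glob("*.pnf")):
        data = pnf.read_bytes()
        ent = shannon_entropy(data)
        reasons = []
        if pnf.stem.lower() not in inf_stems:
            reasons.append("no matching .inf counterpart")
        if ent >= threshold:
            reasons.append(f"entropy {ent:.2f} >= {threshold}")
        if reasons:
            findings.append((pnf.name, ent, reasons))
    return findings


def build_demo_dir() -> Path:
    """Constructed sample directory (not real system files): one benign
    INF/PNF pair with plaintext-like content, and one orphan .pnf filled with
    seeded pseudo-random bytes standing in for an encrypted module."""
    d = Path(tempfile.mkdtemp(prefix="infscan-"))
    inf_text = b'[Version]\r\nSignature="$Windows NT$"\r\nClass=Net\r\n' * 40
    (d / "netdrv.inf").write_bytes(inf_text)
    (d / "netdrv.pnf").write_bytes(inf_text)   # benign: low entropy, has .inf
    rng = random.Random(1)                     # seeded so the demo is reproducible
    blob = bytes(rng.randrange(256) for _ in range(4096))
    (d / "orphan.pnf").write_bytes(blob)       # suspicious: high entropy, no .inf
    return d


def demo():
    """Run the scan over the constructed directory and return its findings."""
    return scan_inf_dir(build_demo_dir())


if __name__ == "__main__":
    for name, ent, reasons in demo():
        print(f"{name}: entropy={ent:.2f} ({'; '.join(reasons)})")
```

Against a real host the same `scan_inf_dir` would be pointed at the Windows inf directory; the point of the slide is that neither heuristic needs a hash of the sample, so they keep working for a repacked or re-encrypted module, and can still report an orphan .pnf after the malware's own cleanup has removed the rest.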