malware freak show

Srinu, [email protected]. I do malware analysis, computer forensics & pentesting.

Author: nu-the-open-security-community

Post on 11-May-2015






null Hyderabad Chapter - November 2012 Meet


2. Agenda
Stuxnet, Duqu, Flame, Gauss

3. Stuxnet
Stuxnet was discovered in June 2010, but the first variant of the worm appeared in June 2009.
Stuxnet is the first malware discovered that includes a PLC rootkit.
Goal: reprogram industrial control systems by modifying the code on programmable logic controllers (PLCs) so that they behave as the attacker intends, while hiding those changes from the operator of the equipment.

4. Infection Statistics
[Bar chart: share of infected hosts by country, in percent. Only the bar values survived extraction; the three largest bars are about 58%, 18% and 10%, and the remaining countries are each below 6%.]

5. Possible Attack Scenario
Once Stuxnet had infected a computer within the organization, it began to spread in search of Field PGs (the Siemens engineering laptops used to program PLCs). Since most of these computers are not networked, Stuxnet would first try to spread to other computers on the LAN, infecting Step 7 projects, and through removable drives. Propagation through the LAN likely served as the first step, and propagation through removable drives as the means to cover the last and final hop to a Field PG that is never connected to an untrusted network.

6. Communication
[Diagrams: before infection / after infection]

7. Technical Analysis
Exploited four zero-day vulnerabilities:
Microsoft Windows Print Spooler Service remote code execution (MS10-061)
Microsoft Windows Shortcut LNK/PIF files automatic file execution (MS10-046)
Windows 2000/XP win32k.sys privilege elevation (MS10-073)
Windows 7 Task Scheduler privilege elevation (MS10-092)
Copies and executes itself on remote computers through network shares.
Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded.
Updates itself through a peer-to-peer mechanism within a LAN.
Contains a Windows rootkit and a PLC rootkit.
Three variants of Stuxnet have been discovered.
Drivers signed with certificates stolen from Realtek and JMicron.

8. Technical Analysis (cont.)
Stuxnet contains a DLL file and two encrypted configuration blocks stored in a PE section named ".stub".
It uses different process injection techniques depending on which antivirus product is installed.

9. Installation routine
[Diagram]

10. Infection routine
[Diagram]
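Slide 8 says the Stuxnet dropper keeps its main DLL and two encrypted configuration blocks in a PE section named ".stub". A triage script can flag that container without unpacking anything, simply by reading the PE section table. The following is an added example written for this page, not code from the talk or from any published Stuxnet analysis. It builds a small constructed PE-shaped blob in memory (marker and header layout only, not a real executable) and parses the DOS header, COFF header and section headers by hand using only the standard library, so it runs offline. The watch list of section names is an assumption of the example.

```python
import struct

# Section names to flag. ".stub" is the container name from the Stuxnet analysis on slide 8;
# the list itself is an assumption of this example and should be extended from your own cases.
WATCH_SECTIONS = (".stub",)


def build_sample_pe(section_names):
    """Construct a minimal PE-shaped blob (constructed test data, not a real executable):
    DOS header with e_lfanew, 'PE\\0\\0' signature, a 20-byte COFF header, an empty
    optional header and one 40-byte section header per name."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=DLL|EXECUTABLE|32BIT
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x2102)
    section_table = b""
    for i, name in enumerate(section_names):
        raw_name = name.encode("ascii")[:8].ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics (INITIALIZED_DATA | READ)
        section_table += raw_name + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1),
            0, 0, 0, 0, 0x40000040)
    return dos_header + b"PE\0\0" + coff_header + section_table


def pe_sections(data):
    """Parse the section table of a PE image and return one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        virtual_size, virtual_address, raw_size, raw_pointer = struct.unpack_from("<IIII", data, off + 8)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name,
            "virtual_size": virtual_size,
            "virtual_address": virtual_address,
            "raw_size": raw_size,
            "raw_pointer": raw_pointer,
            "characteristics": characteristics,
        })
    return sections


def find_watched_sections(data, watch=WATCH_SECTIONS):
    """Return the names of sections on the watch list (matched case-insensitively)."""
    wanted = {w.lower() for w in watch}
    return [s["name"] for s in pe_sections(data) if s["name"].lower() in wanted]


def scan_file(path):
    """Convenience wrapper for real files on disk."""
    with open(path, "rb") as fh:
        return find_watched_sections(fh.read())


if __name__ == "__main__":
    clean = build_sample_pe([".text", ".rdata", ".data"])
    suspect = build_sample_pe([".text", ".rdata", ".stub"])
    print("clean  :", find_watched_sections(clean))    # []
    print("suspect:", find_watched_sections(suspect))  # ['.stub']
```

A section name is only a triage hint: the name is trivially renamed by an attacker, and a legitimate linker can produce odd names too. In practice the hit should be followed by checking the section's raw size against its virtual size and by verifying the Authenticode signer, since slide 7 notes that the Stuxnet drivers carried stolen Realtek and JMicron certificates.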
11. Demo: Analyzing Stuxnet

12. Duqu
Duqu was discovered in September 2011. Duqu shares a great deal of code with Stuxnet.
Duqu got its name from the prefix "~DQ" it gives to the names of the files it creates.
Duqu's purpose is to gather intelligence data and assets from the targeted entities.
Duqu may have been written in object-oriented C or in an unknown high-level language, also referred to as the "Duqu Framework".
30 days after installation, the threat automatically removes itself from the system.

13. Geographic distribution
[Map]

14. Technical Analysis
Duqu exploited a zero-day vulnerability (MS11-087) in the Win32k TrueType font parsing engine that allows code execution.
Duqu uses a 54x54 pixel JPEG file and encrypted dummy files as containers to smuggle data to its command-and-control servers.
Drivers signed with a certificate stolen from C-Media Electronics Inc.

15. Technical Analysis (cont.)
Duqu uses HTTP and HTTPS to communicate with its C&C servers. C&C servers were hosted in India, Belgium and Vietnam.
The C&C servers were configured to simply forward all port 80 and 443 traffic to other servers.
Through the C&C servers the attackers were able to download additional modules, such as ones for enumerating the network, recording keystrokes and gathering system information.

16. Installation
[Diagram]

17. Architecture
[Diagram]

18. Flame
Flame is modular malware discovered in 2012; its discovery was announced on 28 May 2012.
Flame is the most complex malware found so far, and at 20 MB it is an uncharacteristically large program for malware.
Partly written in the Lua scripting language, with compiled C++ code linked in.
Flame uses five different encryption methods and an SQLite database to store structured information.
Flame supports a kill command that makes it eliminate all traces of its files and operation from a system.
Flame was signed with a fraudulent certificate believed to chain to the Microsoft Enforced Licensing Intermediate PCA certificate authority.
It can record audio, screenshots, keyboard activity and network traffic.
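Slide 14 describes Duqu hiding stolen data inside a 54x54 pixel JPEG file sent to its C&C. The simplest host- or network-side check for that trick is to walk the JPEG marker structure, find the End Of Image (EOI) marker and measure how much data follows it, since that is where an appended payload sits. The following is an added example written for this page, not code from the talk or from any published Duqu analysis. It constructs a minimal JPEG skeleton in memory (valid marker layout, not a decodable picture) so it runs offline; the size thresholds in is_suspicious are assumptions of the example.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
SOF_MARKERS = {0xC0, 0xC1, 0xC2}              # baseline, extended and progressive frame headers
STANDALONE = {0x01} | set(range(0xD0, 0xD8))  # TEM and RST0..RST7 carry no length field


def build_sample_jpeg(width, height, appended=b""):
    """Constructed test data: SOI, APP0, a one-component SOF0 with the given dimensions,
    SOS, a few entropy-coded bytes (including a stuffed FF00), EOI, then optional
    appended data. The marker layout is valid but the scan data is not a real image."""
    app0 = (b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\0\x01\x01\x00"
            + struct.pack(">HH", 1, 1) + b"\0\0")
    sof0 = b"\xFF\xC0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xFF\xDA" + struct.pack(">HB", 8, 1) + b"\x01\x00" + b"\x00\x3F\x00"
    scan = b"\x12\x34\xFF\x00\x56"
    return b"\xFF\xD8" + app0 + sof0 + sos + scan + b"\xFF\xD9" + appended


def inspect_jpeg(data):
    """Walk the marker segments, locate EOI and report image dimensions plus trailing bytes."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("missing SOI marker")
    pos, width, height = 2, None, None
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker, skip it
            pos += 1
            continue
        if marker == EOI:
            end = pos + 2
            return {"width": width, "height": height,
                    "image_bytes": end, "trailing_bytes": len(data) - end}
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]   # length includes its own 2 bytes
        if marker in SOF_MARKERS:
            _precision, height, width = struct.unpack_from(">BHH", data, pos + 4)
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows; skip until a real marker (not FF00 stuffing, not RSTn).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def is_suspicious(info, max_pixels=64 * 64, min_trailing=1024):
    """Heuristic (thresholds are this example's assumption): a tiny image carrying a
    non-trivial amount of data after EOI is more likely a container than a picture."""
    pixels = (info["width"] or 0) * (info["height"] or 0)
    return pixels <= max_pixels and info["trailing_bytes"] >= min_trailing


if __name__ == "__main__":
    carrier = inspect_jpeg(build_sample_jpeg(54, 54, appended=b"\xA5" * 4096))
    plain = inspect_jpeg(build_sample_jpeg(54, 54))
    print("carrier:", carrier, is_suspicious(carrier))  # trailing_bytes 4096, True
    print("plain  :", plain, is_suspicious(plain))      # trailing_bytes 0, False
```

Appending after EOI is only one way to use an image as a container; data can also be hidden inside APPn or COM segments, so a fuller check would also report unusually large application segments. Trailing data on its own is not proof of malice either (some cameras and editors append thumbnails or metadata), which is why the heuristic combines it with the tiny image dimensions the slide calls out.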
19. Technical Analysis
Flame exploited known vulnerabilities that were also used by Stuxnet.
Replicates via USB, LAN and Windows Update.
Communication: SSL + SSH.
sKyWIper's (Flame's) main executables:
mssecmgr.ocx (main module)
msglu32.ocx
nteps32.ocx
advnetcfg.ocx
soapr32.ocx
ccalc32.sys
boot32drv.sys

20. Technical Analysis (cont.)
Flame is modular malware; it consists of nearly 20 modules:
Beetlejuice, Microbe, Infectmedia, Autorun_infector, Euphoria, Limbo, Frog, Munch, Gadget, Snack, Boot_dll_loader, Weasel, Boost, Telemetry, Gator, Security, Bunny, Dbquery, Driller, Headache

21. Startup sequence
[Diagram]

22. Command & Control servers
Operating system: 64-bit Debian 6.0.x
Virtualization: in most cases running under OpenVZ
Programming languages used: PHP (most of the code), Python, bash
Database: MySQL with InnoDB tables
Web server: Apache 2.x with self-signed certificates

23. Command & Control servers (cont.)
[Diagram]

24. Demo: Analyzing Flame

25. Gauss
Gauss was discovered by Kaspersky Lab in June 2012 while searching for new, unknown components.
Gauss is designed to collect as much information about the infected machine as possible, as well as to steal credentials for various banking systems and social network, email and IM accounts.
Gauss was designed for 32-bit versions of Windows. Some of the modules do not work under Windows 7 SP1.

26. Functionality
Injecting its own modules into different browsers in order to intercept user sessions and steal passwords, cookies and browser history.
Collecting information about the computer's network connections.
Collecting information about processes and folders.
Collecting information about the BIOS and CMOS RAM.
Collecting information about local, network and removable drives.
Infecting USB drives with a spy module in order to steal information from other computers.
Installing the custom Palida Narrow font (purpose unknown).
Ensuring the loading and operation of the entire toolkit.
Interacting with the command-and-control server: sending the collected information to it and downloading additional modules.
27. Infection statistics
Country                  Infections
Lebanon                  1660
Israel                   483
Palestinian Territory    261
United States            43
United Arab Emirates     11
Germany                  5
Egypt                    4
Qatar                    4
Jordan                   4
Saudi Arabia             4
Syria                    4

28. This is just the beginning. Think about all the services and systems that we depend upon to keep society running smoothly. Most of them run on computer networks. Even if the network administrators isolate their computers from the rest of the Internet, they could still be vulnerable to a cyber attack.