Duqu: il nuovo Stuxnet?
1 like839 views
The document discusses Duqu, a malware identified as a precursor to the Stuxnet virus, highlighting its use of Stuxnet's source code to gather information from targeted organizations, particularly those involved in industrial control systems. It outlines the infection vectors and reconnaissance capabilities of Duqu, stressing the need for updated security measures against such targeted threats. Additionally, it advises users on staying informed about the latest research and recommended defenses against malware infiltration.
![Duqu
Reconnaissance
Limited internet access
Attacker
206.[REMOVED].97
• Download Infostealer to gather:
– Running processes, account details,
domains
– Driver names, shared drive info, etc
– Screenshots
– Keystrokes
– Network information
• Every 30 seconds
Duqu: Precursor to the Next Stuxnet 27](https://image.slidesharecdn.com/2710duquilnuovostuxnet-111027090717-phpapp02/85/Duqu-il-nuovo-Stuxnet-27-320.jpg)
Duqu: il nuovo Stuxnet?
- 1. Duqu: Precursor to the Next Stuxnet Antonio Forzieri Security Practice Manager – Technology Sales Organization Duqu: Precursor to the Next Stuxnet 1
- 2. Before starting… Twitter • You can follow our webinar on twitter in realtime. Our twitter account is @StopBlackMarket Duqu: Precursor to the Next Stuxnet
- 3. Before Starting… Facebook • You can follow us also on Facebook. Out account is Stop Black Market Duqu: Precursor to the Next Stuxnet
- 4. Before Staring… Symantec • You can access to all documents used for our webinars. Our portal is http://www.symantec.it/blackmarket Duqu: Precursor to the Next Stuxnet
- 5. Stuxnet June 2010 Duqu: Precursor to the Next Stuxnet 5
- 6. Stuxnet July 2010 www.premierfutbol.com www.todaysfutbol.com Duqu: Precursor to the Next Stuxnet 6
- 7. Stuxnet Geographic Distribution of Infections 70,00 60,00 58,31 50,00 Unique IPs Contact C&C Server (%) 40,00 30,00 17,83 20,00 9,96 10,00 5,15 3,40 1,40 1,16 0,89 0,71 0,61 0,57 0,00 IRAN INDONESIA INDIA AZERBAIJAN PAKISTAN MALAYSIA USA UZBEKISTAN RUSSIA GREAT OTHERS BRITAIN Over 40,000 infected unique external IPs, from over 115 countries Duqu: Precursor to the Next Stuxnet 7
- 8. Stuxnet November 2010 S7-315 CPU CP-342-5 – 6 modules ... 31 Vacon or Fararo Paya frequency converters per module ... ... ... ... Totaling up to 186 motors Duqu: Precursor to the Next Stuxnet 8
- 9. Stuxnet February 2011 • Symantec identified 5 domains as the target of Stuxnet • All targets have a presence in Iran 5 Domains targeted 1800 domains infected Duqu: Precursor to the Next Stuxnet 9
- 10. Stuxnet Runs Its Course • Stuxnet files date between June 2009 and March 2010 • After March 2010 no new Stuxnet files appeared in wild • But it changed many things Duqu: Precursor to the Next Stuxnet 10
- 11. Stuxnet accomplished its mission Duqu: Precursor to the Next Stuxnet 11
- 12. Limited internet access • Financial networks – E.g., ATMs, POS, SWIFTNet • Engineering networks – E.g., source code, design documents, non-production code Secure/No network access • Classified data networks • Aviation & air traffic control systems • Life critical and healthcare systems • Law enforcement database networks • Military communication systems • Malware analysis networks Duqu: Precursor to the Next Stuxnet 12
- 13. This changes everything… Duqu: Precursor to the Next Stuxnet 13
- 14. Much more can happen Duqu: Precursor to the Next Stuxnet 14
- 15. Stuxnet Duqu: Precursor to the Next Stuxnet 15
- 16. Duqu • October 14th research lab reached out to Symantec to confirm a suspicion on newly discovered threat • We confirmed their suspicion • This threat uses source code from Stuxnet Duqu: Precursor to the Next Stuxnet 16
- 17. Duqu: Key Facts • New executables using Stuxnet source code have been discovered – Developed since the last Stuxnet file was recovered • New executables designed to capture information like keystrokes & system information • Current analysis shows no code related to industrial control systems, exploits, or self-replication • Executables found in limited number of organizations – Including those involved in the manufacturing of industrial control systems • Exfiltrated data may be used to enable a future Stuxnet-like attack Duqu: Precursor to the Next Stuxnet 17
- 18. Source Code Stuxnet Duqu: Precursor to the Next Stuxnet 18
- 19. Source Code Stuxnet Duqu Duqu: Precursor to the Next Stuxnet 19
- 20. Stuxnet Extensive Infection Vectors Network Shares Print Spooler (MS10-061) SMB (MS08-067) Step7 WinCC SQL P2P (Updating only) Duqu: Precursor to the Next Stuxnet 20
- 21. Duqu Infection Vectors Duqu: Precursor to the Next Stuxnet 21
- 22. Duqu Deception Duqu: Precursor to the Next Stuxnet 22
- 23. Duqu Deception 36 days Duqu: Precursor to the Next Stuxnet 23
- 24. Stuxnet Deception • 2 stolen private keys used to sign the application to allow undetected installation of rootkits Duqu: Precursor to the Next Stuxnet 24
- 25. Duqu Deception A stolen private key used to sign the application to allow undetected installation of rootkits Duqu: Precursor to the Next Stuxnet 25
- 26. Stuxnet Reconnaissance Limited internet access Attacker www.mypremierfutbol.com www.todaysfutbol.com • Infected machines check in with system information – OS version – Computer name – Domain – IP addresses – Configuration data – Existence of ICS programming software (STEP7) • And will send design documents if requested Duqu: Precursor to the Next Stuxnet 26
- 27. Duqu Reconnaissance Limited internet access Attacker 206.[REMOVED].97 • Download Infostealer to gather: – Running processes, account details, domains – Driver names, shared drive info, etc – Screenshots – Keystrokes – Network information • Every 30 seconds Duqu: Precursor to the Next Stuxnet 27
- 28. Duqu Target Limited internet access Attacker • Limited in number • In Europe • Involved in manufacturing of industrial control systems • We have found an additional variant since we went public The compilation time on the code was 10/17/2011 Duqu: Precursor to the Next Stuxnet 28
- 29. Symantec Customers Are Protected • Those with updated AV definitions • Those using Insight technology in SEP 12.1 – Low prevalence of Duqu Duqu: Precursor to the Next Stuxnet 29
- 30. Recommended Defenses Advanced Reputation Techniques • Duqu is extremely targeted and thus, would have a low reputation profile Host Intrusion Prevention Systems • Implements host-lock-down as a means of hardening against malware infiltration Removable Media Device Control • Many infection vectors appear to be delivered by removable media • Restrict automatic launch of content on removable media Data Loss Prevention • Core repositories of intellectual property are likely prequel targets on Enterprise LAN Automated Compliance Monitoring • Detecting default passwords on industrial control systems Duqu: Precursor to the Next Stuxnet 30
- 31. What to Do? 1 Stay Current on latest Duqu research with Twitter.com/threatintel 2 Stay Informed on Symantec’s outbreak page at www.symantec.com/outbreak 3 Contact Ask us for a Malicious Activity Assessment Duqu: Precursor to the Next Stuxnet 31
- 32. Thank you! Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. Duqu: Precursor to the Next Stuxnet 32