1. Targeted attacks of recent days Boldizsár Bencsáth PhD Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics www.crysys.hu this is joint work with Gábor Pék, Levente Buttyán, Márk Félegyházi, others

2. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 2 Targeted Attacks  Although many expected, nobody knew how the era of targeted attack, cyber warfare will start.  Hype began with Stuxnet, but maybe not the first case (Hydraq, DoS attacks, etc.)  Lot of new cases: Stuxnet, Duqu, RSA, Chemical plants, Mitsubishi Heavy Industries, Illinois water system (?),… (Additionally: Anonymous, Lulzsec, etc..)  APT: Advanced Persistent Threat -> this definition emphasizes power of the attacker over of our inability to have control on our system  New approach is needed against APT, Targeted Attacks

3. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 3 What we have done in Duqu case?  Yes, we are the Lab who discovered Duqu.  We will share with you what we can but more information on the ongoing case is under NDA. Technical details are already public.  In early September, during the investigation of an incident CrySyS Lab found a suspicious executable, the reference info stealer / keylogger component of Duqu.  Later during forensics activities we identified components used for the incident. We made an initial analysis and shared our results with competent organizations.The cut-down version of our analysis was embedded into Symantec’s report as an appendix (18/Oct/2011)  We continued the analysis of Duqu and as a result we identified the dropper/installer component. After proving that it contains a 0-day vulnerability, we initiated the collaborated handling of the threat. On 01/Nov/2011 we announced the identification of the dropper file.

4. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 4 Duqu/Stuxnet comparison at a glance FeatureStuxnetDuqu Modular malware Kernel driver based rootkit very similar Valid digital signature on driverRealtek, JMicronC-Media Injection based on A/V list seems based on Stux. Imports based on checksum different alg. 3 Config files, all encrypted, etc. almost the same Keylogger moduleDuqu PLC functionality  (different goal) Stuxnet Infection through local shares Possible – Symantec Exploits, 0-day Zero-day word, win32k.sys DLL with modules as resources (many) (one) RPC communication Port 80/443, TLS based C&C? similar Special “magic” keys, e.g. 790522, AE lots of similar Virtual file based access to modules Careful error handling Initial, dropper, deactivation timer Configurable starting in safe mode/dbg (exactly same mech.)

5. Laboratory of Cryptography and System Security CrySyS Adat- és Rendszerbiztonság Laboratórium www.crysys.hu 5 Duqudetector toolkit – a new way of thinking about threats like Stuxnet  The Crysys DuquDetector Toolkit was publicly released on 09/Nov/2011.  We have to go forward and get rid of signature-only approaches  Our tool tries to identify anything suspicious, even if that generates lots of false positive.  Currently the toolkit is “configured” for Duqu, but the aim is a bit more general  Entropy based detection of strange PNF files  Suspicious files with missing counterparts  Search for data files left by keylogger/infostealer/data siphoning tools of the malware by it’s signatures (file name, magic strings)  Our tool might be able to find traces on infections even after the malware was already deleted by self-destructing logics.