Win32/Duqu: involution of Stuxnet -...

Preview:

Click to see full reader

Citation preview

Win32/Duqu: involution of Stuxnet Aleksandr Matrosov

Eugene Rodionov

14.10 19.10 01.11 03.11 4.11 ?

CrySyS Lab

share info

about Duqu

on public

Duqu: the

precursor

to the next

Stuxnet

Dropper

found and

0-day

confirmed CVE-2011-3402

Microsoft

Security

Advisory

(2639658)

MS share

info about

exploit on

MAPP

What the

next?

Duqu infection scheme

RPC Function Stuxnet Duqu Rpc 1– return version of the worm

Rpc 2 – load module in into a new

process and execute export function

Rpc 3 – load module into existing

process and execute export #1

Rpc 4 – load module in a process and

execute its entry point

Rpc 5 – Build the worm dropper

Rpc 6 – run specified application

(calling CreateProcess API)

Rpc 7 – read data from specified file

Rpc 8 – write data into specified file

Rpc 9 – delete specified file Rpc 10 – work with target files

Finding exact date of infection

Config decryption algorithm

Finding date in UTC format

11/08/2011 at 07:50:01

18/08/2011 at 07:29:07

36

30

References

“Win32/Duqu: It’s A Date” http://blog.eset.com/2011/10/25/win32duqu-it’s-a-date

“Stuxnet Under the Microscope” http://go.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf

“Win32/Duqu analysis: the RPC edition” http://blog.eset.com/2011/10/28/win32duqu-analysis-the-rpc-edition

Follow ESET Threat Blog http://blog.eset.com

Thank you for your attention ;)

Aleksandr Matrosov matrosov@eset.sk

@matrosov

Eugene Rodionov rodionov@eset.sk

@vxradius

Recommended

Guide to Stuxnet
Documents
Uncovering Duqu - USENIX · Stuxnet was the first publicly known malware designed to cause “real” real-world damage Duqu shares many similarities but is used for espionage Both
Documents
Involution of Cefalopods
Documents
NAVAL POSTGRADUATE SCHOOLadvanced malware, such as Stuxnet, Duqu, Flame, and Red October, were observed to use XOR as the basis of a simple obfuscation algorithm to hide data that
Documents
Stuxnet dc9723
Technology
McAfee Labs Consolidated Threat Report: Duqu · is considered to be one of the most sophisticated, targeted, attacks in recent history. Stuxnet primarily targeted facilities in Iran,
Documents
Stuxnet Virus
Documents
THE UNBEARABLE LIGHTNESS · APT HISTORY 2015 2014 2013 2012 2011 2010 12 Aurora 13 Stuxnet Duqu RSA Hack 79 Carbanak Equation Duqu2 Casper Babar PlugX 24 Madi Flame Gauss Subpab Shamoon
Documents
Advanced Cyber Defense - Dell EMC Germany · Grey Goose Stuxnet Australian . Mining . Taidoor . RBA . Safe . Duqu Comodo Black Tulip Nitro . ... Design Technical Architecture . Design
Documents
STUXNET. Summary What is Stuxnet? Industial Control Systems The target/s of Stuxnet. How Stuxnet spreads. The impact of Stuxnet on PLC’s
Documents
W32 - Infopoint Security · 2017. 4. 12. · W32.Duqu: The precursor to the next Stuxnet Page 2 Security Response Our telemetry shows the threat has been highly targeted toward a
Documents
SCADA Security in a Post-Stuxnet World Oct 2011 (BYRES)V2 · The Stuxnet WormThe Stuxnet Worm • July, 2010: Stuxnet worm was discovered attacking Siemens PCS7 S7 PLC and WINSiemens
Documents
SUSTAINABLE INTENSIFICATION & AGRICULTURAL INVOLUTION …
Documents
Stuxnet under the_microscope
Education
Stuxnet Final
Documents
Flame: Modern Warfare Matthew Stratton. What is Flame? How it was found What are its capabilities How it is similar to Stuxnet and Duqu Implications
Documents
Analysis Stuxnet dissected
Documents
Involution Digital - About Us
Documents
Aleksandr Matrosov, Eugene Rodionov - Win32 Duqu - involution of Stuxnet
Technology
sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware ... · discovered info-stealer malware used in targeted attacks, we briefly compare sKyWIper to Duqu (and Stuxnet) in Table
Documents