People First, Performance Now
Ministry of Science, Technology and Innovation

Nation State Sponsored Malware: Stuxnet
Goh Su Gim
Security Advisor APAC, F-Secure Labs
07 November 2012
About me
Technology Evangelist
Protecting the irreplaceable | f-secure.com
16 November 2012
F-Secure - Summary
1988 Founded
1999 IPO (Helsinki Stock Exchange)
2007
Today
• "Protecting the irreplaceable"
• Enabling the safe use of computers and smartphones
• Strong solution portfolio covering both consumers and business
• The leading Software as a Service (SaaS) partner for operators globally
• Over 200 operator partnerships in more than 40 countries
• Strong market presence in Europe, North America and Asia
• Distributors/resellers in more than 100 countries
• 20 offices globally and over 800 professionals worldwide
Where it all started...
© F-Secure / Public, November 16, 2012
http://campaigns.f-secure.com/brain/index.html
Stuxnet
STUXNET
Windows worm
Uses 5 vulnerabilities*
Spreads via USB sticks
* 4 zero-days
5 Vulnerabilities, 4 Zero Day
• LNK (MS10-046)
• Print Spooler (MS10-061)
• Server Service (MS08-067)
• Privilege escalation via keyboard layout file
• Privilege escalation via Task Scheduler
LNK (MS10-046)
• 1st surprise
• Spreads first via removable and network storage
Server Service (MS08-067)
• Conficker anyone?
• Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Server Service (MS08-067)
• Here comes the best part
• This vulnerability makes it possible for malicious code to be passed to, and then executed on, a remote machine
• Print Spooler Service Impersonation Vulnerability
Signed component – the stolen certificate
Stuxnet is big
Stuxnet: 1.5 MB
Average malware: 50-100 KB
Siemens Simatic Step7 / WinCC
PLC
6es7-417
Bushehr / Natanz
The 20th day of the first month of the Iranian calendar year (Farvardin), which falls on April 8 this year, was announced as National Nuclear Technology Day by President Ahmadinejad last year.
The day marks the victory of the Iranian scientists in producing uranium enriched to 3.5 percent in Natanz facility two years ago.
The achievement made Iran self-sufficient in production of nuclear fuel and the country along with Brazil was recorded as the 8th country possessing nuclear fuel cycle in the world, thanks to the efforts of its young talented experts.
Case Flame
• Flame is huge
• It has a keylogger and a screengrabber
• It sends the stolen info out even from organizations with no network connectivity
• Has SSH, SSL and LUA libraries
• It's connected to Stuxnet
• It collects excerpts from documents
• It collects coordinates from image files
• Checks paired Bluetooth devices
• It spreads via Microsoft Update, is signed by Microsoft, and the certificate has been brute-forced by a supercomputer
So what about nation-state sponsored malware?
Who fights the attackers?
POLICE
Nuclear physics lost its innocence in 1945
Computer science lost its innocence in 2009
6es7-315-2 / 6es7-417