STUXNET….DUQU….FLAME…..? Santosh Khadsare

DESCRIPTION

This is a presentation on the Stuxnet and Flame malware. It covers the similarities between the viruses and their evolution.

“Now we’re living in the era of cyber weapons. The world is different. Not just cyber hooligans, vandals. Not just criminals. But governments are in the game and I’m afraid for the worst, I’m still expecting, cyber terrorism.”

Eugene Kaspersky, CEO of Kaspersky Lab

Stuxnet….Duqu….Flame

• Stuxnet is a computer worm discovered in June 2010.

Stuxnet initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.

• Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The main component used in Duqu is designed to capture information such as keystrokes and system information. The exfiltrated data may be used to enable a future Stuxnet-like attack.

Stuxnet….Duqu….Flame

• Flame, like Duqu, is designed to steal data from various databases. A completely new capability of Flame is audio spying: Flame detects and recognises a microphone on the infected computer, turns it on and records every conversation taking place in the room. The recorded data is immediately transferred to the server from which the virus began to spread.

Stuxnet

• Spread on Microsoft Windows

• Developed June 2009

• Spreading began late 2009/early 2010

• Discovered in July 2010

o Microsoft out-of-band patch released August 2010 - .lnk exploit

o More patches with the September 'Patch Tuesday' - print spooler exploit

• Around half a megabyte

• Written in C, C++, and other object-oriented languages

What the news says it was

• Iranian centrifuge destroyer!

o Its one goal was to destroy the Iranian nuclear program

• Developed by the United States and Israel

• Contributed to the Gulf oil leak

• 'Mission: Impossible'-like virus

• It will kill your unborn children

o Assuming they are born in a hospital using PLC machines

*PLC: Programmable Logic Controller

How it did it

• USB drive for initial infection, then spread on network

• .lnk file exploit

o As soon as the shortcut is displayed, the exploit is run

• Windows vulnerabilities

o EoP: Task Scheduler

o MS08-067 (Conficker) - already patched!!!! (but not on these systems)

o Print spooler exploit

o Used at least 4 previously undiscovered vulnerabilities

• Searched for WinCC and PCS 7 SCADA management programs

o Tried default Siemens passwords to gain access

o If access is granted, PLC software could be reprogrammed

• Used stolen signed digital certificates

o Looked like genuine software to antivirus scanners

*EoP: Elevation of Privileges
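As an added example (not from the slides), a small Python triage script for the .lnk vector above: it parses the MS-SHLLINK header and target ID list and flags shortcuts whose shell items name a DLL or CPL, the library Explorer loads to draw the shortcut's icon. The heuristics, the sample bytes and the function names are constructed here for illustration and are not a signature for any particular sample.

```python
import struct

# MS-SHLLINK fixed header: HeaderSize 0x4C, then the Shell Link CLSID, then LinkFlags.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_RELATIVE_PATH = 0x1, 0x2, 0x8


def parse_lnk(data: bytes) -> dict:
    """Validate the header and return LinkFlags plus each raw ItemID of the target list."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a shell link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    items = []
    if flags & HAS_LINK_TARGET_IDLIST:
        pos = LNK_HEADER_SIZE + 2                      # skip the IDListSize field
        end = pos + struct.unpack_from("<H", data, LNK_HEADER_SIZE)[0]
        while pos + 2 <= end:
            size = struct.unpack_from("<H", data, pos)[0]
            if size == 0:                              # TerminalID ends the list
                break
            items.append(data[pos + 2:pos + size])
            pos += size
    return {"flags": flags, "items": items}


def lnk_triage(data: bytes) -> list[str]:
    """Constructed heuristics for analyst review, not a detection signature."""
    info = parse_lnk(data)
    reasons = []
    for item in info["items"]:
        text = item.decode("utf-16-le", errors="ignore").lower()
        if ".dll" in text or ".cpl" in text:           # icon handler library named in the item
            reasons.append("target ID list names a DLL/CPL")
            break
    if info["flags"] & HAS_LINK_TARGET_IDLIST and not info["flags"] & (HAS_LINK_INFO | HAS_RELATIVE_PATH):
        reasons.append("target given only as an ID list (no LinkInfo or relative path)")
    return reasons


def build_lnk(flags: int, items: list[bytes]) -> bytes:
    """Constructed sample builder: a minimal shell link (header + LinkTargetIDList only)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header.ljust(LNK_HEADER_SIZE, b"\x00") + struct.pack("<H", len(body)) + body


# Constructed samples: an ordinary shortcut, and one whose ID list embeds a UNC path to a DLL.
ROOT_ITEM = b"\x1f\x50" + bytes.fromhex("e04fd020ea3a6910a2d808002b30309d")
ORDINARY_LNK = build_lnk(HAS_LINK_TARGET_IDLIST | HAS_LINK_INFO | HAS_RELATIVE_PATH, [ROOT_ITEM])
DLL_LNK = build_lnk(HAS_LINK_TARGET_IDLIST, [ROOT_ITEM, "\\\\share\\icon.dll".encode("utf-16-le")])
```

Run `lnk_triage` over every `.lnk` collected from removable media and review the hits by hand; an empty list means only that none of these two signals fired.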

How it did it (cont.)

• Installed an RPC server

• Self-updating

o Machines check on other machines running Stuxnet and do a version check

o Newer versions automatically push their version onto the other machines

o Older versions automatically request the newer version to be pushed

o If the central server goes down, updates still spread

*RPC: Remote Procedure Call

Links

• Stuxnet was the first cyber-weapon targeting industrial facilities. The fact that Stuxnet also infected regular PCs worldwide led to its discovery in June 2010, although the earliest known version of the malicious program was created one year before that.

• The next example of a cyber-weapon, now known as Duqu, was found in September 2011. Unlike Stuxnet, the main task of the Duqu Trojan was to serve as a backdoor to the infected system and steal private information (cyber-espionage).

• During the analysis of Duqu, strong similarities were discovered with Stuxnet, which revealed that the two cyber-weapons were created using the same attack platform known as the “Tilded Platform”. The name originated from the preferences of the malware developers for filenames of the form “~d*.*” – hence, “Tilde-d”.

Senior Virus Analyst Alexander Gostev

A Russian computer security company (Kaspersky Lab) detected a new spyware program called Flame.

The Find……..Flame

• In April 2012, several computers of the National Iranian Oil Company, as well as several Iranian ministries, were infected by an unknown virus. This case was just a single link in a chain of cyber attacks in which viruses like Stuxnet and Duqu were used.

• The International Telecommunication Union (ITU) asked Kaspersky Lab to analyze the situation. They were searching for a virus called Wiper, but found something more terrible instead: Flame.

• Flame is much more complicated, and the volume of its code is 20 times greater than that of Stuxnet.

The Find……..Flame

• The “Resource 207” module is an encrypted DLL file containing an executable file of 351,768 bytes named “atmpsvcn.ocx”. This particular file, as now revealed by Kaspersky Lab’s investigation, has a lot in common with the code used in Flame.

• The list of striking resemblances includes the names of mutually exclusive objects (mutexes), the algorithm used to decrypt strings, and similar approaches to file naming.

• More than that, most sections of code appear to be identical or similar in the respective Stuxnet and Flame modules, which leads to the conclusion that the exchange between Flame and the Duqu/Stuxnet teams was done in a form of source code (i.e. not in binary form).

• Kaspersky Lab discovered that a module from the early 2009-version of Stuxnet, known as “Resource 207,” was actually a Flame plugin.

• This means that when the Stuxnet worm was created in the beginning of 2009, the Flame platform already existed, and that in 2009, the source code of at least one module of Flame was used in Stuxnet.

• This module was used to spread the infection via USB drives. The code of the USB drive infection mechanism is identical in Flame and Stuxnet.

• The Flame module in Stuxnet also exploited a vulnerability which was unknown at the time and which enabled escalation of privileges, presumably MS09-025. Subsequently, the Flame plugin module was removed from Stuxnet in 2010 and replaced by several different modules that utilized new vulnerabilities.

Flame: The sophisticated virus has been used to spy on computer systems

Daily Mail…..15 Jun 2012

• Both Flame and Stuxnet are believed to have been used by the U.S. government to wage online warfare against hostile regimes.

Washington Post ..17 Jun 2012

• The recent disclosure that Stuxnet was approved by both Presidents George W. Bush and Obama as a covert operation aimed at Iran sheds new light on a nascent U.S. offensive cyberweapons program that has largely existed in the shadows. Instead of forcing cyberweapons into deeper secrecy, the disclosure should prompt a more open and thorough policy debate about 21st-century threats and how they will be countered with American power.

• The virus, codenamed Olympic Games, was passed from President Bush to President Obama. Obama knew about each attack made against the Iranian nuclear program, deciding this was a good alternative to a physical war.

• This is just the beginning……………