Malware Freak Show
Upcoming SlideShare
Loading in...5
×
 

Like this? Share it with your network

Share

Malware Freak Show

on

  • 5,068 views

null Hyderabad Chapter - November 2012 Meet

null Hyderabad Chapter - November 2012 Meet

Statistics

Views

Total Views
5,068
Views on SlideShare
4,688
Embed Views
380

Actions

Likes
0
Downloads
15
Comments
0

1 Embed 380

http://null.co.in 380

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Malware Freak Show Presentation Transcript

  • 1. Srinu sr1nu@ymail.comI do Malware analysis, Computer forensic & Pentesting
  • 2. Stuxnet DuquAgenda Flame Gauss
  • 3. Stuxnet is discovered in June 2010 but the first variant of the wormappeared in June 2009Stuxnet is a first discovered malware includes a PLC RootkitGoal: To reprogram industrial control systems by modifying code onprogrammable logic controllers to make them work in a manner theattacker intended and to hide those changes from the operator of theequipment
  • 4. Infection Statistics 58.3160504030 17.8320 9.9610 3.4 5.5 1.4 1.1 0.9 0.7 0.6 0.5 0
  • 5. Possible Attack ScenarioOnce Stuxnet had infected a computer withinthe organization it began to spread in search ofField PGs . Since most of these computers arenon-networked, Stuxnet would first try to spreadto other computers on the LAN, infecting Step 7projects, and through removable drives.Propagation through a LAN likely served as thefirst step and propagation through removabledrives as a means to cover the last and final hopto a Field PG that is never connected to anuntrusted network.
  • 6. CommunicationBefore infection After infection
  • 7. Technical AnalysisExploited 4 zero day vulnerabilities Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability Win2000/XP Win32k.sys privilege elevation Windows 7 task scheduler privilege elevationCopies and executes itself on remote computers through network sharesCopies itself into Step 7 projects in such a way that it automatically executeswhen the Step 7 project is loadedUpdates itself through a peer-to-peer mechanism within a LANContains a Windows rootkit and a PLC rootkit3 variants of stuxnet has been discovered.Drivers signed with stolen certificate from Realtek & Jmicron
  • 8. Technical Analysis (cont.)Stuxnet contains a DLL file and two encrypted configuration files stored in asection named name called stubIt uses different types of Process injection techniques depends on antivirusinstalled.
  • 9. Installation routine
  • 10. Infection Routine
  • 11. DemoAnalyzing STUXNET 
  • 12. Duqu is discovered on September 2011, Duqu shares a great deal of codewith StuxnetDuqu got its name from the prefix "~DQ" it gives to the names of files itcreatesDuqu’s purpose is to gather intelligence data and assets from entitiesDuqu may have been written in Object Oriented C or in unknown high levellanguage also called as Duqu framework After 30 days of installation, the threat will automatically remove itself fromthe system.
  • 13. Geographic distribution
  • 14. Technical Analysis Duqu exploited a zero day vulnerability (MS11-087) Win32k TrueType font parsing engine and allows execution Duqu uses a 54*54 pixel jpeg file and encrypted dummyfiles as containers to smuggle data to is command andcontrol servers. Drivers signed with stolen certificates from C-MediaElectronic Inc.
  • 15. Technical Analysis (cont.)Duqu uses HTTP & HTTPS to communicate with C&C servers. C&C serversare hosted in India, Belgium, and VietnamThe C&C servers were configured to simply forward all port 80 and 443traffic to other servers.By using the C&C servers, the attacker were able to download additionalmodules such as enumerating the network, recording keystrokes, andgathering system information
  • 16. Installation
  • 17. architecture
  • 18. Flame is a modular computer malware discovered in 2012, Its discovery wasannounced on 28 May 2012Flame is most complex malware ever found and it is an uncharacteristicallylarge program for malware at 20 MB.Partly written in Lua scripting language with compiled C++ code linked inFlame uses five different encryption methods and an SQLite database to storestructured informationFlame supports “kill” command that makes it eliminate all traces of its filesand operation from a systemFlame was signed with a fraudulent certificate believed from the MicrosoftEnforced Licensing Intermediate PCA certificate authorityIt can record audio, screenshots, keyboard activity and network traffic
  • 19. Technical AnalysisFlame exploited known vulnerabilities which is used in StuxnetReplicates via USB, LAN and Windows updateCommunication : SSL + SSHSkywiper’s main executables: mssecmgr.ocx – Main module msglu32.ocx nteps32.ocx advnetcfg.ocx soapr32.ocx ccalc32.sys Boot32drv.sys
  • 20. Technical Analysis(cont.)Flame is a modular malware , it consists nearly 20 modules Beetlejuice Microbe Infectmedia Autorun_infector Euphoria Limbo Frog Munch Gadget Snack Boot_dll_loader Weasel Boost Telemetry Gator, Security Bunny, Dbquery, Driller, Headache
  • 21. Startupsequence
  • 22. Command & Control serversOperating system: 64-bit Debian 6.0.xVirtualization: In most of cases running under OpenVZProgramming languages used: PHP (most of code), Python, bashDatabase: MySQL with InnoDB tablesWeb server: Apache 2.x with self-signed certificates
  • 23. Command & Control servers (cont.)
  • 24. DemoAnalyzing Flame 
  • 25. Gauss is discovered by Kaspersky lab in June 2012, while searching for new,unknown components.Gauss is designed to collect as much information about infected machine aspossible, as well as to steal credentials for various banking systems andsocial network, email and IM accounts.Gauss was designed for 32-bit versions of windows. Some of the modulesdo not work under windows 7 SP1
  • 26. FunctionalityInjecting its own modules into different browsers in order to intercept usersessions and steal passwords, cookies and browser history.Collecting information about the computer’s network connections.Collecting information about processes and folders.Collecting information about BIOS, CMOS RAM.Collecting information about local, network and removable drives.Infecting USB drives with a spy module in order to steal information fromother computers.Installing the custom Palida Narrow font (purpose unknown).Ensuring the entire toolkit’s loading and operation.Interacting with the command and control server, sending the informationcollected to it, downloading additional modules.
  • 27. Infection statisticsLebanon 1660Israel 483Palestinian Territory 261United States 43United Arab Emirates 11Germany 5Egypt 4Qatar 4Jordan 4Saudi Arabia 4Syria 4
  • 28. This is just the beginning. Think about all the services andsystems that we depend upon to keep society running smoothly.Most of them run on computer networks. Even if the networkadministrators isolate their computers from the rest of theInternet, they could be vulnerable to a cyber attack.