“Now we’re living in the era of cyberweapons. The world is different. Not just cyber hooligans, vandals. Not just criminals. But governments are in the game and I’m afraid for the worst, I’m still expecting, cyberterrorism.”
Eugene Kaspersky, CEO of Kaspersky Lab
Stuxnet….Duqu….Flame
• Stuxnet is a computer worm discovered in June 2010. Stuxnet initially spreads via Microsoft Windows, and targets Siemens industrial software and equipment. While it is not the first time that hackers have targeted industrial systems, it is the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.
• Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The main component used in Duqu is designed to capture information such as
Stuxnet….Duqu….Flame
• Flame, like Duqu, is designed to steal different databases. A completely new thing that Flame can be used for is audio spying. Flame detects and recognizes a microphone on the infected computer, turns the microphone on and then records every conversation taking place in that room. Recorded data is immediately transferred to the server from which the virus began to spread.
Stuxnet
• Spread on Microsoft Windows
• Developed June 2009
• Spreading began late 2009/early 2010
• Discovered in July 2010
  o Microsoft out-of-band patch released August 2010 - .lnk exploit
  o More patches with the September Patch Tuesday - print spooler exploit
• Around half a megabyte
• C, C++, and other object oriented languages
What the news says it was
• Iranian centrifuge destroyer!
  o Its one goal was to destroy the Iranian nuclear program
• Developed by the United States and Israel
• Contributed to the Gulf oil leak
• Mission: Impossible-like virus
• It will kill your unborn children
  o Assuming they are born in a hospital using PLC machines
How it did it
• USB drive for initial infection, then spread on network
• .lnk file exploit
  o As soon as the shortcut is displayed, the exploit is run
• Windows vulnerabilities
  o EoP Task scheduler
  o MS08-067 (Conficker) - Already patched!!!! (but not on these systems)
  o Print spooler exploit
  o Used at least 4 previously undiscovered vulnerabilities
• Searched for WinCC and PCS 7 SCADA management programs
  o Tried default Siemens passwords to gain access
  o If access is granted, PLC software could be reprogrammed
• Used stolen signed digital certificates
How it did it (cont.)
• Installed an RPC server*
• Self-updating
  o Machines check on other machines running Stuxnet and do a version check
  o Newer versions automatically push their version onto the other machines
  o Older versions automatically request the newer version to be pushed
  o If the central server goes down, updates still spread
*RPC: Remote Procedure Call
Links
• Stuxnet was the first cyber-weapon targeting industrial facilities. The fact that Stuxnet also infected regular PCs worldwide led to its discovery in June 2010, although the earliest known version of the malicious program was created one year before that.
• The next example of a cyber-weapon, now known as Duqu, was found in September 2011. Unlike Stuxnet, the main task of the Duqu Trojan was to serve as a backdoor to the infected system and steal private information (cyber-espionage).
• During the analysis of Duqu, strong similarities
Senior Virus Analyst Alexander Gostev
A Russian computer security company (Kaspersky Lab) detected a new spyware program called Flame.
The Find……..Flame
• In April 2012, several computers of the National Iranian Oil Company, as well as several Iranian ministries, were infected by an unknown virus. This case was just a single link in a chain of cyber attacks during which viruses like Stuxnet and Duqu were used.
• The International Telecommunication Union (ITU) asked Kaspersky Lab to analyze the situation. They were searching for a virus called Wiper, but found something more terrible instead – Flame.
The Find……..Flame
• The “Resource 207” module is an encrypted DLL file and it contains an executable file with a size of 351,768 bytes and the name “atmpsvcn.ocx”. This particular file, as it is now revealed by Kaspersky Lab’s investigation, has a lot in common with the code used in Flame.
• The list of striking resemblances includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming.
• More than that, most sections of code appear to be identical or similar in the respective Stuxnet and Flame modules, which leads to the
• Kaspersky Lab discovered that a module from the early 2009 version of Stuxnet, known as “Resource 207,” was actually a Flame plugin.
• This means that when the Stuxnet worm was created in the beginning of 2009, the Flame platform already existed, and that in 2009, the source code of at least one module of Flame was used in Stuxnet.
• This module was used to spread the infection via USB drives. The code of the USB drive infection mechanism is identical in Flame and Stuxnet.
• The Flame module in Stuxnet also exploited a vulnerability which was unknown at the time and which enabled escalation of privileges, presumably MS09-025. Subsequently, the Flame plugin module was removed from Stuxnet in 2010 and replaced by several different modules that utilized new vulnerabilities.
Flame: The sophisticated virus has been used to spy on computer systems
Daily Mail…..15 Jun 2012
• Both Flame and Stuxnet are believed to have been used by the U.S. government to wage online warfare against hostile regimes.
Washington Post…..17 Jun 2012
• The recent disclosure that Stuxnet was approved by both Presidents George W. Bush and Obama as a covert operation aimed at Iran sheds new light on a nascent U.S. offensive cyberweapons program that has largely existed in the shadows. Instead of forcing cyberweapons into deeper secrecy, the disclosure should prompt a more open and thorough policy debate about 21st-century threats and how they will be countered with American power.
• The virus, codenamed Olympic Games, was passed from President Bush to President Obama. Obama knew about each attack made against the Iranian nuclear program, deciding this was a good alternative to a physical war.