Win32/Duqu: involution of Stuxnet
Aleksandr Matrosov, Eugene Rodionov
Published at the International Security Conference "ZeroNights 2011" - http://www.zeronights.org/
  2. Timeline
     - 14.10: CrySyS Lab share info about Duqu on public
     - 19.10: "Duqu: the precursor to the next Stuxnet"
     - 01.11: Dropper found and 0-day exploit confirmed
     - 03.11: Microsoft Security Advisory (2639658), CVE-2011-3402
     - 04.11: MS share info about the exploit on MAPP
     - ?: What next?
  3. Duqu infection scheme (diagram)
  4. RPC functions, Stuxnet vs. Duqu (the slide marks which of the two implements each function)
     - Rpc 1: return version of the worm
     - Rpc 2: load module into a new process and execute export function
     - Rpc 3: load module into existing process and execute export #1
     - Rpc 4: load module into a process and execute its entry point
     - Rpc 5: build the worm dropper
     - Rpc 6: run specified application (calling CreateProcess API)
     - Rpc 7: read data from specified file
     - Rpc 8: write data into specified file
     - Rpc 9: delete specified file
     - Rpc 10: work with target files
  5. Finding exact date of infection
  6. Config decryption algorithm
  7. Finding date in UTC format
     - 11/08/2011 at 07:50:01 (36)
     - 18/08/2011 at 07:29:07 (30)
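Slides 5 to 7 describe one procedure: decrypt the configuration, locate the infection date inside it, and render it in UTC. The Python script below is an added example, not code from the talk or from ESET's tooling. It assumes a constructed config layout (a magic dword, a 32-bit time_t infection date, a hypothetical 36-day lifetime field, padding, the same instant stored as a Windows FILETIME, a trailer) and a plausibility window of 2010-2011; only the date 11/08/2011 07:50:01 (11 August 2011, dd/mm/yyyy as on the slide) comes from the talk. It generalizes the slide's single conversion into a carver that scans a decrypted blob for either Windows timestamp encoding and reports every candidate in UTC.

```python
# Added example (not from the slides or from ESET): carve candidate timestamps
# out of a decrypted configuration blob and render them in UTC. The config
# layout and the days-to-live field are constructed for this demonstration;
# only the 11/08/2011 07:50:01 date comes from the talk.
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
# Assumption: only dates inside the period the campaign could plausibly have
# run are accepted. This filters most random dwords/qwords that happen to
# decode to some date.
WINDOW_LO = datetime(2010, 1, 1, tzinfo=UTC)
WINDOW_HI = datetime(2012, 1, 1, tzinfo=UTC)


def unix32_to_utc(secs: int) -> datetime:
    """Seconds since 1970-01-01 UTC (time_t) -> aware UTC datetime.
    tz=UTC matters: fromtimestamp() without it returns the analyst's local time."""
    return datetime.fromtimestamp(secs, tz=UTC)


def filetime_to_utc(ticks: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def carve_timestamps(blob: bytes, lo: datetime = WINDOW_LO, hi: datetime = WINDOW_HI):
    """Scan every byte offset for a little-endian 32-bit time_t or 64-bit FILETIME
    whose value falls in [lo, hi). Returns (offset, kind, 'YYYY-MM-DD HH:MM:SS') tuples."""
    decoders = (("unix32", "<I", unix32_to_utc), ("filetime64", "<Q", filetime_to_utc))
    hits = []
    for off in range(len(blob)):
        for kind, fmt, conv in decoders:
            size = struct.calcsize(fmt)
            if off + size > len(blob):
                continue
            (raw,) = struct.unpack_from(fmt, blob, off)
            try:
                when = conv(raw)
            except (OverflowError, ValueError, OSError):
                continue  # value does not decode to a representable date
            if lo <= when < hi:
                hits.append((off, kind, when.strftime("%Y-%m-%d %H:%M:%S")))
    return hits


def expiry(infected: datetime, days_to_live: int) -> datetime:
    """Moment a sample with a hypothetical lifetime counter would stop running."""
    return infected + timedelta(days=days_to_live)


def build_sample_config() -> bytes:
    """Constructed blob: magic, time_t infection date, hypothetical 36-day lifetime,
    8 bytes padding, the same instant as a FILETIME, 0xff trailer. Not Duqu's real layout."""
    infected = datetime(2011, 8, 11, 7, 50, 1, tzinfo=UTC)  # date from the slide, UTC
    unix = int(infected.timestamp())
    ticks = int((infected - FILETIME_EPOCH).total_seconds()) * 10_000_000
    return (struct.pack("<I", 0xA0)
            + struct.pack("<I", unix)
            + struct.pack("<I", 36)
            + b"\x00" * 8
            + struct.pack("<Q", ticks)
            + b"\xff" * 4)


if __name__ == "__main__":
    cfg = build_sample_config()
    for off, kind, when in carve_timestamps(cfg):
        print(f"offset {off:#06x}  {kind:<10}  {when} UTC")
    # With the hypothetical lifetime field at offset 8:
    (days,) = struct.unpack_from("<I", cfg, 8)
    print("would stop running at", expiry(unix32_to_utc(struct.unpack_from("<I", cfg, 4)[0]), days))
```

Run it with `python3 carve.py`. The 64-bit decoder is the one most often done wrong in write-ups: FILETIME counts 100 ns ticks from 1601, so dividing by 10 gives microseconds, and a 32-bit read at the same offset only sees the low dword and yields garbage. The window filter is what keeps the carver usable on a real blob; without it almost every 4-byte sequence decodes to some date between 1970 and 2106.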
  8. References
     - "Win32/Duqu: It's A Date", http://blog.eset.com/2011/10/25/win32duqu-it’s-a-date
     - "Stuxnet Under the Microscope", http://go.eset.com/us/resources/white-papers/Stuxnet_Under_the_Microscope.pdf
     - "Win32/Duqu analysis: the RPC edition", http://blog.eset.com/2011/10/28/win32duqu-analysis-the-rpc-edition
     - Follow ESET Threat Blog: http://blog.eset.com
  9. Thank you for your attention ;)
     Aleksandr Matrosov, matrosov@eset.sk, @matrosov
     Eugene Rodionov, rodionov@eset.sk, @vxradius