Duqu: the new Stuxnet?

Symantec is analysing a new threat, nicknamed Duqu, derived from Stuxnet, with which it shares a large part of its source code. Duqu's objective is to collect intelligence data from companies, for example manufacturers of industrial control systems, in order to facilitate future attacks aimed at third parties. Join us for further details and for how to address the Duqu threat. Download the presentation from the webinar held today.


  1. Duqu: Precursor to the Next Stuxnet
     Antonio Forzieri, Security Practice Manager – Technology Sales Organization
  2. Before starting… Twitter
     • You can follow our webinar on Twitter in real time. Our Twitter account is @StopBlackMarket
  3. Before starting… Facebook
     • You can also follow us on Facebook. Our account is Stop Black Market
  4. Before starting… Symantec
     • You can access all documents used for our webinars. Our portal is http://www.symantec.it/blackmarket
  5. Stuxnet – June 2010
  6. Stuxnet – July 2010
     www.premierfutbol.com, www.todaysfutbol.com
  7. Stuxnet – Geographic Distribution of Infections
     Unique IPs contacting the C&C server (%): Iran 58.31; Indonesia 17.83; India 9.96; Azerbaijan 5.15; Pakistan 3.40; Malaysia 1.40; USA 1.16; Uzbekistan 0.89; Russia 0.71; Great Britain 0.61; Others 0.57
     Over 40,000 infected unique external IPs, from over 115 countries
  8. Stuxnet – November 2010
     S7-315 CPU; 6 CP-342-5 modules; 31 Vacon or Fararo Paya frequency converters per module; totaling up to 186 motors
  9. Stuxnet – February 2011
     • Symantec identified 5 domains as the target of Stuxnet
     • All targets have a presence in Iran
     5 domains targeted, 1800 domains infected
  10. Stuxnet Runs Its Course
     • Stuxnet files date between June 2009 and March 2010
     • After March 2010 no new Stuxnet files appeared in the wild
     • But it changed many things
  11. Stuxnet accomplished its mission
  12. Limited internet access
     • Financial networks – e.g., ATMs, POS, SWIFTNet
     • Engineering networks – e.g., source code, design documents, non-production code
     Secure / no network access
     • Classified data networks
     • Aviation & air traffic control systems
     • Life-critical and healthcare systems
     • Law enforcement database networks
     • Military communication systems
     • Malware analysis networks
  13. This changes everything…
  14. Much more can happen
  15. Stuxnet
  16. Duqu
     • On October 14th a research lab reached out to Symantec to confirm a suspicion about a newly discovered threat
     • We confirmed their suspicion
     • This threat uses source code from Stuxnet
  17. Duqu: Key Facts
     • New executables using Stuxnet source code have been discovered – developed since the last Stuxnet file was recovered
     • New executables designed to capture information such as keystrokes and system information
     • Current analysis shows no code related to industrial control systems, exploits, or self-replication
     • Executables found in a limited number of organizations – including those involved in the manufacturing of industrial control systems
     • Exfiltrated data may be used to enable a future Stuxnet-like attack
  18. Source Code – Stuxnet
  19. Source Code – Stuxnet, Duqu
  20. Stuxnet – Extensive Infection Vectors
     Network shares; Print Spooler (MS10-061); SMB (MS08-067); Step7; WinCC SQL; P2P (updating only)
  21. Duqu – Infection Vectors
  22. Duqu – Deception
  23. Duqu – Deception: 36 days
  24. Stuxnet – Deception
     • 2 stolen private keys used to sign the application to allow undetected installation of rootkits
  25. Duqu – Deception
     A stolen private key used to sign the application to allow undetected installation of rootkits
  26. Stuxnet – Reconnaissance (limited internet access)
     Attacker: www.mypremierfutbol.com, www.todaysfutbol.com
     • Infected machines check in with system information – OS version; computer name; domain; IP addresses; configuration data; existence of ICS programming software (STEP7)
     • And will send design documents if requested
  27. Duqu – Reconnaissance (limited internet access)
     Attacker: 206.[REMOVED].97
     • Download Infostealer to gather: running processes, account details, domains; driver names, shared drive info, etc.; screenshots; keystrokes; network information
     • Every 30 seconds
  28. Duqu – Target (limited internet access)
     • Limited in number
     • In Europe
     • Involved in manufacturing of industrial control systems
     • We have found an additional variant since we went public; the compilation time on the code was 10/17/2011
  29. Symantec Customers Are Protected
     • Those with updated AV definitions
     • Those using Insight technology in SEP 12.1 – low prevalence of Duqu
  30. Recommended Defenses
     Advanced reputation techniques
     • Duqu is extremely targeted and thus would have a low reputation profile
     Host intrusion prevention systems
     • Implement host lock-down as a means of hardening against malware infiltration
     Removable media device control
     • Many infection vectors appear to be delivered by removable media
     • Restrict automatic launch of content on removable media
     Data loss prevention
     • Core repositories of intellectual property are likely prequel targets on the enterprise LAN
     Automated compliance monitoring
     • Detecting default passwords on industrial control systems
  31. What to Do?
     1 Stay current on the latest Duqu research at Twitter.com/threatintel
     2 Stay informed on Symantec's outbreak page at www.symantec.com/outbreak
     3 Contact us: ask for a Malicious Activity Assessment
  32. Thank you!
     Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
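Slide 27 notes that Duqu's infostealer reports to its controller every 30 seconds. A fixed cadence like that is one of the few things a defender can look for without a signature, because human-driven traffic is bursty while a timer is not. The script below is an added illustration, not Symantec's tooling or anything from the deck: it parses a constructed proxy-style log (format and addresses are made up for the demo), groups connections by source and destination, and flags pairs whose inter-connection gaps are nearly constant. It is deliberately not tied to 30 seconds, so it also catches beacons at other intervals.

```python
"""Flag hosts that contact one destination at a near-fixed interval.

Added example for the slide on Duqu reconnaissance (check-in every 30 s).
The log format, hosts and timestamps below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <bytes_out>".
# 10.0.0.5 reports to a fixed destination roughly every 30 s (with a little
# clock jitter); 10.0.0.7 browses the same number of times but irregularly.
SAMPLE_LOG = """\
2011-10-18T09:00:00 10.0.0.5 203.0.113.97 1440
2011-10-18T09:00:01 10.0.0.7 198.51.100.20 600
2011-10-18T09:00:30 10.0.0.5 203.0.113.97 1432
2011-10-18T09:00:44 10.0.0.7 198.51.100.20 5100
2011-10-18T09:01:00 10.0.0.5 203.0.113.97 1448
2011-10-18T09:01:02 10.0.0.7 198.51.100.20 800
2011-10-18T09:01:31 10.0.0.5 203.0.113.97 1440
2011-10-18T09:02:00 10.0.0.5 203.0.113.97 1441
2011-10-18T09:02:30 10.0.0.5 203.0.113.97 1439
2011-10-18T09:02:31 10.0.0.7 198.51.100.20 240
2011-10-18T09:03:00 10.0.0.5 203.0.113.97 1444
2011-10-18T09:03:17 10.0.0.7 198.51.100.20 9800
"""


def parse_log(text):
    """Parse '<ts> <src> <dst> <bytes>' lines into (datetime, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def find_beacons(text, min_deltas=4, max_jitter=0.1):
    """Return {(src, dst): (median_interval_s, jitter_ratio)} for regular talkers.

    jitter_ratio is the population standard deviation of the inter-connection
    gaps divided by their median. A timer-driven beacon sits near 0; human
    browsing is typically well above max_jitter. Pairs with fewer than
    min_deltas gaps are skipped because the statistic is meaningless on them.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(deltas) < min_deltas:
            continue
        interval = median(deltas)
        if interval <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = pstdev(deltas) / interval
        if jitter <= max_jitter:
            flagged[pair] = (interval, jitter)
    return flagged


if __name__ == "__main__":
    for (src, dst), (interval, jitter) in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{interval:.0f}s (jitter ratio {jitter:.3f})")
```

On the sample data only the 10.0.0.5 pair is reported, at a 30-second median interval; 10.0.0.7 has the same number of connections but its gaps vary too much. In practice this runs at the egress proxy or firewall, which is exactly where slide 27 places the check-in, and the threshold on `max_jitter` is what trades false positives (software updaters, NTP) against sensitivity.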