RSA Conference Europe 2012 – Duqu, Flame, Gauss: Followers of Stuxnet

Boldizsar Bencsath, CrySyS Lab

Stuxnet – 2010 – modified PLCs (Programmable Logic Controllers) in uranium enrichment facilities. Most likely government backed, and dubbed ‘the most menacing malware in history’ by Wired magazine.

Duqu – discovered by CrySyS Lab in the wild while responding to an incident. Where Stuxnet destroyed Iranian centrifuges, Duqu is built for information gathering.

However, the two are very similar in terms of design philosophy, internal structure and mechanisms, implementation details, and the effort that would have been required to create them. Additionally, Duqu also used a digitally signed driver, as Stuxnet did.

Duqu was named after the temporary files it creates, whose names start with the string ~DQ.

The actual relationship between the two, and who created Duqu, is not known, but it is suspected that the Stuxnet creators were at least involved in creating Duqu.

Duqu is a very clean design that downloaded only the modules it required from its Command and Control (C&C) servers. As a result, investigators do not know the full extent of its capabilities: they can only see the modules that were downloaded to the targets they investigated. The Duqu C&C servers may, for example, have hosted Stuxnet-style PLC code that was never delivered to those targets.

The components of Duqu that were discovered included:

– Registry data pointing to the components

– Keyloggers

– Multiple encrypted payloads

– Pointers to how to decrypt the payloads

– Of note, different payloads were encrypted with different methods

From a CrySyS Lab viewpoint they:

– Discovered and named Duqu

– Freely shared their knowledge with AV vendors and Microsoft

– Identified the dropper

– Developed the Duqu detector toolkit

  • Focusing on heuristic anomaly detection
    • AV tools already have basic signature detection, so there is no reason to duplicate this
  • Detects live Duqu instances and remnants of old ones
  • Also detects Stuxnet
  • Open source for anyone to use

Moving into 2012, another variant / descendant of Stuxnet / Duqu was discovered. This is known as Flame / Flamer / sKyWIper. Flame has been described as the ‘most complex malware ever found’; its core component alone is 6 MB in size.

Flame appears to follow the same main requirements / specifications as Duqu and Stuxnet, but has been developed in a very different way, using different programming languages etc. Flame is another information-stealing malware, with functionality such as:

– activating microphones and web cameras

– logging key strokes

– taking screen shots / screen scraping

– extracting geolocation data from images

– sending and receiving commands and data through Bluetooth, including enabling Bluetooth when it is turned off

Flame spreads by masquerading as a Windows Update proxy on the local network, and has infected thousands of victims, mostly across Iran and the Middle East.

Gauss is another information-stealing malware, built on the Flame platform. It was also discovered in 2012, but infections date back to September 2011; again there are thousands of victims, mainly in Lebanon, Israel and the Palestinian Territories.

Gauss has been taken a step further with its Godel module. This carries an encrypted warhead protected with RC4, and the decryption key is not present in the malware itself. This is in contrast to Stuxnet, Duqu and Flame, which used simple XOR masking or byte substitution, where everything needed to unmask the payload ships with the sample. The Godel warhead can only be decrypted on the intended target system, which makes it resistant to detailed analysis: without access to a real victim, researchers cannot see what it does. The module is large enough to contain Stuxnet-like SCADA-targeted attack code as well as the information-stealing functionality found so far.
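To make the difference between the two approaches concrete, here is an added example (not code from the talk, from CrySyS Lab, or from any of the malware discussed). It contrasts an XOR-masked payload, which an analyst can recover from the sample alone, with a payload encrypted under RC4 using a key derived from properties of the victim machine, which can only be recovered when the surrounding environment is known. The payload bytes, the directory list and the key-derivation routine (`derive_env_key`, a salted, iterated SHA-256 over directory names) are all constructed for illustration; they are not Gauss's actual scheme, which the talk did not detail.

```python
"""Added example: payload protection that ships its key vs. payload protection keyed to the target.

All inputs are constructed for illustration; the key-derivation step is hypothetical.
"""
import hashlib
import itertools
from typing import Optional

# Constructed stand-in for a payload: a PE-style 'MZ' header followed by a few fake instructions.
PAYLOAD = b"MZ\x90\x00" + b"open_scada_link(); exfil_documents();"
KNOWN_PREFIX = b"MZ\x90\x00"   # analysts know how a Windows executable begins

# Constructed directory names an implant might observe on its intended victim.
TARGET_DIRS = ["Program Files", "Program Files\\Common Files", "Program Files\\ACME Bank Client"]
SALT = b"\x01" * 16            # fixed here so the example is deterministic


def xor_mask(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the 'simple masking' used by Stuxnet, Duqu and Flame payloads."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_xor_key(masked: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: XOR the masked bytes with the expected header to get the key."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(m ^ p for m, p in zip(masked[:key_len], known_prefix[:key_len]))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_env_key(program_dirs: list, salt: bytes, rounds: int = 1000) -> bytes:
    """Hypothetical environmental keying: the key is a function of what is installed on the victim.

    Only the salt and the iteration count travel with the sample; the directory names do not.
    """
    digest = "|".join(sorted(program_dirs)).encode() + salt
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest[:16]


def build_samples() -> dict:
    """Two captured 'samples': one XOR-masked with its key embedded, one RC4-encrypted with no key."""
    xor_key = b"\xAE\x31\x7C\x05"
    rc4_key = derive_env_key(TARGET_DIRS, SALT)
    return {
        "xor": {"blob": xor_mask(PAYLOAD, xor_key), "embedded_key": xor_key},
        "rc4": {"blob": rc4(rc4_key, PAYLOAD), "salt": SALT},   # note: no key material here
    }


def decrypt_xor_offline(sample: dict) -> bytes:
    """The analyst never even needs the embedded key: the header leaks it."""
    key = recover_xor_key(sample["blob"], KNOWN_PREFIX, len(sample["embedded_key"]))
    return xor_mask(sample["blob"], key)


def decrypt_rc4_with_environment(sample: dict, program_dirs: list) -> Optional[bytes]:
    """Succeeds only when the supplied environment matches the victim's; otherwise returns None."""
    plaintext = rc4(derive_env_key(program_dirs, sample["salt"]), sample["blob"])
    return plaintext if plaintext.startswith(b"MZ") else None


if __name__ == "__main__":
    samples = build_samples()
    print("XOR sample, offline:", decrypt_xor_offline(samples["xor"]))
    print("RC4 sample, analyst's sandbox:",
          decrypt_rc4_with_environment(samples["rc4"], ["Program Files", "Program Files\\Common Files"]))
    print("RC4 sample, real target:", decrypt_rc4_with_environment(samples["rc4"], TARGET_DIRS))
```

The first decryption works with nothing but the captured blob and the knowledge that executables start with `MZ`. The second fails in a sandbox that lacks the specific installed software and only succeeds when the exact target environment is reproduced, which is why an environmentally keyed warhead resists analysis even when the sample itself is in the analyst's hands.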

The talk also had some great graphics highlighting the structure of the various forms of malware discussed.

Lessons learnt from this research:

– Current approaches for defending systems from targeted attacks are ineffective

  • Code signing is not bullet proof
  • Virus scanners should have improved heuristics and anomaly detection

– Coordinating international / global threat mitigation and forensic analysis are challenging problems

  • How do we better share information quickly while preserving evidence?
  • How do we identify and capture C&C servers quickly?
  • How do we track along the C&C proxy chain?

– Attackers are using ever more advanced techniques

  • MD5 collision attack in Flame (used to forge a code-signing certificate chaining up to Microsoft)
  • Encrypted payload in Gauss

What can you do to better protect your organisation from similar attacks?

– Extend protection beyond signature-based techniques

  • Anomaly detection – understand normal use patterns
  • Heuristics
  • Baits, traps, honeypots (I’d say these are pretty advanced and likely used only by the most security-conscious and savvy organisations)
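As an added example of what "understand normal use patterns" looks like in practice (this is not code from the talk or from the Duqu detector toolkit), the following script learns a baseline of which process on which host talks to which destination from a clean window of connection logs, then flags two things in a later window: process/destination pairs never seen before, and connections that recur at a near-constant interval, the beaconing pattern an implant produces when it polls its C&C server. The log format, hostnames and addresses are all constructed for the example.

```python
"""Added example: baseline-and-deviation detection over outbound connection logs.

The log lines, hosts and destinations below are constructed, not real telemetry.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")

# Constructed 'known good' window used to learn what normal looks like.
BASELINE_LOG = """
2012-10-01T08:55:10 host=ws-07 proc=outlook.exe dst=mail.example.org:443
2012-10-01T09:02:41 host=ws-07 proc=iexplore.exe dst=intranet.example.org:80
2012-10-01T09:10:05 host=ws-07 proc=svchost.exe dst=update.example.org:80
2012-10-01T09:31:58 host=ws-07 proc=outlook.exe dst=mail.example.org:443
""".strip().splitlines()

# Constructed detection window: normal traffic plus a process calling out every 600 s.
DETECT_LOG = """
2012-10-08T09:00:00 host=ws-07 proc=rundll32.exe dst=203.0.113.45:80
2012-10-08T09:01:12 host=ws-07 proc=outlook.exe dst=mail.example.org:443
2012-10-08T09:04:50 host=ws-07 proc=outlook.exe dst=mail.example.org:443
2012-10-08T09:07:33 host=ws-07 proc=iexplore.exe dst=intranet.example.org:80
2012-10-08T09:10:00 host=ws-07 proc=rundll32.exe dst=203.0.113.45:80
2012-10-08T09:17:03 host=ws-07 proc=outlook.exe dst=mail.example.org:443
2012-10-08T09:20:00 host=ws-07 proc=rundll32.exe dst=203.0.113.45:80
2012-10-08T09:25:19 host=ws-07 proc=svchost.exe dst=update.example.org:80
2012-10-08T09:30:00 host=ws-07 proc=rundll32.exe dst=203.0.113.45:80
2012-10-08T09:30:29 host=ws-07 proc=outlook.exe dst=mail.example.org:443
2012-10-08T09:40:00 host=ws-07 proc=rundll32.exe dst=203.0.113.45:80
""".strip().splitlines()


def parse(lines: list) -> list:
    """Turn log lines into dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "host": m["host"], "proc": m["proc"], "dst": m["dst"]})
    return events


def learn_baseline(events: list) -> set:
    """Normal behaviour, modelled simply as the set of (host, process, destination) triples seen."""
    return {(e["host"], e["proc"], e["dst"]) for e in events}


def find_novel(events: list, baseline: set) -> list:
    """Triples in the detection window that never appeared during the baseline window."""
    return sorted({(e["host"], e["proc"], e["dst"]) for e in events} - baseline)


def find_beacons(events: list, min_count: int = 4, max_jitter_ratio: float = 0.1) -> list:
    """Triples whose connections recur at a near-constant interval.

    Jitter is measured as the standard deviation of the gaps divided by the mean gap;
    human-driven traffic is irregular, a polling implant is not.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["proc"], e["dst"])].append(e["ts"])
    beacons = []
    for key, times in by_key.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_jitter_ratio:
            beacons.append((key, round(mean_gap)))
    return beacons


if __name__ == "__main__":
    baseline = learn_baseline(parse(BASELINE_LOG))
    detect = parse(DETECT_LOG)
    for triple in find_novel(detect, baseline):
        print("never seen before:", triple)
    for triple, period in find_beacons(detect):
        print(f"beaconing every {period}s:", triple)
```

Neither check needs a signature for the implant, which is the point: `rundll32.exe` talking to a bare IP address is flagged because nothing like it appeared in the clean window, and again because its connections are spaced exactly 600 seconds apart while the user's mail and browsing traffic is not. In a real deployment the baseline would be learned over a much longer window and novelty alone would be noisy (users do visit new sites), so the two signals are most useful in combination and as triggers for forensic follow-up rather than automatic blocking.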

– Educate your IT teams to spot and raise anomalies

– Use forensics – every organisation should have some forensic capability

– Have an incident response plan, with methods to contact external professionals / experts if required

– Look into ways to better share information!

It is well worth checking the CrySyS Lab blog for further information on the malware mentioned in this talk, plus many related topics.

This talk did a great job of highlighting how one advanced attack inspires many new variants, and how attacks and attackers are becoming ever more advanced and sophisticated. What is in an advanced, state-sponsored attack one day will be used in point-and-shoot hacking toolkits the next.