Srinu
sr1nu@ymail.com

I do malware analysis, computer forensics & pentesting
Agenda
         Stuxnet
         Duqu
         Flame
         Gauss
Stuxnet was discovered in June 2010, but the first variant of the worm
appeared in June 2009.

Stuxnet is the first discovered malware to include a PLC rootkit.

Goal: to reprogram industrial control systems by modifying the code on
programmable logic controllers (PLCs) so that they behave in the manner the
attacker intended, and to hide those changes from the operator of the
equipment.
Infection Statistics (bar chart; the percentage values shown in the original
figure are 58.31, 17.83, 9.96, 5.5, 3.4, 1.4, 1.1, 0.9, 0.7, 0.6 and 0.5; the
country labels did not survive extraction)
Possible Attack Scenario

Once Stuxnet had infected a computer within the organization it began to
spread in search of Field PGs (the Siemens laptops used to program PLCs).
Since most of these computers are not networked, Stuxnet would first try to
spread to other computers on the LAN, infecting Step 7 projects, and through
removable drives.

Propagation through a LAN likely served as the first step, and propagation
through removable drives as a means to cover the last and final hop to a
Field PG that is never connected to an untrusted network.
Communication (diagram: network communication before infection vs. after
infection)
Technical Analysis
Exploited 4 zero-day vulnerabilities:
    Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (MS10-061)
    Microsoft Windows Shortcut 'LNK/PIF' Files Automatic File Execution Vulnerability (MS10-046)
    Windows 2000/XP Win32k.sys privilege elevation (MS10-073)
    Windows 7 Task Scheduler privilege elevation (MS10-092)

Copies and executes itself on remote computers through network shares
Copies itself into Step 7 projects in such a way that it automatically executes
when the Step 7 project is loaded
Updates itself through a peer-to-peer mechanism within a LAN
Contains a Windows rootkit and a PLC rootkit
Three variants of Stuxnet have been discovered.
Drivers signed with stolen certificates from Realtek and JMicron
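The LNK vulnerability listed above let a shortcut on a removable drive load a DLL merely by being rendered in Explorer. The following Python script is an added example, not code from the original presentation or from Stuxnet: it parses the ShellLinkHeader and LinkTargetIDList of a .lnk file (layout per MS-SHLLINK) and flags shortcuts whose target item list names a DLL or CPL file, or that carry a target item list but no LinkInfo path. The two sample shortcuts it builds, and the paths inside them, are constructed fixtures; the heuristics are illustrative triage checks, not a signature for the actual Stuxnet files.

```python
"""Heuristic triage of Windows shell link (.lnk) files.

Constructed example: parses the ShellLinkHeader and LinkTargetIDList from
MS-SHLLINK and flags shortcuts whose target item list references a DLL/CPL
rather than a normal file path, the shape of the auto-execution trick
Stuxnet used on removable drives.  Stand-alone, stdlib only.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046} as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
HAS_LINK_INFO = 0x00000002


def parse_lnk(data: bytes) -> dict:
    """Return the LinkFlags and the raw ItemID payloads of the target ID list.

    Structures after the IDList (LinkInfo, StringData, ...) are not parsed;
    the heuristics below only need the header and the item list.
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a shell link")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    items = []
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size, = struct.unpack_from("<H", data, off)
        off += 2
        end = off + idlist_size
        while off + 2 <= end:
            item_size, = struct.unpack_from("<H", data, off)
            if item_size == 0:          # TerminalID closes the list
                break
            items.append(data[off + 2:off + item_size])
            off += item_size
    return {"flags": flags, "items": items}


def printable_strings(blob: bytes, min_len: int = 4) -> list:
    """ASCII and UTF-16LE strings (both byte alignments) found in blob."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(m.group().decode("ascii"))
    for start in (0, 1):
        text = blob[start:].decode("utf-16-le", errors="ignore")
        for m in re.finditer(r"[\x20-\x7e]{%d,}" % min_len, text):
            if m.group() not in found:
                found.append(m.group())
    return found


def triage_lnk(data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    info = parse_lnk(data)
    findings = []
    refs = [s for item in info["items"] for s in printable_strings(item)
            if ".dll" in s.lower() or s.lower().endswith(".cpl")]
    if refs:
        findings.append("target ID list references a library: %s" % refs)
    has_idlist = bool(info["flags"] & HAS_LINK_TARGET_ID_LIST)
    if has_idlist and not info["flags"] & HAS_LINK_INFO:
        findings.append("has a target ID list but no LinkInfo (no resolvable file path)")
    return findings


def build_sample_lnk(item_payloads, flags: int) -> bytes:
    """Constructed minimal .lnk: header + IDList only (test fixture, not real malware)."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
              + struct.pack("<I", flags) + b"\x00" * (LNK_HEADER_SIZE - 24))
    idlist = b"".join(struct.pack("<H", len(p) + 2) + p for p in item_payloads) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


# Constructed fixtures: a normal shortcut to an .exe and one whose item list
# points at a DLL and carries no LinkInfo.  Paths are made up for the example.
BENIGN_LNK = build_sample_lnk(
    [b"\x1f\x50" + b"\x00" * 16,                                  # root folder item
     "C:\\Program Files\\App\\app.exe".encode("utf-16-le")],
    HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO)
SUSPICIOUS_LNK = build_sample_lnk(
    [b"\x1f\x50" + b"\x00" * 16,
     "C:\\Users\\Public\\payload.dll".encode("utf-16-le")],
    HAS_LINK_TARGET_ID_LIST)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(name, triage_lnk(blob) or "clean")
```

Run over every .lnk on a mounted removable drive (or a triage directory) and treat any finding as a reason to look at the file in a hex editor; a legitimate shortcut normally resolves to a path through LinkInfo, and a shortcut whose only "target" is a DLL has no reason to exist.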
Technical Analysis (cont.)
Stuxnet contains a DLL file and two encrypted configuration files stored in a
section of the dropper named .stub.
It uses different process-injection techniques depending on which antivirus
product is installed.
Installation routine (diagram)
Infection routine (diagram)
Demo
Analyzing Stuxnet
Duqu was discovered in September 2011 and shares a great deal of code with
Stuxnet.

Duqu got its name from the prefix "~DQ" it gives to the names of the files it
creates.

Duqu's purpose is to gather intelligence data and assets from the entities it
targets.

Duqu may have been written in object-oriented C or in an unknown high-level
language, referred to as the "Duqu framework" (Kaspersky later concluded it
was C written in an object-oriented style and compiled with Visual C++ 2008).

Thirty days after installation, the threat automatically removes itself from
the system.
Geographic distribution (map)
Technical Analysis

Duqu exploited a zero-day vulnerability in the Win32k TrueType font parsing
engine (CVE-2011-3402, patched by MS11-087) that allows kernel-mode code
execution from a crafted font embedded in a document.

Duqu uses a 54x54 pixel JPEG file and encrypted dummy files as containers to
smuggle data to its command and control servers.

Drivers signed with a stolen certificate from C-Media Electronics Inc.
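For the JPEG container described above, the following Python script is an added example (not Duqu's code and not from the original slides): it walks the JPEG marker segments, reads the image dimensions from the SOF segment, and reports any bytes appended after the EOI marker together with their entropy, since an encrypted payload stands out as near 8-bit-per-byte noise. The 54x54 sample image and the appended payload are constructed fixtures. Exactly where and how Duqu placed its data inside the file is not stated on the page, so the trailing-data check is one generic container heuristic, not Duqu's format.

```python
"""Inspect a JPEG used as a data container.

Constructed example: walks the JPEG marker segments, reads the image
dimensions from the SOF segment, and reports any bytes that follow the EOI
marker (a common place to hide a payload) together with their entropy.
Not Duqu's own code; the sample image and payload below are made up.
"""
import math
import struct
from collections import Counter

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
SOF_MARKERS = {0xC0, 0xC1, 0xC2}          # baseline / extended / progressive
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # TEM and RSTn carry no length field


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted or compressed data, low for text."""
    if not blob:
        return 0.0
    counts = Counter(blob)
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze_jpeg(data: bytes) -> dict:
    """Walk marker segments; return dimensions and whatever follows EOI."""
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("missing SOI marker")
    width = height = None
    eoi_found = False
    off = 2
    while off + 1 < len(data):
        if data[off] != 0xFF:
            raise ValueError("expected a marker at offset %d" % off)
        while data[off + 1] == 0xFF and off + 2 < len(data):   # fill bytes
            off += 1
        marker = data[off + 1]
        if marker == EOI:
            eoi_found = True
            off += 2
            break
        if marker in STANDALONE:
            off += 2
            continue
        length, = struct.unpack_from(">H", data, off + 2)  # includes itself
        segment = data[off + 4:off + 2 + length]
        if marker in SOF_MARKERS:
            _precision, height, width = struct.unpack_from(">BHH", segment, 0)
        off += 2 + length
        if marker == SOS:
            # Entropy-coded data follows; skip until a real marker. 0xFF00 is a
            # stuffed byte and RSTn markers are part of the scan.
            while off + 1 < len(data):
                nxt = data[off + 1]
                if data[off] == 0xFF and nxt not in (0x00, 0xFF) and nxt not in range(0xD0, 0xD8):
                    break
                off += 1
    trailing = data[off:] if eoi_found else b""
    return {"width": width, "height": height, "eoi_found": eoi_found,
            "trailing": trailing}


def inspect_container(data: bytes) -> list:
    """Findings for triage; empty means the file looks like a plain image."""
    info = analyze_jpeg(data)
    findings = []
    if not info["eoi_found"]:
        findings.append("truncated: no EOI marker")
    if info["trailing"]:
        findings.append("%d bytes after EOI, entropy %.2f bits/byte"
                        % (len(info["trailing"]), shannon_entropy(info["trailing"])))
    return findings


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed fixture: a structurally valid 54x54 baseline JPEG skeleton
# (no real Huffman tables or pixel data) and the same file with a payload
# appended after EOI.  bytes(range(256)) stands in for an encrypted blob.
CLEAN_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xC0, struct.pack(">BHHB", 8, 54, 54, 1) + b"\x01\x11\x00")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78\xff\x00\x9a"      # scan data with one stuffed 0xFF00
    + b"\xff\xd9"
)
PAYLOAD = bytes(range(256))
CONTAINER_JPEG = CLEAN_JPEG + PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("container", CONTAINER_JPEG)):
        info = analyze_jpeg(blob)
        print(name, "%sx%s" % (info["width"], info["height"]),
              inspect_container(blob) or "clean")
```

On a proxy or mail gateway the same check runs over every image leaving the network; a tiny image whose file size is far larger than its pixel count, or one with high-entropy bytes after EOI, is worth pulling for analysis even when the image itself decodes fine.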
Technical Analysis (cont.)

Duqu uses HTTP and HTTPS to communicate with its C&C servers, which were
hosted in India, Belgium, and Vietnam.

The C&C servers were configured simply to forward all port 80 and 443
traffic to other servers, i.e. they acted as proxies in front of the real
back end.

Through the C&C servers the attackers were able to download additional
modules, such as ones for enumerating the network, recording keystrokes, and
gathering system information.
Installation architecture (diagram)
Flame is a modular computer malware discovered in 2012; its discovery was
announced on 28 May 2012.
Flame was described at the time as the most complex malware ever found, and it
is an uncharacteristically large program for malware at about 20 MB.
Partly written in the Lua scripting language, with compiled C++ code linked in.
Flame uses five different encryption methods and an SQLite database to store
structured information.
Flame supports a "kill" command that makes it eliminate all traces of its files
and operation from a system.
Flame was signed with a fraudulent certificate that chained to the Microsoft
Enforced Licensing Intermediate PCA certificate authority; Microsoft revoked
the affected intermediate certificates in Security Advisory 2718704.
It can record audio, screenshots, keyboard activity and network traffic.
Technical Analysis
Flame exploited known vulnerabilities that had already been used by Stuxnet
(the print spooler and LNK vulnerabilities).
Replicates via USB, LAN and Windows Update (the fraudulent certificate let it
impersonate Windows Update to other machines on the LAN).
Communication: SSL + SSH
Main executables of Skywiper (Flame's other name):
    mssecmgr.ocx – main module
    msglu32.ocx
    nteps32.ocx
    advnetcfg.ocx
    soapr32.ocx
    ccalc32.sys
    Boot32drv.sys
Technical Analysis (cont.)
Flame is modular; it consists of nearly 20 modules:
 Beetlejuice
 Microbe
 Infectmedia
 Autorun_infector
 Euphoria
 Limbo
 Frog
 Munch
 Gadget
 Snack
 Boot_dll_loader
 Weasel
 Boost
 Telemetry
 Gator
 Security
 Bunny
 Dbquery
 Driller
 Headache
Startup sequence (diagram)
Command & Control servers
Operating system: 64-bit Debian 6.0.x
Virtualization: in most cases running under OpenVZ
Programming languages used: PHP (most of the code), Python, bash
Database: MySQL with InnoDB tables
Web server: Apache 2.x with self-signed certificates
Command & Control servers (cont.) (screenshot)
Demo
Analyzing Flame
Gauss was discovered by Kaspersky Lab in June 2012 while the lab was searching
for new, unknown components related to Flame.

Gauss is designed to collect as much information about the infected machine as
possible, as well as to steal credentials for various banking systems and
social network, email and IM accounts.

Gauss was designed for 32-bit versions of Windows; some of the modules do not
work under Windows 7 SP1.
Functionality
Injecting its own modules into different browsers in order to intercept user
sessions and steal passwords, cookies and browser history.
Collecting information about the computer’s network connections.
Collecting information about processes and folders.
Collecting information about BIOS, CMOS RAM.
Collecting information about local, network and removable drives.
Infecting USB drives with a spy module in order to steal information from
other computers.
Installing the custom Palida Narrow font (purpose unknown).
Ensuring the entire toolkit’s loading and operation.
Interacting with the command and control server, sending the information
collected to it, downloading additional modules.
Infection statistics
Lebanon                 1660
Israel                  483
Palestinian Territory   261
United States           43
United Arab Emirates    11
Germany                 5
Egypt                   4
Qatar                   4
Jordan                  4
Saudi Arabia            4
Syria                   4
This is just the beginning. Think about all the services and
systems that we depend upon to keep society running smoothly.
Most of them run on computer networks. Even if the network
administrators isolate their computers from the rest of the
Internet, they could be vulnerable to a cyber attack.
Malware Freak Show
