SlideShare ist ein Scribd-Unternehmen logo

Stuxnet redux. malware attribution & lessons learned

Yury Chemerkin
Yury Chemerkin
Technologie
1 von 73
Downloaden Sie, um offline zu lesen
Stuxnet Redux: Malware Attribution & Lessons Learned Blackhat DC 2011 Taking the guesswork out of cyber attribution Tom Parker tom.at.rooted.dot.net
Media & “Cyber War” Love Affair  WSJ “Wide Cyber Attack Is Linked to China”  60 Minutes “Sabotaging the System”  Google/Adobe “Aurora Incident”  Most Recently Targeted SCADA Malware
Cyber Conflict Lexicon  Cyber War  Adversary / Actor  Attribution  APT?  Stuxnet an APT?
P A T
Attribution – Why do we care?  LE/Actor Deterrents  Actor Intelligence  Profiling Adversarial Technical Capabilities  Insight into State Sponsored Programs  Creating Linkage Between Actor Groups  Tracking the Supply Chain  Differentiating Between Actors  State Sponsored or Crimeware?
Attribution: What are we looking for?  The obvious – An individual or group of individuals name(s), street address, social networking page etc..  However..  We often don’t care about this..  Doesn’t generally help develop countermeasures  Attributing to the actor/group level is often enough for profiling efforts
Attribution Continued..  Attribution at actor group level  Differentiation between groups  Identification of group geography  Indications of sponsorship  Nation State (China, Russia or Korea?)  Organized Crime (RBN et al?)  Activist Group  Where worlds collide  Code sharing between groups
Conventional Analysis Data Sources  Static and Runtime Binary Analysis  Memory Forensics  Vulnerability Exploitation & Payload Analysis  Command & Control  Post-Exploitation Forensics
Automated Analysis Today  Anti Virus:  Known Signature  Virus-Like Characteristics  Sandbox / Runtime Analysis  What does the code do?
Analysis Today Continued..  What Happened?  How did they get in?  What did they exploit to get in?  What was done once on the system?  Are they still there?  How can this be prevented in the future?
Analysis Today Continued..  Lots of R&D Associated with Modern AV/Analysis Technologies.  Typically Designed to Provide End User with a one or a zero, and no exposure to any shades of grey.  LOTS of useful metadata processed under the hood that we can make better use of.
Existing Attribution Research  2000 RAND Conference  Numerous CARC working group meetings  2004 Syngress Publication  Focus on:  Theoretical attack profiling  Who do we have to care about?  Post event/forensic approach  Forensic actor profile
Adversary attack fingerprints  Key Attack Meta Data  Attack sources  Other Relevant Packet Data  Attack tools and their origins  Attack methodology  Planning  Execution  Follow through
Attack tool meta data: Origins  All attack tools have their origins..  These can be put into two broad categories:  Public  Often simply prove a concept  Often not ‘robust’  Many contain backdoors  Private  Frequently more robust than public counterparts  Generally better written  May be based on private attack API’s
Attack tool meta data: Use  How easy is it to use a given attack tool  Prior technical knowledge required to use tool  Prior target knowledge required to use tool  Was it an appropriate tool to use for a given task?
Example Attack Scoring Matrix Web Application Flaws Public Private  Proprietary Application Penetration:  SQL Injection 3 5  Open Source Application Penetration:  SQL Injection 3 5  Proprietary Application Penetration:  Arbitrary Code Injection 2 4  Open Source Application Penetration:  Arbitrary Code Injection 2 4  Proprietary Application Penetration:  OS command execution using MSSQL Injection 3 5  Proprietary Application Penetration:  OS command execution using SyBase SQL Injection 3 5  Proprietary Application Penetration:  SQL Injection only (MS SQL) 4 6  Proprietary Application Penetration:  SQL Injection only (IBM DB2) 6 8  Proprietary Application Penetration:  SQL Injection only (Oracle) 6 8
Furthering the Toolset  Large Bodies of RE/Analysis Research  Almost all geared around traditional IR  In most cases; not appropriate for attribution  Clear Need for Reduction in Guesswork  Less art, more science  Use of Common Attribution Models
Adversary Profiling Today  Lots of science behind criminal profiling  Linguistics & Behavioral Analysis  Warm Touch
Application of Current Tool Set To Attribution Doctrine  Can be possible through..  Exploit /Payload Analysis  Known Tooling/Markings  Normally Requires Manual Effort to Identify  Binary Image Meta Data  Email Addresses  User Names  Etc..
Exploit Analysis  Exploits often re-worked for malware  Improved Reliability  Specific host type/OS level targeting  Possible to automate coloration with knowledge base of public exploits  ANI Exploit – Re-worked in malware to avoid IPS signatures for previous exploit
Exploit Reliability & Performance  Crashes & Loose Lips Sink Ships  Improved Performance  Advanced / Improved Shellcode  Re-patching Memory  Repairing Corrupted Heaps  Less Overhead  No Large Heap Sprays  Or Excessive CPU Overhead  Continued Target Process Execution
Exploit Failure  Where possible – failure may be silent  Exploit Self Clean-Up:  Java hs_err log files  System / Application Log files  *NIX Core files
Exploit Applicability  Reconnaissance Performed  Execution based on SW (browser) version?  Operating System  Less likely to function on ASLR / DEP
Exploit Selection  Lots of Attention Toward 0day  1+Day != Low End Adversary?  Old Attacks Often Re-Worked  Bypass IDS/IPS Signatures  Improved Payloads Demonstrate Capability
Code Isomorphism  Lots of Investment from Anti-Code Theft World  Small Prime Product  Create Large Prime # Per Function  Unique Prime # / Each Opcode  Resistant to Reordering  API Call Structure Analysis Prog1.Func Prog2.Func  Function Checksums  Variables / Constant Tracking RegSetValueEx RegSetValueEx MessageBox RegCreateKeyEx RegCreateKeyEx
Code Isomorphism Cont..  Seokwoo Choi, Heewan Park et al  A Static Birthmark of Binary Executables Based on API Call Structure  Halvar Flake  BinDiff & VxClass  Others..
Function Level Code Isomorphism Based Attribution  Reuse of Code Functions  Useful for closed-source projects  Good for tracking malware ‘genomes’  However..  Most malware based off of ‘kits’  In most cases - doesn't tell us much (or anything) about authors
Code Quality  Nested Statements  Compiler Optimization May Interfere  Unclosed File Handles  Memory Leaks  Unused Variables  Function Redundancy  Debug Strings Present
Nested Conditionals
Debug Symbols  Can indicate developer knowledge  Aware of tool markings assoc with compiler  PDB Locations may provide details of:  User Names  Operating System (Users VS Docume~1)
Stuxnet PDB References  Likely Forged  However…
Stuxnet PDB Contiued  b:myrtussrcobjfre_w2k_x86i386guava.pdb  Myrtaceae Family:  Myrtle  Clove  Guava  Stuxnet / mrxnet.sys  Feijoa  Allspice  Eucalyptus
Future Automation  Automation Vital for Scale  Too much badness, not enough analysts  Analyst time better spent on edge cases  LOTS of repetition in most current efforts; ex:  Isomorphic analysis  Cataloguing and identification of tool markings
BlackAxon  Designed as Proof of Concept  Utilizes int3 debugger breakpoints  Yes – you’re malware can detect me  User Sets the Rules  No preconceived notion of ‘badness’  XML Model Defines Functions of Interest  Identification of API call context  Defines weighting of API calls
Stuxnet (Dropper) Example
Nest Analysis 8000 7000 6000 5000 4000 3000 2000 1000 0 calc.exe nest test netcat stuxnet firefox Nuwar.R Nimda conficker dropper
API Call Hit/Context Tracing: Persistence CreateToolhelp32Snapshot Process32First OpenProcess CreateProcess VirtualAllocEx WriteProcessMemory (CREATE_SUSPENDED)
API Call Hit/Context Tracing: Persistence URLDownloadToFile Read & Xor CreateProcess UrlDownloadToFile CreateProcess
Further Development..  DETOURS Hooks  Kernel Hooks
Digital Evidence Forgery  Always a Possibility  Requires Knowledge of ‘What’ to Forge  Cost of Forgery May Outweigh ROI
When code analysis #fails  Code Analysis Can be Inconclusive  Out of Band Data Useful to Support Hypothesis  C&C Channel Hosts Correlation  Check-In Server Identification  Post-Incident Artifacts  AuxiliaryTools / Code Utilized  Data Exfiltrated  Secondary Targets Attacked
When code analysis #fails  Some automation available  Meta Data Link Analysis:  Maltego  Palantir  Analysts Desktop  Alternate data sources include..  Social Networking / Chat  Whois databases  Website Archives (archive.org)  DNS record archives (dnshistory.org)
Say Nay? “Budgets will get cut when politicians find out that most of those ‘APT’ attacks are not actually state sponsored” “Technical analysis useless because of code sharing/reuse” “Attack analysis tools should only be used by people with a high degree of technical skills” “Short code segments – there’s only a few ways to achieve certain functionality”
Stuxnet, stuxnet, stuxnet  Lots of speculation of origins .. and possible targeting  Some great analysis performed..  Symantec Stuxnet Dossier  Langer Communications blog  DHS ICS-CERT  ISIS Report
Stuxnet Public Disclosures  June 17th – VirusBlokAda Discovery  June 24th – VirusBlokAda White Paper  July 7th – Microsoft Malware Sigs Released  July 15th – Let the media circus commence!  July 16th – Microsoft Issue Advisory 2286198  August 2nd ‘Lnk’ Vulnerability Patched
What the Stux? Myrtus Stuxnet mrxnet.sys
Stuxnet Infection MS10-046 MS10-061 & MS08-067 MC7
Stuxnet Infection Profibus (Pro Field Bus) Comms
Stuxnet Attribution & Targeting  Several Popular Targeting Theories:  Israel targeting Bushehr Nuclear Plant  Israel targeting Natanz Enrichment Facility  And Attribution  Disgruntled Siemens Employee(s)  Nation State  Organized Crime  Lone actor
Developing Stuxnet..  PLC Programming (MC7 & STL)  Plant Process Specific Knowledge  Insider, Target-Specific Knowledge  Step7 & WinCC Program Suite Internals  S7P/TMP/MCP Files  Internal Step7 API’s  Windows Kernel/Rootkit Development  Exploit/shellcode development  Anti-Virus/Security Product Subversion R&D  Dropper, C&C & Persistence Components
Resources Required  Access to hardware & software  including frequency converters  and probably centrifuges  Propagation Method  Stolen Certificates
Stuxnet 0days? MS10-046 (LNK Vulnerability) Almost two years old MS08-067 (Server Service) Patched for two years MS10-061 (Print Spooler) Disclosed over one year ago MOF ‘Feature’ Not a vulnerability? WinCC DBMS Password Original work Step7 Project Files Original work MS10-073 (Kbd Privilege Escalation) Original work
However…  Vulnerabilities chosen were  Unlikely to fail  If they did – failure should not result in a GPF  With exception of MS08-067..  Comparatively silent in exploitation  Creative exploitation (i.e. MOF)
The Dichotomy of Stuxnet  Costly due to:  Maintenance for at least eighteen months and as long as four years  R&D invested into R&D PLC Payload, Step7 Subversion & Delivery Framework  However..  Trivial C&C Channel  Lots of prior art re-use  We’re talking about it right now..
C&C #FAIL?  Trivial C&C Mechanism  More indicative of crime-ware  Two points of failure for control  (Updates a required feature)  Vulnerable to C&C Hijacking  No use of server-side cert validation
Story so far: who was the target?  Still difficult to say – however:  Unlikely to be Power Generation  Power Transmission / Distribution Unlikely  Oil Cracking & Refining Unlikely  Likely targets:  Manufacturing (incl Chemical Manufacturing)  Nuclear Enrichment
Who it was not..  Disgruntled employee / lone actor  Skill requirements preclude work of an individual acting alone  Western State advanced IO capabilities  Too much technical inconsistency  Large amount (and risk) of collateral damage  Greenpeace?
We now know that..  Stuxnet Targeted Specific Components  Almost exclusively utilized in enrichment  Frequencies referenced indicative of enrichment  Specifically 807Hz – 1210 Hz  Iran was beyond reasonable doubt the target  Supported by previous theories  and.. IAEA Safeguards & ISIS Report  Iran has admitted an impact on operations
Stuxnet Timeline  September 24th 2007 – Timestamp from MC7  June 17th 2010 – VirusBlokAda Discovery  June 24th 2010 – VirusBlokAda White Paper  July 7th 2010 – Microsoft Malware Sigs Released  July 15th 2010 – Let the media circus commence!  July 16th 2010 – Microsoft Issue Advisory 2286198  July 16th 2010 – Realtek Cert Revoked  July 17th 2010 – Variant Discovered with J-Micron Cert  July 22nd 2010 – J-Micron Cert Revoked  August 2nd 2010 ‘Lnk’ Vulnerability Patched  September 14th 2010 – Microsoft Patch MS10-061  October 12th 2010 – Microsoft Patch MS10-073  November 15th (approx.) – Iran halts Natanz enrichment  November 23rd 2010 – Statement by Ali Akbar Salehi  November 29th 2010 – Iran officially admits stuxnet impact
Actor Profile..  Small(er), technically astute nation state  Basic IO Capabilities  Full time staff of operators  Presently reliant on external assistance  Good connections to acquire it..  Compartmented approach to operations  Good HUMINT Capabilities  Access to restricted centrifuge technology
Fail #1 Chinese Theory  Various theories linking stuxnet to China  J-Micron & Realtek Taiwan locations  RealTek subsidiary in China  Vacon also located in China
Fail #2: Espionage VS Siemens  Goal: To disrupt deal with Rosatom  Suspect: Areva
Fail #3: Greenpeace Theory  Goal: Disrupt NPP / Enrichment Activities  Suspect: Greenpeace
Scenario #1 – Broken Arrow*  PLC Components likely to be older than primary assembly (pre-2008)  Digitally signed rootkit & load point components recyclable  Technical skills of component developers in excess of operators  However – highly targeted nature makes this less likely
Scenario #2 – A Joint Effort  Payload Components Developed Under Contract (Private or Public Partnership)  PLC work most likely of western origin  End-User Developed C&C + Entry Vector  Repackaged by End-User  Digital code signature could be either party  End-User localized access to target site
Stuxnet Countermeasures  PCN / Corp Network System Co-Mingling  System Baselines  LPD Bug Required Guest Account  Unrequired Services on PLC Dev Systems  Host Based Firewalls & HIPS  Default Passwords/Accounts  Siemens WinCC SQL DB  In the US – a likely violation of NERC CIP
Could Stuxnet have been worse?  Absolutely..  Vastly Improved C&C  Greater Propagation Discipline  Possible Supply Chain Influence  Improved Frequency Converter Targeting  PLC OS Rootkit?
Lessons Learned  Stuxnet should not have been a game changer  If it was… you already lost  Simple countermeasures would have reduced impact  Even those mandated in the US by NERC CIP-002 – 009  Control Systems world is far behind many others  Security Assurance  Compliance
Closing thoughts..  Lots still unconfirmed (un-confirmable?)  Extent of success unknown  Likely a set back for end-user/actor  Just the tip of the iceberg  Control systems are vulnerable  Investments are being made to attack them  Stuxnet could have been much worse
Questions?

Empfohlen

The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Bypass Security Checking with Frida
Bypass Security Checking with FridaBypass Security Checking with Frida
Bypass Security Checking with FridaSatria Ady Pradana
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to ExploitationSatria Ady Pradana
 
(Workshop) Reverse Engineering - Protecting and Breaking the Software
(Workshop) Reverse Engineering - Protecting and Breaking the Software(Workshop) Reverse Engineering - Protecting and Breaking the Software
(Workshop) Reverse Engineering - Protecting and Breaking the SoftwareSatria Ady Pradana
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application BackdoorsTyler Shields
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Malachi Jones
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 

Empfohlen

The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
Bypass Security Checking with Frida
Bypass Security Checking with FridaBypass Security Checking with Frida
Bypass Security Checking with FridaSatria Ady Pradana
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to ExploitationSatria Ady Pradana
 
(Workshop) Reverse Engineering - Protecting and Breaking the Software
(Workshop) Reverse Engineering - Protecting and Breaking the Software(Workshop) Reverse Engineering - Protecting and Breaking the Software
(Workshop) Reverse Engineering - Protecting and Breaking the SoftwareSatria Ady Pradana
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application BackdoorsTyler Shields
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Malachi Jones
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentationSandeep Joshi
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applicationsijtsrd
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Priyanka Aash
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...Priyanka Aash
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения..."Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...Yandex
 
Android Malware Analysis
Android Malware AnalysisAndroid Malware Analysis
Android Malware AnalysisJongWon Kim
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021Denis Zakharov
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malwareJoshua Saxe
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASPchadtindel
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
Automating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareMalachi Jones
 
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting ProgramIDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting ProgramDigit Oktavianto
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationMalachi Jones
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoorsn|u - The Open Security Community
 

Weitere ähnliche Inhalte

Was ist angesagt?

Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applicationsijtsrd
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Priyanka Aash
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious CodeSatria Ady Pradana
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...Priyanka Aash
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testingImaginea
 
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения..."Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...Yandex
 
Android Malware Analysis
Android Malware AnalysisAndroid Malware Analysis
Android Malware AnalysisJongWon Kim
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malwareJoshua Saxe
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASPchadtindel
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonMandeep Jadon
 
Automating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareMalachi Jones
 
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting ProgramIDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting ProgramDigit Oktavianto
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_EndgameInc
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationMalachi Jones
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
 

Was ist angesagt? (20)

Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applications
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
 
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения..."Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
 
Android Malware Analysis
Android Malware AnalysisAndroid Malware Analysis
Android Malware Analysis
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malware
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
 
Automating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device Firmware
 
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting ProgramIDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day Threats
 

Ähnlich wie Stuxnet redux. malware attribution & lessons learned

The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshortVincent Ohprecio
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactTom Eston
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network SecurityHarish Chaudhary
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?EC-Council
 
Ceh certified ethical hacker
Ceh certified ethical hackerCeh certified ethical hacker
Ceh certified ethical hackerbestip
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101ysurer
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPAmr Thabet
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...AI Frontiers
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration TestingAsegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration TestingSoftware Guru
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamPriyanka Aash
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XSophos Benelux
 

Ähnlich wie Stuxnet redux. malware attribution & lessons learned (20)

The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core Impact
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?
 
Ceh certified ethical hacker
Ceh certified ethical hackerCeh certified ethical hacker
Ceh certified ethical hacker
 
HackMiami-Final
HackMiami-FinalHackMiami-Final
HackMiami-Final
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration TestingAsegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept X
 

Mehr von Yury Chemerkin

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware descriptionYury Chemerkin
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromiseYury Chemerkin
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readmeYury Chemerkin
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesYury Chemerkin
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5sYury Chemerkin
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd nsYury Chemerkin
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601Yury Chemerkin
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityYury Chemerkin
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesYury Chemerkin
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirusYury Chemerkin
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesYury Chemerkin
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guideYury Chemerkin
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesYury Chemerkin
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisYury Chemerkin
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Yury Chemerkin
 

Mehr von Yury Chemerkin (20)

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
 
Jp3 13
Jp3 13Jp3 13
Jp3 13
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle brief
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 

Kürzlich hochgeladen

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 

Kürzlich hochgeladen (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 

Stuxnet redux. malware attribution & lessons learned

  • 1. Stuxnet Redux: Malware Attribution & Lessons Learned Blackhat DC 2011 Taking the guesswork out of cyber attribution Tom Parker tom.at.rooted.dot.net
  • 2. Media & “Cyber War” Love Affair  WSJ “Wide Cyber Attack Is Linked to China”  60 Minutes “Sabotaging the System”  Google/Adobe “Aurora Incident”  Most Recently Targeted SCADA Malware
  • 3. Cyber Conflict Lexicon  Cyber War  Adversary / Actor  Attribution  APT?  Stuxnet an APT?
  • 4. P A T
  • 5.
  • 6.
  • 7. Attribution – Why do we care?  LE/Actor Deterrents  Actor Intelligence  Profiling Adversarial Technical Capabilities  Insight into State Sponsored Programs  Creating Linkage Between Actor Groups  Tracking the Supply Chain  Differentiating Between Actors  State Sponsored or Crimeware?
  • 8. Attribution: What are we looking for?  The obvious – An individual or group of individuals name(s), street address, social networking page etc..  However..  We often don’t care about this..  Doesn’t generally help develop countermeasures  Attributing to the actor/group level is often enough for profiling efforts
  • 9. Attribution Continued..  Attribution at actor group level  Differentiation between groups  Identification of group geography  Indications of sponsorship  Nation State (China, Russia or Korea?)  Organized Crime (RBN et al?)  Activist Group  Where worlds collide  Code sharing between groups
  • 10. Conventional Analysis Data Sources  Static and Runtime Binary Analysis  Memory Forensics  Vulnerability Exploitation & Payload Analysis  Command & Control  Post-Exploitation Forensics
  • 11. Automated Analysis Today  Anti Virus:  Known Signature  Virus-Like Characteristics  Sandbox / Runtime Analysis  What does the code do?
  • 12. Analysis Today Continued..  What Happened?  How did they get in?  What did they exploit to get in?  What was done once on the system?  Are they still there?  How can this be prevented in the future?
  • 13. Analysis Today Continued..  Lots of R&D Associated with Modern AV/Analysis Technologies.  Typically Designed to Provide End User with a one or a zero, and no exposure to any shades of grey.  LOTS of useful metadata processed under the hood that we can make better use of.
  • 14. Existing Attribution Research  2000 RAND Conference  Numerous CARC working group meetings  2004 Syngress Publication  Focus on:  Theoretical attack profiling  Who do we have to care about?  Post event/forensic approach  Forensic actor profile
  • 15. Adversary attack fingerprints  Key Attack Meta Data  Attack sources  Other Relevant Packet Data  Attack tools and their origins  Attack methodology  Planning  Execution  Follow through
  • 16. Attack tool meta data: Origins  All attack tools have their origins..  These can be put into two broad categories:  Public  Often simply prove a concept  Often not ‘robust’  Many contain backdoors  Private  Frequently more robust than public counterparts  Generally better written  May be based on private attack API’s
  • 17. Attack tool meta data: Use  How easy is it to use a given attack tool  Prior technical knowledge required to use tool  Prior target knowledge required to use tool  Was it an appropriate tool to use for a given task?
  • 18. Example Attack Scoring Matrix Web Application Flaws Public Private  Proprietary Application Penetration:  SQL Injection 3 5  Open Source Application Penetration:  SQL Injection 3 5  Proprietary Application Penetration:  Arbitrary Code Injection 2 4  Open Source Application Penetration:  Arbitrary Code Injection 2 4  Proprietary Application Penetration:  OS command execution using MSSQL Injection 3 5  Proprietary Application Penetration:  OS command execution using SyBase SQL Injection 3 5  Proprietary Application Penetration:  SQL Injection only (MS SQL) 4 6  Proprietary Application Penetration:  SQL Injection only (IBM DB2) 6 8  Proprietary Application Penetration:  SQL Injection only (Oracle) 6 8
  • 19. Furthering the Toolset  Large Bodies of RE/Analysis Research  Almost all geared around traditional IR  In most cases; not appropriate for attribution  Clear Need for Reduction in Guesswork  Less art, more science  Use of Common Attribution Models
  • 20. Adversary Profiling Today  Lots of science behind criminal profiling  Linguistics & Behavioral Analysis  Warm Touch
  • 21. Application of Current Tool Set To Attribution Doctrine  Can be possible through..  Exploit /Payload Analysis  Known Tooling/Markings  Normally Requires Manual Effort to Identify  Binary Image Meta Data  Email Addresses  User Names  Etc..
  • 22. Exploit Analysis  Exploits often re-worked for malware  Improved Reliability  Specific host type/OS level targeting  Possible to automate coloration with knowledge base of public exploits  ANI Exploit – Re-worked in malware to avoid IPS signatures for previous exploit
  • 23. Exploit Reliability & Performance  Crashes & Loose Lips Sink Ships  Improved Performance  Advanced / Improved Shellcode  Re-patching Memory  Repairing Corrupted Heaps  Less Overhead  No Large Heap Sprays  Or Excessive CPU Overhead  Continued Target Process Execution
  • 24. Exploit Failure  Where possible – failure may be silent  Exploit Self Clean-Up:  Java hs_err log files  System / Application Log files  *NIX Core files
  • 25. Exploit Applicability  Reconnaissance Performed  Execution based on SW (browser) version?  Operating System  Less likely to function on ASLR / DEP
  • 26. Exploit Selection  Lots of Attention Toward 0day  1+Day != Low End Adversary?  Old Attacks Often Re-Worked  Bypass IDS/IPS Signatures  Improved Payloads Demonstrate Capability
  • 27.
  • 28. Code Isomorphism  Lots of Investment from Anti-Code Theft World  Small Prime Product  Create Large Prime # Per Function  Unique Prime # / Each Opcode  Resistant to Reordering  API Call Structure Analysis Prog1.Func Prog2.Func  Function Checksums  Variables / Constant Tracking RegSetValueEx RegSetValueEx MessageBox RegCreateKeyEx RegCreateKeyEx
  • 29. Code Isomorphism Cont..  Seokwoo Choi, Heewan Park et al  A Static Birthmark of Binary Executables Based on API Call Structure  Halvar Flake  BinDiff & VxClass  Others..
  • 30. Function Level Code Isomorphism Based Attribution  Reuse of Code Functions  Useful for closed-source projects  Good for tracking malware ‘genomes’  However..  Most malware based off of ‘kits’  In most cases - doesn't tell us much (or anything) about authors
  • 31. Code Quality  Nested Statements  Compiler Optimization May Interfere  Unclosed File Handles  Memory Leaks  Unused Variables  Function Redundancy  Debug Strings Present
  • 33. Debug Symbols  Can indicate developer knowledge  Aware of tool markings assoc with compiler  PDB Locations may provide details of:  User Names  Operating System (Users VS Docume~1)
  • 34. Stuxnet PDB References  Likely Forged  However…
  • 35. Stuxnet PDB Contiued  b:myrtussrcobjfre_w2k_x86i386guava.pdb  Myrtaceae Family:  Myrtle  Clove  Guava  Stuxnet / mrxnet.sys  Feijoa  Allspice  Eucalyptus
  • 36. Future Automation  Automation Vital for Scale  Too much badness, not enough analysts  Analyst time better spent on edge cases  LOTS of repetition in most current efforts; ex:  Isomorphic analysis  Cataloguing and identification of tool markings
  • 37. BlackAxon  Designed as Proof of Concept  Utilizes int3 debugger breakpoints  Yes – you’re malware can detect me  User Sets the Rules  No preconceived notion of ‘badness’  XML Model Defines Functions of Interest  Identification of API call context  Defines weighting of API calls
  • 39. Nest Analysis 8000 7000 6000 5000 4000 3000 2000 1000 0 calc.exe nest test netcat stuxnet firefox Nuwar.R Nimda conficker dropper
  • 40. API Call Hit/Context Tracing: Persistence CreateToolhelp32Snapshot Process32First OpenProcess CreateProcess VirtualAllocEx WriteProcessMemory (CREATE_SUSPENDED)
  • 41. API Call Hit/Context Tracing: Persistence URLDownloadToFile Read & Xor CreateProcess UrlDownloadToFile CreateProcess
  • 42. Further Development..  DETOURS Hooks  Kernel Hooks
  • 43. Digital Evidence Forgery  Always a Possibility  Requires Knowledge of ‘What’ to Forge  Cost of Forgery May Outweigh ROI
  • 44. When code analysis #fails  Code Analysis Can be Inconclusive  Out of Band Data Useful to Support Hypothesis  C&C Channel Hosts Correlation  Check-In Server Identification  Post-Incident Artifacts  AuxiliaryTools / Code Utilized  Data Exfiltrated  Secondary Targets Attacked
  • 45. When code analysis #fails  Some automation available  Meta Data Link Analysis:  Maltego  Palantir  Analysts Desktop  Alternate data sources include..  Social Networking / Chat  Whois databases  Website Archives (archive.org)  DNS record archives (dnshistory.org)
  • 46. Say Nay? “Budgets will get cut when politicians find out that most of those ‘APT’ attacks are not actually state sponsored” “Technical analysis useless because of code sharing/reuse” “Attack analysis tools should only be used by people with a high degree of technical skills” “Short code segments – there’s only a few ways to achieve certain functionality”
  • 47. Stuxnet, stuxnet, stuxnet  Lots of speculation of origins .. and possible targeting  Some great analysis performed..  Symantec Stuxnet Dossier  Langer Communications blog  DHS ICS-CERT  ISIS Report
  • 48. Stuxnet Public Disclosures  June 17th – VirusBlokAda Discovery  June 24th – VirusBlokAda White Paper  July 7th – Microsoft Malware Sigs Released  July 15th – Let the media circus commence!  July 16th – Microsoft Issue Advisory 2286198  August 2nd ‘Lnk’ Vulnerability Patched
  • 49. What the Stux? Myrtus Stuxnet mrxnet.sys
  • 50. Stuxnet Infection MS10-046 MS10-061 & MS08-067 MC7
  • 51. Stuxnet Infection Profibus (Pro Field Bus) Comms
  • 52. Stuxnet Attribution & Targeting  Several Popular Targeting Theories:  Israel targeting Bushehr Nuclear Plant  Israel targeting Natanz Enrichment Facility  And Attribution  Disgruntled Siemens Employee(s)  Nation State  Organized Crime  Lone actor
  • 53. Developing Stuxnet..  PLC Programming (MC7 & STL)  Plant Process Specific Knowledge  Insider, Target-Specific Knowledge  Step7 & WinCC Program Suite Internals  S7P/TMP/MCP Files  Internal Step7 API’s  Windows Kernel/Rootkit Development  Exploit/shellcode development  Anti-Virus/Security Product Subversion R&D  Dropper, C&C & Persistence Components
  • 54. Resources Required  Access to hardware & software  including frequency converters  and probably centrifuges  Propagation Method  Stolen Certificates
  • 55. Stuxnet 0days? MS10-046 (LNK Vulnerability) Almost two years old MS08-067 (Server Service) Patched for two years MS10-061 (Print Spooler) Disclosed over one year ago MOF ‘Feature’ Not a vulnerability? WinCC DBMS Password Original work Step7 Project Files Original work MS10-073 (Kbd Privilege Escalation) Original work
  • 56. However…  Vulnerabilities chosen were  Unlikely to fail  If they did – failure should not result in a GPF  With exception of MS08-067..  Comparatively silent in exploitation  Creative exploitation (i.e. MOF)
  • 57. The Dichotomy of Stuxnet  Costly due to:  Maintenance for at least eighteen months and as long as four years  R&D invested into R&D PLC Payload, Step7 Subversion & Delivery Framework  However..  Trivial C&C Channel  Lots of prior art re-use  We’re talking about it right now..
  • 58. C&C #FAIL?  Trivial C&C Mechanism  More indicative of crime-ware  Two points of failure for control  (Updates a required feature)  Vulnerable to C&C Hijacking  No use of server-side cert validation
  • 59. Story so far: who was the target?  Still difficult to say – however:  Unlikely to be Power Generation  Power Transmission / Distribution Unlikely  Oil Cracking & Refining Unlikely  Likely targets:  Manufacturing (incl Chemical Manufacturing)  Nuclear Enrichment
  • 60. Who it was not..  Disgruntled employee / lone actor  Skill requirements preclude work of an individual acting alone  Western State advanced IO capabilities  Too much technical inconsistency  Large amount (and risk) of collateral damage  Greenpeace?
  • 61. We now know that..  Stuxnet Targeted Specific Components  Almost exclusively utilized in enrichment  Frequencies referenced indicative of enrichment  Specifically 807Hz – 1210 Hz  Iran was beyond reasonable doubt the target  Supported by previous theories  and.. IAEA Safeguards & ISIS Report  Iran has admitted an impact on operations
  • 62. Stuxnet Timeline  September 24th 2007 – Timestamp from MC7  June 17th 2010 – VirusBlokAda Discovery  June 24th 2010 – VirusBlokAda White Paper  July 7th 2010 – Microsoft Malware Sigs Released  July 15th 2010 – Let the media circus commence!  July 16th 2010 – Microsoft Issue Advisory 2286198  July 16th 2010 – Realtek Cert Revoked  July 17th 2010 – Variant Discovered with J-Micron Cert  July 22nd 2010 – J-Micron Cert Revoked  August 2nd 2010 ‘Lnk’ Vulnerability Patched  September 14th 2010 – Microsoft Patch MS10-061  October 12th 2010 – Microsoft Patch MS10-073  November 15th (approx.) – Iran halts Natanz enrichment  November 23rd 2010 – Statement by Ali Akbar Salehi  November 29th 2010 – Iran officially admits stuxnet impact
  • 63. Actor Profile..  Small(er), technically astute nation state  Basic IO Capabilities  Full time staff of operators  Presently reliant on external assistance  Good connections to acquire it..  Compartmented approach to operations  Good HUMINT Capabilities  Access to restricted centrifuge technology
  • 64. Fail #1 Chinese Theory  Various theories linking stuxnet to China  J-Micron & Realtek Taiwan locations  RealTek subsidiary in China  Vacon also located in China
  • 65. Fail #2: Espionage VS Siemens  Goal: To disrupt deal with Rosatom  Suspect: Areva
  • 66. Fail #3: Greenpeace Theory  Goal: Disrupt NPP / Enrichment Activities  Suspect: Greenpeace
  • 67. Scenario #1 – Broken Arrow*  PLC Components likely to be older than primary assembly (pre-2008)  Digitally signed rootkit & load point components recyclable  Technical skills of component developers in excess of operators  However – highly targeted nature makes this less likely
  • 68. Scenario #2 – A Joint Effort  Payload Components Developed Under Contract (Private or Public Partnership)  PLC work most likely of western origin  End-User Developed C&C + Entry Vector  Repackaged by End-User  Digital code signature could be either party  End-User localized access to target site
  • 69. Stuxnet Countermeasures  PCN / Corp Network System Co-Mingling  System Baselines  LPD Bug Required Guest Account  Unrequired Services on PLC Dev Systems  Host Based Firewalls & HIPS  Default Passwords/Accounts  Siemens WinCC SQL DB  In the US – a likely violation of NERC CIP
  • 70. Could Stuxnet have been worse?  Absolutely..  Vastly Improved C&C  Greater Propagation Discipline  Possible Supply Chain Influence  Improved Frequency Converter Targeting  PLC OS Rootkit?
  • 71. Lessons Learned  Stuxnet should not have been a game changer  If it was… you already lost  Simple countermeasures would have reduced impact  Even those mandated in the US by NERC CIP-002 – 009  Control Systems world is far behind many others  Security Assurance  Compliance
  • 72. Closing thoughts..  Lots still unconfirmed (un-confirmable?)  Extent of success unknown  Likely a set back for end-user/actor  Just the tip of the iceberg  Control systems are vulnerable  Investments are being made to attack them  Stuxnet could have been much worse