The document discusses several pieces of malware including Stuxnet, Duqu, Flame, and Gauss. Stuxnet was the first malware discovered to target industrial control systems and included a PLC rootkit. Duqu shares code with Stuxnet and gathered intelligence. Flame was a large and complex malware that supported eliminating traces of its files. Gauss was designed to steal credentials from banking and social media accounts. All of the malware discussed exploited vulnerabilities and some signed with stolen certificates to propagate and communicate with command and control servers.

1. Srinu
sr1nu@ymail.com
I do Malware analysis, Computer forensic & Pentesting

2. Stuxnet
Duqu
Agenda Flame
Gauss

3. Stuxnet is discovered in June 2010 but the first variant of the worm
appeared in June 2009
Stuxnet is a first discovered malware includes a PLC Rootkit
Goal: To reprogram industrial control systems by modifying code on
programmable logic controllers to make them work in a manner the
attacker intended and to hide those changes from the operator of the
equipment

4. Infection Statistics
58.31
60
50
40
30
17.83
20
9.96
10 3.4 5.5
1.4 1.1 0.9 0.7 0.6 0.5
0

5. Possible Attack Scenario
Once Stuxnet had infected a computer within
the organization it began to spread in search of
Field PGs . Since most of these computers are
non-networked, Stuxnet would first try to spread
to other computers on the LAN, infecting Step 7
projects, and through removable drives.
Propagation through a LAN likely served as the
first step and propagation through removable
drives as a means to cover the last and final hop
to a Field PG that is never connected to an
untrusted network.

6. Communication
Before infection After infection

7. Technical Analysis
Exploited 4 zero day vulnerabilities
Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability
Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability
Win2000/XP Win32k.sys privilege elevation
Windows 7 task scheduler privilege elevation
Copies and executes itself on remote computers through network shares
Copies itself into Step 7 projects in such a way that it automatically executes
when the Step 7 project is loaded
Updates itself through a peer-to-peer mechanism within a LAN
Contains a Windows rootkit and a PLC rootkit
3 variants of stuxnet has been discovered.
Drivers signed with stolen certificate from Realtek & Jmicron

8. Technical Analysis (cont.)
Stuxnet contains a DLL file and two encrypted configuration files stored in a
section named name called stub
It uses different types of Process injection techniques depends on antivirus
installed.

10. Installation routine

11. Infection Routine

12. Demo
Analyzing STUXNET 

13. Duqu is discovered on September 2011, Duqu shares a great deal of code
with Stuxnet
Duqu got its name from the prefix "~DQ" it gives to the names of files it
creates
Duqu’s purpose is to gather intelligence data and assets from entities
Duqu may have been written in Object Oriented C or in unknown high level
language also called as Duqu framework
After 30 days of installation, the threat will automatically remove itself from
the system.

14. Geographic distribution

15. Technical Analysis
Duqu exploited a zero day vulnerability (MS11-087) Win32k TrueType font
parsing engine and allows execution
Duqu uses a 54*54 pixel jpeg file and encrypted dummy
files as containers to smuggle data to is command and
control servers.
Drivers signed with stolen certificates from C-Media
Electronic Inc.

16. Technical Analysis (cont.)
Duqu uses HTTP & HTTPS to communicate with C&C servers. C&C servers
are hosted in India, Belgium, and Vietnam
The C&C servers were configured to simply forward all port 80 and 443
traffic to other servers.
By using the C&C servers, the attacker were able to download additional
modules such as enumerating the network, recording keystrokes, and
gathering system information

17. Installation

18. architecture

20. Flame is a modular computer malware discovered in 2012, Its discovery was
announced on 28 May 2012
Flame is most complex malware ever found and it is an uncharacteristically
large program for malware at 20 MB.
Partly written in Lua scripting language with compiled C++ code linked in
Flame uses five different encryption methods and an SQLite database to store
structured information
Flame supports “kill” command that makes it eliminate all traces of its files
and operation from a system
Flame was signed with a fraudulent certificate believed from the Microsoft
Enforced Licensing Intermediate PCA certificate authority
It can record audio, screenshots, keyboard activity and network traffic

23. Technical Analysis
Flame exploited known vulnerabilities which is used in Stuxnet
Replicates via USB, LAN and Windows update
Communication : SSL + SSH
Skywiper’s main executables:
mssecmgr.ocx – Main module
msglu32.ocx
nteps32.ocx
advnetcfg.ocx
soapr32.ocx
ccalc32.sys
Boot32drv.sys

24. Technical Analysis(cont.)
Flame is a modular malware , it consists nearly 20 modules
Beetlejuice
Microbe
Infectmedia
Autorun_infector
Euphoria
Limbo
Frog
Munch
Gadget
Snack
Boot_dll_loader
Weasel
Boost
Telemetry
Gator,
Security
Bunny, Dbquery, Driller, Headache

25. Startup
sequence

26. Command & Control servers
Operating system: 64-bit Debian 6.0.x
Virtualization: In most of cases running under OpenVZ
Programming languages used: PHP (most of code), Python, bash
Database: MySQL with InnoDB tables
Web server: Apache 2.x with self-signed certificates

27. Command & Control servers (cont.)

28. Demo
Analyzing Flame 

29. Gauss is discovered by Kaspersky lab in June 2012, while searching for new,
unknown components.
Gauss is designed to collect as much information about infected machine as
possible, as well as to steal credentials for various banking systems and
social network, email and IM accounts.
Gauss was designed for 32-bit versions of windows. Some of the modules
do not work under windows 7 SP1

30. Functionality
Injecting its own modules into different browsers in order to intercept user
sessions and steal passwords, cookies and browser history.
Collecting information about the computer’s network connections.
Collecting information about processes and folders.
Collecting information about BIOS, CMOS RAM.
Collecting information about local, network and removable drives.
Infecting USB drives with a spy module in order to steal information from
other computers.
Installing the custom Palida Narrow font (purpose unknown).
Ensuring the entire toolkit’s loading and operation.
Interacting with the command and control server, sending the information
collected to it, downloading additional modules.

31. Infection statistics
Lebanon 1660
Israel 483
Palestinian Territory 261
United States 43
United Arab Emirates 11
Germany 5
Egypt 4
Qatar 4
Jordan 4
Saudi Arabia 4
Syria 4

34. This is just the beginning. Think about all the services and
systems that we depend upon to keep society running smoothly.
Most of them run on computer networks. Even if the network
administrators isolate their computers from the rest of the
Internet, they could be vulnerable to a cyber attack.