In this edition of Lab Matters, Ryan Naraine interviews Kaspersky Lab CTO Nikolay Nikolay Grebennikov about malicious threats on mobile devices. Grebennikov talks about the taxonomy of threats and explains Kaspersky Lab's vision for protecting data on smart phones. The discussion touches on privacy issues, data protection, anti-theft recovery, social engineering, URL filtering and parental control.
As we continue to investigate the Duqu targeted attack, there is new information that suggests the malware was created to spy on Iran's nuclear program.
Some background and facts:
We can now confirm that some of the targets of Duqu were hit on April 21, using the same method involving CVE-2011-3402, a kernel level exploit in win32k.sys via embedded True Type Font (TTF) file.
According to analysis by IrCERT (Iran's Computer Emergency Response Team) Duqu is an upgraded version of "Stars":
If we are to believe these reports, then it means that Duqu was created in order to spy on Iran's nuclear program.
Just yesterday (November 4), the United Nations announced it was in possession of plans from Iran to make computer models of a nuclear warheads.
"The annex will also say that more than 10 nations have supplied intelligence suggesting Iran is secretly developing components of a nuclear arms program - among them an implosion-type."
It would not be surprising that Stars and Duqu were used to collect such information.
Tim Armstrong looks at the timeline of the Sony breach and pieces together the relevant details at each point in time. He discusses the known facts of the case and the potential future fallout.
This is an active investigation by Kaspersky Lab's Global Research & Analysis Team. We will be updating this FAQ document as necessary.
Duqu is a sophisticated Trojan which seems to have been written by the same people who created the infamous Stuxnet worm. Its main purpose is to act as a backdoor into the system and facilitate the theft of private information. This is the main difference when compared to Stuxnet, which was created to conduct industrial sabotage. It's also important to point out that while Stuxnet is able to replicate from one computer to another using various mechanisms, Duqu is a Trojan that doesn't seem to replicate on its own.
Unlike Stuxnet, Duqu doesn't target PLC/SCADA equipment directly, although some of its subroutines could be used to steal information related to industrial installations. It appears that Duqu was created in order to collect intelligence about its targets, which can include pretty much anything that is available in digital format on the victim’s PC.
In the cases we have analysed, Duqu infects a computer through a targeted attack involving a Word document which exploits the CVE-2011-3402 vulnerability. This is a 0-day vulnerability in the Windows kernel component Win32k.sys which allows the attackers to run code with the highest privilege level, bypassing pretty much most of the protection mechanisms from Windows or security software. According to our knowledge, Duqu is the only malware using this vulnerability to infect computers. All Kaspersky Lab security solutions detect this vulnerability under the name Exploit.Win32.CVE-2011-3402.a as of November 6, 2011.
There is indeed a 0-day vulnerability being used to infect computers in the initial phase. Microsoft released an advisory (2639658) with basic information and mitigation steps.
Duqu was brought to the attention of the security community by the Hungarian Research Lab CrySyS. They were the first to point out the resemblance to Stuxnet and perform what remains the most thorough analysis of the malware yet.
The first Duqu attacks were spotted as early as mid-April 2011. The attacks continued in the following months, until October 18, when news about Duqu was made public.
It appears that there are at least seven variants of the Duqu drivers, together with a few other components. These are all detected with different names by various anti-virus companies, creating the impression that there are multiple different variants. At the time of writing, we are aware of two Infostealer components and seven different drivers. Additionally, we suspect the existence of at least another Infostealer component which had the capability to directly search and steal documents from the victim's machine.
While there are indeed reports indicating that the main goal of Duqu is to steal information from CAs, there is no clear evidence at this time to support this claim. On the contrary, we believe the main purpose of Duqu was different and CAs were just collateral victims.
One suspicion is that Duqu was used to steal certificates from CAs that can be used to sign malicious code in order to make it harder to catch. The functionality of the backdoor in Duqu is actually rather complex and it can be used for a lot more. Basically, it can steal everything, however, it looks like attackers were particularly interested in collecting passwords, making desktop screenshots (to spy on the user) and stealing various kinds of documents.
The initial Duqu C&C server, which was hosted in India is no longer active. Just like in the case of Stuxnet, it was pulled offline pretty quickly once the news broke. In addition to this, we are aware of another C&C server in Belgium, which was also quickly taken offline. Actually, it appears that every single Duqu targeted attack used a separate C&C server.
Maybe the author was a fan of round numbers, such as 6x6? :) Actually, the time for which Duqu is running in the system is defined by the configuration file and varies between the attacks. We have also seen instances where the duration was set to 30 days.
The same gang who was behind Stuxnet. Curiously, they seem to have picked up an interest in astronomy; the infostealer executable has a portion of a JPEG file picked up by the Hubble telescope (“Interacting Galaxy System NGC 6745”):
The picture portrays the aftermath of direct collision of two galaxies(!), several million of years ago. You can read the story here.
UPDATE (November 15, 2011):
When activated, the main Duqu program body connects to its C&C server and downloads updates and supplemental modules. One such module is the Duqu "infostealer," for which two versions are known and others are believed to have existed at various points in the time.
The "infostealer" module is downloaded in memory and executed through the process injection technique used by Stuxnet and Duqu to avoid temporary files. This is done in order to make sure that the "infostealer" component (and other Duqu updates) will not be intercepted or left behind on an infected machine. It also means that they have a limited lifetime, basically until the next system reboot.
The most powerful version of the "infostealer" has the ability to intercept keystrokes, it makes screenshots of the whole screen (first time) and of the active window, collects the IE browsing history and various data related to the system network configuration. There is also code which can do browsing of network shares. All this information is nicely packaged into a file that is written into the %TEMP% folder by default. It is a compressed BZIP2 format with modified headers. Thanks to the BZIP2 compression, the files are smaller than you'd think.
The "infostealer" components we have seen create files with the name "~DQx.tmp". In addition to this, we are aware of other files with the name "~DFxxxxx.tmp" and "~DOxxxxx.tmp". The "DF" and "DO" have a similar format and appear to have been generated by an earlier version of the "infostealer". They also contain more information, including various files the victim PC such as Word or Excel documents. The "~DF" files are generally much bigger, due to their additional file content.
In all cases, they are easy to recognize by the header "ABh91AY&SY". If you find such files in your PC then most likely you've been a victim of Duqu. If you'd like to scan your system for such files, the nice people at CrySyS have a set of tools that can help.
Duqu and Stuxnet have a lot of things in common. Usage of various encryption keys, including ones that haven't been made public prior to Duqu, injection techniques, the usage of zero-day exploits, usage of stolen certificates to sign the drivers, all of these make us believe both have been written by the same team.
So, what does that mean exactly? Simply put, different people might have worked on Duqu and Stuxnet, but most likely they worked for the same "publishing house." If you want an analogy, Duqu and Stuxnet are like Windows and Office. Both are from Microsoft, although different people might have worked on them.
In the incidents we have analyzed, Duqu arrives in the system in the form of a Microsoft Word Document. The document contains an exploit for the vulnerability known as CVE-2011-3402. This is a buffer overflow in a function of Win32k.sys which deals with True Type fonts. To exploit this specific vulnerability, an attacker needs to craft a special True Type Font and embed it into a document, for instance, a Word Document.
Now, for the connection part - in the incident we've analyzed (and this is also true for the other known incident), the attackers used a font presumably called "Dexter Regular", by "Showtime Inc.," (c) 2003. This is another prank pulled by the Duqu authors, since Showtime Inc. is the cable broadcasting company behind the TV series Dexter, about a CSI doctor who also happens to be a serial killer who avenges criminals in some post-modern perversion of Charles Bronson's character in Death Wish.
We hope they are just fans of Dexter.
Interestingly, the same constant can be found in Duqu as well. The Hungarian CrySyS lab was the first to point out the usage of 0xAE790509 in Duqu. In the case of Stuxnet, the integer 0x19790509 is used as an infection check; in the case of Duqu, the constant is 0xAE790509.
What is less known is that 0xAE790509 was also used in Stuxnet, however, prior to Duqu this was not included in any of the public analyses we are familiar with.
There are also many other places where the constant 0xAE is used, both in Duqu and Stuxnet.
Finally, the constant 0xAE240682 is used by Duqu as part of the decryption routine for one of the known PNF files. In case you are wondering, 24 June 1982 is indeed an interesting date - check out the case of BA flight 9.
* Research by Kaspersky Lab Global Research & Analysis Team.
Costin Raiu of Kaspersky Lab's Global Research and Analysis Team talks about the investigation into Duqu, the likelihood that it was written by the same team as Stuxnet, whether a government is behind its development and what mistakes the authors made.
Download the podcast from the Threatpost site.
On the first anniversary of Stuxnet, Roel Schouwenberg discusses gaping holes in Industrial Control Systems and the risks associated with these vulnerabilities.
BARCELONA -- The annual Virus Bulletin conference kicks off here tomorrow with anti-malware researchers discussing a wide range of important issues facing the industry.
Researchers from Kaspersky Lab will have a major presence at the conference this year -- nine speaker slots! -- with talks on the cyber-crime underground, mobile (Android) malware, web application security and social network threats.
I'd like to call attention to a few of the important Kaspersky Lab presentations:
Many security technologies rely on blacklisting malicious or suspicious files or applications in order to prevent users from running them. But that approach can have its limitations, and theidea of whitelisting applications and safe files has taken hold recently. In this video, Vladimir Zapolyansky talks about the benefits of application whitelisting, the way that the technology works and how it can help users protect their PCs more effectively.
Kaspersky Lab chief technology officer Nikolay Grebennikov joins Ryan Naraine to discuss the evolution of anti-malware software. Grebennikov talks about the changing face of the malicious threat facing desktop users and the additional components added to Kaspersky's anti-malware products to move beyond signature-based detection of threats. He goes into detail about heuristics and emulation, behavior-based detection and newer proactive technologies to handle real-time malware detection.
Arbor Networks researcher Jose Nazario talks about new DDoS bot families, most previously unidentified. Nazario provides a tour of recently discovered DDoS bots from around the world showing the proliferation of attack models, adoption of .Net, and new modular functionalities.
Kaspersky Lab is paying a lot of attention to IT security education & literacy development sharing its knowledge & experience actively through its educational program "Kaspersky Academy" which offers unique opportunities for students & young professionals to improve their knowledge of IT security, gain new experience and communicate with industry experts, realize their scientific potential as well as get exciting career opportunities & open the door to the professional world of IT security. Ram Herkanaidu, educational manager, is telling about academic initiatives of the company.