Duqu: Precursor to the Next Stuxnet
Antonio Forzieri Security Practice Manager – Technology Sales Organization
Before starting…
• You can follow our webinar on Twitter in real time. Our Twitter account is @StopBlackMarket
• You can also follow us on Facebook. Our account is Stop Black Market
• You can access all documents used for our webinars. Our portal is http://www.symantec.it/blackmarket
Stuxnet June 2010
Stuxnet July 2010
www.premierfutbol.com
www.todaysfutbol.com
Stuxnet Geographic Distribution of Infections
Over 40,000 infected unique external IPs, from over 115 countries
(Bar chart: unique IPs contacting the C&C server, by country, in %) Iran 58.31, Indonesia 17.83, India 9.96, Azerbaijan 3.40, Pakistan 1.40, Malaysia 1.16, USA 0.89, Uzbekistan 0.71, Russia 0.61, Great Britain 0.57, Others 5.15
Stuxnet November 2010
(Diagram: targeted PLC configuration)
• S7-315 CPU with CP-342-5, 6 modules
• 31 Vacon or Fararo Paya frequency converters per module
• Totaling up to 186 motors
Stuxnet February 2011
• Symantec identified 5 domains as the target of Stuxnet
• All targets have a presence in Iran
• 5 domains targeted, 1,800 domains infected
Stuxnet Runs Its Course
• Stuxnet files date between June 2009 and March 2010
• After March 2010 no new Stuxnet files appeared in the wild
• But it changed many things
Stuxnet accomplished its mission
(Diagram: network types arranged from "Secure/No network access" to "Limited internet access")
• Financial networks
– E.g., ATMs, POS, SWIFTNet
• Engineering networks
– E.g., source code, design documents, non-production code
• Classified data networks
• Aviation & air traffic control systems
• Life critical and healthcare systems
• Law enforcement database networks
• Military communication systems
• Malware analysis networks
This changes everything…
Much more can happen
Stuxnet
Duqu
• On October 14th a research lab reached out to Symantec to confirm a suspicion about a newly discovered threat
• We confirmed their suspicion
• This threat uses source code from Stuxnet
Duqu: Key Facts
• New executables using Stuxnet source code have been discovered
– Developed since the last Stuxnet file was recovered
• New executables designed to capture information like keystrokes & system information
• Current analysis shows no code related to industrial control systems, exploits, or self-replication
• Executables found in a limited number of organizations
– Including those involved in the manufacturing of industrial control systems
• Exfiltrated data may be used to enable a future Stuxnet-like attack
(Diagram: Stuxnet source code)
(Diagram: Stuxnet and Duqu built from the same source code)
Stuxnet Extensive Infection Vectors
• WinCC
• Network Shares
• Step7 SQL
• Print Spooler (MS10-061)
• SMB (MS08-067)
• P2P (updating only)
Duqu Infection Vectors
Duqu Deception
Duqu Deception
36 days
Stuxnet Deception
• 2 stolen private keys used to sign the application to allow undetected installation of rootkits
Duqu Deception
• A stolen private key used to sign the application to allow undetected installation of rootkits
Stuxnet Reconnaissance
(Diagram: infected machine with limited internet access contacting the attacker via www.mypremierfutbol.com and www.todaysfutbol.com)
• Infected machines check in with system information
– OS version
– Computer name
– Domain
– IP addresses
– Configuration data
– Existence of ICS programming software (STEP7)
• And will send design documents if requested
Duqu Reconnaissance
(Diagram: infected machine with limited internet access contacting the attacker at 206.[REMOVED].97)
• Download Infostealer to gather:
– Running processes, account details, domains
– Driver names, shared drive info, etc.
– Screenshots
– Keystrokes
– Network information
• Every 30 seconds
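The two reconnaissance slides describe behaviour a defender can hunt for in outbound proxy logs: the Stuxnet check-in to the two football-themed domains, and the Duqu infostealer reporting to its server every 30 seconds. The following Python script is an added example written for this edit, not code from the slides or from Symantec. It assumes a simple three-field log format (ISO timestamp, source host, destination host) and uses constructed sample lines; the domains come from the Stuxnet slide, while 198.51.100.97 is a documentation address standing in for the redacted Duqu C&C IP. It generalises the 30-second case: any source/destination pair whose request gaps are nearly constant is reported, whatever the interval.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): "<ISO timestamp> <src host> <dst host>".
# ws-eng-07 beacons to the stand-in Duqu address every ~30 s; ws-fin-02 touches the
# Stuxnet C&C domains once each; the rest is ordinary browsing noise.
SAMPLE_LOG = """\
2011-10-14T09:00:00 ws-eng-07 198.51.100.97
2011-10-14T09:00:30 ws-eng-07 198.51.100.97
2011-10-14T09:01:00 ws-eng-07 198.51.100.97
2011-10-14T09:01:30 ws-eng-07 198.51.100.97
2011-10-14T09:02:00 ws-eng-07 198.51.100.97
2011-10-14T09:02:31 ws-eng-07 198.51.100.97
2011-10-14T09:00:05 ws-eng-07 www.example.com
2011-10-14T09:07:40 ws-eng-07 www.example.com
2011-10-14T09:00:12 ws-fin-02 www.mypremierfutbol.com
2011-10-14T09:10:12 ws-fin-02 www.todaysfutbol.com
2011-10-14T09:00:12 ws-hr-01 www.example.com
2011-10-14T09:03:47 ws-hr-01 www.example.com
2011-10-14T09:04:02 ws-hr-01 www.example.com
2011-10-14T09:09:55 ws-hr-01 www.example.com
"""

# C&C domain names as shown on the Stuxnet reconnaissance slide.
STUXNET_C2 = {"www.mypremierfutbol.com", "www.todaysfutbol.com"}


def parse_log(text):
    """Group request timestamps by (src, dst) pair."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        sessions[(src, dst)].append(datetime.fromisoformat(ts))
    return sessions


def find_known_c2_contacts(text, known_c2):
    """Return sorted (src, dst) pairs that contacted a destination on the known C&C list."""
    return sorted((src, dst) for (src, dst) in parse_log(text) if dst in known_c2)


def find_beacons(text, min_hits=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose inter-request gaps are almost constant.

    min_hits   - minimum number of requests before a pair is considered
    max_jitter - allowed coefficient of variation (stdev / mean) of the gaps;
                 real beacons usually sit well under 0.1, browsing far above it
    """
    findings = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"src": src, "dst": dst,
                             "hits": len(times), "interval_s": round(avg, 1)})
    return findings


if __name__ == "__main__":
    for hit in find_known_c2_contacts(SAMPLE_LOG, STUXNET_C2):
        print("known C&C contact:", *hit)
    for b in find_beacons(SAMPLE_LOG):
        print(f"beacon: {b['src']} -> {b['dst']} every ~{b['interval_s']}s ({b['hits']} hits)")
```

On the sample data the beacon check reports only ws-eng-07 talking to 198.51.100.97 at a 30.2-second average interval; the four ws-hr-01 requests fall below `min_hits`, and even if the threshold were lowered their gaps vary far too much to pass the jitter test. On real logs, raise `min_hits` to suit the log window and tune `max_jitter` against a baseline of known-good update traffic, which also beacons regularly.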
Duqu Target
(Diagram: targeted machine with limited internet access, attacker)
• Limited in number
• In Europe
• Involved in manufacturing of industrial control systems
• We have found an additional variant since we went public
– The compilation time on the code was 10/17/2011
Symantec Customers Are Protected
• Those with updated AV definitions
• Those using Insight technology in SEP 12.1
– Low prevalence of Duqu
Recommended Defenses
• Advanced Reputation Techniques: Duqu is extremely targeted and thus would have a low reputation profile
• Host Intrusion Prevention Systems: implement host lock-down as a means of hardening against malware infiltration
• Removable Media Device Control: many infection vectors appear to be delivered by removable media; restrict automatic launch of content on removable media
• Data Loss Prevention: core repositories of intellectual property are likely prequel targets on the enterprise LAN
• Automated Compliance Monitoring: detecting default passwords on industrial control systems
What to Do?
1. Stay current on the latest Duqu research at Twitter.com/threatintel
2. Stay informed on Symantec’s outbreak page at www.symantec.com/outbreak
3. Contact us for a Malicious Activity Assessment
Thank you!
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.