04/14/12

Cyber threats the joker and the thief

gAtO FoUnD - a report on the continued threat of vulnerabilities in Web applications and mobile applications, which also outlines specific vulnerabilities with cloud-based implications. It also flags an alarming trend for security professionals: the continued prevalence of critical application-layer vulnerabilities such as Cross Site Scripting (XSS) and SQL Injection. Though fixes for these well-known vulnerabilities exist, the flaws continued to dominate, with XSS climbing to a staggering 38 percent of total Web vulnerabilities, a slight increase from the second half of 2010. SQL Injection accounted for 15 percent of the total number of Web vulnerabilities.

Web vulnerabilities
– In the first two months of 2012, 59 percent of all reported security vulnerabilities were Web vulnerabilities
– In 2011, Cross Site Scripting (XSS) accounted for 38 percent of total Web vulnerabilities

“As businesses worry about the next big security threat, they fail to realize the threats that are right in front of them,” said John Weinschenk, CEO of Cenzic. “From an industry-wide perspective, the fact that the amount of well-known vulnerabilities continues to persist is a signal that education, diligence, and proper coding during the development phase are a necessity in today’s cyber world. Real change can only happen by adhering to these principles.”

Mobile vulnerabilities
– A total of 89 mobile vulnerabilities were made public in 2011, and so far in 2012 (Jan-Feb) 11 mobile vulnerabilities have been made public.
– Sensitive Information Disclosure (28 percent) and Session Authentication and Authorization (28 percent) make up the bulk of the vulnerabilities.

The report also details the vulnerabilities related to cloud and mobile device usage, noting that a total of 89 mobile vulnerabilities were made public in 2011, while out of a set of 1201 publicly reported vulnerabilities, 855 had cloud-based security implications. As mobile devices continue to be used to access online cloud computing platforms, emerging hybrid vulnerabilities have developed as well.

Cloud vulnerabilities
– In 2011, out of a set of 1201 publicly reported vulnerabilities, 855 had cloud-based security implications
– Specific security vulnerabilities were found in cloud-based applications including EyeOS, OrangeHRM, The Parallels Plesk Panel, Oracle Fusion Middleware, Batavi E Commerce, deV!ls ClanPortal, and more.

The growing demand for cloud applications, and for mobile devices that access them, is creating a unique problem. Each has its own set of security issues, but when used in tandem they can produce hybrid vulnerabilities that compound threats and increase the complexity of secure coding. By exploiting a vulnerability in a mobile application, a hacker can open up an attack vector to a preexisting vulnerability in the cloud-based application. -gAtO oUt

 

12/16/11

Stuxnet / Duqu Cyber Weapons Diagram

Notes for Diagram W32.Duqu threat

These files must be installed by another executable (the installer) which has not yet been recovered.

1. The installer gets in, installs and registers all the files, which then gather enumeration information and encrypt it.

Characteristics of the threat:

• Highly targeted towards a limited number of organizations for their specific assets.
• Enumerates the network, records keystrokes, and gathers system information.
• Uses HTTP and HTTPS to communicate with a command-and-control server.
• General remote access capabilities.
• Gathers intelligence from a private entity to aid future attacks on a third party.

• The DLL offers nine main routines:
  • 65h: List of running processes, account details, and domain information
  • 66h: Drive names and information, including those of shared drives
  • 68h: Take a screenshot
  • 69h: Network information (interfaces, routing tables, shares list, etc.)
  • 67h: Keylogger
  • 6Ah: Window enumeration
  • 6Bh: Share enumeration
  • 6Dh: File exploration on all drives, including removable drives
  • 6Eh: Enumerate computers on the domain through NetServerEnum
• The log file contains records with the following fields:
  • Type
  • Size
  • Flags
  • Timestamp
  • Data

Key points:

•    Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
•    The executables are designed to capture information such as keystrokes and system information.
•    Current analysis shows no code related to industrial control systems, exploits, or self-replication.
•    The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
•    The exfiltrated data may be used to enable a future Stuxnet-like attack.

The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received. Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.

 

Text of Diagram:

Stuxnet / Duqu Architecture

Architecture (Internet-connected network):
• Installation
• Injection Procedure
• USB Drives
• Infection Routine Flow
• Windows Computers
• Stuxnet Updates Itself
• Command and Control Server Communication
• Internet Connection
• Internal Networks
• Remote Control

Command and Control Server Communication (C&C Server and Compromised Computer - Client):
• Client: GET
• C&C Server: 200 OK
• Client: GET index.php?data=[DATA]
  DATA: OS Version, Machine Name, Workgroup Name, Exec RPC code
• Response Type 1: 200 OK, execute RPC routine
• Response Type 2: 200 OK, encrypted binary code; client decrypts & executes the code

C&C Control:
• Check Internet Connection
• Send system information to C&C
• C&C response to execute encrypted binary code
• C&C response to execute RPC routine

Security Issues - Mitigation Techniques:
• Security Information and Event Management (SIEM)
• Intrusion monitoring system integrated with SIEM
• Implement Extrusion Detection
• Implement passive vulnerability scanners (PVS)
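One way to turn the C&C exchange shown in the diagram (GET index.php?data=[DATA], answered 200 OK with what appears to be a JPG) into the kind of extrusion-detection check the mitigation list calls for. This is an added example, not code from the diagram, from Symantec or from any vendor; the proxy log format, the hosts and the values in SAMPLE_LOG are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log excerpt (not real traffic): timestamp client method url status content-type
SAMPLE_LOG = """\
2011-10-17T10:01:02 10.0.0.5 GET http://203.0.113.10/index.php?data=a3Rlc3Q= 200 image/jpeg
2011-10-17T10:01:05 10.0.0.7 GET http://intranet.example/index.php?page=home 200 text/html
2011-10-17T10:31:02 10.0.0.5 GET http://203.0.113.10/index.php?data=b2tlbg== 200 image/jpeg
2011-10-17T11:01:02 10.0.0.5 GET http://203.0.113.10/index.php?data=c3Rh 200 image/jpeg
2011-10-17T11:02:00 10.0.0.9 GET http://cdn.example/photos/cat.jpg 200 image/jpeg
"""

# Assumed log layout: six space-separated fields per line.
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Split one log line into a dict, or return None if it does not fit the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ctype = m.groups()
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "host": u.hostname,
            "path": u.path, "query": parse_qs(u.query),
            "status": int(status), "ctype": ctype}


def is_beacon(rec):
    """The diagram's pattern: GET index.php?data=<blob>, answered 200 OK with a JPG body."""
    return (rec["method"] == "GET"
            and rec["path"].endswith("/index.php")
            and bool(rec["query"].get("data"))
            and rec["status"] == 200
            and rec["ctype"] == "image/jpeg")


def beaconing_pairs(log_text, min_hits=2):
    """Return {(client, server): [timestamps]} for pairs seen beaconing at least min_hits times."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_beacon(rec):
            hits[(rec["client"], rec["host"])].append(rec["ts"])
    return {pair: times for pair, times in hits.items() if len(times) >= min_hits}


if __name__ == "__main__":
    for (client, server), times in beaconing_pairs(SAMPLE_LOG).items():
        print(f"{client} -> {server}: {len(times)} beacons, first seen {times[0]}")
```

A PHP URL that answers a query-bearing GET with an image body, repeated on a schedule from one client, is what the check keys on; a single ordinary JPG download or a normal index.php page view does not trip it.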

Control System - Secure Facility, No Internet:
• Installation
• Injection Procedure
• USB Drives
• Infection Routine Flow
• Windows Computers
• NO – Stuxnet Updates Itself
• PLC Controllers
• Industrial Motors
• Command and Control Server Communication
• Internet Connection
• Internal Networks
• Remote Control
• PLC - Programmable logic controller

Duqu:
• Capability to gather intelligence from a private entity to aid future attacks
• Creators of Duqu had access to the source code of Stuxnet
• Payload has been replaced with general remote access capabilities
• Automatically removes itself from the system
• Threat is configured to run for 36 days
• C&C: primarily downloading or uploading what appear to be JPG files
• Information is logged to a lightly encrypted and compressed local file
• Gathering system information
• Enumerating the network
• Downloads additional executables
• HTTP and HTTPS to communicate
• Signed with a valid digital certificate
• Records keystrokes

DATA:
• Lists of running processes, account details, and domain information
• Drive names and other information, including those of shared drives
• Screenshots
• Network information (interfaces, routing tables, shares list, etc.)
• Key Presses – Key Logger
• Open Windows Names
• File Exploration on all Drives, including removable Drives
• Enumeration of computers in the Domain through NetServerEnum

SCADA - Process automation protocols:
• DF-1
• FOUNDATION fieldbus – H1 & HSE
• Profibus – by PROFIBUS International
• PROFINET IO
• CC-Link Industrial Networks – supported by the CLPA
• CIP (Common Industrial Protocol) – can be treated as an application layer common to DeviceNet, CompoNet, ControlNet and EtherNet/IP
• Controller Area Network – utilised in many network implementations, including CANopen and DeviceNet
• ControlNet – an implementation of CIP, originally by Allen-Bradley
• DeviceNet – an implementation of CIP, originally by Allen-Bradley
• DirectNet – Koyo / Automation Direct proprietary, yet documented PLC interface
• EtherNet/IP – IP stands for “Industrial Protocol”. An implementation of CIP, originally created by Rockwell Automation
• Ethernet Powerlink – an open protocol managed by the Ethernet POWERLINK Standardization Group (EPSG)
• EtherCAT
• Interbus – Phoenix Contact’s protocol for communication over serial links, now part of PROFINET IO
• HART Protocol
• Modbus RTU or ASCII or TCP
• Modbus Plus
• Modbus PEMEX
• Ethernet Global Data (EGD) – GE Fanuc PLCs (see also SRTP)
• FINS – Omron’s protocol for communication over several networks, including ethernet
• HostLink Protocol – Omron’s protocol for communication over serial links
• MECHATROLINK – open protocol originally developed by Yaskawa
• MelsecNet – supported by Mitsubishi Electric
• Optomux – serial (RS-422/485) network protocol originally developed by Opto 22 in 1982. The protocol was openly documented and over time used for industrial automation applications
• Honeywell SDS – Smart Distributed System – originally developed by Honeywell, currently supported by Holjeron
• SERCOS interface – open protocol for hard real-time control of motion and I/O
• SERCOS III – Ethernet-based version of the SERCOS real-time interface standard
• GE SRTP – GE Fanuc PLCs
• Sinec H1 – Siemens
• SynqNet – Danaher
• TTEthernet – TTTech
• PieP – an open fieldbus protocol
• BSAP – Bristol Standard Asynchronous Protocol, developed by Bristol Babcock Inc.
• RAPIEnet – Real-time Automation Protocols for Industrial Ethernet

Company Management / Internet / Local Control Offshore Platform:
• PLC-DCS – distributed control system
• PLC-RTU – Remote Terminal Unit
• Valve Station
• Stress Breach Station
• Terminals
• Internet

PLC – Programmable Logic Controller:
• Stuxnet seeks specific models: S7-300, S7-400
• PLC scan cycle: Read Input of Device, Execute Program, Diagnostics & Communications, Update Output

Communication Media:
• Satellite
• TelCom
• Internet
• SONET / SDH
• Cellular Networks

SCADA Master:
• Internet
• HMI
• MTU
• Web Server

Duqu – Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu – Geographics: France, Netherlands, Switzerland, Ukraine; India; Iran; Sudan; Vietnam

Duqu – Compile Time and Purpose:
• Wed Jun 01 03:25:18 2011 – Stealing information
• Mon Oct 17 17:07:47 2011 – Reconnaissance module
• Mon Oct 17 16:26:09 2011 – Lifespan extender
• Tue Aug 09 21:37:39 2011 – Stealing information
