Notes for Diagram W32.Duqu threat
These files must be installed by another executable (the installer), which has not yet been recovered.
1. The installer gets in, installs all the files and registers them to gather enumeration information and encrypt it.
Highly targeted towards a limited number of organizations for their specific assets.

Enumerating the Network – Recording Keystrokes – Gathering System Information
Uses HTTP and HTTPS to communicate with a command-and-control (C&C) server.
Provides general remote access capabilities.
Gathers intelligence from a private entity to aid future attacks on a third party.
- The DLL offers nine main routines:
• 65h: List of running processes, account details, and domain information
• 66h: Drive names and information, including those of shared drives
• 68h: Take a screenshot
• 69h: Network information (interfaces, routing tables, shares list, etc.)
• 67h: Keylogger
• 6Ah: Window enumeration
• 6Bh: Share enumeration
• 6Dh: File exploration on all drives, including removable drives
• 6Eh: Enumerate computers on the domain through NetServerEnum
- The log file contains records with the following fields:
• Type
• Size
• Flags
• Timestamp
• Data
Key points:
• Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
• The executables are designed to capture information such as keystrokes and system information.
• Current analysis shows no code related to industrial control systems, exploits, or self-replication.
• The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
• The exfiltrated data may be used to enable a future Stuxnet-like attack.
The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received. Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.
Text of Diagram:
Stuxnet / Duqu
Architecture
Installation
Injection Procedure
USB Drives
Infection Routine Flow
Windows Computers
Stuxnet Updates Itself
Command and Control Server Communication
Internet Connection
Internal Networks
Remote Control
C&C Server
Compromised Computer – Client
GET
200 OK
GET index.php?data=[DATA]
DATA
OS Version
Machine Name
Workgroup Name
Exec RPC code
Response Type 1:
200 OK execute RPC routine
Decrypt & exec. code
Response Type 2:
200 OK encrypted binary code
C&C Control
Check Internet Connection
Send system information to C&C
C&C response to execute encrypted binary code
C&C response to execute RPC routine
Security Issues -Mitigation Techniques
Security Information
Event Management
Intrusion monitoring system integrated with SIEM
Implement Extrusion Detection
Implement passive vulnerability scanners (PVS)
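The client/server exchange in the diagram (GET index.php?data=[DATA], RPC or encrypted-binary responses, dummy JPG transfers) together with the mitigation list above suggests what an extrusion-detection rule feeding a SIEM would look for. The following Python is an added example, not code from the original notes or from any Duqu analysis. It assumes a constructed proxy-log format (timestamp, source IP, method, URL, status, bytes), an assumed control-system address range of 10.50.0.0/16 standing in for the "Secure Facility No Internet" segment, and heuristic thresholds (minimum data length, minimum entropy, bare-IP JPG hosts) that are this example's own choices, not indicators documented on the page.

```python
"""Extrusion-detection sketch for the Duqu-style C&C pattern described in the notes.

Added example; the log format, address range and thresholds are assumptions.
"""
import ipaddress
import math
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumption: the PLC/SCADA segment, which the diagram marks "Secure Facility No Internet".
CONTROL_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
# Assumption: heuristic thresholds for the index.php?data= beacon rule.
MIN_DATA_LEN = 32
MIN_ENTROPY = 3.5

# Constructed proxy log lines (not real Duqu traffic):
# <timestamp> <src_ip> <method> <url> <status> <bytes>
# The data= value on line 2 is an arbitrary constructed blob standing in for encoded system info.
SAMPLE_LOG = """\
2011-10-17T10:00:01 10.20.1.15 GET http://intranet.example/index.html 200 1240
2011-10-17T10:00:05 10.20.1.15 GET http://203.0.113.7/index.php?data=TkhBU2VydmVyMXxXT1JLR1JPVVB8V2luNiNQcm9nKzM 200 6010
2011-10-17T10:00:09 10.50.3.21 GET http://198.51.100.9/update.jpg 200 48800
2011-10-17T10:00:12 10.20.1.16 GET http://cdn.example/logo.jpg 200 3320
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: encrypted or encoded blobs score high, plain words low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> dict:
    """Split one constructed proxy-log line into its fields."""
    ts, src, method, url, status, size = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes": int(size)}


def classify(rec: dict) -> list:
    """Return the reasons a record is suspicious (empty list when it is not)."""
    reasons = []
    src = ipaddress.ip_address(rec["src"])
    parts = urlsplit(rec["url"])
    host = parts.hostname or ""

    # Extrusion rule: the control segment should never reach web servers at all.
    if src in CONTROL_SEGMENT:
        reasons.append("web request from control segment (should have no Internet)")

    # Beacon shape from the diagram: GET index.php?data=[DATA] carrying encoded system info.
    data = parse_qs(parts.query).get("data", [""])[0]
    if (parts.path.endswith("index.php") and len(data) >= MIN_DATA_LEN
            and shannon_entropy(data) >= MIN_ENTROPY):
        reasons.append("index.php?data= beacon carrying a high-entropy blob")

    # Cover traffic: the notes say payloads travel as apparent JPG files.
    # Assumption: a JPG fetched from a bare-IP host is worth an analyst's look.
    if parts.path.lower().endswith(".jpg") and is_bare_ip(host):
        reasons.append("JPG transfer with a bare-IP server (possible cover traffic)")
    return reasons


def detect(log_text: str) -> list:
    """Run every rule over the log; return (src, url, reasons) for each flagged line."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["src"], rec["url"], reasons))
    return alerts


if __name__ == "__main__":
    for src, url, reasons in detect(SAMPLE_LOG):
        print(f"{src} {url}")
        for reason in reasons:
            print("   -", reason)
```

Running the block on the constructed sample flags the index.php beacon from the office host and, separately, the control-segment host fetching a JPG from a bare IP; the intranet page and the CDN logo pass. In a real deployment the address range would come from the network inventory and the thresholds would be tuned against baseline traffic before the rule is handed to the SIEM.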
Control System
Secure Facility No Internet
Installation
Injection Procedure
USB Drives
Infection Routine Flow
Windows Computers
NO – Stuxnet Updates Itself
PLC Controllers
Industrial Motors
Command and Control Server Communication
Internet Connection
Internal Networks
Remote Control
PLC Controllers
Industrial Motors
PLC- Programmable logic controller
Duqu
Duqu – has the capability to gather intelligence from a private entity to aid future attacks
Duqu – creators of Duqu had access to the source code of Stuxnet
Duqu – payload has been replaced with general remote access capabilities
Duqu – automatically removes itself from the system
Duqu – threat is configured to run for 36 days
Duqu – C&C – primarily downloading or uploading what appear to be JPG files
Duqu – information is logged to a lightly encrypted and compressed local file
Duqu – gathering system information
Duqu – enumerating the network
Duqu – download additional executables
Duqu – HTTP and HTTPS to communicate
Duqu – signed with a valid digital certificate
Duqu – record keystrokes
DATA:
Lists of running processes, account details, and domain information
Drive names and other information, including those of shared drives
Screenshots
Network information (interfaces, routing tables, shares list, etc.)
Key Presses – Key Logger
Open Windows Names
File Exploration on all Drives, including removable Drives
Enumeration of computers in the Domain through NetServerEnum
SCADA
Process automation protocols:
• DF-1
• FOUNDATION fieldbus – H1 & HSE
• Profibus – by PROFIBUS International
• PROFINET IO
• CC-Link Industrial Networks – supported by the CLPA
• CIP (Common Industrial Protocol) – can be treated as an application layer common to DeviceNet, CompoNet, ControlNet and EtherNet/IP
• Controller Area Network – utilised in many network implementations, including CANopen and DeviceNet
• ControlNet – an implementation of CIP, originally by Allen-Bradley
• DeviceNet – an implementation of CIP, originally by Allen-Bradley
• DirectNet – Koyo / Automation Direct proprietary, yet documented PLC interface
• EtherNet/IP – IP stands for “Industrial Protocol”; an implementation of CIP, originally created by Rockwell Automation
• Ethernet Powerlink – an open protocol managed by the Ethernet POWERLINK Standardization Group (EPSG)
• EtherCAT
• Interbus – Phoenix Contact’s protocol for communication over serial links, now part of PROFINET IO
• HART Protocol
• Modbus RTU or ASCII or TCP
• Modbus Plus
• Modbus PEMEX
• Ethernet Global Data (EGD) – GE Fanuc PLCs (see also SRTP)
• FINS – Omron’s protocol for communication over several networks, including Ethernet
• HostLink Protocol – Omron’s protocol for communication over serial links
• MECHATROLINK – open protocol originally developed by Yaskawa
• MelsecNet – supported by Mitsubishi Electric
• Optomux – serial (RS-422/485) network protocol originally developed by Opto 22 in 1982; the protocol was openly documented and over time used for industrial automation applications
• Honeywell SDS – Smart Distributed System, originally developed by Honeywell, currently supported by Holjeron
• SERCOS interface – open protocol for hard real-time control of motion and I/O
• SERCOS III – Ethernet-based version of the SERCOS real-time interface standard
• GE SRTP – GE Fanuc PLCs
• Sinec H1 – Siemens
• SynqNet – Danaher
• TTEthernet – TTTech
• PieP – an open fieldbus protocol
• BSAP – Bristol Standard Asynchronous Protocol, developed by Bristol Babcock Inc.
• RAPIEnet[1] – Real-time Automation Protocols for Industrial Ethernet
Company Management
Internet
Local Control Offshore Platform
PLC-DCS – Distributed Control System
PLC-RTU – Remote Terminal Unit
Valve Station
Stress Breach Station
Terminals
Internet
PLC Programmable Logic Controller
Stuxnet Seeks Specific Models S7-300 S7-400
Read Input of Device
Execute Program
Diagnostics & Communications
Update Output
PLC Scans
Communication Media
Satellite
TelCom
Internet
SONET / SDH
Cellular Networks
SCADA Master
Internet
HMI
MTU
Web Server
Internet
Duqu – Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
Duqu – Geographics
France, Netherlands, Switzerland, Ukraine
India
Iran
Sudan
Vietnam
Duqu – Compile Time and Purpose:
• Wed Jun 01 03:25:18 2011 – Stealing information
• Mon Oct 17 17:07:47 2011 – Reconnaissance module
• Mon Oct 17 16:26:09 2011 – Lifespan extender
• Tue Aug 09 21:37:39 2011 – Stealing information