Symantec is analyzing a new cyber threat, nicknamed Duqu, derived from Stuxnet, with which it shares a large part of its source code. Duqu's objective is to gather intelligence data from companies, such as manufacturers of industrial control systems, in order to make future attacks against third parties easier. Discover with us further details and how to deal with the Duqu threat. Download the presentation from the webinar held today.
Duqu: the new Stuxnet?
1. Duqu: Precursor to the Next Stuxnet
Antonio Forzieri
Security Practice Manager – Technology Sales Organization
Duqu: Precursor to the Next Stuxnet 1
2. Before starting…
Twitter
• You can follow our webinar on Twitter in real time. Our Twitter account is @StopBlackMarket
3. Before Starting…
Facebook
• You can also follow us on Facebook. Our account is Stop Black Market
4. Before Starting…
Symantec
• You can access all documents used for our webinars. Our portal is http://www.symantec.it/blackmarket
6. Stuxnet
July 2010
www.premierfutbol.com
www.todaysfutbol.com
7. Stuxnet
Geographic Distribution of Infections
[Bar chart: Unique IPs contacting the C&C server (%), by country. Bars left to right, with values in the order extracted: Iran 58.31, Indonesia 17.83, India 9.96, Azerbaijan 5.15, Pakistan 3.40, Malaysia 1.40, USA 1.16, Uzbekistan 0.89, Russia 0.71, Great Britain 0.61, Others 0.57]
Over 40,000 infected unique external IPs, from over 115 countries
8. Stuxnet
November 2010
[Diagram] S7-315 CPU with CP-342-5 modules (6 modules)
31 Vacon or Fararo Paya frequency converters per module
Totaling up to 186 motors
9. Stuxnet
February 2011
• Symantec identified 5 domains as the target of Stuxnet
• All targets have a presence in Iran
5 Domains targeted
1800 domains infected
10. Stuxnet Runs Its Course
• Stuxnet files date between June 2009 and March 2010
• After March 2010 no new Stuxnet files appeared in the wild
• But it changed many things
12. Limited internet access
• Financial networks
– E.g., ATMs, POS, SWIFTNet
• Engineering networks
– E.g., source code, design documents, non-production code
Secure/No network access
• Classified data networks
• Aviation & air traffic control systems
• Life critical and healthcare systems
• Law enforcement database networks
• Military communication systems
• Malware analysis networks
16. Duqu
• On October 14th a research lab reached out to Symantec to confirm a suspicion about a newly discovered threat
• We confirmed their suspicion
• This threat uses source code from Stuxnet
17. Duqu: Key Facts
• New executables using Stuxnet source code have been discovered
– Developed since the last Stuxnet file was recovered
• New executables designed to capture information like keystrokes
& system information
• Current analysis shows no code related to industrial control systems,
exploits, or self-replication
• Executables found in limited number of organizations
– Including those involved in the manufacturing of industrial control systems
• Exfiltrated data may be used to enable a future Stuxnet-like attack
18. Source Code
Stuxnet
19. Source Code
Stuxnet
Duqu
23. Duqu
Deception
36 days
24. Stuxnet
Deception
• 2 stolen private keys used to sign the application to allow undetected installation of rootkits
25. Duqu
Deception
A stolen private key used to sign the application
to allow undetected installation of rootkits
26. Stuxnet
Reconnaissance
Limited internet access
Attacker
www.mypremierfutbol.com
www.todaysfutbol.com
• Infected machines check in with system
information
– OS version
– Computer name
– Domain
– IP addresses
– Configuration data
– Existence of ICS programming software (STEP7)
• And will send design documents if requested
27. Duqu
Reconnaissance
Limited internet access
Attacker
206.[REMOVED].97
• Download Infostealer to gather:
– Running processes, account details,
domains
– Driver names, shared drive info, etc
– Screenshots
– Keystrokes
– Network information
• Every 30 seconds
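The check-in behaviour on the two reconnaissance slides (Stuxnet's infected machines reporting system information to the C&C domains, and Duqu's infostealer contacting the attacker every 30 seconds) leaves a regular beacon pattern in outbound proxy or firewall logs. The script below is an added example, not code from the Symantec deck: it parses a constructed log (the three-column format and every line in it are made up for this example, and 203.0.113.97 is a documentation address standing in for the redacted C&C IP on the slide) and flags source/destination pairs whose inter-request intervals are almost constant. The thresholds `min_events` and `max_cv` are assumptions chosen for the sample data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one request per line: "<ISO timestamp> <src_ip> <destination>".
# The 10.0.0.5 flow imitates a 30-second check-in; the 10.0.0.8 flow is ordinary browsing.
SAMPLE_LOG = """\
2011-10-14T09:00:00 10.0.0.5 203.0.113.97
2011-10-14T09:00:30 10.0.0.5 203.0.113.97
2011-10-14T09:01:00 10.0.0.5 203.0.113.97
2011-10-14T09:01:31 10.0.0.5 203.0.113.97
2011-10-14T09:02:00 10.0.0.5 203.0.113.97
2011-10-14T09:02:30 10.0.0.5 203.0.113.97
2011-10-14T09:00:07 10.0.0.8 www.example.com
2011-10-14T09:00:09 10.0.0.8 www.example.com
2011-10-14T09:03:44 10.0.0.8 www.example.com
2011-10-14T09:12:01 10.0.0.8 www.example.com
2011-10-14T09:12:02 10.0.0.8 www.example.com
2011-10-14T09:20:00 10.0.0.8 www.example.com
"""


def parse_log(text):
    """Group request timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(stamp))
    return flows


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for one flow.

    Returns None when there are too few requests to measure a rhythm.
    """
    if len(timestamps) < 2:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    # Coefficient of variation: spread of the gaps relative to their mean.
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_events=5, max_cv=0.1):
    """Return {(src, dst): (mean_gap, cv)} for flows that look like periodic check-ins.

    min_events and max_cv are assumed thresholds for this example: a flow needs
    at least min_events requests, and the relative spread of its gaps must stay
    below max_cv to count as a beacon.
    """
    beacons = {}
    for key, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        stats = interval_stats(times)
        if stats is not None and stats[1] <= max_cv:
            beacons[key] = stats
    return beacons


if __name__ == "__main__":
    for (src, dst), (avg, cv) in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: every {avg:.1f}s (cv={cv:.3f})")
```

On the constructed data the 10.0.0.5 flow is reported with a mean gap of 30 seconds and a near-zero coefficient of variation, while the browsing flow is not reported. In production the thresholds need tuning against a baseline of legitimate periodic traffic (software update checks, monitoring agents), and beacons that randomise their sleep interval will need a looser `max_cv` or a longer observation window.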
28. Duqu
Target
Limited internet access
Attacker
• Limited in number
• In Europe
• Involved in manufacturing of industrial control systems
• We have found an additional variant since we went public
The compilation time on the code was 10/17/2011
29. Symantec Customers Are Protected
• Those with updated AV definitions
• Those using Insight technology in SEP 12.1
– Low prevalence of Duqu
30. Recommended Defenses
Advanced Reputation Techniques
• Duqu is extremely targeted and thus, would have a low reputation profile
Host Intrusion Prevention Systems
• Implement host lock-down as a means of hardening against malware infiltration
Removable Media Device Control
• Many infection vectors appear to be delivered by removable media
• Restrict automatic launch of content on removable media
Data Loss Prevention
• Core repositories of intellectual property are likely prequel targets on Enterprise LAN
Automated Compliance Monitoring
• Detecting default passwords on industrial control systems
31. What to Do?
1 Stay Current on the latest Duqu research with Twitter.com/threatintel
2 Stay Informed on Symantec’s outbreak page at www.symantec.com/outbreak
3 Contact: ask us for a Malicious Activity Assessment