Duqu: Precursor to the Next Stuxnet

    Antonio Forzieri
    Security Practice Manager – Technology Sales Organization

Duqu: Precursor to the Next Stuxnet                             1
Before starting…

    Twitter
    • You can follow our webinar on Twitter in real time.
      Our Twitter account is @StopBlackMarket

    Facebook
    • You can also follow us on Facebook. Our
      account is Stop Black Market

    Symantec
    • You can access all documents used for our webinars.
      Our portal is http://www.symantec.it/blackmarket

Stuxnet
June 2010

Stuxnet
July 2010

    C&C domains contacted by infected machines:
        www.mypremierfutbol.com
        www.todaysfutbol.com

Stuxnet
Geographic Distribution of Infections
(unique IPs contacting the C&C server, %)

    Iran            58.31
    Indonesia       17.83
    India            9.96
    Azerbaijan       3.40
    Pakistan         1.40
    Malaysia         1.16
    USA              0.89
    Uzbekistan       0.71
    Russia           0.61
    Great Britain    0.57
    Others           5.15

    Over 40,000 infected unique external IPs, from over 115 countries

Stuxnet
November 2010

    Targeted PLC configuration:
    • S7-315 CPU
    • CP-342-5 communication processors, 6 modules
    • 31 Vacon or Fararo Paya frequency converters per module
    • Totaling up to 186 motors

Stuxnet
February 2011

• Symantec identified 5 domains (organizations) as the targets of Stuxnet
• All targets have a presence in Iran

    5 domains targeted
    1800 domains infected

Stuxnet Runs Its Course
• Stuxnet files date between June 2009 and March 2010
• After March 2010 no new Stuxnet files appeared in the wild
• But it changed many things

Stuxnet accomplished its mission

Limited internet access
• Financial networks
  – E.g., ATMs, POS, SWIFTNet
• Engineering networks
  – E.g., source code, design documents, non-production code

Secure/No network access
• Classified data networks
• Aviation & air traffic control systems
• Life critical and healthcare systems
• Law enforcement database networks
• Military communication systems
• Malware analysis networks

This changes everything…

Much more can happen

Stuxnet

Duqu
• On October 14th a research lab reached out to Symantec to confirm
  a suspicion about a newly discovered threat
• We confirmed their suspicion
• This threat uses source code from Stuxnet

Duqu: Key Facts
• New executables using Stuxnet source code have been discovered
   – Developed since the last Stuxnet file was recovered
• New executables designed to capture information like keystrokes
  & system information
• Current analysis shows no code related to industrial control systems,
  exploits, or self-replication
• Executables found in a limited number of organizations
   – Including those involved in the manufacturing of industrial control systems
• Exfiltrated data may be used to enable a future Stuxnet-like attack

Source Code
(Diagram: the Stuxnet source code, then Duqu shown alongside it as reusing that source code)

Stuxnet
Extensive Infection Vectors
• Network shares
• Print Spooler (MS10-061)
• SMB (MS08-067)
• Step7 (project files)
• WinCC SQL
• P2P (updating only)

Duqu
Infection Vectors

Duqu
Deception

    36 days: Duqu is configured to remove itself from the infected system after 36 days

Stuxnet
Deception
• 2 stolen private keys used to sign its drivers to allow undetected installation of rootkits

Duqu
Deception
• A stolen private key used to sign its driver to allow undetected installation of rootkits

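The check a practitioner takes away from the two slides above: a signature that validates says nothing about whether the signing key was stolen, so a "Valid" Authenticode status has to be paired with an explicit revocation check and a signer deny list. The PowerShell below is an added example, not code from this deck or from Symantec; the deny-list thumbprints are placeholders (not real Stuxnet or Duqu indicators) and the driver directory is only a sensible default.

```powershell
# Added example: treat "validly signed" as necessary, not sufficient.
# The thumbprints below are placeholders, not real indicators.
$DenyListedSignerThumbprints = @(
    '0000000000000000000000000000000000000001',   # placeholder: revoked/stolen signer
    '0000000000000000000000000000000000000002'    # placeholder
)

function Test-DriverTrust {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $DenyThumbprints = $DenyListedSignerThumbprints
    )

    Get-ChildItem -Path $Path -Filter '*.sys' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate
        $thumb  = if ($signer) { $signer.Thumbprint } else { $null }

        # Revocation is checked explicitly: a stolen key only becomes "bad"
        # once the issuer revokes the certificate, and an offline chain check
        # will happily report the old signature as valid.
        $revoked = $false
        if ($signer) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'        # needs CRL/OCSP reachability
            $chain.ChainPolicy.RevocationFlag = 'EntireChain'
            $null = $chain.Build($signer)
            $revoked = [bool]($chain.ChainStatus | Where-Object {
                ([int]$_.Status -band [int][System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked) -ne 0
            })
        }

        $verdict = if ($sig.Status -ne 'Valid')               { 'UNSIGNED_OR_INVALID' }
                   elseif ($DenyThumbprints -contains $thumb) { 'DENYLISTED_SIGNER' }
                   elseif ($revoked)                          { 'REVOKED_SIGNER' }
                   else                                       { 'SIGNED_OK' }

        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Signer     = if ($signer) { $signer.Subject } else { '' }
            Thumbprint = $thumb
            Verdict    = $verdict
        }
    }
}

# Usage: list every driver that is not cleanly signed by a trusted, unrevoked, non-denylisted signer.
Test-DriverTrust -Path "$env:SystemRoot\System32\drivers" |
    Where-Object Verdict -ne 'SIGNED_OK' |
    Format-Table -AutoSize
```

The online revocation mode is deliberate: a host that cannot reach the CRL or OCSP endpoint will not learn that a certificate was revoked, which is exactly the situation on the restricted networks the earlier slides describe, so the report should be run from a host that can, or the CRLs should be distributed in-band.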
Stuxnet
Reconnaissance
    Infected machine (limited internet access) → www.mypremierfutbol.com / www.todaysfutbol.com → Attacker
• Infected machines check in with system information:
  – OS version
  – Computer name
  – Domain
  – IP addresses
  – Configuration data
  – Existence of ICS programming software (STEP7)
• And will send design documents if requested

Duqu
Reconnaissance
    Infected machine (limited internet access) → 206.[REMOVED].97 → Attacker
• Downloads an infostealer to gather:
  – Running processes, account details, domains
  – Driver names, shared drive info, etc.
  – Screenshots
  – Keystrokes
  – Network information
• Every 30 seconds

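Both reconnaissance slides describe the same pattern: a host inside a restricted network calling out to one fixed external endpoint on a fixed schedule, which is the behaviour a proxy or firewall log can expose. The PowerShell below is an added example, not part of this deck or of any Symantec product: it parses a few constructed proxy log lines (timestamp, source, destination, port) and flags source/destination pairs whose contact interval is unusually regular. The addresses are RFC 5737 documentation ranges chosen for the example and are not indicators; in particular 203.0.113.97 is not the redacted address on the slide.

```powershell
# Added example: flag host-to-destination flows whose contact interval is suspiciously regular.
# The log lines are constructed for this example.
$SampleProxyLog = @'
2011-10-18T09:00:00Z 10.1.2.15 203.0.113.97 443
2011-10-18T09:00:30Z 10.1.2.15 203.0.113.97 443
2011-10-18T09:01:00Z 10.1.2.15 203.0.113.97 443
2011-10-18T09:01:31Z 10.1.2.15 203.0.113.97 443
2011-10-18T09:02:00Z 10.1.2.15 203.0.113.97 443
2011-10-18T09:02:30Z 10.1.2.15 203.0.113.97 443
2011-10-18T09:00:07Z 10.1.2.15 198.51.100.34 80
2011-10-18T09:00:52Z 10.1.2.15 198.51.100.34 80
2011-10-18T09:03:15Z 10.1.2.15 198.51.100.34 80
2011-10-18T09:09:40Z 10.1.2.15 198.51.100.34 80
2011-10-18T09:11:02Z 10.1.2.15 198.51.100.34 80
2011-10-18T09:21:09Z 10.1.2.15 198.51.100.34 80
'@

function Find-BeaconLikeFlows {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int]    $MinContacts    = 5,     # with fewer samples any interval looks regular
        [double] $MaxJitterRatio = 0.10   # stddev / mean of the inter-contact intervals
    )

    $flows = foreach ($line in $Lines) {
        if ($line -notmatch '^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$') { continue }
        [pscustomobject]@{
            Time = [datetime]::Parse($Matches[1], [cultureinfo]::InvariantCulture,
                                     [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            Src  = $Matches[2]
            Dst  = $Matches[3]
        }
    }

    $flows | Group-Object -Property Src, Dst | ForEach-Object {
        $times = $_.Group | Sort-Object Time | Select-Object -ExpandProperty Time
        if ($times.Count -lt $MinContacts) { return }

        # Seconds between consecutive contacts to the same destination.
        $intervals = for ($i = 1; $i -lt $times.Count; $i++) {
            ($times[$i] - $times[$i - 1]).TotalSeconds
        }
        $mean = ($intervals | Measure-Object -Average).Average
        $var  = ($intervals | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $sd   = [math]::Sqrt($var)
        $jitter = if ($mean -gt 0) { $sd / $mean } else { 0 }

        [pscustomobject]@{
            Src       = $_.Group[0].Src
            Dst       = $_.Group[0].Dst
            Contacts  = $times.Count
            PeriodSec = [math]::Round($mean, 1)
            Jitter    = [math]::Round($jitter, 3)
            Beacon    = ($jitter -le $MaxJitterRatio)
        }
    }
}

# Usage: the 203.0.113.97 flow (period ~30 s, jitter ~0.02) is flagged; the 198.51.100.34 flow is not.
Find-BeaconLikeFlows -Lines ($SampleProxyLog -split '\r?\n') | Format-Table -AutoSize
```

The jitter threshold is the tunable that matters: real implants add randomised sleep to defeat exactly this test, so the ratio should be set from a baseline of the environment's own automated traffic (update checks, monitoring agents) and the result joined with destination reputation rather than used alone.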
Duqu
Target
• Limited in number
• In Europe
• Involved in the manufacturing of industrial control systems
• We have found an additional variant since we went public;
  the compilation time on the code was 10/17/2011

Symantec Customers Are Protected
• Those with updated AV definitions
• Those using Insight technology in SEP 12.1
    – Low prevalence of Duqu

Recommended Defenses
          Advanced Reputation Techniques
          • Duqu is extremely targeted and thus would have a low reputation (prevalence) profile

          Host Intrusion Prevention Systems
          • Implement host lockdown as a means of hardening against malware infiltration

          Removable Media Device Control
          • Many infection vectors appear to be delivered by removable media
          • Restrict automatic launch of content on removable media

          Data Loss Prevention
          • Core repositories of intellectual property are likely targets of the reconnaissance phase on the enterprise LAN

          Automated Compliance Monitoring
          • Detect default passwords on industrial control systems

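For the Removable Media Device Control item, the settings worth auditing are a handful of registry-backed policies, and the audit is more useful than a blind "set it" because it shows which hosts drifted. The PowerShell below is an added example, not from this deck or from Symantec; it assumes a Windows host where the script runs elevated, and the "weak" value is the typical state when the policy is unset. One caveat the slide does not state: Stuxnet's removable-media spread relied on a shortcut-file parsing flaw (MS10-046, LNK) that fired as soon as the folder was displayed, with no autorun involved, so the autorun settings are a baseline that must be paired with patching and with denying execution from removable disks.

```powershell
# Added example: audit, and optionally enforce, removable-media lockdown policies.
# Run elevated. Values are DWORDs; "Weak" is the usual unset/default state.
$RemovableDisksClass = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'   # "Removable Disks" device class GUID

$Controls = @(
    @{ Name  = 'Autorun disabled for all drive types'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'; Weak = 0x91; Hardened = 0xFF }
    @{ Name  = 'Autorun.inf commands ignored'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoAutorun'; Weak = 0; Hardened = 1 }
    @{ Name  = 'Execution from removable disks denied'
       Path  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$RemovableDisksClass"
       Value = 'Deny_Execute'; Weak = 0; Hardened = 1 }
)

function Get-RemovableMediaPosture {
    foreach ($c in $Controls) {
        $current = $null
        if (Test-Path $c.Path) {
            # Dynamic property access by name; $null when the value does not exist.
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        [pscustomobject]@{
            Control   = $c.Name
            Value     = $c.Value
            Current   = if ($null -eq $current) { '(not set)' } else { '0x{0:X}' -f $current }
            Weak      = '0x{0:X}' -f $c.Weak
            Hardened  = '0x{0:X}' -f $c.Hardened
            Compliant = ($current -eq $c.Hardened)
        }
    }
}

function Set-RemovableMediaHardening {
    foreach ($c in $Controls) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType DWord -Value $c.Hardened -Force | Out-Null
    }
}

# Audit first; enforce only after the report has been reviewed.
Get-RemovableMediaPosture | Format-Table -AutoSize
# Set-RemovableMediaHardening   # uncomment to apply; Explorer policies take effect after logoff or gpupdate
```

Deny_Execute under RemovableStorageDevices is the same value the "Removable Disks: Deny execute access" Group Policy writes, so on a domain-joined host the audit also tells you whether the GPO actually landed.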
What to Do?
1  Stay Current on the latest Duqu research at Twitter.com/threatintel
2  Stay Informed on Symantec's outbreak page at www.symantec.com/outbreak
3  Contact us and ask for a Malicious Activity Assessment

Thank you!




    Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in
    the U.S. and other countries. Other names may be trademarks of their respective owners.

    This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied,
    are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 

Último (20)

Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 

Duqu: the new Stuxnet?

  • 1. Duqu: Precursor to the Next Stuxnet. Antonio Forzieri, Security Practice Manager – Technology Sales Organization
  • 2. Before starting… Twitter
    – You can follow our webinar on Twitter in real time. Our Twitter account is @StopBlackMarket
  • 3. Before starting… Facebook
    – You can also follow us on Facebook. Our account is Stop Black Market
  • 4. Before starting… Symantec
    – You can access all documents used for our webinars. Our portal is http://www.symantec.it/blackmarket
  • 5. Stuxnet: June 2010
  • 6. Stuxnet: July 2010 (www.premierfutbol.com, www.todaysfutbol.com)
  • 7. Stuxnet: Geographic Distribution of Infections. Unique IPs contacting the C&C server (%):
    – Iran 58.31
    – Indonesia 17.83
    – India 9.96
    – Azerbaijan 3.40
    – Pakistan 1.40
    – Malaysia 1.16
    – USA 0.89
    – Uzbekistan 0.71
    – Russia 0.61
    – Great Britain 0.57
    – Others 5.15
    Over 40,000 infected unique external IPs, from over 115 countries
  • 8. Stuxnet: November 2010. S7-315 CPU; CP-342-5, 6 modules; 31 Vacon or Fararo Paya frequency converters per module; totaling up to 186 motors
  • 9. Stuxnet: February 2011
    – Symantec identified 5 domains as the target of Stuxnet
    – All targets have a presence in Iran
    – 5 domains targeted, 1800 domains infected
  • 10. Stuxnet Runs Its Course
    – Stuxnet files date between June 2009 and March 2010
    – After March 2010 no new Stuxnet files appeared in the wild
    – But it changed many things
  • 11. Stuxnet accomplished its mission
  • 12. Limited internet access
    – Financial networks, e.g., ATMs, POS, SWIFTNet
    – Engineering networks, e.g., source code, design documents, non-production code
    Secure/No network access
    – Classified data networks
    – Aviation & air traffic control systems
    – Life critical and healthcare systems
    – Law enforcement database networks
    – Military communication systems
    – Malware analysis networks
  • 13. This changes everything…
  • 14. Much more can happen
  • 15. Stuxnet
  • 16. Duqu
    – On October 14th a research lab reached out to Symantec to confirm a suspicion about a newly discovered threat
    – We confirmed their suspicion
    – This threat uses source code from Stuxnet
  • 17. Duqu: Key Facts
    – New executables using Stuxnet source code have been discovered, developed since the last Stuxnet file was recovered
    – New executables designed to capture information like keystrokes & system information
    – Current analysis shows no code related to industrial control systems, exploits, or self-replication
    – Executables found in a limited number of organizations, including those involved in the manufacturing of industrial control systems
    – Exfiltrated data may be used to enable a future Stuxnet-like attack
  • 18. Source Code: Stuxnet
  • 19. Source Code: Stuxnet, Duqu
  • 20. Stuxnet: Extensive Infection Vectors
    – Network Shares
    – Print Spooler (MS10-061)
    – SMB (MS08-067)
    – Step7
    – WinCC SQL
    – P2P (updating only)
  • 21. Duqu: Infection Vectors
  • 22. Duqu: Deception
  • 23. Duqu: Deception, 36 days
  • 24. Stuxnet: Deception
    – 2 stolen private keys used to sign the application to allow undetected installation of rootkits
  • 25. Duqu: Deception
    – A stolen private key used to sign the application to allow undetected installation of rootkits
  • 26. Stuxnet: Reconnaissance (limited internet access; attacker at www.mypremierfutbol.com, www.todaysfutbol.com)
    – Infected machines check in with system information: OS version, computer name, domain, IP addresses, configuration data, existence of ICS programming software (STEP7)
    – And will send design documents if requested
  • 27. Duqu: Reconnaissance (limited internet access; attacker at 206.[REMOVED].97)
    – Download Infostealer to gather: running processes, account details, domains; driver names, shared drive info, etc.; screenshots; keystrokes; network information
    – Every 30 seconds
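Slides 26 and 27 describe infected machines checking in with a C&C host on a fixed cadence. The following detector, added here and not part of the Symantec deck, flags (source, destination) pairs in a proxy log whose inter-request intervals are nearly constant. The log lines, the internal addresses 10.0.0.5 and 10.0.0.8, the benign host www.example.com and the timestamps are all constructed; the Stuxnet C&C host name is the one shown on slide 26.

```python
"""Regular-interval C&C check-in detector over constructed proxy log lines."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, "timestamp src_ip dst_host" (not real traffic).
# 10.0.0.5 checks in with the Stuxnet C&C host about every 30 s with small jitter;
# 10.0.0.8 browses a benign site at irregular times.
SAMPLE_LOG = """\
2011-10-17T09:00:00 10.0.0.5 www.mypremierfutbol.com
2011-10-17T09:00:31 10.0.0.5 www.mypremierfutbol.com
2011-10-17T09:01:00 10.0.0.5 www.mypremierfutbol.com
2011-10-17T09:01:30 10.0.0.5 www.mypremierfutbol.com
2011-10-17T09:02:01 10.0.0.5 www.mypremierfutbol.com
2011-10-17T09:02:30 10.0.0.5 www.mypremierfutbol.com
2011-10-17T09:00:05 10.0.0.8 www.example.com
2011-10-17T09:00:09 10.0.0.8 www.example.com
2011-10-17T09:03:40 10.0.0.8 www.example.com
2011-10-17T09:03:41 10.0.0.8 www.example.com
2011-10-17T09:20:00 10.0.0.8 www.example.com
2011-10-17T09:21:30 10.0.0.8 www.example.com
"""

def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the simple log format above."""
    for line in text.splitlines():
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst

def find_beacons(text, min_hits=5, max_cv=0.15):
    """Return {(src, dst): mean_interval_seconds} for pairs with at least
    min_hits requests whose gaps vary by no more than max_cv (std/mean).
    A low coefficient of variation is the signature of timed check-ins."""
    seen = defaultdict(list)
    for ts, src, dst in parse_log(text):
        seen[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: check-in every ~{period}s")
```

On real logs, tune min_hits and max_cv to the observation window and the jitter the implant adds; the detector only surfaces candidates for analyst review.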
  • 28. Duqu: Target (limited internet access)
    – Limited in number
    – In Europe
    – Involved in manufacturing of industrial control systems
    – We have found an additional variant since we went public; the compilation time on the code was 10/17/2011
  • 29. Symantec Customers Are Protected
    – Those with updated AV definitions
    – Those using Insight technology in SEP 12.1 (low prevalence of Duqu)
  • 30. Recommended Defenses
    – Advanced Reputation Techniques: Duqu is extremely targeted and thus would have a low reputation profile
    – Host Intrusion Prevention Systems: implement host lock-down as a means of hardening against malware infiltration
    – Removable Media Device Control: many infection vectors appear to be delivered by removable media; restrict automatic launch of content on removable media
    – Data Loss Prevention: core repositories of intellectual property are likely prequel targets on the enterprise LAN
    – Automated Compliance Monitoring: detecting default passwords on industrial control systems
  • 31. What to Do?
    – 1. Stay current on the latest Duqu research at Twitter.com/threatintel
    – 2. Stay informed on Symantec's outbreak page at www.symantec.com/outbreak
    – 3. Contact: ask us for a Malicious Activity Assessment
  • 32. Thank you! Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.