2. “Now we’re living in the era of cyber
weapons. The world is different. Not just
cyber hooligans, vandals. Not just criminals.
But governments are in the game and I’m
afraid for the worst, I’m still expecting, cyber
terrorism.”
Eugene Kaspersky, CEO of Kaspersky Lab
3. Stuxnet….Duqu….Flame
• Stuxnet is a computer worm discovered in June
2010. Stuxnet initially spreads via Microsoft
Windows, and targets Siemens industrial software
and equipment. While it is not the first time that
hackers have targeted industrial systems, it is the
first discovered malware that spies on and
subverts industrial systems, and the first to include
a programmable logic controller (PLC) rootkit.
• Duqu is a computer worm discovered on 1
September 2011, thought to be related to the
Stuxnet worm. The main component used in Duqu
is designed to capture information such as
4. Stuxnet….Duqu….Flame
• Flame, like Duqu, is designed to steal
different databases. A completely new
thing that Flame can be used for is audio
spying. Flame detects and recognizes a
microphone on the infected computer,
turns the microphone on and then records
every conversation taking place in this
room. Recorded data is immediately
transferred to the server from which the
virus began to spread.
6. Stuxnet
• Spread on Microsoft Windows
• Developed June 2009
• Spreading began late 2009/early 2010
• Discovered in July 2010
o Microsoft out-of-band patch released
August 2010 - .lnk exploit
o More patches with the September 'Patch
Tuesday' - print spooler exploit
• Around half a megabyte
• C, C++, and other object oriented languages
7. What the news says it was
• Iranian centrifuge destroyer!
o Its one goal was to destroy the Iranian
nuclear program
• Developed by the United States and Israel
• Contributed to the Gulf oil leak
• 'Mission: Impossible'-like virus
• It will kill your unborn children
o Assuming they are born in a hospital using
PLC machines
8. How it did it
• USB drive for initial infection, then spread on network
• .lnk file exploit
o As soon as the shortcut is displayed, exploit is run
• Windows vulnerabilities
o EoP - Task scheduler
o MS08-067 (Conficker) - Already patched!!!! (but not on these systems)
o Print spooler exploit
o Used at least 4 previously undiscovered vulnerabilities
• Searched for WinCC and PCS 7 SCADA management
programs
o Tried default Siemens passwords to gain access
o If access is granted, PLC software could be
reprogrammed
• Used stolen signed digital certificates
9. How it did it (cont.)
• Installed an RPC server
• Self-updating
o Machines check on other machines running Stuxnet and do a version check
o Newer versions automatically push their version onto the other machines
o Older versions automatically request the newer version to be pushed
o If the central server goes down, updates still spread
*RPC: Remote Procedure Call
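The self-update behaviour on this slide is the reason taking down the central server does not stop an outbreak. The following is an added toy model, not code from the slides or from the malware: hosts, topology and version numbers are constructed, and the only mechanism modelled is the pairwise version check with push from the newer side. The isolated host E shows what containment actually requires.

```python
# Added example, not code from the slides: a toy model of the peer-to-peer
# version check / push / pull behaviour described on this slide. Host names,
# topology and version numbers are constructed; nothing here touches a network.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    version: int                                    # implant version on this host
    peers: list[str] = field(default_factory=list)  # hosts reachable over RPC


def exchange(a: Host, b: Host) -> bool:
    """One RPC version check between two infected hosts: the newer side
    pushes its version, the older side accepts it. Returns True on change."""
    if a.version == b.version:
        return False
    newest = max(a.version, b.version)
    a.version = b.version = newest
    return True


def run_gossip(hosts: dict[str, Host], rounds: int) -> dict[str, int]:
    """Each round, every host checks versions with each of its peers.
    No central server takes part at any point."""
    for _ in range(rounds):
        for h in hosts.values():
            for peer in h.peers:
                exchange(h, hosts[peer])
    return {n: h.version for n, h in hosts.items()}


def build_lab() -> dict[str, Host]:
    """Constructed topology: A-B-C-D share a network segment, E is isolated."""
    hosts = {n: Host(n, 1) for n in "ABCDE"}
    for x, y in [("A", "B"), ("B", "C"), ("C", "D")]:
        hosts[x].peers.append(y)
        hosts[y].peers.append(x)
    return hosts


def demo() -> dict[str, int]:
    """The central server seeds version 2 onto host A once and then goes
    offline. The update still reaches every host A can gossip with; only
    the isolated host E keeps version 1, which is the containment lesson."""
    hosts = build_lab()
    hosts["A"].version = 2          # the single push from the central server
    return run_gossip(hosts, rounds=3)


if __name__ == "__main__":
    print(demo())                   # {'A': 2, 'B': 2, 'C': 2, 'D': 2, 'E': 1}
```

For incident response the takeaway is that blocking the update server alone leaves the infected population free to converge on the newest version among themselves; every reachable peer has to be found and isolated.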
12. Links
• Stuxnet was the first cyber-weapon targeting
industrial facilities. The fact that Stuxnet also
infected regular PCs worldwide led to its
discovery in June 2010, although the earliest
known version of the malicious program was
created one year before that.
• The next example of a cyber-weapon, now known
as Duqu, was found in September 2011. Unlike
Stuxnet, the main task of the Duqu Trojan was to
serve as a backdoor to the infected system and
steal private information (cyber-espionage).
• During the analysis of Duqu, strong similarities
13. Alexander Gostev, Senior Virus Analyst
A Russian computer security company (Kaspersky
Lab) detected a new spyware program called
Flame.
14. The Find……..Flame
• In April 2012, several computers of the National
Iranian Oil Company, as well as several Iranian
ministries, were infected by an unknown
virus. This case was just a single link in a chain
of cyber attacks during which viruses
like Stuxnet and Duqu were used.
• The International Telecommunication Union
(ITU) asked Kaspersky Lab to analyze the
situation. They were searching for a virus called
Wiper, but found something more terrible instead
– the Flame.
15. The Find……..Flame
• The “Resource 207” module is an encrypted
DLL file and it contains an executable file,
351,768 bytes in size, with the name
“atmpsvcn.ocx”. This particular file, as is now
revealed by Kaspersky Lab’s investigation, has a
lot in common with the code used in Flame.
• The list of striking resemblances includes the
names of mutually exclusive objects (mutexes), the
algorithm used to decrypt strings, and the similar
approaches to file naming.
• More than that, most sections of code appear to
be identical or similar in the respective Stuxnet
and Flame modules, which leads to the
17. • Kaspersky Lab discovered that a module from the
early 2009-version of Stuxnet, known as
“Resource 207,” was actually a Flame plugin.
• This means that when the Stuxnet worm was
created in the beginning of 2009, the Flame
platform already existed, and that in 2009, the
source code of at least one module of Flame was
used in Stuxnet.
• This module was used to spread the infection via
USB drives. The code of the USB drive infection
mechanism is identical in Flame and Stuxnet.
18. • The Flame module in Stuxnet also exploited a
vulnerability which was unknown at the time
and which enabled escalation of privileges,
presumably MS09-025. Subsequently, the
Flame plugin module was removed from
Stuxnet in 2010 and replaced by several
different modules that utilized new
vulnerabilities.
25. Daily Mail…..15 Jun 2012
• Both Flame and Stuxnet are believed to have
been used by the U.S. government to wage
online warfare against hostile regimes.
26. Washington Post ..17 Jun 2012
• The recent disclosure that Stuxnet was approved by both Presidents
George W. Bush and Obama as a covert operation aimed at Iran sheds new
light on a nascent U.S. offensive cyberweapons program that has largely
existed in the shadows. Instead of forcing cyberweapons into deeper
secrecy, the disclosure should prompt a more open and thorough policy
debate about 21st-century threats and how they will be countered with
American power.
• The virus, codenamed Olympic Games, was passed from President Bush to
President Obama. Obama knew about each attack made against the
Iranian nuclear program, deciding this was a good alternative to a physical
war