Duqu - Threat Research and Analysis: Mcafee Labs

Duqu shares code with Stuxnet and targets organizations through remote access. It collects keystrokes and system information without installing malware on industrial control systems. The command and control server was located in India and the malware is designed to delete itself after 36 days. McAfee recommends antivirus signatures, application whitelisting, and rootkit detection technology to protect against Duqu.

Uploaded by

smnpaun
Copyright
© Attribution Non-Commercial (BY-NC)

Duqu Threat Research and Analysis

McAfee Labs
Peter Szor Sr. Director of Research

Agenda

- Stuxnet overview
- Duqu review: current intelligence, comparisons with Stuxnet, best-practice recommendations
- Q&A

High Level Overview


- The executables share injection code with the Stuxnet worm, and they were compiled after the last Stuxnet sample was recovered.
- The structure of Duqu is very similar to Stuxnet (use of PE resources).
- There is no ICS-specific attack code in Duqu.
- The primary infection vector for Duqu deployment has not yet been discovered/recovered (Duqu does not self-replicate or spread on its own).
- The infected organizations appear to be limited.
- No known targeting of energy-sector companies.
- The malware employed a valid digital certificate (revoked as of 14 Oct 2011).
- The malware is designed to self-delete after 36 days.
- The known command and control server was hosted in India.

The First Industrial Control System Attack

A brief history of Control System Attacks


- DOS/boot viruses change BIOS password settings; the battery needs to be removed.
- The CIH virus overwrites the flash ROM; the motherboard needs replacement.
- Worms became faster than update and patch deployment, targeting vulnerabilities, often zero-days.
- Worms caused major DoS incidents (a nuclear power plant's safety monitoring system was disabled by Slammer).
- The Blaster worm was a contributor to a major blackout.
- Stuxnet combines four zero-day vulnerabilities with ICS knowledge to target an industrial process.
- A US Predator drone center was infected with malware.
- Duqu (by the Stuxnet team) is used for targeted attacks (UK, Iran, US).

Stuxnet worm developed from November 2007


Exploits zero-day vulnerabilities:
- MS10-046 (LNK vulnerability, used by Zlob in 2008)
- MS08-067 (Server Service)
- MS10-061 (Print Spooler; Hakin9 magazine, 2009)
- MS10-073 (keyboard privilege escalation)
- WinCC DBMS password (hardcoded)
+ Stolen certificates (Realtek, JMicron)
+ ROP techniques in exploits

Infection:
- USB, local network, Siemens Step7/MC7
- Network infection
- C&C operation (weak: mypremierfutbol.com, todaysfutbol.com)
- Anti-behavioral-blocking; avoids antivirus detection
- Rootkit:
  - User-mode hooks to hide files from Explorer and Total/Windows Commander (!)
  - User-mode DLL replacement for Step7 (PLC rootkit): s7otbxdl.dll forwards to s7otbxsx.dll (except for 16 functions related to block read/write)
  - Filter driver to hide USB content

USB user-mode rootkit: hooks APIs, then sends F5 (refresh); also deactivates/reactivates Total Commander (and Windows Commander).

The target:
- PLC CPUs 6ES7-417 and 6ES7-315-2
- At least 33 frequency converters, operating between 807 Hz and 1,210 Hz

Diagram: cascaded centrifuges, driven by a PLC and frequency converters (Vacon and a local Iranian make).

September, October 2011: Duqu


- Targeted attacks have been observed in Iran, England and the US.
- Other reports: Austria, Hungary, Indonesia.
- C&C server in India.

Duqu and Stuxnet


Several similarities have been observed at the code level, which led us to believe Duqu was based on the same source code as Stuxnet.

Feature | Duqu | Stuxnet
Composed of multiple modules | Yes | Yes
Rootkit to hide its activities | Yes | Yes
System driver is digitally signed | Yes (C-Media) | Yes (Realtek, JMicron)
System driver decrypts secondary modules in PNF files | Yes | Yes
Decrypted DLLs are directly injected into system processes instead of dropped to disk | Yes | Yes
Date sensitive: functionality is controlled via a complex, encrypted configuration file | Yes (36 days) | Yes
Use XOR-based encryption for strings | Yes (key: 0xAE1979DD) | Yes (key: 0xAE1979DD)
Referencing 05.09.1979 in configuration file (http://en.wikipedia.org/wiki/Habib_Elghanian) | Yes (0xAE790509) | Yes (0xAE790509)
New update modules via C&C | Yes (keylogger) | Yes
Known module to control PLC/SCADA systems | No | Yes
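The table states that both families protect their strings with XOR-based encryption under the key 0xAE1979DD. The following Python example, added here and not McAfee Labs' code nor the real Duqu/Stuxnet routine, shows how an analyst models such a scheme and confirms a candidate key against a dumped buffer: because XOR is an involution, decoding with the right key yields mostly printable text, while a wrong key or wrong byte order does not. The little-endian byte order and the byte-wise cycling of the key are assumptions made for illustration; the sample blob is constructed.

```python
"""XOR string obfuscation with a 32-bit key, as an analyst would model it.

Added example; not McAfee Labs' code and not the actual Duqu/Stuxnet routine.
The slide only states that both families XOR-encrypt strings with the key
0xAE1979DD. The byte order (little-endian) and the byte-wise cycling of the
key over the buffer are assumptions made for illustration.
"""
import struct

KEY = 0xAE1979DD         # key reported on the slide
DATE_CONST = 0xAE790509  # 05.09.1979 reference, also from the slide


def key_stream(key: int, endian: str = "<") -> bytes:
    """Serialize a 32-bit key as 4 bytes ('<' little-endian, '>' big-endian)."""
    return struct.pack(endian + "I", key)


def xor_cycle(data: bytes, key_bytes: bytes) -> bytes:
    """XOR each byte with the key byte at the same position mod key length.
    XOR is an involution, so the same call both encodes and decodes."""
    return bytes(b ^ key_bytes[i % len(key_bytes)] for i, b in enumerate(data))


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII, NUL or whitespace."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if 0x20 <= b < 0x7F or b in (0x00, 0x09, 0x0A, 0x0D))
    return ok / len(buf)


def printable_runs(buf: bytes, min_len: int = 4) -> list:
    """Extract ASCII runs separated by NUL/non-printable bytes (strings-style output)."""
    runs, cur = [], bytearray()
    for b in buf:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def try_keys(blob: bytes, candidates, threshold: float = 0.9) -> list:
    """Decode with each candidate key in both byte orders; keep the ones that
    produce mostly printable text. Returns (key, endian, strings) tuples."""
    hits = []
    for key in candidates:
        for endian in ("<", ">"):
            out = xor_cycle(blob, key_stream(key, endian))
            if printable_ratio(out) >= threshold:
                hits.append((key, endian, printable_runs(out)))
    return hits


# Constructed sample: two process names obfuscated with the slide's key.
SAMPLE_PLAIN = b"Services.exe\x00Explorer.exe\x00"
SAMPLE_BLOB = xor_cycle(SAMPLE_PLAIN, key_stream(KEY))


if __name__ == "__main__":
    # Only the correct key in the assumed byte order survives the printability test.
    for key, endian, strings in try_keys(SAMPLE_BLOB, [0x12345678, DATE_CONST, KEY]):
        print(f"key=0x{key:08X} endian={endian!r} strings={strings}")
```

Running the block reports a single hit for 0xAE1979DD in little-endian order; the date constant 0xAE790509 is a configuration marker on the slide, not a key, and is included only to show that the printability check rejects it.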

Duqu and Stuxnet (Code Graph Comparison)

Figure: code graphs of the DLL injection code in Duqu and Stuxnet.

Duqu and Stuxnet: Code Comparison

Figure: side-by-side listing of the DLL injection code in Duqu and Stuxnet.

Duqu module relationship

Diagram, reconstructed as text:
- Unknown vector of exploitation / installer; C&C server
- CMI4432.SYS decrypts CMI4432.PNF and injects the resulting DLL (CMI4432.DLL) into Services.exe
- JMINET7.SYS decrypts NETP191.PNF and injects the resulting DLL (NETP191.DLL) into Services.exe
- CMI4432.DLL, NETP191.DLL and Keylogger.exe each decrypt Resource 302, then decrypt its .zdata section (stored as SortXXXX.NLS)
- The main modules are then injected into system processes: Winlogon, Services, Explorer, Iexplore

Duqu Main Module


- The two variants of the .SYS files are responsible for restarting the malware.
- The .SYS filenames mimic JMicron and C-Media driver file names.
- The JMicron mimic file is not signed, and it is the earlier variant.
- The drivers are loaded when the Network group is loaded.
- They decrypt the PNF files and inject the resulting DLL into Services.exe, etc.
- Anti-firewall feature, anti-behavioral-blocking (Anti-BB) feature.
- This DLL is responsible for decrypting the payload module from its resource section. The resource ID is the same for all modules: 302.
- The payload module is directly injected into running processes using the same method as Stuxnet.
- The DLL implements rootkit methods to hide this payload from the user's view.

Duqu Keylogger
The keylogger component is a standalone module. It was delivered via the C&C server to the target after the initial infection. It uses the same decryption routines as the other modules. It is capable of collecting different types of information from the target machine:
- Keystroke data
- Machine information (OS version, patches, machine name, users, etc.)
- Process list
- Network information
- List of shared folders
- List of machines on the same network
- Screenshots

The keylogger accepts commands as command-line parameters, and only works if the parameter xxx is the first parameter passed.

Duqu Keylogger: Example of captured sensitive data


Duqu Network Activities


Once the DLL module is started, the known variants will try to contact the command and control server at the address below on TCP ports 80 and 443 (HTTP/HTTPS):

206.183.111.97 (India)

The request may look like the one below:

GET / HTTP/1.1
Cookie: PHPSESSID=o5ukre1ul0q6i2il1ij3ghi0j1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)
Host: x.x.x.x

The PHPSESSID value is an encrypted message sent to the command and control server.
The User-Agent is hardcoded and may be used to identify machines infected with this malware.
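The slide gives three network indicators: the C&C address on tcp/80 and tcp/443, the PHPSESSID cookie carrying the encrypted message, and the hardcoded User-Agent. The Python example below, added here and not McAfee Labs' code, applies them to proxy-log lines the way a detection engineer would: a connection to the C&C address is rated high, while the User-Agent alone is rated medium because it is a genuine Firefox 3.6.9 string that legitimate clients of that era also sent. The log layout parsed here and the sample lines are constructed assumptions; only the indicators themselves come from the slide.

```python
"""Flag HTTP requests that match the Duqu C&C indicators given on the slide.

Added example; not McAfee Labs' code. The C&C address, ports, cookie name and
User-Agent are taken from the slide. The proxy-log layout parsed here is an
assumption, and the sample lines are constructed.
"""
import re
from dataclasses import dataclass, field

C2_IP = "206.183.111.97"
C2_PORTS = {80, 443}
DUQU_USER_AGENT = (
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
    "Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
)

# Assumed log layout (one request per line):
# <timestamp> <src_ip> <dst_ip>:<dst_port> <method> <path> "<user-agent>" "<cookie>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) '
    r'(?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


@dataclass
class Alert:
    timestamp: str
    src: str
    dst: str
    severity: str
    reasons: list = field(default_factory=list)


def inspect(line: str):
    """Return an Alert for a line matching any indicator, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line: not this detector's job to guess
    c2_hit = m["dst"] == C2_IP and int(m["port"]) in C2_PORTS
    ua_hit = m["ua"] == DUQU_USER_AGENT
    cookie_hit = ua_hit and m["cookie"].startswith("PHPSESSID=")
    reasons = []
    if c2_hit:
        reasons.append("destination is the known Duqu C&C on tcp/80 or tcp/443")
    if ua_hit:
        reasons.append("hardcoded Duqu User-Agent")
    if cookie_hit:
        reasons.append("PHPSESSID cookie may carry the encrypted C&C message")
    if not reasons:
        return None
    # The User-Agent is a real Firefox 3.6.9 string, so on its own it is a
    # weaker signal than a connection to the C&C address.
    severity = "high" if c2_hit else "medium"
    return Alert(m["ts"], m["src"], m["dst"], severity, reasons)


def scan(lines) -> list:
    """Run inspect() over an iterable of log lines and collect the alerts."""
    return [a for a in (inspect(line) for line in lines) if a is not None]


# Constructed sample log: 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    f'2011-10-14T10:00:01Z 10.0.0.5 {C2_IP}:80 GET / "{DUQU_USER_AGENT}" '
    '"PHPSESSID=o5ukre1ul0q6i2il1ij3ghi0j1"',
    '2011-10-14T10:00:02Z 10.0.0.7 203.0.113.20:443 GET /index.html '
    '"Mozilla/5.0 (Windows NT 6.1; rv:7.0) Gecko/20100101 Firefox/7.0" ""',
    f'2011-10-14T10:00:03Z 10.0.0.9 203.0.113.21:443 GET / "{DUQU_USER_AGENT}" '
    '"PHPSESSID=constructedvalue"',
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.severity}] {alert.timestamp} {alert.src} -> {alert.dst}: "
              + "; ".join(alert.reasons))
```

The first sample line trips all three indicators and is rated high; the second is an ordinary browser request and produces no alert; the third carries only the User-Agent and cookie name and is rated medium, which is the right place for an analyst to pivot on the destination before escalating.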

JMicron certificate, valid from 06/2009: used to sign the Stuxnet driver.

C-Media's certificate, valid from 08/03/2009: used to sign one of the known variants of Duqu.

NGC 6745 JPG picture referenced in Duqu


Best Practices Against Duqu


- AV signatures
- Application whitelisting
- DeepSafe: McAfee/Intel technology targeting rootkits

Acknowledgments Further Reading

- McAfee Labs Blogs
- Personal communication: Rob Meyers, Liam O Murchu, Guilherme Venere and Stuart McClure
- McAfee Threats Report
- Symantec Stuxnet file / Symantec Internet Security Threat Report
- Ralph Langner on Stuxnet
- Krebs on Security blog
- The Art of Computer Virus Research and Defense
