SlideShare una empresa de Scribd logo

Stuxnet redux. malware attribution & lessons learned

Yury Chemerkin
Yury Chemerkin
Tecnología
1 de 73
Descargar para leer sin conexión
Stuxnet Redux: Malware Attribution & Lessons Learned Blackhat DC 2011 Taking the guesswork out of cyber attribution Tom Parker tom.at.rooted.dot.net
Media & “Cyber War” Love Affair  WSJ “Wide Cyber Attack Is Linked to China”  60 Minutes “Sabotaging the System”  Google/Adobe “Aurora Incident”  Most Recently Targeted SCADA Malware
Cyber Conflict Lexicon  Cyber War  Adversary / Actor  Attribution  APT?  Stuxnet an APT?
P A T
Attribution – Why do we care?  LE/Actor Deterrents  Actor Intelligence  Profiling Adversarial Technical Capabilities  Insight into State Sponsored Programs  Creating Linkage Between Actor Groups  Tracking the Supply Chain  Differentiating Between Actors  State Sponsored or Crimeware?
Attribution: What are we looking for?  The obvious – An individual or group of individuals name(s), street address, social networking page etc..  However..  We often don’t care about this..  Doesn’t generally help develop countermeasures  Attributing to the actor/group level is often enough for profiling efforts
Attribution Continued..  Attribution at actor group level  Differentiation between groups  Identification of group geography  Indications of sponsorship  Nation State (China, Russia or Korea?)  Organized Crime (RBN et al?)  Activist Group  Where worlds collide  Code sharing between groups
Conventional Analysis Data Sources  Static and Runtime Binary Analysis  Memory Forensics  Vulnerability Exploitation & Payload Analysis  Command & Control  Post-Exploitation Forensics
Automated Analysis Today  Anti Virus:  Known Signature  Virus-Like Characteristics  Sandbox / Runtime Analysis  What does the code do?
Analysis Today Continued..  What Happened?  How did they get in?  What did they exploit to get in?  What was done once on the system?  Are they still there?  How can this be prevented in the future?
Analysis Today Continued..  Lots of R&D Associated with Modern AV/Analysis Technologies.  Typically Designed to Provide End User with a one or a zero, and no exposure to any shades of grey.  LOTS of useful metadata processed under the hood that we can make better use of.
Existing Attribution Research  2000 RAND Conference  Numerous CARC working group meetings  2004 Syngress Publication  Focus on:  Theoretical attack profiling  Who do we have to care about?  Post event/forensic approach  Forensic actor profile
Adversary attack fingerprints  Key Attack Meta Data  Attack sources  Other Relevant Packet Data  Attack tools and their origins  Attack methodology  Planning  Execution  Follow through
Attack tool meta data: Origins  All attack tools have their origins..  These can be put into two broad categories:  Public  Often simply prove a concept  Often not ‘robust’  Many contain backdoors  Private  Frequently more robust than public counterparts  Generally better written  May be based on private attack API’s
Attack tool meta data: Use  How easy is it to use a given attack tool  Prior technical knowledge required to use tool  Prior target knowledge required to use tool  Was it an appropriate tool to use for a given task?
Example Attack Scoring Matrix Web Application Flaws Public Private  Proprietary Application Penetration:  SQL Injection 3 5  Open Source Application Penetration:  SQL Injection 3 5  Proprietary Application Penetration:  Arbitrary Code Injection 2 4  Open Source Application Penetration:  Arbitrary Code Injection 2 4  Proprietary Application Penetration:  OS command execution using MSSQL Injection 3 5  Proprietary Application Penetration:  OS command execution using SyBase SQL Injection 3 5  Proprietary Application Penetration:  SQL Injection only (MS SQL) 4 6  Proprietary Application Penetration:  SQL Injection only (IBM DB2) 6 8  Proprietary Application Penetration:  SQL Injection only (Oracle) 6 8
Furthering the Toolset  Large Bodies of RE/Analysis Research  Almost all geared around traditional IR  In most cases; not appropriate for attribution  Clear Need for Reduction in Guesswork  Less art, more science  Use of Common Attribution Models
Adversary Profiling Today  Lots of science behind criminal profiling  Linguistics & Behavioral Analysis  Warm Touch
Application of Current Tool Set To Attribution Doctrine  Can be possible through..  Exploit /Payload Analysis  Known Tooling/Markings  Normally Requires Manual Effort to Identify  Binary Image Meta Data  Email Addresses  User Names  Etc..
Exploit Analysis  Exploits often re-worked for malware  Improved Reliability  Specific host type/OS level targeting  Possible to automate coloration with knowledge base of public exploits  ANI Exploit – Re-worked in malware to avoid IPS signatures for previous exploit
Exploit Reliability & Performance  Crashes & Loose Lips Sink Ships  Improved Performance  Advanced / Improved Shellcode  Re-patching Memory  Repairing Corrupted Heaps  Less Overhead  No Large Heap Sprays  Or Excessive CPU Overhead  Continued Target Process Execution
Exploit Failure  Where possible – failure may be silent  Exploit Self Clean-Up:  Java hs_err log files  System / Application Log files  *NIX Core files
Exploit Applicability  Reconnaissance Performed  Execution based on SW (browser) version?  Operating System  Less likely to function on ASLR / DEP
Exploit Selection  Lots of Attention Toward 0day  1+Day != Low End Adversary?  Old Attacks Often Re-Worked  Bypass IDS/IPS Signatures  Improved Payloads Demonstrate Capability
Code Isomorphism  Lots of Investment from Anti-Code Theft World  Small Prime Product  Create Large Prime # Per Function  Unique Prime # / Each Opcode  Resistant to Reordering  API Call Structure Analysis Prog1.Func Prog2.Func  Function Checksums  Variables / Constant Tracking RegSetValueEx RegSetValueEx MessageBox RegCreateKeyEx RegCreateKeyEx
Code Isomorphism Cont..  Seokwoo Choi, Heewan Park et al  A Static Birthmark of Binary Executables Based on API Call Structure  Halvar Flake  BinDiff & VxClass  Others..
Function Level Code Isomorphism Based Attribution  Reuse of Code Functions  Useful for closed-source projects  Good for tracking malware ‘genomes’  However..  Most malware based off of ‘kits’  In most cases - doesn't tell us much (or anything) about authors
Code Quality  Nested Statements  Compiler Optimization May Interfere  Unclosed File Handles  Memory Leaks  Unused Variables  Function Redundancy  Debug Strings Present
Nested Conditionals
Debug Symbols  Can indicate developer knowledge  Aware of tool markings assoc with compiler  PDB Locations may provide details of:  User Names  Operating System (Users VS Docume~1)
Stuxnet PDB References  Likely Forged  However…
Stuxnet PDB Contiued  b:myrtussrcobjfre_w2k_x86i386guava.pdb  Myrtaceae Family:  Myrtle  Clove  Guava  Stuxnet / mrxnet.sys  Feijoa  Allspice  Eucalyptus
Future Automation  Automation Vital for Scale  Too much badness, not enough analysts  Analyst time better spent on edge cases  LOTS of repetition in most current efforts; ex:  Isomorphic analysis  Cataloguing and identification of tool markings
BlackAxon  Designed as Proof of Concept  Utilizes int3 debugger breakpoints  Yes – you’re malware can detect me  User Sets the Rules  No preconceived notion of ‘badness’  XML Model Defines Functions of Interest  Identification of API call context  Defines weighting of API calls
Stuxnet (Dropper) Example
Nest Analysis 8000 7000 6000 5000 4000 3000 2000 1000 0 calc.exe nest test netcat stuxnet firefox Nuwar.R Nimda conficker dropper
API Call Hit/Context Tracing: Persistence CreateToolhelp32Snapshot Process32First OpenProcess CreateProcess VirtualAllocEx WriteProcessMemory (CREATE_SUSPENDED)
API Call Hit/Context Tracing: Persistence URLDownloadToFile Read & Xor CreateProcess UrlDownloadToFile CreateProcess
Further Development..  DETOURS Hooks  Kernel Hooks
Digital Evidence Forgery  Always a Possibility  Requires Knowledge of ‘What’ to Forge  Cost of Forgery May Outweigh ROI
When code analysis #fails  Code Analysis Can be Inconclusive  Out of Band Data Useful to Support Hypothesis  C&C Channel Hosts Correlation  Check-In Server Identification  Post-Incident Artifacts  AuxiliaryTools / Code Utilized  Data Exfiltrated  Secondary Targets Attacked
When code analysis #fails  Some automation available  Meta Data Link Analysis:  Maltego  Palantir  Analysts Desktop  Alternate data sources include..  Social Networking / Chat  Whois databases  Website Archives (archive.org)  DNS record archives (dnshistory.org)
Say Nay? “Budgets will get cut when politicians find out that most of those ‘APT’ attacks are not actually state sponsored” “Technical analysis useless because of code sharing/reuse” “Attack analysis tools should only be used by people with a high degree of technical skills” “Short code segments – there’s only a few ways to achieve certain functionality”
Stuxnet, stuxnet, stuxnet  Lots of speculation of origins .. and possible targeting  Some great analysis performed..  Symantec Stuxnet Dossier  Langer Communications blog  DHS ICS-CERT  ISIS Report
Stuxnet Public Disclosures  June 17th – VirusBlokAda Discovery  June 24th – VirusBlokAda White Paper  July 7th – Microsoft Malware Sigs Released  July 15th – Let the media circus commence!  July 16th – Microsoft Issue Advisory 2286198  August 2nd ‘Lnk’ Vulnerability Patched
What the Stux? Myrtus Stuxnet mrxnet.sys
Stuxnet Infection MS10-046 MS10-061 & MS08-067 MC7
Stuxnet Infection Profibus (Pro Field Bus) Comms
Stuxnet Attribution & Targeting  Several Popular Targeting Theories:  Israel targeting Bushehr Nuclear Plant  Israel targeting Natanz Enrichment Facility  And Attribution  Disgruntled Siemens Employee(s)  Nation State  Organized Crime  Lone actor
Developing Stuxnet..  PLC Programming (MC7 & STL)  Plant Process Specific Knowledge  Insider, Target-Specific Knowledge  Step7 & WinCC Program Suite Internals  S7P/TMP/MCP Files  Internal Step7 API’s  Windows Kernel/Rootkit Development  Exploit/shellcode development  Anti-Virus/Security Product Subversion R&D  Dropper, C&C & Persistence Components
Resources Required  Access to hardware & software  including frequency converters  and probably centrifuges  Propagation Method  Stolen Certificates
Stuxnet 0days? MS10-046 (LNK Vulnerability) Almost two years old MS08-067 (Server Service) Patched for two years MS10-061 (Print Spooler) Disclosed over one year ago MOF ‘Feature’ Not a vulnerability? WinCC DBMS Password Original work Step7 Project Files Original work MS10-073 (Kbd Privilege Escalation) Original work
However…  Vulnerabilities chosen were  Unlikely to fail  If they did – failure should not result in a GPF  With exception of MS08-067..  Comparatively silent in exploitation  Creative exploitation (i.e. MOF)
The Dichotomy of Stuxnet  Costly due to:  Maintenance for at least eighteen months and as long as four years  R&D invested into R&D PLC Payload, Step7 Subversion & Delivery Framework  However..  Trivial C&C Channel  Lots of prior art re-use  We’re talking about it right now..
C&C #FAIL?  Trivial C&C Mechanism  More indicative of crime-ware  Two points of failure for control  (Updates a required feature)  Vulnerable to C&C Hijacking  No use of server-side cert validation
Story so far: who was the target?  Still difficult to say – however:  Unlikely to be Power Generation  Power Transmission / Distribution Unlikely  Oil Cracking & Refining Unlikely  Likely targets:  Manufacturing (incl Chemical Manufacturing)  Nuclear Enrichment
Who it was not..  Disgruntled employee / lone actor  Skill requirements preclude work of an individual acting alone  Western State advanced IO capabilities  Too much technical inconsistency  Large amount (and risk) of collateral damage  Greenpeace?
We now know that..  Stuxnet Targeted Specific Components  Almost exclusively utilized in enrichment  Frequencies referenced indicative of enrichment  Specifically 807Hz – 1210 Hz  Iran was beyond reasonable doubt the target  Supported by previous theories  and.. IAEA Safeguards & ISIS Report  Iran has admitted an impact on operations
Stuxnet Timeline  September 24th 2007 – Timestamp from MC7  June 17th 2010 – VirusBlokAda Discovery  June 24th 2010 – VirusBlokAda White Paper  July 7th 2010 – Microsoft Malware Sigs Released  July 15th 2010 – Let the media circus commence!  July 16th 2010 – Microsoft Issue Advisory 2286198  July 16th 2010 – Realtek Cert Revoked  July 17th 2010 – Variant Discovered with J-Micron Cert  July 22nd 2010 – J-Micron Cert Revoked  August 2nd 2010 ‘Lnk’ Vulnerability Patched  September 14th 2010 – Microsoft Patch MS10-061  October 12th 2010 – Microsoft Patch MS10-073  November 15th (approx.) – Iran halts Natanz enrichment  November 23rd 2010 – Statement by Ali Akbar Salehi  November 29th 2010 – Iran officially admits stuxnet impact
Actor Profile..  Small(er), technically astute nation state  Basic IO Capabilities  Full time staff of operators  Presently reliant on external assistance  Good connections to acquire it..  Compartmented approach to operations  Good HUMINT Capabilities  Access to restricted centrifuge technology
Fail #1 Chinese Theory  Various theories linking stuxnet to China  J-Micron & Realtek Taiwan locations  RealTek subsidiary in China  Vacon also located in China
Fail #2: Espionage VS Siemens  Goal: To disrupt deal with Rosatom  Suspect: Areva
Fail #3: Greenpeace Theory  Goal: Disrupt NPP / Enrichment Activities  Suspect: Greenpeace
Scenario #1 – Broken Arrow*  PLC Components likely to be older than primary assembly (pre-2008)  Digitally signed rootkit & load point components recyclable  Technical skills of component developers in excess of operators  However – highly targeted nature makes this less likely
Scenario #2 – A Joint Effort  Payload Components Developed Under Contract (Private or Public Partnership)  PLC work most likely of western origin  End-User Developed C&C + Entry Vector  Repackaged by End-User  Digital code signature could be either party  End-User localized access to target site
Stuxnet Countermeasures  PCN / Corp Network System Co-Mingling  System Baselines  LPD Bug Required Guest Account  Unrequired Services on PLC Dev Systems  Host Based Firewalls & HIPS  Default Passwords/Accounts  Siemens WinCC SQL DB  In the US – a likely violation of NERC CIP
Could Stuxnet have been worse?  Absolutely..  Vastly Improved C&C  Greater Propagation Discipline  Possible Supply Chain Influence  Improved Frequency Converter Targeting  PLC OS Rootkit?
Lessons Learned  Stuxnet should not have been a game changer  If it was… you already lost  Simple countermeasures would have reduced impact  Even those mandated in the US by NERC CIP-002 – 009  Control Systems world is far behind many others  Security Assurance  Compliance
Closing thoughts..  Lots still unconfirmed (un-confirmable?)  Extent of success unknown  Likely a set back for end-user/actor  Just the tip of the iceberg  Control systems are vulnerable  Investments are being made to attack them  Stuxnet could have been much worse
Questions?

Recomendados

The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
Stephan Chenette
 
Bypass Security Checking with Frida
Bypass Security Checking with FridaBypass Security Checking with Frida
Bypass Security Checking with Frida
Satria Ady Pradana
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to Exploitation
Satria Ady Pradana
 
(Workshop) Reverse Engineering - Protecting and Breaking the Software
(Workshop) Reverse Engineering - Protecting and Breaking the Software(Workshop) Reverse Engineering - Protecting and Breaking the Software
(Workshop) Reverse Engineering - Protecting and Breaking the Software
Satria Ady Pradana
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
Tyler Shields
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
Sandeep Joshi
 

Recomendados

The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
Stephan Chenette
 
Bypass Security Checking with Frida
Bypass Security Checking with FridaBypass Security Checking with Frida
Bypass Security Checking with Frida
Satria Ady Pradana
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive Defense
Stephan Chenette
 
From Reversing to Exploitation
From Reversing to ExploitationFrom Reversing to Exploitation
From Reversing to Exploitation
Satria Ady Pradana
 
(Workshop) Reverse Engineering - Protecting and Breaking the Software
(Workshop) Reverse Engineering - Protecting and Breaking the Software(Workshop) Reverse Engineering - Protecting and Breaking the Software
(Workshop) Reverse Engineering - Protecting and Breaking the Software
Satria Ady Pradana
 
Static Detection of Application Backdoors
Static Detection of Application BackdoorsStatic Detection of Application Backdoors
Static Detection of Application Backdoors
Tyler Shields
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Malachi Jones
 
Android malware presentation
Android malware presentationAndroid malware presentation
Android malware presentation
Sandeep Joshi
 
Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applications
ijtsrd
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Priyanka Aash
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
Jason Ross
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
chadtindel
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
Satria Ady Pradana
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
Priyanka Aash
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
Imaginea
 
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения..."Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
Yandex
 
Android Malware Analysis
Android Malware AnalysisAndroid Malware Analysis
Android Malware Analysis
JongWon Kim
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021
Denis Zakharov
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malware
Joshua Saxe
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP
chadtindel
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
Rich Helton
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
Rahul Mohandas
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
Mandeep Jadon
 
Automating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device Firmware
Malachi Jones
 
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting ProgramIDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
Digit Oktavianto
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
EndgameInc
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
Malachi Jones
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day Threats
Rahul Mohandas
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
lior mazor
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
n|u - The Open Security Community
 

Más contenido relacionado

La actualidad más candente

Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applications
ijtsrd
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Priyanka Aash
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
Priyanka Aash
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
Imaginea
 
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения..."Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
Yandex
 
Android Malware Analysis
Android Malware AnalysisAndroid Malware Analysis
Android Malware Analysis
JongWon Kim
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malware
Joshua Saxe
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
Rich Helton
 
Automating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device Firmware
Malachi Jones
 

La actualidad más candente (20)

Malware Detection in Android Applications
Malware Detection in Android ApplicationsMalware Detection in Android Applications
Malware Detection in Android Applications
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
 
Network penetration testing
Network penetration testingNetwork penetration testing
Network penetration testing
 
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения..."Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
 
Android Malware Analysis
Android Malware AnalysisAndroid Malware Analysis
Android Malware Analysis
 
Student Spring 2021
Student Spring 2021Student Spring 2021
Student Spring 2021
 
csmalware_malware
csmalware_malwarecsmalware_malware
csmalware_malware
 
20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP20160225 OWASP Atlanta Prevoty RASP
20160225 OWASP Atlanta Prevoty RASP
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
Server Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep JadonServer Side Template Injection by Mandeep Jadon
Server Side Template Injection by Mandeep Jadon
 
Automating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device Firmware
 
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting ProgramIDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
 
Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_Filar seymour oreilly_bot_story_
Filar seymour oreilly_bot_story_
 
SmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_ExploitationSmartphoneHacking_Android_Exploitation
SmartphoneHacking_Android_Exploitation
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day Threats
 

Similar a Stuxnet redux. malware attribution & lessons learned

01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
Harish Chaudhary
 
Ceh certified ethical hacker
Ceh certified ethical hackerCeh certified ethical hacker
Ceh certified ethical hacker
bestip
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
Stephan Chenette
 

Similar a Stuxnet redux. malware attribution & lessons learned (20)

The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Effectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application BackdoorsEffectiveness of AV in Detecting Web Application Backdoors
Effectiveness of AV in Detecting Web Application Backdoors
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core Impact
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
 
01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security01_Metasploit - The Elixir of Network Security
01_Metasploit - The Elixir of Network Security
 
What's new in​ CEHv11?
What's new in​ CEHv11?What's new in​ CEHv11?
What's new in​ CEHv11?
 
Ceh certified ethical hacker
Ceh certified ethical hackerCeh certified ethical hacker
Ceh certified ethical hacker
 
HackMiami-Final
HackMiami-FinalHackMiami-Final
HackMiami-Final
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Reverse Engineering 101
Reverse Engineering 101Reverse Engineering 101
Reverse Engineering 101
 
DEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WPDEFCON 21: EDS: Exploitation Detection System WP
DEFCON 21: EDS: Exploitation Detection System WP
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se...
 
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration TestingAsegurarme de la Seguridad?, Un Vistazo al Penetration Testing
Asegurarme de la Seguridad?, Un Vistazo al Penetration Testing
 
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber TeamKeeping Up with the Adversary: Creating a Threat-Based Cyber Team
Keeping Up with the Adversary: Creating a Threat-Based Cyber Team
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
This is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept XThis is Next-Gen IT Security - Introducing Intercept X
This is Next-Gen IT Security - Introducing Intercept X
 

Más de Yury Chemerkin

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Yury Chemerkin
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
Yury Chemerkin
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
Yury Chemerkin
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
Yury Chemerkin
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
Yury Chemerkin
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
Yury Chemerkin
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
Yury Chemerkin
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
Yury Chemerkin
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
Yury Chemerkin
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
Yury Chemerkin
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
Yury Chemerkin
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
Yury Chemerkin
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
Yury Chemerkin
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
Yury Chemerkin
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
Yury Chemerkin
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
Yury Chemerkin
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
Yury Chemerkin
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
Yury Chemerkin
 

Más de Yury Chemerkin (20)

Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
Security Vulnerability Notice SE-2012-01-PUBLIC [Security vulnerabilities in ...
 
Red october. detailed malware description
Red october. detailed malware descriptionRed october. detailed malware description
Red october. detailed malware description
 
Comment crew indicators of compromise
Comment crew indicators of compromiseComment crew indicators of compromise
Comment crew indicators of compromise
 
Appendix g iocs readme
Appendix g iocs readmeAppendix g iocs readme
Appendix g iocs readme
 
Appendix f (digital) ssl certificates
Appendix f (digital) ssl certificatesAppendix f (digital) ssl certificates
Appendix f (digital) ssl certificates
 
Appendix e (digital) md5s
Appendix e (digital) md5sAppendix e (digital) md5s
Appendix e (digital) md5s
 
Appendix d (digital) fqd ns
Appendix d (digital) fqd nsAppendix d (digital) fqd ns
Appendix d (digital) fqd ns
 
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f6016071f3f4 40e6-4c7b-8868-3b0b21a9f601
6071f3f4 40e6-4c7b-8868-3b0b21a9f601
 
Jp3 13
Jp3 13Jp3 13
Jp3 13
 
Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...Zane lackey. security at scale. web application security in a continuous depl...
Zane lackey. security at scale. web application security in a continuous depl...
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
 
The stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capabilityThe stuxnet computer worm. harbinger of an emerging warfare capability
The stuxnet computer worm. harbinger of an emerging warfare capability
 
Stuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realitiesStuxnet. analysis, myths, realities
Stuxnet. analysis, myths, realities
 
Sophos ransom ware fake antivirus
Sophos ransom ware fake antivirusSophos ransom ware fake antivirus
Sophos ransom ware fake antivirus
 
Six months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sitesSix months later – a report card on google’s demotion of pirate sites
Six months later – a report card on google’s demotion of pirate sites
 
Security in the cloud planning guide
Security in the cloud planning guideSecurity in the cloud planning guide
Security in the cloud planning guide
 
Security configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devicesSecurity configuration recommendations for apple i os 5 devices
Security configuration recommendations for apple i os 5 devices
 
Render man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of thisRender man. hacker + airplanes = no good can come of this
Render man. hacker + airplanes = no good can come of this
 
Msft oracle brief
Msft oracle briefMsft oracle brief
Msft oracle brief
 
Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...Mario heiderich. got your nose! how to steal your precious data without using...
Mario heiderich. got your nose! how to steal your precious data without using...
 

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Último (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

Stuxnet redux. malware attribution & lessons learned

  • 1. Stuxnet Redux: Malware Attribution & Lessons Learned Blackhat DC 2011 Taking the guesswork out of cyber attribution Tom Parker tom.at.rooted.dot.net
  • 2. Media & “Cyber War” Love Affair  WSJ “Wide Cyber Attack Is Linked to China”  60 Minutes “Sabotaging the System”  Google/Adobe “Aurora Incident”  Most Recently Targeted SCADA Malware
  • 3. Cyber Conflict Lexicon  Cyber War  Adversary / Actor  Attribution  APT?  Stuxnet an APT?
  • 4. P A T
  • 5.
  • 6.
  • 7. Attribution – Why do we care?  LE/Actor Deterrents  Actor Intelligence  Profiling Adversarial Technical Capabilities  Insight into State Sponsored Programs  Creating Linkage Between Actor Groups  Tracking the Supply Chain  Differentiating Between Actors  State Sponsored or Crimeware?
  • 8. Attribution: What are we looking for?  The obvious – An individual or group of individuals name(s), street address, social networking page etc..  However..  We often don’t care about this..  Doesn’t generally help develop countermeasures  Attributing to the actor/group level is often enough for profiling efforts
  • 9. Attribution Continued..  Attribution at actor group level  Differentiation between groups  Identification of group geography  Indications of sponsorship  Nation State (China, Russia or Korea?)  Organized Crime (RBN et al?)  Activist Group  Where worlds collide  Code sharing between groups
  • 10. Conventional Analysis Data Sources  Static and Runtime Binary Analysis  Memory Forensics  Vulnerability Exploitation & Payload Analysis  Command & Control  Post-Exploitation Forensics
  • 11. Automated Analysis Today  Anti Virus:  Known Signature  Virus-Like Characteristics  Sandbox / Runtime Analysis  What does the code do?
  • 12. Analysis Today Continued..  What Happened?  How did they get in?  What did they exploit to get in?  What was done once on the system?  Are they still there?  How can this be prevented in the future?
  • 13. Analysis Today Continued..  Lots of R&D Associated with Modern AV/Analysis Technologies.  Typically Designed to Provide End User with a one or a zero, and no exposure to any shades of grey.  LOTS of useful metadata processed under the hood that we can make better use of.
  • 14. Existing Attribution Research  2000 RAND Conference  Numerous CARC working group meetings  2004 Syngress Publication  Focus on:  Theoretical attack profiling  Who do we have to care about?  Post event/forensic approach  Forensic actor profile
  • 15. Adversary attack fingerprints  Key Attack Meta Data  Attack sources  Other Relevant Packet Data  Attack tools and their origins  Attack methodology  Planning  Execution  Follow through
  • 16. Attack tool meta data: Origins  All attack tools have their origins..  These can be put into two broad categories:  Public  Often simply prove a concept  Often not ‘robust’  Many contain backdoors  Private  Frequently more robust than public counterparts  Generally better written  May be based on private attack API’s
  • 17. Attack tool meta data: Use  How easy is it to use a given attack tool  Prior technical knowledge required to use tool  Prior target knowledge required to use tool  Was it an appropriate tool to use for a given task?
  • 18. Example Attack Scoring Matrix Web Application Flaws Public Private  Proprietary Application Penetration:  SQL Injection 3 5  Open Source Application Penetration:  SQL Injection 3 5  Proprietary Application Penetration:  Arbitrary Code Injection 2 4  Open Source Application Penetration:  Arbitrary Code Injection 2 4  Proprietary Application Penetration:  OS command execution using MSSQL Injection 3 5  Proprietary Application Penetration:  OS command execution using SyBase SQL Injection 3 5  Proprietary Application Penetration:  SQL Injection only (MS SQL) 4 6  Proprietary Application Penetration:  SQL Injection only (IBM DB2) 6 8  Proprietary Application Penetration:  SQL Injection only (Oracle) 6 8
  • 19. Furthering the Toolset  Large Bodies of RE/Analysis Research  Almost all geared around traditional IR  In most cases; not appropriate for attribution  Clear Need for Reduction in Guesswork  Less art, more science  Use of Common Attribution Models
  • 20. Adversary Profiling Today  Lots of science behind criminal profiling  Linguistics & Behavioral Analysis  Warm Touch
  • 21. Application of Current Tool Set To Attribution Doctrine  Can be possible through..  Exploit /Payload Analysis  Known Tooling/Markings  Normally Requires Manual Effort to Identify  Binary Image Meta Data  Email Addresses  User Names  Etc..
  • 22. Exploit Analysis  Exploits often re-worked for malware  Improved Reliability  Specific host type/OS level targeting  Possible to automate coloration with knowledge base of public exploits  ANI Exploit – Re-worked in malware to avoid IPS signatures for previous exploit
  • 23. Exploit Reliability & Performance  Crashes & Loose Lips Sink Ships  Improved Performance  Advanced / Improved Shellcode  Re-patching Memory  Repairing Corrupted Heaps  Less Overhead  No Large Heap Sprays  Or Excessive CPU Overhead  Continued Target Process Execution
  • 24. Exploit Failure  Where possible – failure may be silent  Exploit Self Clean-Up:  Java hs_err log files  System / Application Log files  *NIX Core files
  • 25. Exploit Applicability  Reconnaissance Performed  Execution based on SW (browser) version?  Operating System  Less likely to function on ASLR / DEP
  • 26. Exploit Selection  Lots of Attention Toward 0day  1+Day != Low End Adversary?  Old Attacks Often Re-Worked  Bypass IDS/IPS Signatures  Improved Payloads Demonstrate Capability
  • 27.
  • 28. Code Isomorphism  Lots of Investment from Anti-Code Theft World  Small Prime Product  Create Large Prime # Per Function  Unique Prime # / Each Opcode  Resistant to Reordering  API Call Structure Analysis Prog1.Func Prog2.Func  Function Checksums  Variables / Constant Tracking RegSetValueEx RegSetValueEx MessageBox RegCreateKeyEx RegCreateKeyEx
  • 29. Code Isomorphism Cont..  Seokwoo Choi, Heewan Park et al  A Static Birthmark of Binary Executables Based on API Call Structure  Halvar Flake  BinDiff & VxClass  Others..
  • 30. Function Level Code Isomorphism Based Attribution  Reuse of Code Functions  Useful for closed-source projects  Good for tracking malware ‘genomes’  However..  Most malware based off of ‘kits’  In most cases - doesn't tell us much (or anything) about authors
  • 31. Code Quality  Nested Statements  Compiler Optimization May Interfere  Unclosed File Handles  Memory Leaks  Unused Variables  Function Redundancy  Debug Strings Present
  • 33. Debug Symbols  Can indicate developer knowledge  Aware of tool markings assoc with compiler  PDB Locations may provide details of:  User Names  Operating System (Users VS Docume~1)
  • 34. Stuxnet PDB References  Likely Forged  However…
  • 35. Stuxnet PDB Contiued  b:myrtussrcobjfre_w2k_x86i386guava.pdb  Myrtaceae Family:  Myrtle  Clove  Guava  Stuxnet / mrxnet.sys  Feijoa  Allspice  Eucalyptus
  • 36. Future Automation  Automation Vital for Scale  Too much badness, not enough analysts  Analyst time better spent on edge cases  LOTS of repetition in most current efforts; ex:  Isomorphic analysis  Cataloguing and identification of tool markings
  • 37. BlackAxon  Designed as Proof of Concept  Utilizes int3 debugger breakpoints  Yes – you’re malware can detect me  User Sets the Rules  No preconceived notion of ‘badness’  XML Model Defines Functions of Interest  Identification of API call context  Defines weighting of API calls
  • 39. Nest Analysis 8000 7000 6000 5000 4000 3000 2000 1000 0 calc.exe nest test netcat stuxnet firefox Nuwar.R Nimda conficker dropper
  • 40. API Call Hit/Context Tracing: Persistence CreateToolhelp32Snapshot Process32First OpenProcess CreateProcess VirtualAllocEx WriteProcessMemory (CREATE_SUSPENDED)
  • 41. API Call Hit/Context Tracing: Persistence URLDownloadToFile Read & Xor CreateProcess UrlDownloadToFile CreateProcess
  • 42. Further Development..  DETOURS Hooks  Kernel Hooks
  • 43. Digital Evidence Forgery  Always a Possibility  Requires Knowledge of ‘What’ to Forge  Cost of Forgery May Outweigh ROI
  • 44. When code analysis #fails  Code Analysis Can be Inconclusive  Out of Band Data Useful to Support Hypothesis  C&C Channel Hosts Correlation  Check-In Server Identification  Post-Incident Artifacts  AuxiliaryTools / Code Utilized  Data Exfiltrated  Secondary Targets Attacked
  • 45. When code analysis #fails  Some automation available  Meta Data Link Analysis:  Maltego  Palantir  Analysts Desktop  Alternate data sources include..  Social Networking / Chat  Whois databases  Website Archives (archive.org)  DNS record archives (dnshistory.org)
  • 46. Say Nay? “Budgets will get cut when politicians find out that most of those ‘APT’ attacks are not actually state sponsored” “Technical analysis useless because of code sharing/reuse” “Attack analysis tools should only be used by people with a high degree of technical skills” “Short code segments – there’s only a few ways to achieve certain functionality”
  • 47. Stuxnet, stuxnet, stuxnet  Lots of speculation of origins .. and possible targeting  Some great analysis performed..  Symantec Stuxnet Dossier  Langer Communications blog  DHS ICS-CERT  ISIS Report
  • 48. Stuxnet Public Disclosures  June 17th – VirusBlokAda Discovery  June 24th – VirusBlokAda White Paper  July 7th – Microsoft Malware Sigs Released  July 15th – Let the media circus commence!  July 16th – Microsoft Issue Advisory 2286198  August 2nd ‘Lnk’ Vulnerability Patched
  • 49. What the Stux? Myrtus Stuxnet mrxnet.sys
  • 50. Stuxnet Infection MS10-046 MS10-061 & MS08-067 MC7
  • 51. Stuxnet Infection Profibus (Pro Field Bus) Comms
  • 52. Stuxnet Attribution & Targeting  Several Popular Targeting Theories:  Israel targeting Bushehr Nuclear Plant  Israel targeting Natanz Enrichment Facility  And Attribution  Disgruntled Siemens Employee(s)  Nation State  Organized Crime  Lone actor
  • 53. Developing Stuxnet..  PLC Programming (MC7 & STL)  Plant Process Specific Knowledge  Insider, Target-Specific Knowledge  Step7 & WinCC Program Suite Internals  S7P/TMP/MCP Files  Internal Step7 API’s  Windows Kernel/Rootkit Development  Exploit/shellcode development  Anti-Virus/Security Product Subversion R&D  Dropper, C&C & Persistence Components
  • 54. Resources Required  Access to hardware & software  including frequency converters  and probably centrifuges  Propagation Method  Stolen Certificates
  • 55. Stuxnet 0days? MS10-046 (LNK Vulnerability) Almost two years old MS08-067 (Server Service) Patched for two years MS10-061 (Print Spooler) Disclosed over one year ago MOF ‘Feature’ Not a vulnerability? WinCC DBMS Password Original work Step7 Project Files Original work MS10-073 (Kbd Privilege Escalation) Original work
  • 56. However…  Vulnerabilities chosen were  Unlikely to fail  If they did – failure should not result in a GPF  With exception of MS08-067..  Comparatively silent in exploitation  Creative exploitation (i.e. MOF)
  • 57. The Dichotomy of Stuxnet  Costly due to:  Maintenance for at least eighteen months and as long as four years  R&D invested into R&D PLC Payload, Step7 Subversion & Delivery Framework  However..  Trivial C&C Channel  Lots of prior art re-use  We’re talking about it right now..
  • 58. C&C #FAIL?  Trivial C&C Mechanism  More indicative of crime-ware  Two points of failure for control  (Updates a required feature)  Vulnerable to C&C Hijacking  No use of server-side cert validation
  • 59. Story so far: who was the target?  Still difficult to say – however:  Unlikely to be Power Generation  Power Transmission / Distribution Unlikely  Oil Cracking & Refining Unlikely  Likely targets:  Manufacturing (incl Chemical Manufacturing)  Nuclear Enrichment
  • 60. Who it was not..  Disgruntled employee / lone actor  Skill requirements preclude work of an individual acting alone  Western State advanced IO capabilities  Too much technical inconsistency  Large amount (and risk) of collateral damage  Greenpeace?
  • 61. We now know that..  Stuxnet Targeted Specific Components  Almost exclusively utilized in enrichment  Frequencies referenced indicative of enrichment  Specifically 807Hz – 1210 Hz  Iran was beyond reasonable doubt the target  Supported by previous theories  and.. IAEA Safeguards & ISIS Report  Iran has admitted an impact on operations
  • 62. Stuxnet Timeline  September 24th 2007 – Timestamp from MC7  June 17th 2010 – VirusBlokAda Discovery  June 24th 2010 – VirusBlokAda White Paper  July 7th 2010 – Microsoft Malware Sigs Released  July 15th 2010 – Let the media circus commence!  July 16th 2010 – Microsoft Issue Advisory 2286198  July 16th 2010 – Realtek Cert Revoked  July 17th 2010 – Variant Discovered with J-Micron Cert  July 22nd 2010 – J-Micron Cert Revoked  August 2nd 2010 ‘Lnk’ Vulnerability Patched  September 14th 2010 – Microsoft Patch MS10-061  October 12th 2010 – Microsoft Patch MS10-073  November 15th (approx.) – Iran halts Natanz enrichment  November 23rd 2010 – Statement by Ali Akbar Salehi  November 29th 2010 – Iran officially admits stuxnet impact
  • 63. Actor Profile..  Small(er), technically astute nation state  Basic IO Capabilities  Full time staff of operators  Presently reliant on external assistance  Good connections to acquire it..  Compartmented approach to operations  Good HUMINT Capabilities  Access to restricted centrifuge technology
  • 64. Fail #1 Chinese Theory  Various theories linking stuxnet to China  J-Micron & Realtek Taiwan locations  RealTek subsidiary in China  Vacon also located in China
  • 65. Fail #2: Espionage VS Siemens  Goal: To disrupt deal with Rosatom  Suspect: Areva
  • 66. Fail #3: Greenpeace Theory  Goal: Disrupt NPP / Enrichment Activities  Suspect: Greenpeace
  • 67. Scenario #1 – Broken Arrow*  PLC Components likely to be older than primary assembly (pre-2008)  Digitally signed rootkit & load point components recyclable  Technical skills of component developers in excess of operators  However – highly targeted nature makes this less likely
  • 68. Scenario #2 – A Joint Effort  Payload Components Developed Under Contract (Private or Public Partnership)  PLC work most likely of western origin  End-User Developed C&C + Entry Vector  Repackaged by End-User  Digital code signature could be either party  End-User localized access to target site
  • 69. Stuxnet Countermeasures  PCN / Corp Network System Co-Mingling  System Baselines  LPD Bug Required Guest Account  Unrequired Services on PLC Dev Systems  Host Based Firewalls & HIPS  Default Passwords/Accounts  Siemens WinCC SQL DB  In the US – a likely violation of NERC CIP
  • 70. Could Stuxnet have been worse?  Absolutely..  Vastly Improved C&C  Greater Propagation Discipline  Possible Supply Chain Influence  Improved Frequency Converter Targeting  PLC OS Rootkit?
  • 71. Lessons Learned  Stuxnet should not have been a game changer  If it was… you already lost  Simple countermeasures would have reduced impact  Even those mandated in the US by NERC CIP-002 – 009  Control Systems world is far behind many others  Security Assurance  Compliance
  • 72. Closing thoughts..  Lots still unconfirmed (un-confirmable?)  Extent of success unknown  Likely a set back for end-user/actor  Just the tip of the iceberg  Control systems are vulnerable  Investments are being made to attack them  Stuxnet could have been much worse