Looking at the landmark threats, it can be noted that since 2010 the following malicious programs bearing the label "cyber-weapon" have been detected:
- July 2010 - Stuxnet, detected by VirusBlokAda;
- October 2011 - Duqu , detected by Kaspersky Lab;
- March 2012 - Wiper, Kaspersky Lab found traces;
- April 2012 - Flame, detected by Kaspersky Lab;
- August 2012 - Gauss, detected by Kaspersky Lab;
- October 2012 - MiniFlame, detected by Kaspersky Lab.
In addition to these, several samples of smaller caliber:
- July 2012 - Madi, detected by Kaspersky Lab;
- August 2012 - Shamoon, detected by Kaspersky Lab;
- November 2012 - Narilam, discovered by Symantec.
Brief characteristics of the malware:

| Characteristic | Stuxnet | Duqu | Flame | Gauss |
|---|---|---|---|---|
| Date of discovery | July 2010 | September 2011 | May 2012 | August 2012 |
| Number of infections (according to KSN) | about 180 thousand | about 20 | about 700 | about 2500 |
| Where most infections occurred | India, Indonesia, Iran | Iran, India, Sudan, Vietnam, France, the Netherlands, Switzerland, Ukraine, Austria, Hungary, Indonesia, United Kingdom (according to Symantec) | Iran, Israel | Lebanon, Israel, Palestine |
| Initial infection vector | unknown (possibly a USB flash drive) | a Microsoft Word document e-mailed to persons of interest | unknown; one known distribution method is a fake Windows Update mechanism, where a Microsoft signature allows installation without a warning | unknown |
| Startup method at system boot | a signed driver is loaded as a service and then loads the main module from an encrypted file; decryption and launch take place only in memory | a signed driver is loaded as a service and then loads the main module from an encrypted file; decryption and launch take place only in memory | the main module is registered as an LSA Authentication Package | replaces the registry entry responsible for loading the wbem subsystem with itself, then calls the original wbem library |
| Development environment (language) | Visual Studio (core module) | Visual Studio; the main module is written using an object-oriented superstructure over the C language | C++; part of the code is written in the interpreted language Lua | C++ |
| Digital signatures used | Realtek | C-Media (possibly JMicron) | Microsoft (certificate obtained through an MD5 collision) | none |
| Distinctive features | the main module contains several components as resources | container structure (matryoshka) | large size, about 20 MB, with a large amount of third-party code | uses a "payload" that is decoded only if a specified path exists on the computer |
| Functionality | search and transfer of files, penetration of the Siemens WinCC SCADA system | search and transfer of files, keystroke logging, collection of data on the network infrastructure | search and transfer of files, recording of audio, use of Bluetooth to intercept information from other devices | search and transfer of files, interception of passwords for Middle East remote banking services, interception of passwords for social networks, mail services and instant messaging systems |
| Purpose | disruption of the Siemens WinCC SCADA system | espionage and gathering of data for subsequent penetration of the network infrastructure | espionage | social impact |
| Similarity with other malware | the launch method is similar to the one used in Duqu; the 2009 version uses a USB infection module similar to Flame's | the launch method is similar to that of Stuxnet | uses a USB infection module similar to the 2009 version of Stuxnet; many modules with the OCX extension, like Gauss | many modules with the OCX extension, like Flame |
| Estimated year of development | 2009 | 2008 | 2006 | 2011 |
Dell SecureWorks experts believe that the similarity of some elements of Stuxnet and Duqu is coincidental: similar methods are used in other malware samples. The comparison of Stuxnet and Duqu is covered in detail here. There is also a rather amusing case connected with the supposed link between Gauss and Flame. Kaspersky Lab staff set up a sinkhole server. Simply put, this means creating fake command-and-control centers that the malicious programs begin to treat as their own. This makes it possible to estimate the extent of infections and their geographical distribution by analyzing the IP addresses of incoming connections. In some cases it even makes it possible to take control and issue a self-destruct command, although this is rare. The sinkhole server received traffic from both Gauss and Flame. FireEye specialists, having noticed that Gauss and Flame were contacting the same server, concluded that the same people were behind the development of both. A little later FireEye publicly apologised for its mistake and the misrepresentation.
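The sinkhole analysis described above, as an added example that is not part of the original post: it parses a constructed sinkhole log, counts unique client IPs per family in total and per country through a made-up prefix table standing in for a GeoIP database, and separately lists hosts that contacted the sinkhole under more than one family label, which is exactly the kind of overlap that shows shared infrastructure or a co-infected host rather than shared authorship. The log format, the family labels and the prefix table are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sinkhole log (not real data): "<timestamp> <family> <client_ip>";
# the family label is the one the sinkhole operator attached to each request.
SINKHOLE_LOG = """\
2012-08-01T10:00:01 gauss 203.0.113.5
2012-08-01T10:00:02 gauss 203.0.113.5
2012-08-01T10:00:03 gauss 203.0.113.9
2012-08-01T10:00:04 gauss 198.51.100.7
2012-08-01T10:00:05 flame 198.51.100.7
2012-08-01T10:00:06 flame 192.0.2.44
2012-08-01T10:00:07 flame 192.0.2.45
malformed line that the parser must skip
"""
# Constructed prefix-to-country table standing in for a GeoIP database.
GEO = {"203.0.113.0/24": "Lebanon", "198.51.100.0/24": "Israel", "192.0.2.0/24": "Iran"}
LINE = re.compile(r"^\S+ (\w+) (\d{1,3}(?:\.\d{1,3}){3})$")

def parse_log(text):
    """Return (family, ip) pairs, dropping lines that do not match the format."""
    return [m.groups() for m in map(LINE.match, text.splitlines()) if m]

def country_of(ip, geo=GEO):
    addr = ipaddress.ip_address(ip)
    return next((c for cidr, c in geo.items() if addr in ipaddress.ip_network(cidr)), "unknown")

def infection_stats(records, geo=GEO):
    """Unique client IPs per family, in total and per country. Repeat connections
    from one host count once, so the figure approximates infected hosts."""
    seen = defaultdict(set)
    for family, ip in records:
        seen[family].add(ip)
    stats = {}
    for family, ips in seen.items():
        by_country = defaultdict(int)
        for ip in ips:
            by_country[country_of(ip, geo)] += 1
        stats[family] = {"unique_ips": len(ips), "by_country": dict(by_country)}
    return stats

def shared_clients(records):
    """Hosts that reached the sinkhole under more than one family label: they show
    shared infrastructure or a co-infected host, not shared authorship."""
    fams = defaultdict(set)
    for family, ip in records:
        fams[ip].add(family)
    return {ip for ip, f in fams.items() if len(f) > 1}
```

Note that a single host appearing under both labels (198.51.100.7 in the constructed log) is all the data actually shows; any attribution claim has to come from elsewhere.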
Thus, all attempts to link Stuxnet, Duqu, Flame and Gauss to one another are not very convincing. Besides, developing a new malware sample for each separate operation would be too costly; it would be enough to modify the existing one to avoid detection by anti-virus tools and to extend the functionality of its modules. It is quite likely that we are seeing only the tip of the iceberg of events taking place in the Middle East, and that these pieces of malware were developed by different countries or organizations unrelated to each other. The following key players can be distinguished in the cyberwar arena: the USA, China, Russia, Israel and South Korea. It is also clear that local players have joined in: some malware samples are written in Delphi (Madi, Shamoon, Narilam), which indicates less professional work, yet they successfully carry out their tasks of collecting and destroying information.
Summary:
- Antivirus companies needlessly "inflate" the topic of cyberwar, manipulating the facts. They do this to expand their markets. It would be better if they told us how well all their heuristic methods, proactive defenses and sandboxes actually work when malware has been doing its "dark" work for years;
- Do not trust news sites; there is too much embellishment. Ideally it is worth reading the articles in the original, but not everyone speaks English well, and finding primary sources also requires a certain amount of patience.
But in any case, despite all the distortions by antivirus companies, we will follow the development of cyber weapons with interest.