Cyber Warfare - Stuxnet, Duqu, Flame, Gauss and all, all, all ...
Looking at the headline threats, the following malicious programs carrying the "cyber weapon" label have been detected since 2010:
- July 2010 - Stuxnet, detected by VirusBlokAda;
- September 2011 - Duqu, discovered by CrySyS Lab (Budapest) and publicly reported by Symantec in October 2011;
- March 2012 - Wiper, traces found by Kaspersky Lab;
- May 2012 - Flame, detected by Kaspersky Lab;
- August 2012 - Gauss, discovered by Kaspersky Lab;
- October 2012 - MiniFlame, detected by Kaspersky Lab.
In addition to them, several smaller-calibre samples:
- July 2012 - Madi, discovered by Kaspersky Lab;
- August 2012 - Shamoon, discovered by Kaspersky Lab;
- November 2012 - Narilam, discovered by Symantec.
Brief characteristics
| Characteristic | Stuxnet | Duqu | Flame | Gauss |
|---|---|---|---|---|
| Discovery date | July 2010 | September 2011 | May 2012 | August 2012 |
| Number of infections (according to KSN) | about 180 thousand | about 20 | about 700 | about 2,500 |
| Countries with the most infections | India, Indonesia, Iran | Iran, India, Sudan, Vietnam, France, Netherlands, Switzerland, Ukraine, Austria, Hungary, Indonesia, United Kingdom (according to Symantec) | Iran, Israel | Lebanon, Israel, Palestine |
| Initial infection vector | unknown (possibly a USB flash drive) | a Microsoft Word document e-mailed to selected targets | unknown; one spreading method impersonates the Windows Update mechanism, and a certificate chaining to Microsoft lets the module install without any warning | unknown |
| Startup method at boot | a signed driver is loaded as a service and then loads the main module from an encrypted file; decryption and launch happen only in memory | the same as Stuxnet: a signed driver loaded as a service loads the main module from an encrypted file and runs it only in memory | the main module registers itself as an LSA Authentication Package | replaces the registry entry responsible for loading the wbem subsystem with itself, then calls the original wbem library |
| Development environment (language) | Visual Studio (main module) | Visual Studio; the main module is written in C with an object-oriented layer built on top of it | C++; part of the code is written in the interpreted language Lua | C++ |
| Digital signature used | Realtek (a later variant: JMicron) | C-Media | Microsoft (a certificate forged via an MD5 collision) | none |
| Distinctive features | the main module carries several components as resources | container structure, nested like a matryoshka doll | large size, about 20 MB, with a great deal of third-party code | a "payload" that is decrypted only if a specific path exists on the computer |
| Functionality | searching for and exfiltrating files; injecting into Siemens WinCC/Step7 SCADA systems | searching for and exfiltrating files, keystroke logging, collecting data about the network infrastructure | searching for and exfiltrating files, recording audio, using Bluetooth to collect information from nearby devices | searching for and exfiltrating files; stealing credentials for Middle Eastern online banking services, social networks, e-mail and instant messaging |
| Goal | sabotage of the industrial process controlled by Siemens WinCC/Step7 | espionage and reconnaissance for a subsequent intrusion into the network infrastructure | espionage | espionage (credential theft); the purpose of the encrypted payload is not known |
| Similarity to other malware | startup method matches Duqu; the 2009 version uses a USB infection module similar to Flame's | startup method matches Stuxnet | uses a USB infection module similar to the 2009 Stuxnet version; many modules with the .ocx extension, like Gauss | many modules with the .ocx extension, like Flame |
| Estimated year of development | 2009 | 2008 | 2006 | 2011 |
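The startup methods in the table (a driver loaded as a service, an extra LSA Authentication Package) are persistence points an incident responder can enumerate from a registry export without touching the live host. The following Python triage script is an added example, not code from the original article or from any of the research teams it cites: it parses a .reg export, including the REG_MULTI_SZ hex(7) encoding that "Authentication Packages" uses, and diffs the LSA package list and the auto-start kernel-driver services against a baseline. The export text, the driver service "sigdrv", the package "fakepkg" and the baseline allowlist are constructed for the demonstration; the only real defaults assumed are that a clean Windows install lists msv1_0 as its authentication package, that service Type 1 means a kernel driver, and that Start values 0 to 2 load without user action.

```python
"""Offline persistence triage of a Windows registry export (.reg):
flags extra LSA Authentication Packages and auto-start kernel drivers
that are not in a known-good baseline."""
import re

# Constructed .reg export (not taken from a real host). The driver service
# "sigdrv" and the LSA package "fakepkg" are invented for the demonstration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,\
  66,00,61,00,6b,00,65,00,70,00,6b,00,67,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="system32\\drivers\\disk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sigdrv]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\Windows\\system32\\drivers\\sigdrv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000110
"Start"=dword:00000002
"ImagePath"="C:\\Windows\\System32\\spoolsv.exe"
'''

# Default LSA package on a clean Windows install; extend it from a golden image.
KNOWN_LSA_PACKAGES = {"msv1_0"}
# Constructed allowlist of driver services taken from a known-good export.
BASELINE_DRIVERS = {"disk"}

LSA_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa"
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"


def _logical_lines(text):
    """Join physical lines: a trailing backslash continues a hex value."""
    buf = ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        buf = ""
        yield line
    if buf:
        yield buf


def _decode_value(raw):
    """Decode one .reg value: "string", dword:, hex(7): MULTI_SZ, hex(2): EXPAND_SZ, hex: binary."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        kind = m.group(1) or "3"
        if kind == "7":  # REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double-NUL terminated
            return [s for s in data.decode("utf-16-le").split("\x00") if s]
        if kind == "2":  # REG_EXPAND_SZ: one UTF-16LE string
            return data.decode("utf-16-le").rstrip("\x00")
        return data      # REG_BINARY and anything else: raw bytes
    return raw


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) is None else m.group(1)
            keys[current][name] = _decode_value(m.group(2))
    return keys


def suspicious_lsa_packages(keys, known=KNOWN_LSA_PACKAGES):
    """Authentication packages a clean baseline does not list (Flame-style persistence)."""
    pkgs = keys.get(LSA_KEY, {}).get("Authentication Packages", [])
    return [p for p in pkgs if p.lower() not in known]


def unknown_boot_drivers(keys, baseline=BASELINE_DRIVERS):
    """Kernel-driver services (Type 1) that load without user action (Start 0..2)
    and are absent from the baseline (Stuxnet/Duqu-style driver-as-service)."""
    found = []
    for path, vals in keys.items():
        if not path.startswith(SERVICES_PREFIX):
            continue
        name = path[len(SERVICES_PREFIX):]
        if vals.get("Type") == 1 and vals.get("Start", 3) <= 2 and name not in baseline:
            found.append((name, vals.get("ImagePath")))
    return found


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("extra LSA packages:", suspicious_lsa_packages(parsed))
    print("unknown boot drivers:", unknown_boot_drivers(parsed))
```

A real export made with `reg export HKLM\SYSTEM file.reg` is UTF-16 with a BOM, so open it with `encoding="utf-16"` before passing the text to `parse_reg`. The point of diffing against a baseline rather than checking paths or signatures is that the table's drivers sat in the normal driver directory under plausible names and carried valid signatures, so only "this service did not exist on the golden image" catches them; genuine third-party LSA packages exist too, so the known list must come from the organisation's own clean build.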
Dell SecureWorks analysts consider the similarity of some elements of Stuxnet and Duqu to be coincidental: the same techniques occur in other malware samples. A comparison of Stuxnet and Duqu is here. A curious episode concerns the supposed link between Gauss and Flame. Kaspersky Lab set up a sinkhole. Simplified, a sinkhole is a fake command-and-control server that the malware accepts as its own: the analysts take over the C2 domain and point it at a server they control. Analyzing the source IP addresses of the incoming connections then gives an estimate of the number of infections and their geographical distribution. In some cases it even allows taking control of the bots and issuing a self-destruct command, which, however, is rare. The sinkhole attracted traffic from both Gauss and Flame. FireEye specialists, seeing that Gauss and Flame were contacting the same server, concluded that the same people were behind both. A little later FireEye publicly apologized for the mistake and the misrepresentation.
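To make the sinkhole argument concrete, here is an added Python example (not code from Kaspersky Lab, FireEye or the original article) that processes sinkhole connection records: it counts distinct victims per family and per country, and flags destinations contacted by more than one family while separating a destination that is shared only because the analysts redirected both families' domains to it from one the analysts do not control. The log lines, the hostnames, the prefix-to-country table standing in for a GeoIP database, and the sinkhole address 198.51.100.7 are all constructed for the demonstration.

```python
"""Sinkhole log triage: distinct victims per malware family and per country,
plus a check that separates destinations shared because we sinkholed them
from destinations that are genuinely shared."""
import ipaddress
from collections import defaultdict

# Constructed records, not real telemetry. Fields: timestamp, source IP,
# destination IP, hostname from the HTTP Host header, and the family that
# hostname was attributed to when its domain was taken over. One line is
# deliberately garbage and one has a bad address, to exercise the parser.
SAMPLE_LOG = """\
2012-08-01T10:01:02Z 203.0.113.10 198.51.100.7 c2-one.example Gauss
2012-08-01T10:01:05Z 203.0.113.10 198.51.100.7 c2-one.example Gauss
2012-08-01T10:02:11Z 203.0.113.55 198.51.100.7 c2-two.example Gauss
2012-08-01T10:03:40Z 192.0.2.23 198.51.100.7 c2-three.example Flame
2012-08-01T10:04:01Z 192.0.2.77 198.51.100.7 c2-three.example Flame
2012-08-01T10:05:09Z 203.0.113.99 198.51.100.7 c2-three.example Flame
2012-08-01T10:06:00Z 203.0.113.10 198.51.100.7 c2-three.example Flame
2012-08-01T10:07:00Z 192.0.2.5 203.0.113.200 update.example Flame
this line is garbage
2012-08-01T10:08:00Z not.an.ip 198.51.100.7 c2-three.example Flame
2012-08-01T10:09:00Z 203.0.113.55 203.0.113.200 update.example Gauss
"""

# Constructed prefix-to-country table standing in for a GeoIP database.
GEO_TABLE = {"203.0.113.0/24": "LB", "192.0.2.0/24": "IL"}

# Addresses the analysts control. Every family whose domain was redirected
# here shares this destination by construction, not by its authors' design.
SINKHOLE_IPS = {"198.51.100.7"}


def parse_log(text):
    """Parse whitespace-separated records; skip malformed lines and bad addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, host, family = parts
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        records.append({"ts": ts, "src": src, "dst": dst, "host": host, "family": family})
    return records


def country_of(ip, geo=GEO_TABLE):
    """Longest-prefix lookup in the constructed table; '??' when unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, cc in geo.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, cc)
    return best[1] if best else "??"


def victims_per_family(records):
    """Distinct source IPs per family; beacons repeat, so count addresses, not lines."""
    seen = defaultdict(set)
    for r in records:
        seen[r["family"]].add(r["src"])
    return {fam: len(ips) for fam, ips in seen.items()}


def victims_per_country(records, geo=GEO_TABLE):
    """Distinct source IPs per family, broken down by the source's country."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        seen[r["family"]][country_of(r["src"], geo)].add(r["src"])
    return {fam: {cc: len(ips) for cc, ips in by_cc.items()} for fam, by_cc in seen.items()}


def shared_destinations(records, sinkholes=SINKHOLE_IPS):
    """Destinations contacted by more than one family, each with a verdict.
    A destination we sinkholed is shared because we pointed both families at
    it; only a destination we do not control hints at shared infrastructure."""
    by_dst = defaultdict(set)
    for r in records:
        by_dst[r["dst"]].add(r["family"])
    verdicts = {}
    for dst, fams in by_dst.items():
        if len(fams) < 2:
            continue
        if dst in sinkholes:
            verdicts[dst] = (sorted(fams), "sinkhole-induced; no attribution value")
        else:
            verdicts[dst] = (sorted(fams), "genuinely shared infrastructure; investigate")
    return verdicts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(victims_per_family(recs))
    print(victims_per_country(recs))
    for dst, (fams, verdict) in shared_destinations(recs).items():
        print(dst, fams, verdict)
```

Two caveats apply to the counts: several victims behind one NAT gateway appear as a single address, and one victim on a churning DHCP lease appears as several, so sinkhole figures are estimates rather than host counts, which is why the table above qualifies its numbers with "about".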
So the attempts to tie Stuxnet, Duqu, Flame and Gauss together are not very convincing. Besides, if one team were behind all of them, developing a new malware family for each operation would be needlessly expensive: it would be enough to modify the existing one to evade detection by antivirus tools and extend the functionality of its modules. Most likely we are seeing only the tip of the iceberg of what is happening in the Middle East, and this malware is developed by different countries or organizations that are not connected to each other. The key players in the cyber-warfare arena are the USA, China, Russia, Israel and South Korea. It is also clear that local players have joined in: some samples (Madi, Shamoon, Narilam) are written in Delphi, which is a sign of less professional work.
Summary:
- antivirus companies needlessly hype the topic of cyber warfare by manipulating facts. They do it to expand their markets. It would be more honest to explain how well all their heuristics, proactive defenses and sandboxes actually work, given that this malware had been doing its dirty work undetected for years;
- do not trust news sites either; there is a lot of embellishment there. Ideally, read the articles in the original, but not everyone reads English well, and tracking down primary sources also takes a certain amount of patience.
But in any case, despite all the juggling by antivirus companies, we will continue to follow the development of cyber weapons with interest.