# Duqu Threat Research and Analysis

#### McAfee Labs

##### Peter Szor Sr. Director of Research


-----

### • Stuxnet Overvieew
 • Duqu Review-Current Intelligence, comparisons with Stuxnet, 
 • Best Practice recommendations
 • Q&A


-----

## High Level Overview

### • The executables share injection code with the Stuxnet worm and they
 were compiled after the last Stuxnet sample was recovered. 
 • The structure of Duqu is very similar to Stuxnet (uses of PE resources)
 • There is no ICS specific attack code in Duqu.
 • The primary infection vector for Duqu deployment has not yet been
 discovered/recovered (Duqu does not self-replicate or spread on its own) 
 • The infected organizations appear to be limited 
 • No known targeting of energy sector companies.
 • The malware employed a valid digital certificate (revoked as of 14
 OCT 2011) 
 • The malware is designed to self-delete after 36 days 
 • The known Command and Control server was hosted in India.


-----

-----

## Attacks

### • DOS/Boot viruses change BIOS password
 settings, battery needs to be removed
 • CIH virus overwrites flash-ROM, motherboard
 needs replacement
 • Worms got faster than update and patch
 deployment, targeting vulnerabilities, often zero-Days
 • Worms caused major DoS attacks   (… Nuclear Power plants’ safety monitoring
 system was disabled by Slammer)
 • Blaster worm is a contributor to a major
 blackout
 • Stuxnet combines 4 zero-day vulnerabilities
 with ICS knowledge to target an industrial process
 • US Predator Drone Center gets infected with
 malware


-----

#### Exploits “Zero Days” vulnerabilities - MS10-046 (LNK Vulnerability – Used by Zlob in 2008) - MS08-067 (Server Service) - MS10-061 (Print Spooler – Hackin9 magazine 2009) - MS10-073 (Kbd Privilege Escalation) - WinCC DBMS Password (hardcoded) + Stolen certificates (Realtek, JMicron) + ROP techniques in Exploits
 Infection - USB, Local Network, Siemens Step7/MC7 - Network Infection - C&C operation (Weak! Mypremierfutbol.com, todaysfutbol.com) - Anti Behavioral Blocking, avoids anti-virus detection - Rootkit: 
 - User mode hooks to hide files from Explorer – Total\Windows Commander(!) - User mode DLL replacement for Step7 (PLC Rootkit)
 - s7otbxdl.dll forwards to s7otbxsx.dll (except for 16 functions related to


-----

#### Deactivates/Reactivates Total Commander (and “Windows Commander”)


-----

#### Deactivates/Reactivates Total Commander (and “Windows Commander”)


-----

#### 1,210Hz.

 Cascaded Centrifuges

  PLC


-----

#### • Targeted attacks have been observed in Iran, England and US
 • Other reports: Austria, Hungary, Indonesia
 • C&C Server in India


-----

|Feature|Duqu|Stuxnet|
|---|---|---|
|Composed of multiple modules|Yes|Yes|
|Rootkit to hide its activities|Yes|Yes|
|System driver is digitally signed|Yes (C-Media)|Yes (Realtek, JMicron)|
|System driver decrypts secondary modules in PNF files|Yes|Yes|
|Decrypted DLLs are directly injected into system processes instead of dropped to disk|Yes|Yes|
|Date sensitive: functionality is controlled via complex, encrypted configuration file|Yes (36 days)|Yes|
|Use XOR based encryption for strings|Yes (key: 0xAE1979DD)|Yes (key: 0xAE1979DD)|
|Referencing 05.09.1979 in configuration file (http://en.wikipedia.org/wiki/Habib_Elghanian)|Yes (0xAE790509)|Yes (0xAE790509)|


## Duqu and Stuxnet

### • Several similarities have been observed at the code level which led us
 to believe Duqu was based on the same source code as Stuxnet

#### Feature Duqu Stuxnet

###### Composed of multiple modules Yes Yes

 Rootkit to hide its activities Yes Yes

 System driver is digitally signed Yes (C-Media) Yes (Realtek,
 JMicron)

 System driver decrypts secondary modules in PNF files Yes Yes

 Decrypted DLLs are directly injected into system Yes Yes processes instead of dropped to disk

 Date sensitive: functionality is controlled via complex, Yes Yes encrypted configuration file (36 days)

 Use XOR based encryption for strings Yes (key: Yes (key: 0xAE1979DD) 0xAE1979DD)

 Referencing 05.09.1979 in configuration file Yes Yes (http://en.wikipedia.org/wiki/Habib_Elghanian) (0xAE790509) (0xAE790509)

 New update modules via C&C Yes (keylogger) Yes


-----

## Duqu and Stuxnet (Code Graph Comparison)

### • DLL Injection code


-----

## Duqu and Stuxnet: Code Comparison

### • DLL Injection code


-----

#### Unknown vector of exploitation, Installer  C&C Server

###### CMI4432.SYS JMINET7.SYS Keylogger.exe

Decrypt Decrypt Decrypt

###### CMI4432.PNF NETP191.PNF Resource 302

Inject into     Services.exe Inject into     Services.exe

###### CMI4432.DLL NETP191.DLL

Decrypt      Resource 302 Decrypt      Resource 302 Decrypt       .zdata section

###### Resource 302 Resource 302

Decrypt       .zdata section Decrypt       .zdata section

###### SortXXXX.NLS SortXXXX.NLS SortXXXX.NLS

Inject main modules into System Processes


-----

#### • The two variants of .SYS files are responsible for restarting the malware
 • .SYS filenames mimic Jmicron and C-Media driver file names
 • Jmicron mimic file is not signed, and it is the earlier variant
 • Drivers are loaded at time of “Network group load”
 • They decrypt the PNF files and inject the resulting DLL into Services.exe, etc

 • Anti-firewall feature, Anti-BB feature
 • This DLL is responsible for decrypting the payload module from its resource section. The resource Id is the same for all modules: 302
 • The payload module is directly injected into running processes using the same method as Stuxnet
 • The DLL implement rootkit methods to hide this payload from user’s view


-----

#### The Keylogger component is a standalone module. It was delivered via C&C Server to target after the initial infection. 
 It uses the same decryption routines as the other modules. It is capable of collecting different types of information from the target machine:
 • Keystroke data
 • Machine information (OS version, patches, machine name, users, etc)
 • Process list
 • Network information
 • List shared folders
 • List machines on the same network
 • Screen shots
 The Keylogger accepts command line parameter commands, and only works if the parameter “xxx” is the first parameter passed


-----

## data


-----

#### Once the DLL module is started, the known variants will try to contact the command and control server at the address below on tcp ports 80 and 443 (http/https)
 • 206.183.111.97 (India)
 The request may look like the one below:
```
    GET / HTTP/1.1
    Cookie: PHPSESSID=o5ukre1ul0q6i2il1ij3ghi0j1
    Cache-Control: no-cache
    Pragma: no-cache
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US;
    rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)
    Host: x.x.x.x
 The PHPSESSID is an encrypted message sent to the command and control server. 
 The User-Agent is hardcoded and may be used to identify machines

```

-----

#### driver


-----

#### sign one of the known variants of Duqu)


-----

-----

## Best Practices Against Duqu

### • AV Signatures
 • Application Whitelisting
 • DeepSafe- McAfee/Intel techology targeting rootkits


-----

#### • McAfee Labs Blogs
 • Personal communication: Rob Meyers, Liam O Murchu, Guilherme Venere and Stuart McClure
 • McAfee Threats Report
 • Symantec Stuxnet File / Symantec Internet Security Threat Report
 • Ralph Langner on Stuxnet
 • Krebs on Security Blog
 • “The Art of Computer Virus Research and Defense”


-----