Son of Stuxnet


The security industry is currently buzzing with talks about a threat dubbed as the precursor to the next STUXNET.

According to a Symantec analysis, portions of the code are very similar to STUXNET, and was likely written by the same cybercriminals as the well-known threat. Unlike STUXNET, however, Duqu does not have code that suggests it was developed to access SCADA systems. Instead, its final payload appears to be inclined toward information theft.

Duqu is made up of several components. The SYS file, which is detected as RTKT_DUQU.A, is responsible for activating the malware, and triggering the execution of its other routines. Based on analysis, however, the main goal of the said files is to establish a connection with its C&C server. It is said that Duqu delivered an information-stealing malware, detected as TROJ_SHADOW.AF, into the affected systems through this connection. We have also verified that DUQU has codes very similar to that of STUXNET.

Upon execution, TROJ_SHADOW.AF enumerates the processes currently running on the system. It also checks if it matches any of the following security-related processes:

avp.exe (Kaspersky)
Mcshield.exe (McAfee)
avguard.exe (Avira)
bdagent.exe (Bitdefender)
UmxCfg.exe (CA)
fsdfwd.exe (F-Secure)
rtvscan.exe and ccSvcHst.exe (Symantec)
ekrn.exe (ESET)
tmproxy.exe (Trend Micro)
RavMonD.exe (Rising)
If found, TROJ_SHADOW.AF launches the same process in a suspended state, then patches the malware code before resuming the execution. In effect, there will be two AV processes; the first being the original, and the second being the patched one.

TROJ_SHADOW.AF requires command lines in order to execute properly. Available commands include: collecting information on the affected system, terminating malware processes, and deleting itself. It can steal a wide array of information on any affected system, such as:

1. Drive information such as:

FreeSpace
Drive device name
2. Screenshots
3. Running Processes and Owner of Running Processes
4. Network Information such as

IP address
IP routing table
TCP and UDP table
DNS Cache table
Local Shares
5. Local shared folders and connected users
6. Removable drives serial number
7. Window names
8. Information on open files on local computer using NetFileEnum

Upon execution, RTKT_DUQU.A decrypts a configuration file in its body to get the registry path containing the location of TROJ_DUQU.ENC, and the process where to inject the DLL. From our analysis, the decrypted registry path in the two samples are HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3 and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432, respectively.

These registry paths contain the “FILTER” entry, which contains encrypted data which RTKT_DUQU.A will decrypt to get the path of TROJ_DUQU.ENC, as well as a process name where TROJ_DUQU.ENC will be injected.

Decrypting TROJ_DUQU.ENC results into a DLL file that is injected in the process specified in the registry. The decrypted DLL is detected as TROJ_DUQU.DEC. Once TROJ_DUQU.DEC is loaded, it accesses TROJ_DUQU.CFG to get configuration information.

Information contained in the configuration file include:

Service registry key
File path of component files
Websites it will try to connect to for DNS checking
Processes wherein TROJ_DUQU.DEC will inject itself into
TROJ_DUQU.DEC communicates with the C&C server to receive and execute commands. These commands include downloading other malicious files, which in this case, appears to be the infostealer TROJ_SHADOW.AF.

Enterprise networks are also protected from DUQU through the Trend Micro Threat Discovery Appliance, which detects the malware’s connection to the C&C server through the rule 473 TCP_MALICIOUS_IP_CONN. Also, Deep Security is able to detect the changes made inside the Drivers folder (%Window%\system32\drivers) by DUQU variants,through the rule Integrity Monitoring Rule: 1003517 – Microsoft Windows – System driver files modified.

Firewall


What is a Firewall?

A firewall is a security device that can be a software program or a dedicated network appliance. The main purpose of a firewall is to separate a secure area from a less secure area and to control communications between the two. Firewalls can perform a variety of other functions, but are chiefly responsible for controlling inbound and outbound communications on anything from a single machine to an entire network.

Software Firewalls

Software firewalls, also sometimes called personal firewalls, are designed to run on a single computer. These are most commonly used on home or small office computers that have broadband access, which tend to be left on all the time. A software firewall prevents unwanted access to the computer over a network connection by identifying and preventing communication over risky ports. Computers communicate over many different recognized ports, and the firewall will tend to permit these without prompting or alerting the user. For example, computers access Web pages over port 80 and use port 443 for secure Web communications. A home computer would expect to receive data over these ports. However, a software firewall would probably block any access from the Internet over port 421, over which it does not expect to receive data. Additionally, port 421 has been used by certain Trojans (a type of malware) in the past. Software firewalls can also detect “suspicious” activity from the outside. They can block access to a home computer from an outside address when activity matches certain patterns, like port scanning.

A software firewall also allows certain programs on the user’s computer to access the Internet, often by express permission of the user. Windows Update, antivirus software, and Microsoft Word are a few programs that a user might legitimately expect to access the Internet. However, a program called gator.exe that is attempting to access the Internet when it shouldn’t be running might be reason for concern, so the user could decline access for this program. This is a useful feature when spyware, adware or some type of malware is suspected.

Some software firewalls also allow configuration of trusted zones. These permit unlimited communication over a wide variety of ports. This type of access may be necessary when a user starts a VPN client to reach a corporate intranet.

One drawback to software firewalls is that they are software running on a personal computer operating system. If the underlying operating system is compromised, then the firewall can be compromised as well. Since many other programs also run on a home computer, malicious software could potentially enter the computer through some other application and compromise the firewall. Software firewalls also rely heavily upon the user making the right decisions. If someone using a software firewall mistakenly gives a keylogger or a Trojan permission to access the Internet, security on that machine is compromised even though there is nothing wrong with the firewall itself.

There are many different brands of software firewalls, each with their own features. Some examples include ZoneAlarm, BlackICE, and Kerio.

Hardware Firewalls

Hardware firewalls are more complex. They also have software components, but run either on a specially engineered network appliance or on an optimized server dedicated to the task of running the firewall. The operating system underlying a hardware firewall is as basic as possible and very difficult to attack. Since no other software runs on these machines, and configuration takes a little more thought than clicking on an “allow” prompt, they are difficult to compromise and tend to be extremely secure.

A hardware firewall is placed between a network, such as a corporation, and a less secure area, such as the Internet. Firewalls also can separate more secure networks from less secure networks, such as one corporate location within a larger corporate structure. Versions of hardware firewalls are available to home users who want stronger protection from potential Internet attacks. There are many different default configurations for these devices – some allow no communications from the outside and must be configured, using rules, others (like those available for the home market) are already configured to block access over risky ports. Rules can be as simple as allowing port 80 traffic to flow through the firewall in both directions, or as complex as only allowing 1433 (SQL server) traffic from a specific IP address outside of the network through the firewall to a single IP address inside the network.

Firewalls are also used for Network Address Translation (NAT). This allows a network to use private IP addresses that are not routed over the Internet. Private IP address schemes allow organizations (or even household networks) to limit the number of publicly routed IP addresses they use, reserving public addresses for Web servers and other externally accessed network equipment. NAT allows administrators to use one public IP address for all of their users to access the Internet – the firewall is “smart” enough to send the requests back to the requesting workstation’s internal IP. NAT also allows users inside a network to contact a server using a private IP while users outside the network must contact the same server using an external IP.

In addition to port and IP address rules, firewalls can have a wide variety of functionality. They can also act as caching servers, VPNs, routers, and more. Some examples of hardware firewalls are CheckPoint, Cisco PIX, SonicWall, Contivity from Nortel, and Linksys (for the home market).

Firewalls are vital to network management. Without this control over computer and network access, large networks could not store sensitive data intended for selective retrieval. Firewalls are also very important for home broadband users – without a home version of one of these products, your personal data is at risk.