NationStateSponsoredMalware:Nation State Sponsored Malware ... ·...

People First,Performance Now

Ministry of Science,Technology and Innovation

Nation State Sponsored Malware:Nation State Sponsored Malware: StuxnetGoh Su GimSecurity Advisor APAC, F-Secure Labs

07 November 2012

About meAbout me

Technology Evangelist

Protecting the irreplaceable | f-secure.com

Evangelist

• 16 November, 2012

F-Secure - Summary

1988 Founded

Today

1999 IPO (Helsinki Stock Exchange)

• “P t ti th i l bl ”• “Protecting the irreplaceable”

• Enabling the safe use of computers and smartphones

• Strong solution portfolio covering both consumers and business

h l d f ( ) f l b ll• The leading Software as a Service (SaaS) partner for operators globally

• Over 200 operator partnerships in more than 40 countries

• Strong market presence in Europe, North America and Asia

2007• Distributors/resellers in more than 100 countries

• 20 offices globally and over 800 professionals worldwide

Where it all started..

© F-Secure / PublicNovember 16, 20126

http://campaigns.f-secure.com/brain/index.html

© F-Secure / PublicNovember 16, 20128


Ministry of Science,Technology and InnovationStuxnetStuxnet



STUXNETWindows Uses 5Windows

WormUses 5Vulnerabilities*

Spreads via

USBUSB sticks

* 4 zero-days



5 Vulnerabilities, 4 Zero Day

• LNK (MS10-046)• Print Spooler (MS10 061)• Print Spooler (MS10-061)• Server Service (MS08-067)• Privilege escalation via Keyboard layout

file• Privilege escalation via Task Scheduler



LNK (MS10-046)• 1st surprise• Spreads first via removable and networkSpreads first via removable and network

storage



Server Service (MS08-067)• Conficker anyone?• Vulnerability in Server Service Could AllowVulnerability in Server Service Could Allow

Remote Code Execution (958644)



Server Service (MS08-067)• Here comes the best part• this vulnerability makes it possible forthis vulnerability makes it possible for

malicious code to be passed to, and then executed on a remote machineexecuted on, a remote machine

• Print Spooler Service Impersonation VulnerabilityVulnerability



Signed component the stolenSigned component – the stolen certificate



Stuxnet is bigStuxnet1 5 MB1,5 MB

AAverageMalware50-100 KB


Ministry of Science,Technology and InnovationSiemens Simatic Step7 WinCC p

PLC



6es7-417



Bushehr / Natanz

The 20th day of the first month of the Iranian calendar year (Farvardin)The 20th day of the first month of the Iranian calendar year (Farvardin) which falls on April 8 this year, was announced as National Nuclear Technology Day by President Ahmadinejad last year.

The day marks the victory of the Iranian scientists in producing uranium enriched to 3 5 percent in Natanz facility two years agoenriched to 3.5 percent in Natanz facility two years ago.

The achievement made Iran self-sufficient in production of nuclear fuel and the country along with Brazil was recorded as the 8th country possessing nuclear fuel cycle in the world, thanks to the efforts of its young talented expertsexperts.



Case Flame• Flame is huge • It sends the stolen• Flame is huge• It has a keylogger and

a screengrabber

• It sends the stolen info out even from organizations with no network connectivity• Has SSH, SSL and

LUA libraries• It collects excerpts

network connectivity• It’s connected to

StuxnetIt collects excerpts from documents

• It collects coordinates from image files

• It spreads via Microsoft Update, is signed by Microsoft from image files

• Checks paired Bluetooth devices

g yand the Certificate has been brute-forced by a supercomputerby a supe co pute



So what about Nation States sponsored malware?

Protecting the irreplaceable | f-secure.com


Ministry of Science,Technology and InnovationWho fights the attackers?Who fights the attackers?

POLICE POLICE



Nuclear physics lost it's innocence in 1945



Computer science lost it's

6es7-315-2 / 6es7-417

innocence in 2009

NationStateSponsoredMalware:Nation State Sponsored Malware ... ·...

Documents

Transcript of NationStateSponsoredMalware:Nation State Sponsored Malware ... ·...