Doug Vitale Tech Blog

Hardcore malware: Stuxnet, Duqu, and Flame

Stuxnet, Duqu, and Flame have gained notoriety as some of the most damaging and devious forms of malware. First appearing in 2010, 2011, and 2012 respectively, these three worms have caused fear in the information security industry and panic among the administrators of infected hosts. Before analyzing their workings and unique characteristics, here is a review of malware in general and a summary of some noteworthy examples of destructive viruses from years past.


Defining malware

The term malware is short for “malicious software”. Malware is designed to disrupt normal computer operations and/or to gather sensitive information by enabling unapproved access to unauthorized parties on private computer systems. Consequently malware is classified as unwanted, hostile and intrusive in contrast to the applications which system owners knowingly consent to have installed on their computers.

Goals of malware

Malware coders usually attempt to achieve any of the following objectives:

  • Disrupt the normal workings of infected hosts by attacking system resources such as bandwidth, memory, and CPU cycles.
  • Steal personally identifiable information (PII) such as names, dates of birth, Social Security numbers, and financial account numbers.
  • Create hosting locations for data that often takes the shape of illegal files, such as pirated software and pornography.
  • Transform computers into remotely-controlled zombies for the purposes of denial of service attacks and the distribution of email spam.
  • Monitor users’ web browsing habits and redirect search queries and browser URL requests to unintended websites, which generates affiliate marketing revenue for the malware’s operator.

To accomplish these tasks, the malware life cycle usually involves these steps.

  • Insertion – the installation on victim hosts.
  • Stealth – malware attempts to remain hidden from antimalware applications and human observation.
  • Trigger – the event that initiates the execution of the malware’s payload.
  • Payload – the performing of the malware’s intended purpose (see list above).
  • Replication – like biological viruses, malware usually attempts to reproduce and spread to new victims (more in the next section).
  • Destruction – malware may attempt to remove itself and disappear after its objective is complete or a certain length of time has passed.

Malware propagation

Like all software, malware must be placed on client hosts to function. Because users will not knowingly install harmful software, malware must be distributed in discreet or covert ways. Malware typically proliferates using the following avenues:

  • Emails and instant messages containing attachments that install the malware or links to infected websites.
  • Infected websites that automatically deliver hostile code to visitors via web browser exploits (drive-by downloads).
  • Shared removable media, such as external hard drives, flash drives, optical media, and floppy disks.

The use of email and instant message traffic for malware distribution is particularly efficient because users’ address books are often harvested, and the resulting dissemination succeeds because recipients see the infected messages as coming from a friend, relative, or colleague. Their level of trust increases and they open the malicious attachment. The famous malware programs Melissa, Naked Wife, and ILOVEYOU propagated in this manner.

Malware types and examples

Although all malware shares the general characteristics mentioned above, it can be further broken down into several categories based on factors such as method of proliferation, intended target, intended goal, operational nature, etc. Most malware can be categorized as one of the following types, though some malware exhibits the traits of multiple types.

Virus. The term virus is often used as a synonym for malware. Malware programs that achieve mass infection and widespread damage are commonly called “viruses” when in reality they are more appropriately classified as worms, Trojan horses, or other types.

Like most malware, viruses usually delete system files and change configurations. However, viruses exhibit certain characteristics which distinguish them from other forms of malware. A virus is a less independent program because it cannot reproduce on its own; it needs to infect some executable software, and when that executable is run, the virus spreads to other executables. Microsoft Office macros and PDF documents in particular have been targeted by virus writers.

While there have been thousands of viruses discovered, some more infamous ones include:

  • The Melissa virus of 1999 was a mass-mailing macro virus whose propagation caused overload and shut down email servers.
  • The Anna Kournikova virus of 2001 exploited Microsoft Outlook address books to spread a file named “AnnaKournikova.jpg.vbs” via email.

Worm. Worms are more capable than true viruses as they do not need host programs to replicate. In other words, they can copy and transport themselves without having to piggyback on any other program.

Some worms that have gained notoriety over the years include:

  • The Morris worm was the first known worm to exist and was released in 1988. According to its author, it was not intended to cause damage or financial loss but to gauge the size of the Internet. The replication traffic generated by this worm effectively brought the Internet to a temporary standstill. The worm’s author was the first person to be sentenced under the Computer Fraud and Abuse Act of 1986.
  • In 2000 the ILOVEYOU (or Love Letter) worm spread via emails bearing the attachment LOVE-LETTER-FOR-YOU.TXT.vbs. When run, the Visual Basic file copied itself in several folders on the victim’s hard drive, added new registry keys, sent copies of itself through email and Internet Relay Chat (IRC) clients, and downloaded a file called WIN-BUGSFIX.EXE. This program was a password-stealing application that emailed cached passwords to an email address belonging to the worm’s author.
  • Code Red appeared in 2001 targeting unpatched installations of Microsoft Windows Internet Information Services (IIS). It defaced websites, launched denial of service attacks, and spread itself by executing buffer overflows on other IIS web servers that resulted in the execution of privileged commands.
  • NIMDA struck in September 2001 and within minutes it had become the most prevalent worm circulating the Internet. It utilized several attack vectors, such as email, network shares, IIS directory traversal, and backdoors left behind by other worms. The sheer amount of traffic it generated brought down many web and email servers.
  • SQL Slammer (aka Sapphire) caused over $1 billion in losses in 2003. Within fifteen minutes of its release, SQL Slammer used buffer overflows to infect tens of thousands of servers running unpatched installations of Microsoft SQL Server. Internet routers had difficulty coping with the gigantic amount of replication traffic.
  • First detected in 2008, the Conficker worm wreaked havoc on hosts by disabling services, blocking user access to directories, and preventing visits to security-related websites. It took over hosts by performing dictionary password attacks on the administrator password and then joining infected hosts to a botnet.
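Both the Anna Kournikova virus and ILOVEYOU relied on the same deception: a data-looking extension (.jpg, .TXT) followed by an executable .vbs extension, which Windows hides when “hide extensions for known file types” is enabled. The following attachment triage check is an added example written for this post, not code from the blog or from any vendor; the extension lists and the sample filenames are constructed for illustration.

```python
from __future__ import annotations

import os
from dataclasses import dataclass

# Extensions Windows will run directly when double-clicked (scripts, binaries, shortcuts).
EXECUTABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe", ".scr",
                   ".pif", ".com", ".bat", ".cmd", ".hta", ".lnk", ".ps1"}
# Extensions a recipient expects to be harmless data; used to spot a disguise.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3", ".zip"}


@dataclass
class Verdict:
    filename: str
    executable: bool   # final extension is something Windows would execute
    disguised: bool    # a data-looking extension sits directly before the executable one
    shown_as: str      # what Explorer displays with known extensions hidden
    reason: str


def split_exts(name: str) -> list[str]:
    """Return every extension in the name, lower-cased and in order.
    'LOVE-LETTER-FOR-YOU.TXT.vbs' -> ['.txt', '.vbs'].
    Stray spaces (e.g. 'report.pdf     .exe') are stripped so padding tricks are caught."""
    parts = [p.strip() for p in name.split(".")]
    return ["." + p.lower() for p in parts[1:] if p]


def triage_attachment(name: str) -> Verdict:
    base = os.path.basename(name.replace("\\", "/"))
    exts = split_exts(base)
    final = exts[-1] if exts else ""
    executable = final in EXECUTABLE_EXTS
    disguised = executable and len(exts) >= 2 and exts[-2] in DECOY_EXTS
    # Explorer strips only the last extension, so 'AnnaKournikova.jpg.vbs'
    # is displayed as 'AnnaKournikova.jpg' and looks like a picture.
    shown_as = base[:-len(final)] if executable else base
    if disguised:
        reason = f"{exts[-2]} decoy hides executable {final}"
    elif executable:
        reason = f"executable attachment type {final}"
    else:
        reason = "no executable extension"
    return Verdict(base, executable, disguised, shown_as, reason)


def flagged_names(names: list[str]) -> list[str]:
    """Return the attachment names a mail gateway should quarantine."""
    return [v.filename for v in map(triage_attachment, names) if v.executable]


# Constructed sample batch: the two filenames from the post plus benign attachments.
SAMPLE_ATTACHMENTS = ["AnnaKournikova.jpg.vbs", "LOVE-LETTER-FOR-YOU.TXT.vbs",
                      "quarterly-report.pdf", "holiday.jpg", "setup.exe"]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        v = triage_attachment(n)
        print(f"{v.filename:32} shown as {v.shown_as:24} {v.reason}")
```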

Trojan horse. A Trojan horse is a malware program that is disguised as another seemingly harmless program. At first glance a Trojan appears to perform a desirable function, but its true purpose is to execute code without the user’s consent or knowledge. For example, a program may be advertised as a simple screen saver displaying images of cute kittens or sexy people, but its true purpose is to actually install a key logger to capture your passwords and transmit them to a remote server. Alternatively, Trojans will often allow intruders remote access into the infected system. By disguising malware as popular software (or by bundling malware with popular software) malware distributors hope that duped users looking for free software or pornography will download and execute their harmful software and become infected.

One particularly infamous Trojan horse is Zeus. Zeus steals banking information through keystroke logging and form grabbing. Zeus targets the financial industry and is spread mainly through drive-by downloads and phishing schemes. In June 2009, estimates were that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and Business Week. Zeus phishing messages spread rampantly throughout Facebook as well. In 2012 variants of Zeus were discovered on Blackberry and Android smart phones.

Logic bomb. A logic bomb is a program that executes a command (such as unauthorized data deletion) when a certain event occurs or a particular date and time arrive. Until such an event happens, the logic bomb sits dormant. Some legal cases involving logic bombs written by disgruntled employees have garnered media attention.

Botnet. Bot malware is designed to clandestinely transform hosts into remotely controlled zombies that are joined together to form networks of bots, or botnets. These botnets are controlled by an operator (bot master) who can use the army of zombies at his disposal for many nefarious purposes, such as launching distributed denial of service attacks or relaying spam email. Typically the IRC protocol is used to send commands from the Command and Control server to the botnet zombies.

Rootkits and backdoors. Rootkits try to hide the existence of certain processes or programs from normal methods of detection and enable privileged access to a computer via backdoors. Backdoor malware is installed on victim hosts to allow access to hackers at a later time. Quite often backdoors are also bundled with Trojans. Once installed, a backdoor listens for network traffic on a specific port. When rootkits and backdoors are properly installed, users and even security software will not detect abnormal system operations because this type of malware works at the operating system’s kernel level. Rootkits will often remove suspicious entries in system logs. The recommended remediation for rootkit infections is a complete hard drive wipe followed by OS reinstallation.

Scareware. This type of malware attempts to create panic among users by displaying alarming (and false) messages about the state of their systems with the intent of persuading them to pay a fee to resolve the supposed problem. In other words, scareware is a scam that is intended to trick users into needlessly spending money to address a non-existent situation. A tactic frequently used by cyber criminals involves notifying users that a virus has infected their computer, then suggesting that they download (and pay for) phony antivirus software to remove it. However, the “virus” is entirely fictional and the software which the anxious user purchases is either non-functional or malware itself. One particular form of scareware, ransomware, prevents user access to certain files and folders, sometimes via encryption, and then demands that payment be made before they can be accessible again.

Spyware. Spyware focuses on capturing keystrokes and personal details of users without their consent or knowledge. Spyware often takes the form of a Trojan horse that tries to deceive users by bundling itself with desirable software.

Adware. Adware refers to malware that collects data regarding a user’s computing habits that can be used to facilitate targeted marketing. Adware is known to display pop up advertisements and redirect URL requests. For example, viewing a product for sale on Amazon.com might prompt a pop up ad to appear with a link to buy a similar product on another site, or an attempt to visit google.com may result in a browser redirection to an ad-laden website with a name such as “supercoolsearch.com” instead of Google. The creator of the adware may get paid if you click links or buy products on the rogue sites.

Keyloggers. Keyloggers simply monitor and record the keys users type during computing sessions, and often report these keystrokes back to servers or email addresses belonging to hackers and cyber criminals. The keystroke reports obviously contain sensitive data such as usernames and passwords.

Stuxnet

Stuxnet made headlines in June 2010 after it went to work disabling programmable logic controllers and Siemens supervisory control and data acquisition (SCADA) systems in Iranian nuclear power plants. It ranks as perhaps the most intricate and ingenious example of malware ever discovered. Not long after Stuxnet was detected and analyzed by software security specialists, it became apparent that it was the product of a well-funded, highly efficient entity. Unsurprisingly it is now conventional wisdom that Stuxnet was created by American and Israeli software developers as part of an information warfare campaign against the Islamic Republic of Iran.

Stuxnet was very effective because it exploited four zero-day Windows vulnerabilities. It was reportedly introduced to the target environment via USB flash drives planted either by an undercover agent or by unwitting power plant employees. Once it had access to a network, Stuxnet could identify and infect the hosts that managed SCADA systems controlled by Siemens software. Microsoft and Siemens subsequently released patches to counteract Stuxnet, but not before considerable damage had been done, particularly within Iran.

More detailed analyses of Stuxnet’s operation are provided in the further reference section below.

Image source: Trend Micro

Duqu

The Duqu worm was first detected in 2011. Malware analysts quickly noticed that it shared a lot of the same code with Stuxnet, but Duqu was designed for data surveillance and other intelligence efforts rather than the disabling of industrial systems. Like Stuxnet it seemed to target Iranian computers, but Duqu did not focus on industrial or critical infrastructure. Like Stuxnet, Duqu is a complicated program as it seeks to exploit zero-day Windows kernel vulnerabilities. Additionally it uses stolen digital certificates, installs a backdoor, and captures keystrokes. When Duqu installs itself, it uses a Microsoft Word file that exploits the TrueType font parsing engine to achieve code execution.

More detailed analyses of Duqu’s operation are provided in the further reference section below.

Duqu diagram

Image source: Trend Micro

Flame

Flame was discovered in May 2012 by Kaspersky Labs. Most of the infections were in Iran, therefore it is not surprising that Flame shares characteristics with Stuxnet and Duqu (it also surfaced in Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt). Like Duqu, Flame seems designed for espionage rather than host disabling or data destruction. Flame uses a fraudulent digital certificate and spreads via USB stick, local network, or shared printer spool vulnerability and leaves a backdoor on computers. It can sniff network traffic and record audio, screenshots, Skype conversations, and keystrokes, as well as download information from other devices via Bluetooth. Flame determines which antivirus application is installed and then customizes its behaviour to minimize the probability of detection (for example, by changing the file name extensions it uses). Interestingly, Flame operators have the ability to send a “kill” command which searches for every trace of Flame on the infected host, including screenshots and data stolen by the malware, and eliminates them.

More detailed analyses of Flame’s operation are provided in the further reference section below.

Flame diagram

Image source: Thomson Reuters

Further reference

General malware

Doug Vitale Tech Blog, How to block malware with the hosts file
Esecurityplanet.com, Inside a scareware scam
Fortinet.com, Ransomware: All your drives are belong to us
Intology.com, Ransomware virus that uses 1024-bit encryption key
Knowbe4.com, Malware called Eurograbber steals 36 million Euros
Microsoft.com, Microsoft and Symantec take down Bamital botnet
Microsoft.com, Microsoft Security Intelligence Report
Microsoft.com, Microsoft Malware Protection Center Threat Report: Rootkits
Microsoft.com, Hunting down and killing ransomware
Networkworld.com, Botnet masters hide command and control server inside the Tor network
Networkworld.com, Reversible denial-of-resource cryptoviral extortion attack
TechRepublic.com, Droidpak attacks Android via compromised PCs
TechRepublic.com, Traditional antivirus software is useless against military malware
WashingtonPost.com, Agent.btz launches Operation Buckshot Yankee at U.S. CentCom
Wired.com, Slammed! An inside view of SQL Slammer

Stuxnet

Arstechnica.com, Confirmed: US and Israel created Stuxnet, lost control over it
Arstechnica.com, Stuxnet v0.5 Beta examined
Computerworld.com, Is Stuxnet the “best” malware ever?
Eset.com, In-depth analysis of Flame, Duqu, and Stuxnet mssecmgr.ocx
ForeignPolicy.com, Stuxnet’s Secret Twin
InfoSecInstitute.com, Installation, Injection, and Mitigation of the Stuxnet worm
Mediafire.com, Stuxnet source code
Networkworld.com, Siemens industrial software still full of holes
Net-Sec.org, Stuxnet was planted via infected memory stick
SCmagazine.com, Stuxnet infected Russian nuclear plant
Spectrum.ieee.org, The real story of Stuxnet
Symantec.com, W32.Stuxnet dossier (.pdf)
Wired.com, Iran: Malware sabotaged uranium centrifuges

Duqu

Arstechnica.com, Microsoft pushes out emergency fix to block Duqu zero-day exploit
Darkreading.com, Same toolkit spawned Stuxnet, Duqu, and other campaigns
Securelist.com, The mystery of Duqu framework solved
Symantec.com, Duqu: status updates including installer with zero-day exploit found
Techworld.com, Duqu Trojan written in mystery programming language

Flame

Arstechnica.com, Why antivirus companies like mine failed to catch Flame and Stuxnet
BBC.com, Flame malware makers send ‘suicide’ note
Networkworld.com, Kaspersky researcher cracks Flame malware password
Securelist.com, Back to Stuxnet: the missing link to Flame
UVA.nl, Reconstructing the Cryptanalytic Attack behind the Flame Malware (PDF; 832 KB)
Wired.com, Meet Flame, the massive spy malware infiltrating Iranian computers
ZDnet.com, Flame cyber-espionage dates back to 2006

Recommended reading

If you found the content of this article helpful and want to expand your knowledge further, please consider buying a relevant book or two using the links below. Thanks!

Practical Malware Analysis
Malware Analyst’s Cookbook
Rootkit Arsenal: Escape and Evasion
Malware Forensics Field Guide for Windows
Malware Forensics: Investigating and Analyzing Malicious Code
Malware: Fighting Malicious Code
Malware, Rootkits & Botnets: A Beginner’s Guide


Written by Doug Vitale

November 8, 2012 at 6:17 PM

Posted in Commentary
