Read Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon Online
Authors: Kim Zetter
Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon (40 page)
The dropper that installed Duqu in this case had been compiled in August 2007, which further confirmed that Duqu had been around for years before its discovery in Hungary. This wasn’t the only evidence supporting that early timeline, however. The researchers also found evidence that Duqu’s infostealer file had existed years earlier as well. They only stumbled upon this clue because of a mistake the attackers had made.
When Duqu’s self-destruct mechanism kicked in after thirty-six days, it was supposed to erase all traces of itself from infected machines so a victim would never know he had been hit. But the Kaspersky team discovered that when Duqu removed itself, it forgot to delete some of the temporary
files it created on machines to store the data it stole. One of these files, left behind on a machine in Iran, had been created on the machine on November 28, 2008.
Kaspersky and Symantec had always suspected that prior to Stuxnet’s assault on the centrifuges in Iran, the attackers had used an espionage tool to collect intelligence about the configuration of the Siemens PLCs. The information could have come from a mole, but now it seemed more likely that a digital spy like Duqu had been used.
It seemed plausible that the Stuxnet attackers might also have used Duqu to steal the digital signing keys and certificates from RealTek and JMicron, since this was the tool they had used against the certificate authority in Hungary.
If Duqu had indeed been in the wild infecting systems undetected since 2007, or longer, its sudden discovery in Hungary in 2011 seemed strange. Why now? Raiu wondered. He concluded that it must have been a case of hubris and a bad choice of target. After remaining stealthy for so long, the attackers grew confident that they’d never get caught. They likely considered Stuxnet’s discovery the previous year an anomaly that occurred only because the digital weapon had spread too far. But Duqu was carefully controlled and its targets handpicked, which made its discovery less likely. Except, in Hungary, the attackers finally picked the wrong target. The Hungarian certificate authority was much more security conscious than the trading companies and manufacturers Duqu had previously hit. And this was Team Duqu’s failing.
30
Though Stuxnet and Duqu shared some of the same code and
techniques, Raiu and his team ultimately concluded that they had been built by separate teams from the same base platform, a platform they dubbed “Tilde-d”—because both Stuxnet and Duqu used files with names that began with ~D.
31
In fact, Kaspersky discovered evidence that an arsenal of tools might have been built from the same platform, not just Stuxnet and Duqu. They found at least six drivers that shared characteristics and appeared to have been built on the Tilde-d platform. Two of them had been used in the known Stuxnet attacks, and a third one was the driver that had been used with Duqu.
32
But they also found three “phantom drivers” that were discovered by themselves, without any Stuxnet or Duqu files with them, making it difficult to determine if they had been used with either of these attacks or with different attacks altogether. All three of the drivers used algorithms and keys that were the same as or similar to those that the Stuxnet and Duqu drivers used, making it clear they were connected to the Tilde-d team.
The first of these was the driver that had been found in July 2010 by the Slovakian antivirus firm ESET and was signed with the JMicron certificate.
33
Because the driver was found days after the news of Stuxnet broke, everyone assumed it was related to Stuxnet, though it was not found on any system infected with Stuxnet. The driver was a hybrid of the Stuxnet and Duqu drivers, using code that was nearly identical to the Stuxnet driver and some of the same functions and techniques that the Duqu driver used. But it also used a seven-round cipher for its encryption
routine instead of the four-round cipher that Stuxnet’s driver used, making it more complex. This made Raiu and Gostev suspect it was designed for a different variant of Stuxnet or different malware altogether.
The second phantom driver was discovered when someone submitted it to VirusTotal.
34
It was compiled on January 20, 2008. It also had a seven-round cipher, suggesting that it and the JMicron driver might have been created for use with the same attack—perhaps with a different version of Stuxnet or something else altogether.
The third mystery driver was also submitted to VirusTotal, from an IP address in China on May 17, 2011, months before Duqu infected the Hungarian machines in August.
35
This driver used a four-round cipher like the Stuxnet drivers and an identical encryption key; it was also compiled the same day the Stuxnet drivers were compiled and was signed with the RealTek certificate that had been used to sign Stuxnet’s drivers, though it was signed March 18, 2010, instead of January 25, 2010, the date the Stuxnet drivers were signed. March 18 was just weeks before the attackers unleashed their April 2010 variant of Stuxnet, but for some reason they didn’t use this driver with that assault. Instead, they reused the driver from the June 2009 attack. This suggested that the third phantom driver might have been prepared for a different attack.
The burning questions for Gostev and Raiu, of course, were what attacks were the phantom drivers created for and who were their victims? Were they evidence that other undetected Stuxnet attacks had occurred prior to June 2009 or after April 2010?
It seemed the story of Stuxnet was still incomplete.
1
Jóska Bartos is a pseudonym. The company asked Bencsáth not to disclose its identity or the identities of people working for it. The description of these events comes from an interview with Bencsáth except where otherwise noted.
2
They uploaded the keylogger to VirusTotal, a free online virus tool that researchers use to detect malicious files, to see if it was known malware. VirusTotal aggregates nearly four dozen antivirus engines from multiple companies to detect malicious files. Two scanners flagged the file as suspicious, but it was unclear if it was a known keylogger or something new. It was flagged by BitDefender and AVIRA scanners. Technically it was also detected by F-Secure and G-DATA, but only because both of these scanners use BitDefender’s engine. VirusTotal is sometimes used by attackers to test their malware before unleashing it to make sure virus engines won’t detect it. But the fact that this keylogger was flagged by two of the engines suggests the attackers either hadn’t bothered to test it against these two scanners before unleashing it or they weren’t expecting their victims to be using the two engines.
3
Confirmation of the nature of the company’s business did not come from Bencsáth or his lab but was gleaned from other sources who were familiar with the breach and the victim.
4
The inoculation value that Stuxnet had used—0x19790509 (which Symantec had interpreted to be a date—May 9, 1979)—also showed up in this new attack code. In Stuxnet it had been used to prevent the worm from infecting machines that had this value in their registry, but here it was part of the encryption.
5
The Microsoft researcher, Tareq Saade, was on the list because the government CERT had already sent Microsoft a copy of the keylogger file after it was discovered, so Bencsáth thought Microsoft should see the CrySyS Lab report as well.
6
The “en/us” letters in the URL merely indicated that the man had visited a site that was localized for English-speaking readers in the United States.
7
Researchers eventually uncovered multiple versions of Duqu, with varying removal times. In some cases it removed itself after 30 days, in other versions it was 36 days. In at least one case, the researchers found a version that lasted 120 days before deletion.
8
Dugald McConnel, “Iranian Official: New Computer Worm Discovered,” CNN, April 27, 2011. Available at
cnn.com/2011/TECH/web/04/26/iran_computer_worm
.
9
After news of Duqu broke, someone on Twitter who identified himself as an Iranian malware researcher in Virginia published a tweet saying that according to investigations by Iran’s CERT, “#Duqu is upgraded version of #Stars malware.” He deleted the tweet very quickly after posting it, however, and not long afterward also deleted his entire Twitter account. It’s unclear if there was any significance to the image of the galaxies in Duqu or if the attackers had just chosen a random picture, but Bencsáth thought it might have been used as a secret signal to identify Duqu as “friendly fire.” Sometimes various intelligence branches of the same government will target the same computers. If the United States or Israel was behind Duqu, the image might have been a signal to “friendlies” who came across the keylogger on an infected machine—in the course of trying to hack it themselves—that the machine was already infected by a compatriot.
10
Some criticized Symantec’s decision to go public so quickly. A more strategic approach would have been to remain quiet while gathering more intelligence about the attack—for example, asking companies hosting the command-and-control servers for a mirror image of the servers to see what the attackers were doing on them—before signaling to the attackers that they had been caught. It was an ongoing tension that existed between investigative and forensic needs and the needs of customers, who would want to know quickly if they had been infected so they could shore up their network against other attacks and determine if the intruders had stolen anything. But the CrySyS Lab had already sent its report to someone at McAfee, a competing antivirus firm, who might go public with the news or inadvertently tip off the attackers that they’d been caught. There were other drawbacks to waiting to go public. Without widening the net of people who knew about the malware, it would be difficult to obtain other samples of Duqu that could tell them more about the attack. The malware was very targeted, infecting only a small number of victims, and every file related to Duqu that they could collect from victims gave them a little more information about the attack.
11
Symantec’s Duqu report is available at
symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
.
12
I was able to confirm the identity of the victim as NetLock from several sources not associated with the CrySyS Lab.
13
It wasn’t just security companies that responded differently this time. The government did as well. For some reason, during the many months the Symantec researchers had been analyzing Stuxnet and publishing pleas for help from PLC experts, ICS-CERT had remained distant, even though its analysts possessed the exact PLC expertise Symantec sought. A DHS official later acknowledged in an author interview that the department made a mistake in not reaching out to Symantec. This time around, ICS-CERT handled it differently and contacted Symantec to compare notes about its own findings about Duqu.
14
Microsoft’s Security Essentials program is based on Raiu’s RAV antivirus engine.
15
The attackers used a custom object-oriented C dialect known as OO-C.
16
While this component displayed masterful skills, there were other parts that were less masterful. The implementation of encryption, for example, was weak. Duqu was built like an elegant Chinese box with multiple layers of encryption to obfuscate its components and thwart detection. But the way the attackers implemented it was poorly done. One part had an encrypted configuration block that held a key to decrypt a registry; inside the registry was another key to decrypt Duqu’s main .DLL file. The design was supposed to make it hard for anyone who got hold of the .DLL to decrypt it without first obtaining the other two keys. But the programmers had undermined their security by making the keys for the registry and the .DLL identical and making the key for the configuration block 0. Once someone unlocked the configuration block, he already had the key to decrypt the main .DLL, bypassing the need for a separate registry key. Stuxnet, by contrast, had used different keys for each stage of encryption. The encryption algorithm used in Stuxnet was also a four-round cipher, while Duqu used a weaker one-round cipher. Clearly different but related teams had designed Duqu and Stuxnet, but even though both teams had strong and advanced methods of encryption at their disposal, the Duqu team hadn’t bothered to use them.
17
To accomplish this, they had to first seize control of the administrative account on an infected machine, then set up a task instructing the malware to spread via network shares.
18
Team Duqu also stored some of the scripts for controlling the operation at other locations, rather than on the command servers, so that anyone who seized control of these front-end servers couldn’t seize and examine the scripts to determine what Duqu was doing.
19
There may have been more victims over the years, but these were the only ones uncovered after Duqu was discovered. Symantec found victims in eight countries—one each in France, India, the Netherlands, Switzerland, Sudan, Vietnam, and Ukraine, and at least two in Iran. Kaspersky found eleven more infections in Iran, three in Europe, and four in Sudan. Other antivirus vendors found victims in Austria, Indonesia, and the UK.
20
Kelly Jackson Higgins, “Same Toolkit Spawned Stuxnet, Duqu, and Other Campaigns,” Dark Reading, January 3, 2012, available at
darkreading.com/advanced-threats/167901091/security/attacks-breaches/232301225/same-toolkit-spawned-stuxnet-duqu-and-other-campaigns.html
.
21
If Israel was behind Duqu, the delay might have had something to do with the fact that October 18, the date Symantec published its report, fell during the Sukkot holiday in Israel, which ran from October 13 to 19 that year. Sukkot commemorates the forty years the Israelites spent in the Sinai desert after escaping slavery in Egypt. In Israel, the first day of the festival was a work holiday. Although the remaining six days were not mandatory holidays, many Israelis took them off anyway since schools were closed. Sukkot would have concluded on the nineteenth, with workers back to work on the twentieth—including, presumably, Duqu’s server team.
22
They left behind other traces as well. The night before stories about Duqu broke, the attackers had changed Duqu’s encryption keys and recompiled their Duqu files with the new keys before pushing out the new files to infected machines. The attackers likely intended for the new version of Duqu to replace older versions on infected systems, but they didn’t count on a quirk in the Windows operating system that caused traces of the older version to remain, which researchers later found when their antivirus products scanned the systems. The attackers may have changed the encryption keys because they sensed the malware had been discovered and were trying to outrun detection. But if they suspected they had been caught, they didn’t seem to comprehend the degree to which their mission was about to be exposed, because they also released an update to extend the malware’s life-span beyond thirty-six days, as if they fully expected to continue their operation for a while undisturbed. Once the news broke and they understood that their entire operation was toast, however, they had initiated the cleanup operation to wipe all the data from their servers.
23
The dropper didn’t immediately install its malicious cargo. Instead it waited until the computer was idle at least ten minutes before springing into action. The date on the computer also had to be within an eight-day window in August or Duqu wouldn’t install its files, further evidence of the amount of caution and control the attackers maintained over their code.
24
A blogger for the Finnish antivirus firm F-Secure called it “one badass exploit.” November 2, 2011, “Duqu Attack’s Installer Discovered,” available at
f-secure.com/weblog/archives/00002263.html
.
25
Researchers saw signs of cybercriminals trying, but failing, to replicate the Duqu exploit in June 2012, eight months after Symantec published information about the vulnerability. They finally succeeded in October 2012, after which Kaspersky saw a spike in attacks using copycat versions of the exploit in December 2012. Microsoft had patched the vulnerability in December 2011, however, so attackers could use the exploit only against unpatched machines.
26
The Kaspersky researchers found something else they thought might be an Easter egg in the code. A decryption key in one version of the Duqu driver had a value—0xAE240682—that also appeared to be a date: June 24, 1982. When Raiu looked it up it turned out to be the day a famous event in aviation history occurred—the date British Airways Flight 09 hit a volcanic ash cloud en route from London to New Zealand. The plane had just taken off after a stopover in Malaysia when gritty ash spewing from Mount Galunggung choked all four of the 747’s engines, leaving it dead in the air. The pilots attempted to glide it to a landing, and as the plane descended from 37,000 to 12,000 feet, oxygen masks dropped from the ceiling. That’s when the British captain, Eric Moody, made one of the most famous understatements in the history of aviation. “Ladies and gentlemen,” he told the passengers, “this is your captain speaking. We have a small problem. All four of the engines have stopped. We are doing our damnedest to get them going again. I trust you are not in too much distress.” (See “When Volcanic Ash Stopped a Jumbo at 37,000ft,” BBC, April 15, 2010. Available at
news.bbc.co.uk/2/hi/uk_news/magazine/8622099.stm
.) The pilots managed to restart the engines after about fifteen minutes and land in Jakarta. Was it a coincidence that this seemed to be the second aviation reference after the DEADF007 reference in Stuxnet? Or were the attackers just playing with researchers now and dropping little Easter eggs in the code to keep them guessing? Or was the value in the code simply a random number with no significance?
27
Kaspersky’s Costin Raiu bought all past episodes of the Dexter show to see if there was some reason the attackers referenced it in Duqu. Only one episode seemed remotely relevant. In it, Dexter’s sister, Debra, received a marriage proposal from Det. Joey Quinn. During a discussion about the proposal with her brother, he mused that if she were to marry Quinn, her initials would be DQ.
Raiu did see one other episode that reminded him of Duqu. To confuse investigators who were hot on the serial killer’s trail, Dexter crafted a thirty-page manifesto littered with biblical references to distract them. While the investigators wasted time sifting through the meaningless document for clues, Dexter continued his killing spree. The parallels weren’t lost on Raiu, who pondered the hours he’d wasted watching the TV show for clues about Duqu.
28
The dropper file, a driver, tried to pass itself off as a graphics driver from Intel, and was responsible for loading the Duqu back door onto a victim’s machine.
29
There were two attempts to infect the victim, first on April 17, 2011, which got blocked by the victim’s Outlook spam filter, and then on April 21, which succeeded.
30
At the time it was hacked, the Hungarian company would have been doubly alert for a breach because of two other—seemingly unrelated—assaults on certificate authorities that had occurred in the previous months. In March of that year, someone breached the account of a partner company that worked with Comodo Group, a certificate authority based out of New Jersey and the UK. The hacker, who used an IP address in Iran, parlayed the access to issue himself eight fraudulent certificates for mail.google.com, login.yahoo.com, and six other domains that would allow him to impersonate these sites in a man-in-the-middle attack. Four months later, a Dutch certificate authority named DigiNotar was also hacked. The intruders in this case generated more than 200 fraudulent digital certificates for top domains owned by Google, Yahoo, and Mozilla, as well as for the websites of the Mossad, MI6, and the CIA. These intrusions put other certificate authorities on guard, and the company in Hungary had likely stepped up inspection of its network as a result.
