Stuxnet was possibly the most complex attack of this decade, and we expected that similar attacks would follow in the near future. One thing is certain: recent evidence shows that the Stuxnet team is still active. McAfee Labs received a kit from an independent team of researchers. This kit is closely related to the original Stuxnet worm, but with a different goal: espionage and targeted attacks against sites such as Certificate Authorities (CAs).
How do we know it was the Stuxnet team? To start with, the attacks target CAs in regions inhabited by “Canis Aureus”, the Golden Jackal, in order to execute professional targeted attacks against sites such as CAs. The Stuxnet worm utilized two “stolen” digital certificates belonging to two companies from Taiwan, which operated in the same business district. Yet the Stuxnet-related code, named Duqu, which McAfee Labs got access to as part of an ongoing investigation, was signed with yet another key belonging to the company Cmedia, in Taipei. It is highly likely that this key, just like the two previously known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack.
The threat that we call “Duqu” is based on Stuxnet and is very similar to it. Only a few sites so far are known to have been attacked by the code, and it does not have PLC functionality like Stuxnet. Instead, the code, which is delivered via exploitation, installs drivers and encrypted DLLs that function very similarly to the original Stuxnet code. In fact, the driver code used for the injection attack is very similar to that of Stuxnet, as are several of the encryption keys and techniques that were used in Stuxnet.
Duqu is highly time-sensitive, and is controlled by an extended, encrypted configuration file. It communicates with a command server in India. This IP address has since been blacklisted at the ISP and no longer functions. Yet it was specially crafted to execute sophisticated attacks against key targets, and it has remote control functionality to install new code on the target, such as keyloggers, which can be used to further monitor all actions on systems, including running processes, window messages, and so on. Furthermore, the keylogger component also contains functionality to hide files with a user-mode rootkit.
The file names of the SYS drivers can be cmi4432.sys and jminet7.sys. They correspond to two groups of files that have similar functionality. There is a third file which implements the keylogging functions.
McAfee detects the packages (two different packages have been discovered so far) as PWS-Duqu, PWS-Duqu.dr and PWS-Duqu!rootkit.
Both SYS files have almost exactly the same code, with a few differences. The main difference is that one of them is digitally signed with a certificate belonging to C-Media Corporation, while the other is not.
Here is an example of the certificate which seemingly belongs to Cmedia Corporation:
Since the discovery of this malware, the certificate above has been revoked by VeriSign as we can see in the image below:
The purpose of the SYS file seems to be solely to decrypt and execute the primary payload DLL. Each SYS file works with a different set of files, which in turn generate different DLLs. The graph below shows the relationships found between the samples so far:
As we can see above, the method used by both SYS files is very similar. The PNF file is an encrypted DLL which is decrypted and injected into arbitrary system processes. This DLL in turn decrypts another DLL, which contains the malicious code used to hide the presence of the malware in memory.
Both groups above also contain another module called sortXXXX.nls (where each X can be any hexadecimal character), shown in red above, which seems to be responsible for the malicious activities of this malware, such as command and control communications.
The keylogger module works a little differently from the SYS files, but it also uses a module with the same name as the other components. This file is hidden using the same method as the other modules. Although the files are different, both rootkits work more or less in the same way.
Another relationship found between the keylogger and the other two modules is that both use the same decryption key for the strings stored in their data sections. The strings indicate that these modules have the capability to disable security tools, targeting specific antivirus products.
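As an added example (not code from the original post or from McAfee Labs), the following Python script hunts a directory tree for the file-name indicators described above: the two driver names cmi4432.sys and jminet7.sys, and the sortXXXX.nls module where XXXX is exactly four hexadecimal characters. The default scan path is an assumption for a Windows host; a matching name is only a lead, since the post does not give file hashes for confirmation.

```python
import os
import re

# File-name indicators from the post: two driver names and the sortXXXX.nls
# module, where XXXX is exactly four hexadecimal characters.
DRIVER_NAMES = {"cmi4432.sys", "jminet7.sys"}
NLS_PATTERN = re.compile(r"^sort[0-9a-f]{4}\.nls$", re.IGNORECASE)


def classify_name(name: str):
    """Return the indicator category a file name matches, or None.

    Matching is case-insensitive. Legitimate Windows files such as
    sortdefault.nls do not match because the pattern requires exactly
    four hex characters after "sort".
    """
    if name.lower() in DRIVER_NAMES:
        return "driver"
    if NLS_PATTERN.match(name):
        return "nls-module"
    return None


def scan_tree(root):
    """Walk a directory tree and return sorted (path, category) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            category = classify_name(fname)
            if category:
                hits.append((os.path.join(dirpath, fname), category))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    # Assumed default: the Windows system directory; pass another path to override.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for path, category in scan_tree(target):
        print(f"{category:11} {path}")
```

Run it against the system directory and any driver or PNF staging locations; a hit should be followed up by checking the file's signature and comparing it with the detection names listed earlier.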
McAfee Labs would like to advise Certificate Authorities to carefully verify whether their systems have been affected by this threat or variations of it. At the time of this blog post, McAfee Labs had also identified a likely variation of this attack at yet another site.
McAfee Labs would like to thank the independent team working on the investigation of this case for their contributions to our research.