Introduction to Cyber-Warfare - Proiect SEMPER FIDELIS

More documents

Recommendations

Info

OBJECT-ORIENTED MALWARE: STUXNET, DUQU, FLAME, AND GAUSS167of OOP is less common in the design of malicious software where the desire to maintain asmall footprint necessitates more traditional programming paradigms.Flame: King-Sized MalwareThere have been other pieces of malware recently discovered (in 2012) that were also createdprimarily using object-oriented code. The malware known as Flame is a large, complicatedpiece of software that was primarily identified in Iran and designed to aggressivelyharvest information from its target systems—for instance, it is known to be able to captureSkype calls as well as record audio, in addition to more conventional information theft(i.e., stealing email, password harvesting, etc.). 20 Due to the inclusion of a wide variety ofinformation-gathering tools, as well as the wide variety of distribution mechanisms (includingUSB memory sticks, printer sharing, etc. 21 ), Flame essentially is a general-purposeintelligence platform. This also results in an abnormally large footprint for malicioussoftware. When all modules are considered, Flame is 20 MB in size. 22Flame was capable of infecting other computers on local area networks. The method it usedto infect those computers has not been seen in any other malware. Traditionally, malware willattempt to copy itself to other computers on the local area network via a variety of means.Some use exploits in Windows server software to connect to remote computers, exploit them,and then infect. Others use techniques as simple as infecting executable files that are on remotecomputers and waiting for those computers to execute the infected files.Flame would use network-level tricks to impersonate Microsoft’s automatic updateservers for Windows. This kind of attack, a local man-in-the-middle attack, is always possibleand not sophisticated. The defensive countermeasure to this attack is the use of public keyinfrastructure (PKI) to verify the identity of the remote system. The authors of Flameimplemented an attack against Microsoft’s PKI infrastructure that allowed Flame to impersonateWindows Update. This attack allowed Flame to copy itself to other computers withoutusing memory corruption exploits, password guessing, or any known form of attack. 23Gauss: Malware to Monitor Financial TransactionsAnother highly advanced piece of malware that primarily uses object-oriented coding hasalso emerged in recent months (in 2012). Known as Gauss, this cyber-espionage platform isdesigned to steal as much information from the target system as possible. 24 Gauss stealssystem information—including data about the target’s local area network, the processesrunning on the target, and hardware information. It also compromises information fromthe user’s Web-browsing sessions by injecting its modules into various browsers. It is alsocapable of gathering information from social network, e-mail, and instant message accounts.Perhaps most significant, it includes routines to harvest data associated with specific Lebanesebanks—including the Bank of Beirut, Byblos Bank, and Fransabank. It is also noteworthythat the majority of Gauss infections were discovered on Lebanese systems.Like Stuxnet, Gauss also infects USB memory sticks. However, it uses the USB exploit differently.When a Gauss-infected USB drive is inserted into a computer, that system is notinfected. Rather, information is harvested off that system and stored on the memory stick.
168 8. DUQU, FLAME, GAUSS, THE NEXT GENERATION OF CYBER EXPLOITATIONAstonishingly after being used a certain number of times, a Gauss removes itself from the USBstick. Like many of the modules in Gauss, the module that infects USB drives includesencrypted portions that—at the time of this writing—perform functions unknown to commercialand academic security researchers. 25Some security researchers predicted the use of encryption by malware. Nate Lawsonauthored an analysis of Stuxnet that described it as “embarrassing, not amazing.” In this analysis,Lawson references the existence of a code protection system termed “secure triggers,” firstpublished by researchers at the University of Buenos Aires. 26 The “secure triggers” systemdefines a process by which a program can be bound to a specific computer system. 27Lawson argues that knowledge on how to construct such systems has existed in the publicdomain for many years (since 2003), and that it provides a high degree of security and protection.Lawson asserts that this system was not used in Stuxnet, but it was used in Gauss.Furthermore, he asserts that the use of this protection system in Gauss has protected it fromanalysis by Kaspersky. 28However, we should also note that some shortcoming of Stuxnet (such as its susceptibilityto reverse-engineering) may be the result of the simple fact that this malware likely is theproduct of a large organization. It is likely that the different teams working on Stuxnethad varying levels of knowledge, skill, and ability. In such a scenario, we would expectthe quality of different components of the malware to vary. The challenge for the managementteam designated to lead such a project would be to assign those with the better skill-setsto the more critical components of the project.Relationships Among Object-Oriented MalwareAs described earlier in this chapter, some security researchers, in particular those fromKaspersky Labs, believe that Stuxnet and Duqu were created by the same team of hackers.Due to the use of filenames starting with a “d” in both Stuxnet and Duqu, Kaspersky labeledthe source of these pieces of malware the “Tilded platform.” 29 Though there is some similarityin structure and function of Duqu and Flame, most security researchers regard them asdifferent platforms. Hence, Duqu is generally regarded as being less similar to Flame thanit is to Stuxnet. For instance, Kaspersky’s analysis of the Flame command and controlserver—performed using DNS sinkholing (see Chapter 7)—highlights significant differencesbetween the command and control elements of Duqu and Flame. 30 While there is some evidenceof collaboration between the creators of Flame and Stuxnet/Duqu, it appears thatthe current accepted hypothesis is that Stuxnet/Duqu constitutes one framework and Flameanother.At the time of this writing, the association of Gauss with Stuxnet, Duqu, or Flame is an issueof debate. Based on the modular design of Flame and Gauss, as well as the method in whichthey communicate to command and control servers, Kaspersky Labs has labeled Gauss as beingbased on the Flame platform. 31 However, the security firm ESET conducted a comparisonof code in Gauss to Stuxnet and to Flame. b The researchers here found that Gauss was actuallya This has been observed to be 30 times in the current Gauss samples.b The comparison was performed with the BinDiff plugin for the IDA Pro disassembler.
Page 2 and 3:
INTRODUCTION TOCYBER-WARFARE
Page 4 and 5:
INTRODUCTIONTO CYBER-WARFAREA Multi
Page 6 and 7:
ContentsPreface ixForeword xiIntrod
Page 8 and 9:
CONTENTSviiHow Real-World Dependenc
Page 10 and 11:
PrefaceSince Stuxnet emerged in 201
Page 12 and 13:
ForewordThe concept of cyber warfar
Page 14 and 15:
IntroductionIt is 2006. An American
Page 16 and 17:
INTRODUCTIONxvinfamous hacking grou
Page 18 and 19:
BiographyPaulo Shakarian, Ph.D. is
Page 20 and 21:
C H A P T E R1Cyber Warfare: Here a
Page 22 and 23:
IS CYBER WAR A CREDIBLE THREAT?3sec
Page 24 and 25:
ATTRIBUTION, DECEPTION, AND INTELLI
Page 26 and 27:
INFORMATION ASSURANCE74. Time: Temp
Page 28 and 29:
P A R T ICYBER ATTACKInformation ha
Page 30 and 31:
C H A P T E R2Political Cyber Attac
Page 32 and 33:
RUDIMENTARY BUT EFFECTIVE: DENIAL O
Page 34 and 35:
THE DIFFICULTY OF ASSIGNING BLAME:
Page 36 and 37:
ESTONIA IS HIT BY CYBER ATTACKS17FI
Page 38:
ESTONIA IS HIT BY CYBER ATTACKS19Th
Page 41 and 42:
22 2. POLITICAL CYBER ATTACK COMES
Page 43 and 44:
24 3. HOW CYBER ATTACKS AUGMENTED R
Page 45 and 46:
Page 47 and 48:
Page 49 and 50:
Page 51 and 52:
Page 53 and 54:
34 4. CYBER AND INFORMATION OPERATI
Page 55 and 56:
Page 57 and 58:
Page 59 and 60:
Page 61 and 62:
Page 63 and 64:
44 5. CYBER ATTACK AGAINST INTERNAL
Page 65 and 66:
Page 67 and 68:
Page 69 and 70:
Page 71 and 72:
Page 73 and 74:
Page 75 and 76:
Page 77 and 78:
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
68 6. CYBER ATTACKS BY NONSTATE HAC
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
100 6. CYBER ATTACKS BY NONSTATE HA
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Intentionally left as blank
Page 133 and 134:
114 7. WHY CYBER ESPIONAGE IS A KEY
Page 135 and 136: 116 7. WHY CYBER ESPIONAGE IS A KEY
Page 177 and 178: Intentionally left as blank
Page 179 and 180: 160 8. DUQU, FLAME, GAUSS, THE NEXT
Page 185: 166 8. DUQU, FLAME, GAUSS, THE NEXT
Page 191 and 192: 172 9. LOSING TRUST IN YOUR FRIENDS
Page 205 and 206: 186 10. INFORMATION THEFT ON THE TA
Page 219 and 220: 200 11. CYBER WARFARE AGAINST INDUS
Page 229 and 230: 210 12. CYBER ATTACKS AGAINST POWER
Page 237 and 238:
218 12. CYBER ATTACKS AGAINST POWER
Page 239 and 240:
Page 241 and 242:
Page 243 and 244:
224 13. ATTACKING IRANIAN NUCLEAR F
Page 245 and 246:
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
Page 257 and 258:
Page 259 and 260:
Page 261 and 262:
242 CONCLUSION AND THE FUTURE OF CY
Page 263 and 264:
Page 265 and 266:
246 APPENDIX I. CHAPTER 6: LULZSEC
Page 267 and 268:
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
258 APPENDIX II. CHAPTER 6: ANONYMO
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303 and 304:
Page 305 and 306:
Page 307 and 308:
Page 309 and 310:
Page 311 and 312:
Page 313 and 314:
Page 315 and 316:
Page 317 and 318:
Page 319 and 320:
Page 321 and 322:
Page 323 and 324:
Page 325 and 326:
Page 327 and 328:
308 GLOSSARYDDoS distributed denial
Page 329 and 330:
310 GLOSSARYNIST National Institute
Page 331 and 332:
Page 333 and 334:
314 INDEXCyber exploitation (Contin
Page 335 and 336:
316 INDEXNATO (Continued)high-level
Page 337:
318 INDEXTechnical intelligence (TE
show all

Introduction to Cyber-Warfare - Proiect SEMPER FIDELIS

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?