Description: Analysis Team, Kaspersky Lab, and Vitaly Kamluk, Chief Malware Expert, Global Research & Analysis Team, Kaspersky Lab
When the Stuxnet worm was initially discovered in June 2010, it looked like yet another piece of computer malware aimed at causing damage to infected computers. However, as security companies took Stuxnet apart, there was a startling discovery that this was a one-of-a-kind cyber-weapon. In particular, Stuxnet contained a number of sub-routines designed to compromise a very specific industrial system which, according to an ISIS report (*1), was "the IR-1 centrifuges at the Fuel Enrichment Plant (FEP) at Natanz" in Iran.
By September 2011, when the Duqu Trojan was discovered by the Hungarian research lab CrySyS, it became obvious that this new malware was related to Stuxnet and might actually be the work of the same attackers. The similarities were striking, and ongoing analysis shows that Stuxnet and Duqu were both aimed at the same target -- Iran's nuclear power program. Millions of dollars were invested in the development of Stuxnet, and it did its job successfully -- destroying a large batch of IR-1 centrifuges. The purpose of Duqu, which almost certainly had funding comparable to Stuxnet's, is less clear.
From the forensics analysis we have done at Kaspersky, we can say the targets for Duqu can be split into three categories:
Certificate authorities / cryptographic providers
Industrial equipment providers and shipping networks
Research institutes and power-related organizations
Stuxnet and Duqu represent the high end of cyber weapons and the first public confirmation of an emerging cyber war. Although the identity of the attackers remains unknown, several researchers have pointed to the U.S. and Israel as the most likely authors.
To steal information, Duqu relied on a solid C&C infrastructure based on hacked CentOS Linux servers. We got the chance to analyze not one, but multiple Duqu command and control servers. In this presentation we will show:
How the attackers used the command and control servers
Which servers were used – India, Belgium, Netherlands, Vietnam, etc…
How the servers were hacked (the OpenSSH 4.3 0-day exploit?)
Mistakes made by the Duqu hackers
Unsolved mysteries related to Duqu
Costin joined Kaspersky Lab in 2000 as a leading Antivirus Researcher. Prior to becoming Director of the Global Research & Analysis Team in 2010, Costin was Head of the Romanian R&D group, overseeing research efforts in the EEMEA region. Costin specializes in malicious websites, browser security and exploits, e-banking malware, enterprise-level security and Web 2.0 threats. Costin also has a particular interest in encryption and advanced mathematics. Costin is based in Romania.
Costin has extensive experience in antivirus technologies and security research. He is a member of the Virus Bulletin Technical Advisory Board and a reporter for the Wildlist Organization International. Prior to joining Kaspersky Lab, Costin worked for GeCad as one of their Chief Researchers and as a Data Security Expert with the RAV antivirus developers group.
Vitaly joined Kaspersky Lab in 2005 as an Infrastructure Services Developer for the Antivirus lab. In 2008, he was appointed to the position of Senior Antivirus Expert before becoming Director of the EEMEA Research Center in 2009. Vitaly spent a year working in Japan as a Chief Malware Expert, leading a group of local researchers. He specializes in threats focusing on global network infrastructures, malware reverse engineering and cybercrime investigations.
Prior to joining Kaspersky Lab, Vitaly worked as a software developer and system administrator.
Vitaly is a graduate of the Belarusian State University.