60 likes | 202 Vues
Célzott informatikai támadások napjainkban . Boldizs ár Bencsáth PhD Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics www.crysys.hu this is joint work with Gábor Pék, Levente Buttyán, Márk Félegyházi, others. Targeted Attacks.
E N D
Célzott informatikai támadások napjainkban Boldizsár Bencsáth PhD Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics www.crysys.hu this is joint work with Gábor Pék, Levente Buttyán, Márk Félegyházi, others
Targeted Attacks • Although many expected, nobody knew how the era of targeted attack, cyber warfare will start. • Hype began with Stuxnet, but maybe not the first case (Hydraq, DoS attacks, etc.) • Lot of new cases: Stuxnet, Duqu, RSA, Chemical plants, Mitsubishi Heavy Industries, water systems (Additionally: Anonymous, Lulzsec, etc..) • APT: Advanced Persistent Threat -> this definition emphasizes power of the attacker over of our inability to have control on our system • New approach is needed against APT, Targeted Attacks
What we have done in Duqu case? • Yes, we are the Lab who discovered Duqu. • We will share with you what we can but more information on the ongoing case is under NDA. Technical details are already public. • In early September, during the investigation of an incident CrySyS Lab found a suspicious executable, the reference info stealer / keylogger component of Duqu. • Later during forensics activities we identified components used for the incident. We made an initial analysis and shared our results with competent organizations.The cut-down version of our analysis was embedded into Symantec’s report as an appendix (18/Oct/2011) • We continued the analysis of Duqu and as a result we identified the dropper/installer component. After proving that it contains a 0-day vulnerability, we initiated the collaborated handling of the threat. On 01/Nov/2011 we announced the identification of the dropper file.
Duqudetector toolkit – a new way of thinking about threats like Stuxnet • The Crysys DuquDetector Toolkit was publicly released on 09/Nov/2011. • We have to go forward and get rid of signature-only approaches • Our tool tries to identify anything suspicious, even if that generates lots of false positive. • Currently the toolkit is “configured” for Duqu, but the aim is a bit more general
What’s new • Entropy based detection of strange PNF files (most important, makes it possible to detect Stuxnet and Duqu) • Suspicious files with missing counterparts (PNF without INF) • Search for data files left by keylogger/infostealer/data siphoning tools of the malware by it’s signatures (file name, magic strings) • Our tool might be able to find traces on infections even after the malware was already deleted by self-destructing logics. • This OSS/ keep it simple, stupid/ do not care about false positives mechanism might work in CI environment • We continue to work on this