The cousins of Stuxnet: Duqu, Flame, and Gauss

Future Internet

Volumn 4, Issue 4, 2012, Pages 971-1003

  Bencsáth, Boldizsár ^a   Pék, Gábor ^a   Buttyán, Levente ^a   Félegyházi, Márk ^a  

^a BUDAPEST UNIVERSITY OF TECHNOLOGY AND ECONOMICS   (Hungary)

Author keywords

Advanced persistent threat (APT); Cyber espionage; Cyber weapons; Targeted attacks

Indexed keywords

COMPUTER CRIME; CRYPTOGRAPHY; GAUSSIAN DISTRIBUTION;

ADVANCED INFORMATIONS; ADVANCED PERSISTENT THREAT (APT); CRYPTOGRAPHIC TECHNIQUES; CYBER ESPIONAGE; INDUSTRIAL INFRASTRUCTURE; INFORMATION COLLECTING; SYSTEM ADMINISTRATORS; TARGETED ATTACKS;

MALWARE;

EID: 84894191142     PISSN: None     EISSN: 19995903     Source Type: Journal    
DOI: 10.3390/fi4040971     Document Type: Article

References (32)

1. Falliere, N., Murchu, L.O., Chien, E. W32.Stuxnet Dossier; Symantec Security Response; Symantec: Mountain View, CA, USA, 2011.
2. Building a Cyber Secure Plant. Available online: http://www.totallyintegratedautomation.com/ 2010/09/building-a-cyber-secure-plant/ (accessed on 1 November 2012).
3. Symantec Security Response. W32.Flamer: Leveraging Microsoft Digital Certificates; Symantec: Mountain View, CA, USA, 2012. Available online: http://www.symantec.com/connect/blogs/ w32flamer-leveraging-microsoft-digital-certificates (accessed on 1 November 2012).
4. Kaspersky Lab. Gauss: Abnormal Distribution; Technical Report; Kapsersky Lab: Moscow, Russia, 2012.
5. Bencsáth, B., Pék, G., Buttyán, L., Félegyházi, M. Duqu: Analysis, Detection, and Lessons Learned. In Proceedings of the ACM European Workshop on System Security (EuroSec), Bern, Switzerland, 10 April 2012.
6. Symantec Security Response. W32.Duqu: The Precursor to the Next Stuxnet; Technical Report Version 1.0; Symantec: Mountain View, CA, USA, 2011.
7. Symantec Security Response. Duqu Status Update #1; Symantec: Mountain View, CA, USA, 2011. Available online: http://www.symantec.com/connect/blogs/duqu-status-update-1 (accessed on 1 November 2012).
8. Microsoft Security TechCenter. Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417); Microsoft Security Bulletin MS11-087; Microsoft: Redmond, WA, USA, 2011. Available online: http://technet.microsoft.com/en-us/security/bulletin/ms11-087 (accessed on 1 November 2012).
9. Duqu Detector, version 1.24; CrySyS Lab: Budapest, Hungary, 2012.
10. Bencsáth, B., Pék, G., Buttyán, L., Félegyházi, M. Duqu: A Stuxnet-Like Malware Found in the Wild; Technical Report Version 0.93; CrySyS Lab: Budapest, Hungary, 2011.
11. Symantec Security Response. W32.Duqu: The Precursor to the Next Stuxnet; Technical Report Version 1.4; Symantec: Mountain View, CA, USA, 2011.
12. Gostev, A., Soumenkov, I. Stuxnet/Duqu: The Evolution of Drivers; Technical Report, Kaspersky Lab: Moscow, Russia, 2011.
13. sKyWIper Analysis Team. sKyWIper: A Complex Malware for Targeted Attacks; Technical Report Version 1.0; CrySyS Lab: Budapest, Hungary, 2012.
14. Gostev, A. Flame: Bunny, Frog, Munch and BeetleJuice. Available online: http:// www.securelist.com/en/blog/208193538/Flame Bunny Frog Munch and BeetleJuice (accessed on 1 November 2012).
15. Sotirov, A. Analyzing the MD5 Collision in Flame. Available online: https://speakerdeck.com/ asotirov/analyzing-the-md5-collision-in-flame (accessed on 1 November 2012).
16. Santamarta, R. Inside Flame: You Say Shell32, I Say MSSECMGR. Available online: http://blog.ioactive.com/2012/06/inside-flame-you-say-shell32-i-say.html (accessed on 1 November 2012).
17. Ligh, M.H. QuickPost: Flame & Volatility. Available online: http://mnin.blogspot.hu/2012/06/ quickpost-flame-volatility.html (accessed on 1 November 2012).
18. Sotirov, A., Stevens, M., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B. MD5 considered harmful today-Creating a rogue CA certificate. Presented at 25th Chaos Communications Congress, Berlin, Germany, 30 December 2008. Available online: http://www. win.tue.nl/hashclash/rogue-ca/(accessed on 1 November 2012).
19. Stevens, M. Technical Background on the Flame Collision Attack. CWI (Centrum Wiskunde & Informatica) News, 7 June 2012. Available online: http://www.cwi.nl/news/2012/ cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware (accessed on 1 November 2012).
20. Kaspersky Lab. The Mystery of the Encrypted Gauss Payload. Available online: http://www. securelist.com/en/blog/208193781/The Mystery of the Encrypted Gauss Payload (accessed on 1 November 2012).
21. Gauss Info Collector, version 1; CrySyS Lab: Budapest, Hungary, 2012.
22. Freiling, F.C., Schwittay, B. Towards reliable rootkit detection in live response. In Proceedings of the International Conference on IT-Incidents Management and IT-Forensics (IMF), Stuttgart, Germany, 11-12 September 2007.
23. Russinowich, M., Cogswell, B. Process Monitor. Available online: http://technet.microsoft.com/ en-us/sysinternals/bb896645.aspx (accessed on 1 November 2012).
24. Russinowich, M. Process Explorer. Available online: http://technet.microsoft.com/en-us/ sysinternals/bb896653.aspx (accessed on 1 November 2012).
25. Russinowich, M., Cogswell, B. VMMap v3.11. Available online: http://technet.microsoft.com/ en-us/sysinternals/dd535533.aspx (accessed on 1 November 2012).
26. Batler, J. Virus:W32/Alman.B. Available online: http://www.f-secure.com/v-descs/fu.shtml (accessed on 1 November 2012).
27. XueTr Download Page. Available online: http://www.xuetr.com/download (accessed on 1 November 2012).
28. Provos, N., Holz, T. Virtual Honeypots: From Botnet Tracking to Intrusion Detection; Addison-Wesley Professional: Boston, MA, USA, 2007.
29. Holz, T., Raynal, F. Detecting honeypots and other suspicious environments. In Proceedings of the Sixth Annual IEEE SMC Information Assurance Workshop, West Point, NY, USA, 15-17 June 2005.
30. Microsoft Security TechCenter. Combined Security Update for Microsoft Office, Windows, .NET Framework, and Silverlight (2681578); Microsoft Security Bulletin MS12-034; Microsoft: Redmond, WA, USA, 2011. Available online: http://technet.microsoft.com/en-us/ security/bulletin/ms12-034 (accessed on 1 November 2012).
31. Riordan, J., Schneier, B. Environmental key generation towards clueless agents. In Mobile Agents and Security; Vigna, G., Ed., Springer: Heidelberg, Germany, 1999; pp. 15-24.
32. Filiol, E. Strong cryptography armoured computer viruses forbidding code analysis: The Bradley virus. In Proceedings of the 14th European Institute for Computer Antivirus Research (EICAR) Conference, Valletta, Malta, 30 April-3 May, 2005.