A Flame, Duqu Test-Drive

Published: 22/11/2024   Category: security




Experiment shows how the infamous cyberespionage families can be repurposed -- with exceptions -- in other attacks



KASPERSKY SECURITY ANALYST SUMMIT 2013 -- San Juan, Puerto Rico -- The big question haunting security researchers and enterprises in the wake of the revelation of Stuxnet and the cyberespionage tools Flame and Duqu is whether those malware families can be repurposed and turned against other targets. A security researcher here today showed that it is indeed possible -- but with a few limitations.
Boldizsar Bencsath, a member of the CrySyS Lab that was instrumental in analyzing Duqu, demonstrated how he was able to inject his own proof-of-concept payload into the Duqu dropper exploit, reuse Duqu's keylogger, run Flame's Windows Update dropper to install his own malware, and reconfigure Mini-Flame to point it at his own command-and-control servers.
"My idea was that nobody has taken a look at modifying and reconfiguring Stuxnet, Duqu, Flame, and SPE and turning these things against us," Bencsath said. So he decided to go for it, with the exception of Stuxnet, which he didn't end up testing due to time constraints.
One big takeaway from his experiment was that the Flame authors may have purposely limited the scope of their malware so it could not be abused by other attackers, according to Bencsath. He built a man-in-the-middle proof-of-concept around Flame's Windows Update dropper using a Linux server, but found that the attack only works inside a local subnet, not across the Internet.
"Maybe this was intentional, and they didn't want anybody to use their tools to make even more powerful counterattacks," Bencsath said. "That's really good news."
The apparently deliberate limitation comes down to the Windows cabinet (CAB) files that Windows Update delivers for each installer being signed: Flame's dropper cannot pass off a modified package as a genuine one. "There is no way to cheat those files because they are signed, and there's no way to crack them," he said, which effectively confines the attack to a subnet.
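The practical check that follows from the point above is to refuse any update package whose Authenticode signature does not verify and chain to the expected publisher, no matter which host on the network served it. The snippet below is an added example for this article, not code from the talk or from CrySyS Lab; the download-cache path and the expected signer subject are assumptions to adjust for your environment.

```powershell
# Added example: list every .cab under a directory together with its
# Authenticode status and signer, and flag the ones that are not trustworthy.
# Path and publisher name below are assumptions, not values from the article.
function Test-SignedCabinet {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSubject = 'CN=Microsoft Corporation'   # assumption
    )
    Get-ChildItem -Path $Path -Filter '*.cab' -Recurse -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        # HashMismatch is what a tampered but originally signed file reports.
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status
            Signer  = $subject
            Trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSubject*")
        }
    }
}

# Usage: anything not Trusted must never be installed, wherever it came from.
# The path is the usual Windows Update download cache (assumption).
Test-SignedCabinet -Path 'C:\Windows\SoftwareDistribution\Download' |
    Where-Object { -not $_.Trusted } |
    Format-Table -AutoSize
```

Note that `Get-AuthenticodeSignature` checks the file's embedded signature against the local certificate store; a package that verifies as Valid but is signed by an unexpected subject is reported as not Trusted here, which is why the signer subject is compared as well as the status.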
Bencsath also found that the so-called Mini-Flame family may have been more of a backup piece of malware in case Flame were discovered.
He decided to deploy Mini-Flame (a.k.a. SPE) as the remote-control component for the infected machines in his test. But modifying Mini-Flame and standing up the C&C server required more effort than writing a similar tool from scratch would have, he said. The code was relatively limited, he said, possibly on purpose.
"Its main capability is to execute commands and to download files. It's probably mainly for installing a new version ... it has limited capabilities, so maybe it's not the best tool for espionage," he said. He believes Mini-Flame may be a fallback for Flame if Flame's C&C were taken down.
"Mini-Flame uses different C&C servers, so this makes sense," he said.
Meanwhile, Bencsath concluded that Duqu's keylogger is basically just another keylogger: "There are a large number of other solutions available on the Internet, so you don't need to use Duqu's. There is no real use to abuse the Duqu keylogger."
So what do his findings say about the potential for these malware families to be repurposed in other attacks? "I don't know what the story is or the conclusion. This [reconfiguring the malware] can be done, for sure. But how much good [it is] for the attacker would be hard to judge," he said.
"On the one hand, I successfully abused the Duqu kernel exploit and Windows Update, and, with minor modifications, I could run SPE and design a command-and-control server," he said. "And with minimal work, I could use the keylogger."
Overall, Bencsath said he spent about 100 to 150 hours on the project. "That is not too much time ... so it's easy to abuse the malware," he said.
He said another challenge in repurposing these attacks is that there are still some unknowns about the malware. "The public information misses some detail that is not published or analyzed," he said.