Limitations of Anti-Virus Software: Stuxnet, Duqu, Flame and Red October

This post will be a short technical comparison of the biggest advanced persistent threats over the last 10 years; Stuxnet, Duqu, Flame and Red October.

Stuxnet

Stuxnet was spotted as early as June 2009 and this was one of the first major APT’s due to the impressive change in the complexity in comparison to traditional viruses and malware.

Stuxnet was designed specifically to attack certain types of hardware which were commonly found in the Iranian Nuclear Program to perform some specific damage. This APT was designed to slightly change the way the centrifuge spins whilst at the same time modifying the monitors to provide the illusion of everything performing correctly. Since these machines at the Iranian Nuclear Program were airgapped from the Internet, they were not directly reachable. This therefore lead the developers of Stuxnet to ensure it could propagate via USB flash drives to make each “patient zero” an unwitting carrier who can help to spread and transport the APT until it eventually reaches the target and activates.

Stuxnet utilised command and control servers to send back basic information about the infected systems. It also allowed a rootkit functionality allowing C&C to perform actions on infected devices just as the users on these devices could.

Duqu

Duqu was detected in September 2011 however some sources mention that it could have been active from as early as February 2010. Duqu was very similar to Stuxnet however instead of sabotage, Duqu was designed for espionage to collect data. It is therefore believed that this APT was
designed by the same developers who worked on Stuxnet.

Duqu remained active for 30 days before deleting itself unless commanded otherwise by the command and control server. The initial infection was via a Microsoft Word true type font parsing vulnerability (zero day). Duqu did not self-replicate unlike Stuxnet which used USB drives. Command and control servers were found and it was discovered that a custom encryption protocol involving steganography was used by attaching data to JPEG files before transferring so that this data looked harmless.

Duqu targeted specific security products by scanning for known security products then changing the payload accordingly. Duqu was primarily used as a keylogger to steal information from compromised devices. XOR encryption was used to encrypt the data.

Flame

Flame was detected in May 2010 however it is believed to have been active five to eight years before this date. Flame was very impressive due to the size – Flame was only 20 MB in size which included all components of the APT. There has been no strong connection between this and Stuxnet or Duqu. Flame was a targeted information stealing malware similar to Duqu however it was significantly more widespread. It is believed that Flame infected thousands of Windows systems mainly in the middle east. Flame not only sent back key strokes but it also sent back screenshots, intercepted email messages and used the internal microphone in devices to record conversations.

The initial injection and propagation methods are unknown however it is believed to use the same two zero-day vulnerabilities used by Stuxnet. Impressively Flame impersonated a Windows Update Server – since all updates are digitally signed, the attackers had to perform a complex cryptanalytic attack (chosen collision attack MD5) against Microsoft’s Terminal Services licencing certificate authority. This allowed the generation of arbitrary digital certificates.

The estimated cost of an APT like this is between 200,000 USD to 2 Million USD which suggests it could have been state funded. Command and control was used on more than 80 different domains which primarily utilised Ubuntu servers. Communication was performed over HTTP, HTTPS or SSH. Flame also allowed the command and control server to control the computer using a rootkit functionality.

Flame is one of the most impressive APT due to the plethora of strategies pre-programmed to beat existing security products; Flame dynamically changed the way it behaved depending on which one out of 100 security products were used. Additionally, it used the “OCX” extension which is generally not scanned in real time by antivirus engines. Flame and Duqu are similar in that XOR encryption was used to encrypt data however Flame also used the RC4 algorithm to encrypt the configuration.

Red October

The fourth APT mentioned in this paper is called Red October and unsurprisingly it was discovered in October of 2010 however it is believed to have been active since May of 2007 targeting diplomatic, governmental and scientific institutions.

Red October used a minimalistic architecture with compartmentalised modules which allowed attackers to dynamically install modules. It is believed that over 1000 modules were designed and these could be chosen by the attacker and installed on any infected device. It is because of the small size this APT went unnoticed for many years. Red October is similar to Flame and Duqu in that it was designed mainly to steal information.

This APT managed to steal information from phones and also performed a brute force attack on the SNMP protocol to gain access to network devices. New commands were parsed via Microsoft Office applications as well as PDF files which generally contained instructions from the attackers.

Red October had more than 60 command and control domains and only three of these were hardcoded into the APT. Surprisingly Red October did not offer rootkit functionality however it is possible this was an unused module. This APT used XOR encryption to encrypt the main executable file and for encoding exfiltrated data.

Summary

Anti-Virus software is currently limited due to ever-increasing methods of writing malware and obfuscation via encryption. AntiVirus software can only detect known viruses which means if a specific type of malware has been slightly changed or written in a different way (virus signature), it is likely that Anti-Virus programs will not be able to detect this as malware/virus.

I believe Anti-Virus software still has a role in protecting devices today however the main point to keep in mind is that no matter how good your security is, if what you are protecting is valuable there will always be someone who will try to attack. This therefore means your security must increase depending on what you are trying to protect.

AntiVirus software currently protect everyday users from everyday threats. Since these viruses and malware can be developed by anyone with a computer this means anyone can write a virus, including children. Commonly when these viruses are being developed the same strategies are being used which means if the AntiVirus software has a database of these different types of attacks, it would require much more ingenuity to create something that can bypass this. In 2017 Kaperspy reported a total of 1,188,728,338 attacks being repelled and 199,455,606 unique URL’s which were recognised as malicious by the AntiVirus engine.

Due to the ever-increasing threat landscape, it is likely that AntiVirus software will have to adapt to an AI approach which analyses user behavior to detect anomalous behavior rather than scanning all files in real-time.

Note: This article was written in 2019 but recently improved and published.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.