The four amigos: Stuxnet, Flame, Gauss and DuQu

Henry Dalziel | General Hacking Posts, Latest InfoSec News | February 11, 2013

Cyber War, Cyber Crime, Cyber Armageddon: it is all we hear every single day. Not a day passes without a security scandal, intrusion, hack, etc.

Undoubtedly there are several different layers and types of attackers involved in executing persistent security threats, but for this post let’s keep it really simple and outline the two “major” areas that we at Concise identify: cyber warfare committed by sovereign nations, and attacks committed by individuals or groups operating as organized criminals or hacktivists.

Within the first group, cyber warfare, we want to outline four major security attacks that have existed in the wild for several years now: Gauss, Flame, Duqu and the notorious Stuxnet. As we shall see, they are all closely related.

A brief outline of Gauss
Bonus prize to the person who can guess who is in our image of Gauss. Answers in the comments below, please. OK, Gauss was discovered only recently (end of 2012), and the Gauss toolkit is sure scary. Gauss has been described by security researchers as a “nation-state sponsored cyber-espionage toolkit” (a quote from the mighty Kaspersky himself) designed to steal data from individuals in the Middle East, particularly Lebanon. Now that is the interesting thing, or at least one of the interesting things: Gauss, as malware, was developed for a geographical region, or perhaps better said, a geopolitical location, just like Stuxnet was. The point being that state-sponsored cyber espionage tends to share that theme of attacking specific industries and/or geopolitical areas.

So what does Gauss do? Well, essentially it steals passwords, specifically banking credentials, and browser cookies. Gauss is similar to Flame in that it is coded in a similar fashion and shares the same module structure and the same means of communication with its command and control servers. The fact that Gauss is so similar to Flame has led many security researchers to conclude that Gauss was written by the same hands that created Flame and Stuxnet. From our research, Gauss is more lethal than Stuxnet or Flame.

A brief outline of Flame
As stated above, it is believed that the same guys who made Gauss and Stuxnet are also behind Flame (also referred to in the press as Flamer and sKyWIper).

OK, so what does Flame do? Well, Flame attacks computers running the Windows operating system, mostly Windows 7 and XP from what we understand. Very similar to Gauss, the malicious program was being used for targeted cyber espionage in Middle Eastern countries. Described as the most sophisticated of our list of the four worst cyber espionage threats, Flame can replicate itself to other computers over a local network (LAN) or via USB. (Slight tangent, but do we really need USB sticks? They are a huge headache for system admins and security professionals.)

Flame is a clever program. It can sing, dance, levitate and do a whole lot more! Seriously, check this: Flame can record audio using the machine’s audio drivers, take screenshots (say cheese!), and monitor keyboard activity and network traffic. Flame was also specifically written to look out for Skype conversations, and it has the ability to turn infected machines into Bluetooth beacons, which in turn download contact information from nearby Bluetooth-enabled devices! On that subject, if Bluetooth is your thing, check out our Passive Bluetooth Monitoring in Scapy Hacker Hotshot event on February 28th with Ryan Holeman, a senior server software developer with Ziften Technologies. Ryan will show what you can do with the Bluetooth addresses that your Ubertooth dongle picked up.

Flame has infected over 1,200 machines and has been sending data back to its command and control servers for a couple of years now. Like a pack of lemmings (or whatever you call a group of lemmings), Flame has a “kill” command that wipes it from infected machines so that it dies a quiet and silent death.

A brief outline of DuQu
Kinda like the goth teenager with platform shoes and a sulky face painted in black makeup, DuQu stands out the most. In fact, it was such a different virus that security researchers had to crowdsource the question of what language it was written in! We have seen crowdsourcing within a security context a lot these days, but it is really interesting to see the power and ability of the public to solve a security riddle. The “weird” language that DuQu used to communicate with its command and control servers was in fact a particular type of C code compiled with the Microsoft Visual Studio Compiler 2008. We interviewed DuQu, who told us, quote, “Meh, so what.”

OK, now that we have covered that, what did DuQu do? Well, DuQu, like the rest, was an espionage tool. DuQu looked for information that could be useful in attacking industrial control systems and reported the sensitive data back to the mother ships.

Our research is that Gauss was sniffing about rather than causing mayhem, almost a classic embedded spy. Think of DuQu as a child of Stuxnet, since its executables seem to have been developed after Stuxnet and reuse the same Stuxnet source code. Central to DuQu was its ability to capture keystrokes and computer system and network information.

A brief outline of Stuxnet
Our old friend. With a jab in the ribs and eyes rolled up, everyone knows Stuxnet, which was first reported in 2010. Whereas Gauss was the latest malicious attack tool specifically developed by governments, Stuxnet was the first to be discovered and has become the better known since it was “first to market”. Stuxnet was designed to compromise physical hardware in Iranian nuclear facilities. Something common to all four nasties in this post is the fact that, for the most part, they all target the Middle East.

What are the basic things about Stuxnet? Well, unlike the majority of malware out there, Stuxnet was designed to do very little damage to computer systems and networks that it considered friendly. It was like a flying espionage-type drone attack: it sought out specific systems and networks. It was seeking Siemens software, amongst other things, to infect with a worm. For its designated targets, Stuxnet contained code for man-in-the-middle attacks that would penetrate all types of Windows operating systems and the Siemens PCS 7, WinCC and STEP 7 industrial software applications. Basically, it was designed to attack Iran, since their nuclear research facilities run these systems.

Last word
All these nasties are interrelated and very likely written by the same people, or at least by people with similar thinking. They all tend to target the same geographical area (the Middle East) and essentially cause the same sort of damage, apart from our friend DuQu, who seems happy just to sit in the shadows and lurk about. Let us know your thoughts. Have we missed a vital bit of information about the four bad boys of malware/cyber espionage? Perhaps we have missed one? Let us know!

Also, before I forget, if you are interested in cyber war and the like, then check out our Hacker Hotshot interviews with amazing veterans G Mark Hardy (Cyber War) and Dr Thomas Holt (Identifying Cyber Criminals).

Leave a comment or reply below... thanks!