Printed from https://ideas.repec.org/a/gam/jftint/v4y2012i4p971-1003d21217.html

The Cousins of Stuxnet: Duqu, Flame, and Gauss

Author

Listed:
  • Boldizsár Bencsáth

    (Laboratory of Cryptography and System Security (CrySyS Lab), Department of Telecommunications, Budapest University of Technology and Economics, Magyar tudósok krt 2, 1521 Budapest, Hungary)

  • Gábor Pék

    (Laboratory of Cryptography and System Security (CrySyS Lab), Department of Telecommunications, Budapest University of Technology and Economics, Magyar tudósok krt 2, 1521 Budapest, Hungary)

  • Levente Buttyán

    (Laboratory of Cryptography and System Security (CrySyS Lab), Department of Telecommunications, Budapest University of Technology and Economics, Magyar tudósok krt 2, 1521 Budapest, Hungary;
    Information Systems Research Group, Budapest University of Technology and Economics, Magyar tudósok krt 2, 1117 Budapest, Hungary)

  • Márk Félegyházi

    (Laboratory of Cryptography and System Security (CrySyS Lab), Department of Telecommunications, Budapest University of Technology and Economics, Magyar tudósok krt 2, 1521 Budapest, Hungary)

Abstract

Stuxnet was the first targeted malware that received worldwide attention for causing physical damage in an industrial infrastructure seemingly isolated from the online world. Stuxnet was a powerful targeted cyber-attack, and soon other malware samples were discovered that belong to this family. In this paper, we will first present our analysis of Duqu, an information-collecting malware sharing striking similarities with Stuxnet. We describe our contributions in the investigation, ranging from the original detection of Duqu via finding the dropper file to the design of a Duqu detector toolkit. We then continue with the analysis of the Flame advanced information-gathering malware. Flame is unique in the sense that it used advanced cryptographic techniques to masquerade as a legitimate proxy for the Windows Update service. We also present the newest member of the family, called Gauss, whose unique feature is that one of its modules is encrypted such that it can only be decrypted on its target system; hence, the research community has not yet been able to analyze this module. For this particular malware, we designed a Gauss detector service, and we are currently collecting intelligence information to be able to break its very special encryption mechanism. Besides explaining the operation of these pieces of malware, we also examine if and how they could have been detected by vigilant system administrators, manually or in a semi-automated manner using available tools. Finally, we discuss lessons that the community can learn from these incidents. We focus on technical issues, and avoid speculations on the origin of these threats and other geopolitical questions.

Suggested Citation

  • Boldizsár Bencsáth & Gábor Pék & Levente Buttyán & Márk Félegyházi, 2012. "The Cousins of Stuxnet: Duqu, Flame, and Gauss," Future Internet, MDPI, vol. 4(4), pages 1-33, November.
  • Handle: RePEc:gam:jftint:v:4:y:2012:i:4:p:971-1003:d:21217

    Download full text from publisher

    File URL: https://www.mdpi.com/1999-5903/4/4/971/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/1999-5903/4/4/971/
    Download Restriction: no

    Citations

    Cited by:

    1. Mohd Nor Akmal Khalid & Amjed Ahmed Al-Kadhimi & Manmeet Mahinderjit Singh, 2023. "Recent Developments in Game-Theory Approaches for the Detection and Defense against Advanced Persistent Threats (APTs): A Systematic Review," Mathematics, MDPI, vol. 11(6), pages 1-34, March.
    2. Kumar, Rajesh & Kela, Rohan & Singh, Siddhant & Trujillo-Rasua, Rolando, 2022. "APT attacks on industrial control systems: A tale of three incidents," International Journal of Critical Infrastructure Protection, Elsevier, vol. 37(C).
    3. Rudra P. Baksi & Shambhu J. Upadhyaya, 2021. "Decepticon: a Theoretical Framework to Counter Advanced Persistent Threats," Information Systems Frontiers, Springer, vol. 23(4), pages 897-913, August.
