The cousins of Stuxnet: Duqu, Flame, and Gauss

Boldizsár Bencsáth, Gábor Pék, Levente Buttyán, Márk Félegyházi

Research output: Contribution to journal › Article

96 Citations (Scopus)

Abstract

Stuxnet was the first targeted malware that received worldwide attention for causing physical damage in an industrial infrastructure seemingly isolated from the online world. Stuxnet was a powerful targeted cyber-attack, and soon other malware samples were discovered that belong to this family. In this paper, we will first present our analysis of Duqu, an information-collecting malware sharing striking similarities with Stuxnet. We describe our contributions in the investigation ranging from the original detection of Duqu via finding the dropper file to the design of a Duqu detector toolkit. We then continue with the analysis of the Flame advanced information-gathering malware. Flame is unique in the sense that it used advanced cryptographic techniques to masquerade as a legitimate proxy for the Windows Update service. We also present the newest member of the family, called Gauss, whose unique feature is that one of its modules is encrypted such that it can only be decrypted on its target system; hence, the research community has not yet been able to analyze this module. For this particular malware, we designed a Gauss detector service and we are currently collecting intelligence information to be able to break its very special encryption mechanism. Besides explaining the operation of these pieces of malware, we also examine if and how they could have been detected by vigilant system administrators manually or in a semi-automated manner using available tools. Finally, we discuss lessons that the community can learn from these incidents. We focus on technical issues, and avoid speculations on the origin of these threats and other geopolitical questions.

Original language: English
Pages (from-to): 971-1003
Number of pages: 33
Journal: Future Internet
Volume: 4
Issue number: 4
DOIs: 10.3390/fi4040971
Publication status: Published - 2012

Keywords

  • Advanced persistent threat (APT)
  • Cyber espionage
  • Cyber weapons
  • Targeted attacks

ASJC Scopus subject areas

  • Computer Networks and Communications


Cite this

Bencsáth, B., Pék, G., Buttyán, L., & Félegyházi, M. (2012). The cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet, 4(4), 971-1003. https://doi.org/10.3390/fi4040971