Duqu: An Assessment of the Duqu Attack Campaign - By nEINEI  Time: 2011-09-01

1) A Word document with an embedded malformed font is used to trigger a kernel vulnerability and execute shellcode, which installs the various Duqu components.

2) Duqu was built by the same organization as Stuxnet, on a different development platform. Its main purpose is reconnaissance and information theft, aimed in particular at the confidential information of high-tech companies and at digital-signature material.

3) Our research on Stuxnet leads us to view Stuxnet as two parts: a propagation mechanism and a "warhead" responsible for the PLC attack. Duqu has a propagation mechanism and framework architecture similar to Stuxnet's, but carries no weaponized attack warhead; at any time, however, it could install an attack warhead if its operators wished to.

Symptoms

When the Trojan is executed, it creates one or more of the following files:
  %System%\drivers\jminet7.sys
  %System%\drivers\cmi4432.sys
  %System%\drivers\nfred95.sys
  %System%\drivers\nred961.sys
  %Windir%\inf\cmi4432.pnf
  %Windir%\inf\cmi4464.PNF
  %Windir%\inf\netp191.PNF

It then creates one or more of the following registry subkeys:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432

The Trojan then opens a back door allowing an attacker to gather the following information from the compromised computer:
  A list of running processes, account details, and domain information
  Drive names and other information, including those of shared drives
  Screenshots
  Network information (interfaces, routing tables, shares list, etc.)
  Keystrokes
  Open window names
  Enumerated shares
  File exploration on all drives, including removable drives
  Enumeration of computers in the domain through NetServerEnum

The Trojan then sends the information gathered to a predetermined command and control (C&C) server. It also downloads further malicious files from the C&C server.
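The file paths, service keys and sample hashes listed above can be turned directly into host-side detection logic. The following Python is an added example and is not code from the original write-up, from Symantec or from any of the referenced vendors; it matches a constructed inventory of observed files and registry keys against the Duqu indicators on this page. It assumes the usual defaults of C:\Windows for %Windir% and C:\Windows\System32 for %System%, and it drops the drive letter before comparing so that an installation on another drive still matches. The hash check is there because a renamed or relocated copy of a component misses the path check but still carries the same digest.

```python
"""Match host observations against the Duqu file, registry and hash indicators above."""
import re
from dataclasses import dataclass

# Indicators exactly as listed in the write-up above.
DUQU_FILE_PATHS = {
    r"%System%\drivers\jminet7.sys",
    r"%System%\drivers\cmi4432.sys",
    r"%System%\drivers\nfred95.sys",
    r"%System%\drivers\nred961.sys",
    r"%Windir%\inf\cmi4432.pnf",
    r"%Windir%\inf\cmi4464.PNF",
    r"%Windir%\inf\netp191.PNF",
}
DUQU_SERVICE_KEYS = {
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432",
}
# Hashes from the sample list on this page (MD5 for CMI4432.SYS, SHA-1 for the rest).
DUQU_HASHES = {
    "052e62513505a25ccfadf900a052709c": "CMI4432.SYS (MD5)",
    "192f3f7c40fa3aaa4978ebd312d96447e881a473": "CMI4432.pnf (SHA-1)",
    "f8f116901ede1ef59c05517381a3e55496b66485": "cmi4464.PNF (SHA-1)",
    "d17c6a9ed7299a8a55cd962bdb8a5a974d0cb660": "jminet7.sys (SHA-1)",
    "723c71bd7a6c1a02fa6df337c926410d0219103a": "keylogger.ex (SHA-1)",
    "3ef572cd2b3886e92d1883e53d7c8f7c1c89a4b4": "netp191.PNF (SHA-1)",
    "c4e51498693cebf6d0cf22105f30bc104370b583": "netp192.PNF (SHA-1)",
}
# Assumed default locations for the %System% / %Windir% placeholders.
PLACEHOLDER_DEFAULTS = {"%system%": r"c:\windows\system32", "%windir%": r"c:\windows"}


@dataclass(frozen=True)
class Observation:
    """One file seen on a host, with whichever digests the collector produced."""
    path: str
    sha1: str = ""
    md5: str = ""


@dataclass(frozen=True)
class Match:
    kind: str       # "path", "hash" or "registry"
    observed: str   # what was seen on the host
    indicator: str  # which Duqu indicator it hit


def _norm_path(path: str) -> str:
    """Lower-case, backslash-separate, expand placeholders and drop the drive letter."""
    p = path.strip().lower().replace("/", "\\")
    for placeholder, default in PLACEHOLDER_DEFAULTS.items():
        p = p.replace(placeholder, default)
    return re.sub(r"^[a-z]:", "", p)


def _norm_key(key: str) -> str:
    """Lower-case and expand the HKLM alias so both spellings compare equal."""
    k = key.strip().lower().replace("/", "\\")
    if k.startswith("hklm\\"):
        k = "hkey_local_machine\\" + k[len("hklm\\"):]
    return k


def match_indicators(files, registry_keys):
    """Return every path, hash or registry hit against the Duqu indicator sets."""
    path_index = {_norm_path(p): p for p in DUQU_FILE_PATHS}
    key_index = {_norm_key(k): k for k in DUQU_SERVICE_KEYS}
    matches = []
    for obs in files:
        norm = _norm_path(obs.path)
        if norm in path_index:
            matches.append(Match("path", obs.path, path_index[norm]))
        # Hash hits catch renamed or relocated copies that the path check misses.
        for digest in (obs.sha1, obs.md5):
            digest = digest.strip().lower()
            if digest and digest in DUQU_HASHES:
                matches.append(Match("hash", obs.path, DUQU_HASHES[digest]))
    for key in registry_keys:
        norm = _norm_key(key)
        if norm in key_index:
            matches.append(Match("registry", key, key_index[norm]))
    return matches


def count_by_kind(matches):
    counts = {"path": 0, "hash": 0, "registry": 0}
    for m in matches:
        counts[m.kind] += 1
    return counts


# Constructed sample inventory for the demonstration (not real host data).
SAMPLE_FILES = [
    Observation(r"C:\Windows\System32\drivers\jminet7.sys",
                sha1="D17C6A9ED7299A8A55CD962BDB8A5A974D0CB660"),
    Observation(r"D:\WINDOWS\inf\netp191.pnf",
                sha1="3ef572cd2b3886e92d1883e53d7c8f7c1c89a4b4"),
    Observation(r"C:\Users\alice\Downloads\report.docx", sha1="0" * 40),   # benign
    Observation(r"C:\Temp\renamed.bin", md5="052e62513505a25ccfadf900a052709c"),  # relocated driver
]
SAMPLE_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\JmiNET3",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip",
]

if __name__ == "__main__":
    for m in match_indicators(SAMPLE_FILES, SAMPLE_KEYS):
        print(f"{m.kind:8} {m.observed} -> {m.indicator}")
```

On a real host the inventory would come from a file-system walk plus a dump of the Services key; the matching logic stays the same. A hash-only hit (as with renamed.bin above) is the case worth alerting on separately, since it is exactly what a path-based signature would miss.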
Related sample information:
// The parent Word document is missing, because it is very sensitive; CrySyS, Kaspersky, Symantec and ESET may all be able to find this document in their earlier records.

CMI4432.SYS: 052E62513505A25CCFADF900A052709C
CMI4432.pnf: 192f3f7c40fa3aaa4978ebd312d96447e881a473
f8f116901ede1ef59c05517381a3e55496b66485  cmi4464.PNF
d17c6a9ed7299a8a55cd962bdb8a5a974d0cb660  jminet7.sys
723c71bd7a6c1a02fa6df337c926410d0219103a  keylogger.ex
3ef572cd2b3886e92d1883e53d7c8f7c1c89a4b4  netp191.PNF
c4e51498693cebf6d0cf22105f30bc104370b583  netp192.PNF

Minimal closed set of attack samples:
The original document containing the vulnerability could not be obtained;
CMI4432.SYS: 052E62513505A25CCFADF900A052709C, SIZE = 29568;
CMI4432.pnf: 192f3f7c40fa3aaa4978ebd312d96447e881a473, SIZE = 192512;

Attack capability calculation:
k = 3 (beyond the security community's awareness at the time: triggering a kernel vulnerability from a TrueType font file embedded in a Word document in order to execute and install malicious code was entirely beyond the defensive capabilities of the day)
a = 3 (no interaction)
s = 1 (mainly phishing e-mail)
m = 6 (code injection + rootkit + use of an unknown programming language + targeted infection + extremely wide-ranging espionage functionality + highly difficult and complex technical implementation)
p = 1 (attacks 1 platform)
x = 5+4 (0-day vulnerability CVE-2011-3402; stolen digital signature of C-Media Electronics)

Attack capability = (a+s+m+p)^k * (1+x)^2 + c
AT = (3 + 1 + 6 + 1)^3 * (1 + 5 + 4)^2 + (29568+192512)/1024
   = 11^3 * 10^2 + 217
   = 133100 + 217
   = 133317
   ==> 133317 * 1000/1279625 (1T attack-capability unit) = 104.184T

References:
1. https://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
2. https://arstechnica.com/information-technology/2011/10/spotted-in-iran-trojan-duqu-may-not-be-son-of-stuxnet-after-all/
3. http://www.crysys.hu/publications/files/bencsathPBF11duqu.pdf
4. https://www.syscan.org/slides/2012_EN_UnderstandingWindowsKernelFontScalerEngineVulnerability_WangYu.pdf
5. "On the Nature of Advanced Threats and Quantitative Research on Attack Capability" (论高级威胁的本质及攻击能力的量化研究) - www.vxjump.net/files/aptr/aptr.txt
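To make the attack-capability scoring above reproducible, here is an added Python example (not part of the original article or of the referenced paper) that carries the formula AT = (a+s+m+p)^k * (1+x)^2 + c through with the same parameters, recovers the page's values of 133317 and 104.184T, and also reports the score with the stolen-signature contribution removed from x (x = 5 instead of 9), which shows how heavily the model weights that one factor. The 1T divisor 1279625 and the rounding of c to whole KiB follow the page's own computation; the split into "core" and "exposure" factors is naming used here for illustration only.

```python
"""Attack-capability scoring from the write-up above, carried through for Duqu."""
from dataclasses import dataclass

TERA_UNIT = 1279625  # divisor the page uses for one "T" of attack capability


@dataclass(frozen=True)
class ThreatParams:
    k: int               # how far the attack exceeds contemporary security awareness
    a: int               # interaction required (3 = none on the page's scale)
    s: int               # delivery / spreading vector score
    m: int               # malicious-technique score
    p: int               # number of platforms attacked
    x: int               # exposure factors: 0-days, stolen certificates, etc.
    sample_sizes: tuple  # sizes in bytes of the minimal closed sample set


def score(t: ThreatParams) -> dict:
    """AT = (a+s+m+p)^k * (1+x)^2 + c, with c = total sample size in KiB, rounded."""
    core = (t.a + t.s + t.m + t.p) ** t.k   # (a+s+m+p)^k
    exposure = (1 + t.x) ** 2               # (1+x)^2
    c = round(sum(t.sample_sizes) / 1024)   # page: (29568+192512)/1024 -> 217
    at = core * exposure + c
    return {"core": core, "exposure": exposure, "c": c,
            "AT": at, "T": at * 1000 / TERA_UNIT}


def without_stolen_signature(t: ThreatParams) -> dict:
    """Same threat with the stolen-certificate term (4 on the page) removed from x."""
    return score(ThreatParams(t.k, t.a, t.s, t.m, t.p, t.x - 4, t.sample_sizes))


# Parameters exactly as assigned to Duqu on the page.
DUQU = ThreatParams(k=3, a=3, s=1, m=6, p=1, x=5 + 4, sample_sizes=(29568, 192512))

if __name__ == "__main__":
    full = score(DUQU)
    print(f"Duqu: AT = {full['AT']}  ({full['T']:.3f}T)")
    reduced = without_stolen_signature(DUQU)
    print(f"Duqu without the stolen signature: AT = {reduced['AT']}  ({reduced['T']:.3f}T)")
```

Because x enters the formula squared while c is only added, the stolen C-Media signature accounts for well over half of Duqu's score under this model; the comparison run above makes that weighting visible.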