Stuxnet Sibling Duqu Slinks Into Industrial Systems

Malware that appears to be similar to the highly toxic Stuxnet worm was made public Tuesday by security firm Symantec.

Duqu, named for the “~DQ” file names it creates, appears to work as a remote access data-collecting program that uses some of the same infecting techniques as Stuxnet, the malware discovered about a year ago infiltrating global computer systems, particularly in Iran.

The extent of Stuxnet’s damage isn’t entirely known, but some researchers argue it was the most malicious and advanced bit of malware to date. Affecting tens of thousands of systems across 155 countries, it was able to damage technical infrastructure and perhaps gather valuable intelligence information about Iran’s nuclear program.

Perhaps most alarmingly, Stuxnet was found to be a program designed to destroy Siemens Corporation computers used in uranium enrichment at Iran’s Natanz nuclear facility. It is suspected that a team of Americans and Israelis, backed by their respective governments, designed the malware.

In the research paper detailing Duqu, Symantec said “research lab with strong international connections” had pointed the malware out to the company on Oct. 14. Symantec didn’t provide any more specifics.

Duqu Wants Info

Symantec warned that Duqu and Stuxnet are nearly identical threats. Duqu appears to be written by the same authors, or at least someone with access to the Stuxnet source code. Duqu’s aim, though, is different.

Stuxnet is a worm built to destroy. Duqu is more of an information gatherer. The virus is attempting to steal data from manufacturers of industrial control systems. It collects information from systems such as power plants, water treatment facilities and chemical plants. Duqu looks especially for design documents using keystroke loggers and network enumerators, making it more of a precursor to Stuxnet rather than the next Stuxnet.

“If you look at what Duqu is actually doing, it’s just a simple command and control. It gives an attacker remote access to whichever machine … There is nothing in there specifically targeting industrial controls. Instead, you could get on a machine and it would allow the attacker to do different functions such as log keystrokes and download files,” Chris Lytle, security researcer at Veracode, told TechNewsWorld.

Presumably, the information would then be used to design a highly targeted and controlled cyberattack against that infrastructure.

“These design documents could provide information needed for targeting other industrial control or SCADA components similar to the original Stuxnet attack,” Mike Geide, security researcher for ThreatLabZ, the research arm of Zscaler, told TechNewsWorld.

Duqu attempts to hide under a veil of authenticity much like Stuxnet — by using a stolen digital certificate. Duqu took its from a Taipei, Taiwan-based company that Symantec declined to name. Since Symantec owns the VeriSign authentication service that controlled that certificate, it was able to revoke its security privileges.

“This provides additional presumed legitimacy of the malicious binary. Allegedly the private key used for signing Duqu was stolen — meaning that prior attacks were conducted to carry out this malware release,” said Geide.

Based on the dates of the binary files, the malware appears to have been in place for at least a year. Symantec said the attacks look to have been launched starting in December 2010, about a year and a half after Stuxnet is thought to have first infiltrated Iranian computers.

Threat Level

There is little information about Duqu’s influence so far. It’s supposedly been used to infiltrate European manufacturers, and it has been rebuffed at least once.

“The Duqu samples detailed by researchers provide remote access to infected systems. This remote access is leveraged to install additional gathering payloads — with the target of these attacks allegedly being design documents from one or more industrial control system manufacturers within Europe,” said Geide.

It’s unclear how best to combat Duqu and how real the threat is to manufacturers of industrial control systems.

“Based solely on this attack and report, it’s hard to say how big the threat is. We don’t know a lot of key points such as transmission vectors or how it was installed. That being said, any time you have an industrial control system, even one that’s unconnected to the Internet, infection and manipulation are a very large concern that should not be taken lightly,” said Lytle.

One issue baffling researchers is that Duqu cannot replicate on its own. Instead, it is configured to run for 36 days, then removes itself from the infected system. But it’s unknown whether the installer that keeps the virus going after that is self-replicating, or how the malware was originally delivered to systems. Stuxnet used a zero-day vulnerability to be able to spread via an infected USB stick, but the Duqu installer is still unknown.

Researchers warned this level of uncertainty is an indication the malware is extremely complex and advanced.

“The important thing is we have industrial controllers being targeted by someone. The threat is there and the intent is there. We don’t know what they intend to do but wherever someone is gaining control there is very much a concern,” said Lytle.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels