Stuxnet II – Dubbed “Duqu” found in the Wild

On October 14th, Symantec was sent a sample of a Stuxnet variant from an organization in Europe.

The malware was very similar to Stuxnet, but its payload and purpose make this a new creation rather than a simple variant.

Parts of the malware are essentially Stuxnet; the code is so close that a report from F-Secure says their backend systems initially classified it as Stuxnet.

But as researchers dug into it, they found an interesting twist. This version was not created to destroy PLC equipment. This one is an electronic spy.

According to a 42-page analysis of Duqu released today, Symantec concludes that the code was written by the same authors who wrote Stuxnet, or at least by a group that had access to the Stuxnet source code. The twist is that this one is not built to sabotage industrial control equipment the way Stuxnet was; this version collects information, possibly for a follow-up attack at a later time:

“Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat has been highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.”

The design also makes it difficult to attribute the malware to a source nation. It was signed with a valid digital certificate belonging to a company in Taipei, Taiwan (since revoked), communicates over HTTP and HTTPS with a command and control server in India, encrypts data before transmission, hides its C&C traffic inside dummy .jpg picture files, and automatically removes itself after 36 days. Note what the stolen certificate buys the attacker: a driver signature check passes until the revocation actually reaches the endpoint, so a host that never consults the CRL or OCSP responder keeps trusting the file.
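The dummy-picture channel is the part of that description a defender can actually check for. The script below is an added example, not code from this post or from Symantec's report: it assumes one common way of smuggling a payload in a picture, appending it after the JPEG End-Of-Image marker, and does not reproduce Duqu's real file layout. It walks the JPEG marker segments, returns whatever follows EOI, and flags a tail that is both sizeable and high-entropy (what ciphertext looks like). The JPEG skeleton and the pseudo-random "ciphertext" it runs on are constructed inline.

```python
"""Flag JPEG files that carry extra data after the End-Of-Image marker.

Added example, not from the post or Symantec's report. It assumes a payload
appended after EOI and does not reproduce Duqu's real file layout.
"""
import hashlib
import math
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0..RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def jpeg_trailing_data(data: bytes) -> bytes:
    """Walk the marker segments and return every byte after the EOI marker.

    Raises ValueError if the input is not structurally a JPEG.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    i, n = 2, len(data)
    while i < n:
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        while i < n and data[i] == 0xFF:      # 0xFF fill bytes may precede a marker
            i += 1
        if i >= n:
            raise ValueError("truncated marker")
        marker = data[i]
        i += 1
        if marker == EOI:
            return data[i:]
        if marker in STANDALONE:
            continue
        if i + 2 > n:
            raise ValueError("truncated segment length")
        seg_len = struct.unpack(">H", data[i:i + 2])[0]   # length counts its own two bytes
        if seg_len < 2 or i + seg_len > n:
            raise ValueError("bad segment length")
        i += seg_len
        if marker == SOS:
            # Entropy-coded scan data follows; skip to the next real marker.
            # 0xFF00 is byte stuffing and 0xFFD0..0xFFD7 are restart markers; neither ends the scan.
            while i < n:
                if data[i] == 0xFF and i + 1 < n:
                    nxt = data[i + 1]
                    if nxt not in (0x00, 0xFF) and not (0xD0 <= nxt <= 0xD7):
                        break
                i += 1
    raise ValueError("no EOI marker found")


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform data."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_jpeg(data: bytes, min_trailing: int = 64, entropy_threshold: float = 7.5) -> dict:
    """Trailing-byte count, its entropy and a verdict.

    Encrypted or compressed payloads sit near 8 bits/byte; padding or plain
    metadata scores far lower, so a small or low-entropy tail is not flagged.
    """
    trailing = jpeg_trailing_data(data)
    ent = shannon_entropy(trailing)
    return {
        "trailing_bytes": len(trailing),
        "entropy": round(ent, 3),
        "suspicious": len(trailing) >= min_trailing and ent >= entropy_threshold,
    }


def build_jpeg(trailing: bytes = b"") -> bytes:
    """Constructed minimal JPEG marker skeleton (not a decodable picture) plus appended data."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"      # contains byte stuffing and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailing


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext: a SHA-256 hash chain."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


if __name__ == "__main__":
    samples = {
        "clean": build_jpeg(),
        "padded_zeros": build_jpeg(b"\x00" * 4096),
        "appended_ciphertext": build_jpeg(pseudo_random_bytes(4096)),
    }
    for name, blob in samples.items():
        print(name, classify_jpeg(blob))
```

Run it over images recovered from a proxy cache or a packet capture. A flagged file still opens as a normal picture, because viewers stop at EOI and ignore the tail, which is exactly why the trick works. A clean tail proves nothing on its own: data can also be tucked into APPn segments or the scan data itself, so treat this as one cheap filter, not a verdict.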

As this version seems to be an espionage tool, one has to wonder what is next. The author apparently wants to gather information on a target for what would seem to be future attacks. What could the future attack be?

Well, we may not need to wait long to find out: as of today Symantec has received additional variants of Duqu from another European organization. These samples have a compilation date of October 17th. Symantec has not had time to analyze the new samples yet, but this is very interesting indeed.

For more information, check out Symantec’s detailed report.

~ by D. Dieterle on October 18, 2011.

3 Responses to “Stuxnet II – Dubbed “Duqu” found in the Wild”

  1. […] Source:  https://cyberarms.wordpress.com/2011/10/18/stuxnet-ii-dubbed-duqu-found-in-the-wild/ […]

  2. Does it attack linux?

    • Very interesting point. Stuxnet was programmed to attack Windows-based systems and Siemens software. I don’t believe that it attacked Linux systems, but maybe it could pass through them. Stuxnet had to get from an unsecured network to a secured one that was air gapped. This just means that there are no connections between the two.

      The target systems were Windows based, so that is what it looked for and was programmed to attack.

      Another interesting point is that the Windows software used by Iran was most likely pirated. Iran is well known for pirating software. Oh, and then there is the fact that most Windows software cannot be legally exported to Iran:

      “In general, Microsoft products may not be exported to Cuba, Iran, North Korea, Sudan, or Syria.”

      Thanks for the comment Brad, I hope my answer helps.

      Dan
