Symantec Corp. researchers have revealed the presence of new malware that is strikingly similar to the dangerous Stuxnet Trojan, and could be a precursor to a future Stuxnet-style attack.
Symantec Security Response researchers say Duqu (pronounced dyü-kyü), named because it creates files with the file name prefix “~DQ”, was first identified on October 14. The security vendor issued a report Tuesday outlining its analysis of Duqu (.pdf).
The Mountain View, Calif.-based vendor said parts of Duqu are nearly identical to Stuxnet,
indicating it was created by someone who has access to the Stuxnet source code.
Unlike Stuxnet, which was created to disrupt industrial control systems, Win32.Duqu was designed
to gather intelligence data and assets “in order to more easily conduct a future attack against
another third party,” Symantec said. It was recovered from computer systems in Europe and
researchers only began analyzing the malware last week.
“The attackers are looking for information such as design documents that could help them mount a
future attack on an industrial control facility,” Symantec said in its report.
Duqu Trojan infections were discovered in Europe, mainly in industrial control systems
manufacturers, said Kevin Haley, director of Symantec security technology and response. Haley said
it’s not uncommon for malware authors to reuse their code.
“Because of the amount of time and effort that went into creating the Stuxnet code, it’s not
surprising that the people behind it would try to reuse it,” Haley said. “Stuxnet was an incredibly
complex piece of code and something you would want to get your money’s worth out of.”
It’s currently unknown how the malware spreads. Researchers are scouring the Internet to find
the installer and determine how systems can be infected by the malware, Haley said.
According to additional analysis by McAfee researchers, the attacks also appear to be targeting
certificate authorities in Africa, Southeastern and Central Europe and the Middle East. McAfee
is warning CAs to analyze their systems for the malware.
Once a system is infected with Duqu, attackers install a keylogger, which records keystrokes and
seeks out additional system information. Symantec said the malware can copy lists of running
processes, account details and domain information. It can take screenshots, record network
information and explore files on all drives, including removable drives.
“In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but
details are not available in all cases,” Symantec said. Stolen data is sent to a
command-and-control (C&C) server, which, according to McAfee, has been blacklisted by the ISP
and is no longer functioning.
Two variants of the malware were recovered, and Symantec data suggests attacks using Duqu could
have been conducted as early as December 2010. Symantec said the Trojan is configured to run for 36
days and then it automatically removes itself from the infected system.
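A host-side sweep for the two concrete indicators the article gives, the “~DQ” file name prefix and the 36-day lifetime, as an added example that is not from the article or from Symantec’s report; it assumes only those two values, takes the directory root to scan from the command line, and treats hits modified within the last 36 days as the ones most worth triaging first.

```python
import os
import time
from dataclasses import dataclass
from pathlib import Path

# Indicators as described in the article: Duqu names the files it creates with
# the prefix "~DQ" and is configured to remove itself after 36 days, so recent
# hits are the ones most likely to belong to a still-active infection.
DUQU_PREFIX = "~DQ"
DUQU_LIFETIME_DAYS = 36


@dataclass
class Hit:
    path: str
    size: int
    age_days: float
    within_lifetime: bool


def find_dq_artifacts(root, now=None, lifetime_days=DUQU_LIFETIME_DAYS):
    """Walk `root` and return files whose name starts with ~DQ (case-insensitive),
    newest first, each flagged if it was modified within the lifetime window."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.upper().startswith(DUQU_PREFIX):
                continue
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            age = (now - st.st_mtime) / 86400.0
            hits.append(Hit(str(p), st.st_size, age, age <= lifetime_days))
    hits.sort(key=lambda h: h.age_days)
    return hits


def report(hits):
    """Render one line per hit; returned as a list so callers can log or check it."""
    return [f"{'RECENT' if h.within_lifetime else 'old':6} {h.age_days:7.1f}d "
            f"{h.size:8d} {h.path}" for h in hits]


if __name__ == "__main__":
    import sys
    for line in report(find_dq_artifacts(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(line)
```

A match only means the naming convention was seen; confirm any hit against the full set of indicators in Symantec’s report before treating the host as compromised.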
The short lifespan of the malware indicates it has a specific target, said Jason Lewis, chief
technology officer at Baltimore-based security software services firm Lookingglass Cyber
Solutions. Lewis, a former global network exploitation and vulnerability analyst with NSA,
said it was likely authored by a nation state, given the time and resources it takes to develop a
sophisticated piece of malware.
“It’s meant to be stealthy, so if they can’t get the data they need they’ll try something else,”
Lewis said. “Because of the time and money that goes into developing something like this, you don’t
want someone to discover it right away and then have Symantec analyze it to push out detection
signatures.”
The Stuxnet Trojan, which surfaced in 2010, was heralded by most security experts as a uniquely sophisticated piece of malware. It targeted Supervisory Control and Data Acquisition (SCADA) systems, which are used to manage power, water and sewage plants and other industrial facilities.
Stuxnet specifically sought out Siemens’ SCADA software and was designed to then inject itself
into the programmable logic controllers that automate the most critical parts of an industrial
facility’s processes. The New York Times reported in January that Stuxnet was
a joint effort by the U.S. and Israeli governments, created to take down Iran’s Natanz uranium
enrichment facility, which reports suggest it did successfully.
Article source: http://searchsecurity.techtarget.com/news/2240102018/New-Duqu-malware-shares-Stuxnet-code-similarities