Duqu Riles ICS Security Pros
By Nancy Bartels, Managing Editor
Since July of 2010, when the process industries got a scary wake-up call about vulnerabilities in their control systems in the form of a nasty piece of computer malware called Stuxnet, one of the recurring messages coming from security experts has been that Stuxnet was only the beginning. Once the code was reverse-engineered, we could only expect more of the same from multiple sources.
Now Duqu, another piece of malware, seems to have fulfilled this prophecy. In mid-October, security systems provider Symantec announced that it had been informed by what it calls in its official blog "a research lab with strong international connections" that samples of Duqu (or, more properly, Win32.Duqu) had been found operating in systems in Europe. The company's analysts also say that it is a threat "nearly identical to Stuxnet, but with a different purpose."
Whoever wrote Duqu had access to the Stuxnet source code, but in this case, the code's purpose seems to be industrial espionage rather than to damage any operating systems. Symantec says that Duqu is designed to take intelligence data and assets from organizations, such as industrial control system manufacturers, and that the information could be used to conduct future attacks against another third party. Symantec analysts believe that the attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
Unlike Stuxnet, Duqu does not contain any code related to industrial control systems. It is what is called a RAT, or remote access Trojan. The attackers used Duqu to install another infostealer that could record keystrokes and gather other system information.
Also, unlike Stuxnet, Duqu does not self-replicate. It is configured to run for 36 days and then automatically remove itself from the infected system.
Researchers from other security firms, including F-Secure and McAfee, published their own reports that largely echoed Symantec's findings.
While this certainly isn't good news, there may be no reason to panic. Not everyone in the security business is convinced that Duqu is "Son of Stuxnet." It may be a cousin, certainly. It shares a lot of Stuxnet DNA, but the fact that it has no code related to ICSs and, unlike Stuxnet, is incapable of replicating itself leads some experts to believe that there is no need for ICS users or system vendors to take any more security precautions than they should already be taking. (Whether ICS users are indeed taking sufficient precautions is a separate question.)
The website for Langner, whose principal, Ralph Langner, cracked the Stuxnet code, contains the following terse announcement: "Please note that we don't research Duqu, as it appears to be unrelated to control systems."
Joe Weiss, ControlGlobal.com's "Unfettered" security blogger and principal at Applied Control Solutions, says he's not surprised that a Stuxnet variation has appeared. He says, "Just about everybody in the malware world is trying to reproduce this. On the one hand, that's good, because that's where everybody's looking. We're watching out for all these hackers who are trying to re-engineer this. We're more alert. God forbid they should be doing something else that we're not looking for."
As for Duqu itself, Weiss says that as of the time of our interview (within days of the Duqu announcement) he hasn't yet completely studied Symantec's detailed report on the malware, but at the moment he is not convinced that ICSs are the chief target. He says, "I don't think it's the same people. I think people are looking for Stuxnet everywhere, even where it's not. If Duqu's not attacking controllers, what's it doing? Just because they are using the Stuxnet template doesn't mean they're doing the same thing. Industrial espionage is not the same as taking over a controller."
Security system vendor Kaspersky posted the following on its website on Oct. 21.
"Though there are some overall similarities between the two worms Duqu and Stuxnet, there are also significant differences. Shortly after several variants of Duqu were found, the Kaspersky Lab experts started to track in real time infection attempts by the worm among users of the cloud-based Kaspersky Security Network. What was surprising was that during the first 24 hours only one system had been infected by the worm. Stuxnet, on the other hand, infected tens of thousands of systems all around the world; it is assumed that it had, however, a single ultimate target—industrial control systems used in Iran's nuclear programs. The ultimate target of Duqu is as yet unclear."
The Kaspersky site also points out that one of the remaining mysteries about Duqu is how it gets into systems in the first place. The site says, "The hunt for this module of Duqu continues, and it is specifically this module that will help us in finding the ultimate target of this malicious program."
That is, perhaps, the most troubling thing about Duqu. It is designed to steal information, not to damage systems per se. The question is what its users intend to do with any information they get.
Duqu Coverage in the News
To learn more about Duqu, join Symantec's Security Response researchers in the webcast "Duqu: Precursor to the Next Stuxnet."
Son of Stuxnet Found in the Wild on Systems in Europe
New Malicious Program by Creators of Stuxnet Is Suspected (The New York Times)
Spying Program Affects Industrial Sites
Son of Stuxnet
New Stuxnet-Like Code Is Discovered (The Washington Post)