CG1110-hacker
CG1110-hacker
CG1110-hacker
CG1110-hacker
CG1110-hacker

Duqu Riles ICS Security Pros

Oct. 21, 2011
Son of Stuxnet? A Close Cousin? Variations on a Theme? The Industrial Security World Works to Sort Out Yet Another Piece of Malware Aimed at Industrial Systems

Since July of 2010, when the process industries got a scary wake-up call about vulnerabilities to their control systems in the form of a nasty piece of computer malware called Stuxnet, one of recurring messages coming from security experts has been that Stuxnet was only the beginning. Once the code was reverse-engineered, we could only expect more of the same from multiple sources.

Now Duqu, another piece of malware, seems to have fulfilled this prophecy. In mid-October, security systems provider Symantec announced that it had been informed by what it calls in its official blog, "a research lab with strong international connections" that samples of Duqu (or, more properly, Win32.Duqu) had been found operating in systems in Europe. The company's analysts also say that it is a threat "nearly identical to Stuxnet, but with a different purpose." (Read more.)

Whoever wrote Duqu had access to the Stuxnet source code, but in this case, the code's purpose seems to be industrial espionage rather than to damage any operating systems. Symantec says that Duqu is designed to take intelligence data and assets from organizations, such as industrial control system manufacturers, and that the information could be used to conduct future attacks against another third party. Symantec analysts believe that the attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Unlike Stuxnet, Duqu does not contain any code related to industrial control systems. It is what is call a RAT or remote access Trojan. The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information.

Also, unlike Stuxnet, Duqu does not self-replicate. It is configured to run for 36 days and then automatically remove itself from the infected system.

Researchers from other security firms, including F-Secure and McAfee, published their own reports that largely echoed Symantec's findings.

Don't Panic

While certainly this isn't good news, there may be no reason to panic. Not everyone in the security business is convinced that Duqu is "Son of Stuxnet." It may be a cousin, certainly. It shares a lot of Stuxnet DNA, but the fact that it has no code related to ICSs and is incapable of replicating itself, unlike Stuxnet, lead some experts to believe that there is no need for ICS users or system vendors do take any more security precautions than they should be already taking. (Whether ICS users are indeed taking sufficient precautions is separate question.)

The website for Langner, whose principal, Ralph Langner, cracked the Stuxnet code, contains the following terse announcement. "Please note that we don't research Duqu, as it appears to be unrelated to control systems."

Joe Weiss, ControlGlobal.com's "Unfettered" security blogger and principal at Applied Control Solutions, says he's not surprised that a Stuxnet variation has appeared. He says, "Just about everybody in the malware world is trying to reproduce this.  On the one hand, that's good, because that's where everybody's looking. We're watching out for all these hackers who are trying to re-engineer this. We're more alert. God forbid they should be doing something else that we're not looking for."

As for Duqu itself, Weiss says that as of the time of our interview (within days of the Duqu announcement) he hasn't yet completely studied Symantec's detailed report on the malware, but at the moment he is not convinced that ICSs are the chief target. He says, "I don't think it's the same people. I think people are looking for Stuxnet everywhere, even where it's not. If Duqu's not attacking controllers, what's it doing? Just because they are using the Stuxnet template doesn't mean they're doing the same thing. Industrial espionage is not the same as taking over a controller."

Security system vendor Kaspersky posted the following on its website on Oct. 21.
"Though there are some overall similarities between the two worms Duqu and Stuxnet, there are also significant differences. Shortly after several variants of Duqu were found, the Kaspersky Lab experts started to track in real time infection attempts by the worm among users of the cloud-based Kaspersky Security Network. What was surprising was that during the first 24 hours only one system had been infected by the worm. Stuxnet, on the other hand, infected tens of thousands of systems all around the world; it is assumed that it had, however, a single ultimate target—industrial control systems used in Iran's nuclear programs. The ultimate target of Duqu is as yet unclear."

The Kaspersky site also points out that one of the remaining mysteries about Duqu is how it gets into systems in the first place. The site says, "The hunt for this module of Duqu continues, and it is specifically this module that will help us in finding the ultimate target of this malicious program."

That is, perhaps, the most troubling thing about Duqu. It is designed to steal information, not damage systems per se. The question is what do its users intend to do with any information they get?

Duqu Coverage in the News

To learn more about Duqu join Symantec’s security response researchers in the webcast “Duqu: Precursor to the Next Stuxnet” and learn more about this intriguing new malware.

Son of Stuxnet Found in the Wild on Systems in Europe
Wired Magazine

New Malicious Program by Creators of Stuxnet Is Suspected
The New York Times

Researchers Warn of New Stuxnet Worm
BBC News

Stuxnet-Derived Malware Found Infecting SCADA Makers
The Register

Spying Program Affects Industrial Sites
Financial Times

Son of Stuxnet
Forbes

New Stuxnet-Like Code Is Discovered
The Washington Post