As with the original Stuxnet code, Symantec has published an in-depth report on the malware, which bears a strong similarity to the original and may have been developed using the Stuxnet source code.
According to the report, Duqu – which comes in 300 kilobytes of code versus 500Kb seen in Stuxnet – could be a precursor to the “next Stuxnet” and, while it is similar to the original malware, it appears to have a different purpose, namely the gathering of intelligence on industrial control systems.
Symantec also reported that multiple variants of Duqu have also been discovered, and asserted that its primary purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party.
“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility. Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)”, said Symantec, adding that the code does not self-replicate.
“Our telemetry shows the threat has been highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants”, added the vendor.
Like Stuxnet, Duqu reportedly hides itself as legitimate code using a driver file signed with a valid digital certificate, which Symantec says belongs to a company based in Taipei, Taiwan. While Symantec has declined to identify the company, fellow IT security vendor F-Secure claims the firm is C-Media Electronics.
The Wired newswire quoted the lead author of the Symantec report, Liam O Murchu. as saying that, when he and his team talked about Stuxnet before, they expected there was another component of Stuxnet that was gathering information about how a plant was laid out.
“But we had never seen a component like that [in Stuxnet]. This may be that component”, he told the newswire, adding that the Duqu appears to have been operative for at least a year.
“Based on the dates the binary files were compiled, Symantec says attacks using the malware may have been conducted as early as December 2010, about five months after Stuxnet was discovered, and about 18 months after Stuxnet was believed to have first been launched on computers in Iran”, the newswire noted.
“The real surprising thing for us is that these guys are still operating,” Murchu told Kim Zetter, a reporter with Wired.
“We thought these guys would be gone after all the publicity around Stuxnet. That’s clearly not the case. They’ve clearly been operating over the last year. It’s quite likely that the information they are gathering is going to be used for a new attack. We were just utterly shocked when we found this.”
Commenting on the discovery of Duqu and its variants, Bill Roth, executive vice president with LogLogic, said that the worm appears to be logging keystrokes and using encryption assets to encrypt and extract payloads.
He said that anyone who is surprised by the appearance of the Duqu virus ought to have their head examined and that the malware is Stuxnet, retro-fitted for general remote access.
“The infection model and just about everything else is the same; just no need for a nuclear centrifuge this time”, he said, adding that organizations that have a solid logging infrastructure on their network would clearly notice connections to an unknown, foreign host.
“This would be a dead giveaway that you have been hacked. People who do not monitor their networks with a log management infrastructure, are like the homeowner who buys fake surveillance cameras for their house… and still gets ripped off. CAs are clearly not taking their own security seriously”, he explained.