Researchers Believe Newly Discovered Duqu Worm is Stuxnet 2.0
By: Fahmida Y. Rashid
A new worm targeting industrial control system manufacturers has a strong resemblance to Stuxnet, leading researchers to dub it "Son of Stuxnet"
The new worm, dubbed Duqu, shares a lot of the code with Stuxnet, leading Symantec researchers to believe it was either created by the same team or by another group with access to the Stuxnet source code, Symantec researchers said in a 46-page whitepaper released Oct. 18. Unlike Stuxnet, which was designed to attack a very specific type of computer system, Duqu does not have appear to have a clear target.
Discovered a little over a year ago, Stuxnet is considered one of the most sophisticated pieces of malware ever developed. It compromised several industrial control systems at Iran's Natanz nuclear facility. Observers believe Iran's nuclear program had been set back years by the malware. Despite the fact that researchers around the world have analyzed Stuxnet, the source code is "not out there," according to Mikko Hypponen, chief research officer ofF-Secure, noting that "only the original authors have it."
"Duqu is essentially the precursor to a future Stuxnet-like attack," Symantec Security Response researchers wrote on the Symantec Connect blog. The researchers did not speculate on its origins.
Considering the time and resources required to develop tools like this, Lookingglass’ CTO Jason Lewis told eWEEK that a nation state was the likely author.
Duqu's primary purpose at the moment appears to be intelligence-gathering from industrial control system manufacturers, according to Symantec. Duqu does not interfere with the operations of the infected system, but focuses on reconnaissance. Attackers were looking for information such as design documents for supervisory control and data acquisition (SCADA) systems used to control machinery and other key operations that could be used when attacking a power plant or industrial facility. Silently monitoring computers since December 2010, Duqu's activities are most likely a precursor to a larger and more comprehensive attack.
"The key thing missing here, unlike Stuxnet, is we don't know what they are looking for," Symantec said.
At the moment, Duqu only creates a back door on infected systems and connects with a command-and-control server somewhere in India, according to Symantec. The backdoor is open precisely for 36 days, after which the malware self-destructs.
The C&C server appears to not have sent any instructions yet, Symantec said. The short 36 day lifecycle implies there is a specific target, according to Lewis.
According to McAfee's analysis of the worm, the malware installs drivers and encrypted DLLS that can act as keyloggers on the system to monitor all processes and messages. It also has no mechanism to replicate itself.
Symantec researchers saw Duqu for the first time on Oct. 14, when another firm who had been working with a victim in Europe sent the sample. Symantec researchers analyzed the sample and have since determined that industrial computers "around the globe" have already been infected. Symantec declined to name the initial victim, the security firm, or state the number of victims.
Duqu's code overlapped with Stuxnet to such an extent that F-Secure's antivirus tool initially identified the sample as Stuxnet and not as a different variant, Hypponen said on Twitter. “The code similarities between Duqu and Stuxnet are obvious,” Hypponen added on the F-Secure blog.
Duqu "is Stuxnet, retrofitted for general remote access," Bill Roth, CMO of LogLogic, told eWEEK, noting that "everything else" is the same. "Anyone surprised by the Duqu virus ought to have their head examined," he added.
McAfee researchers Guilherme Venere and Peter Szor are fairly confident that Duqu was created by the same developers responsible for Stuxnet. They based their conclusions on the fact that both viruses utilize similar encryption keys and techniques, injection code and fraudulent digital certificates which had been issued to companies in Taiwan. The digital certificate keys appear to be real, which also make the programs look legitimate.
"It is highly likely that this key, just like the previous two, known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack," Venere and Szor wrote.
McAfee Labs advised Certificate Authorities to carefully verify if their systems might have been affected by this threat or any variations.