Researchers: 'Precursor' To Son Of Stuxnet Spotted In The Wild

It was only a matter of time: What might be the first stage of the next Stuxnet attack has been spotted in the wild -- and there are multiple versions of the second-generation malware in circulation, including ones that target industrial-control system vendors and certificate authorities (CAs).

Researchers at Symantec say newly discovered malware, dubbed "Duqu," shares much of the code from Stuxnet and shows that the authors had access to the source code of Stuxnet. That suggests the malware might have been developed by the same attackers who devised Stuxnet.

Meanwhile, researchers at McAfee say they have been studying a malware kit "closely related to the original Stuxnet worm" -- a.k.a. Duqu -- that wages targeted attacks against sites such as CAs and for other cyberespionage purposes, according to McAfee.

"The threat that we call 'Duqu' is based on Stuxnet and it is very similar. Only a few sites so far are known to be attacked by the code, and it does not have PLC functionality like Stuxnet. Instead, the code which is delivered via exploitation, installs drivers, and encrypted DLLs that function very similar to the original Stuxnet code. In fact, the driver’s code used for the injection attack, is very similar to Stuxnet, as well as several encryption keys, and techniques that were used in Stuxnet," McAfee researchers Guilherme Venere and Peter Szor in a blog post today.

Other security researchers say there's not enough information yet to confirm the malware is indeed Stuxnet, The Sequel. "Code-recycling is endemic to professional malware development," says Gunter Ollmann, vice president of research at Damballa. Ollman says the use of stolen certificates here for code-signing is "an interesting trend."

Vikram Thakur, principal security response manager at Symantec, says the malware contains the same code as that of Stuxnet: "It was done by the same people who did Stuxnet, or a related group who has the source code," Thakur says.

Symantec has been studying a process-control, system-related version of Duqu. But unlike Stuxnet, which was aimed at sabotaging a specific line of Siemens process-control systems in Iran's nuclear facilities, Duqu is all about reconnaissance: It attempts to siphon information, such as design documents, from industrial-control system vendors, researchers at Symantec say.

"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," Symantec researchers said in a blog post today. "Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)."

Thakur says multiple organizations have been hit by Duqu. "The majority of the samples have been manufacturers or related to industrial-control systems [industry]," Thakur says. "It's very possible for a Stuxnet 2 attack ... using this reconnaissance phase and launching what would be more aptly called Stuxnet 2."

It's not self-replicating like a worm, and Duqu could be in use against other types of organizations in different versions of the malware, according to Symantec. Symantec is also studying some newly found variants from another organization based in Europe, it says.

Security experts say Duqu appears to be the first stage of a Son of Stuxnet attack. "Duqu is essentially the precursor to a future Stuxnet-like attack," according to the Symantec blog post.

Duqu installs a keylogger, with one variant discovered around Sept. 1. But, interestingly, attacks with variants of Duqu might have been under way since December of last year, Symantec found.

"One of the variant’s driver files was signed with a valid digital certificate that expires August 2, 2012. The digital certificate belongs to a company headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011," Symantec said in its post.

That syncs with McAfee's findings. McAfee says while Stuxnet employed forged certificates from two companies from Taiwan, Duqu was signed with a key that belongs to Taipei-based Cmedia. "It is highly likely that this key, just like the previous two known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack," the McAfee researchers said in their blog post.

Duqu's command-and-control mode is via HTTP and HTTP-S to a server in India, and the attackers use some light encryption and compression to log the pilfered information they grab.

Like Stuxnet, Duqu comes with an expiration date. It automatically removes itself from the system after 36 days, and its keylogger can hide files in rootkit.

A technical analysis of Duqu is available here (PDF) from Symantec.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.