Vulnerabilities / Threats
03:46 PM
Connect Directly
Repost This

Researchers: 'Precursor' To Son Of Stuxnet Spotted In The Wild

Process-control vendors, certificate authorities among those in the bull's eye for what might be prelude to a new Stuxnet attack, Symantec and McAfee say

It was only a matter of time: What might be the first stage of the next Stuxnet attack has been spotted in the wild -- and there are multiple versions of the second-generation malware in circulation, including ones that target industrial-control system vendors and certificate authorities (CAs).

Researchers at Symantec say newly discovered malware, dubbed "Duqu," shares much of the code from Stuxnet and shows that the authors had access to the source code of Stuxnet. That suggests the malware might have been developed by the same attackers who devised Stuxnet.

Meanwhile, researchers at McAfee say they have been studying a malware kit "closely related to the original Stuxnet worm" -- a.k.a. Duqu -- that wages targeted attacks against sites such as CAs and for other cyberespionage purposes, according to McAfee.

"The threat that we call 'Duqu' is based on Stuxnet and it is very similar. Only a few sites so far are known to be attacked by the code, and it does not have PLC functionality like Stuxnet. Instead, the code which is delivered via exploitation, installs drivers, and encrypted DLLs that function very similar to the original Stuxnet code. In fact, the driver’s code used for the injection attack, is very similar to Stuxnet, as well as several encryption keys, and techniques that were used in Stuxnet," McAfee researchers Guilherme Venere and Peter Szor in a blog post today.

Other security researchers say there's not enough information yet to confirm the malware is indeed Stuxnet, The Sequel. "Code-recycling is endemic to professional malware development," says Gunter Ollmann, vice president of research at Damballa. Ollman says the use of stolen certificates here for code-signing is "an interesting trend."

Vikram Thakur, principal security response manager at Symantec, says the malware contains the same code as that of Stuxnet: "It was done by the same people who did Stuxnet, or a related group who has the source code," Thakur says.

Symantec has been studying a process-control, system-related version of Duqu. But unlike Stuxnet, which was aimed at sabotaging a specific line of Siemens process-control systems in Iran's nuclear facilities, Duqu is all about reconnaissance: It attempts to siphon information, such as design documents, from industrial-control system vendors, researchers at Symantec say.

"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," Symantec researchers said in a blog post today. "Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)."

Thakur says multiple organizations have been hit by Duqu. "The majority of the samples have been manufacturers or related to industrial-control systems [industry]," Thakur says. "It's very possible for a Stuxnet 2 attack ... using this reconnaissance phase and launching what would be more aptly called Stuxnet 2."

It's not self-replicating like a worm, and Duqu could be in use against other types of organizations in different versions of the malware, according to Symantec. Symantec is also studying some newly found variants from another organization based in Europe, it says.

Security experts say Duqu appears to be the first stage of a Son of Stuxnet attack. "Duqu is essentially the precursor to a future Stuxnet-like attack," according to the Symantec blog post.

Duqu installs a keylogger, with one variant discovered around Sept. 1. But, interestingly, attacks with variants of Duqu might have been under way since December of last year, Symantec found.

"One of the variant’s driver files was signed with a valid digital certificate that expires August 2, 2012. The digital certificate belongs to a company headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011," Symantec said in its post.

That syncs with McAfee's findings. McAfee says while Stuxnet employed forged certificates from two companies from Taiwan, Duqu was signed with a key that belongs to Taipei-based Cmedia. "It is highly likely that this key, just like the previous two known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack," the McAfee researchers said in their blog post.

Duqu's command-and-control mode is via HTTP and HTTP-S to a server in India, and the attackers use some light encryption and compression to log the pilfered information they grab.

Like Stuxnet, Duqu comes with an expiration date. It automatically removes itself from the system after 36 days, and its keylogger can hide files in rootkit.

A technical analysis of Duqu is available here (PDF) from Symantec.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web