
Attacks/Breaches

10/20/2011 04:46 PM

'Duqu' Not After Same Target As Stuxnet, Researchers Say

New Kaspersky Lab analysis finds two distinct pieces of malware

Just what the attackers behind the newly discovered Stuxnet-like "Duqu" backdoor malware are after remains unclear, but researchers at Kaspersky Lab say it most likely isn't after Iranian nuclear facilities, as Stuxnet was.

"Unlike Stuxnet, the amount of infections is rather confined with Duqu. So the fact that we see Duqu in a few different countries basically rules out that it has the same target as Stuxnet," says Roel Schouwenberg, senior researcher at Kaspersky Lab. "Stuxnet clearly had one very specific target."

The malware, which originally was found in some unnamed European organizations and then analyzed by Symantec and McAfee, appears to be attacking industrial control-system vendors and certificate authorities (CAs), with multiple variants in circulation.

And according to Kaspersky Lab's analysis, the Duqu infections are made up of at least two malware programs, a main module and a keylogger. It's the main module that so closely resembles Stuxnet, not the keylogger, according to Kaspersky.

"The module is very similar to Stuxnet -- both in structure and in behavior. However, the name Duqu has almost no connection with it. This name is based on the names of the files that are related to a completely different malicious spy-program!" blogged Alex Gostev, Kaspersky Lab's chief malware expert, today.

The main module comprises three elements: a driver that places a DLL into system processes, the DLL that works with the command-and-control, and a configuration file, according to Kaspersky.

"The separate keylogger is like a downloaded stand-alone plug-in for the main module -- we currently assume it's downloaded by the main module," Schouwenberg says. "It's strange to name the entire threat after a plug-in, [Duqu]. The keylogger produces the ~DQ file."

Kaspersky hasn't seen the earmarks of the original Stuxnet attack, such as a clear target against PLCs, self-replication, or zero-days, he says. "So it was very easy for people to get confused. The likeness is in the internal structures."

But Kaspersky agrees with analysis by Symantec and McAfee that the latest threat could be the handiwork of the original Stuxnet attackers, or at least someone with access to the Stuxnet source code. Schouwenberg says there's no way to know for sure whether the creators of this new malware are the same ones who wrote Stuxnet, but it's likely. "It would be a huge amount of work to get to this level of similarity by reverse-engineering," he says.

Still unknown, too, is the first phase of the attack that placed Duqu onto the infected machines. "We -- like everyone else -- are looking to find the initial installer," he says. It might be that the installer used a zero-day exploit, or some self-replication function, he says.

And if it is the same authors as Stuxnet, there are hints that they might have learned a few lessons on how to better remain under the radar this time.

"Perhaps the fact that we haven't found it -- yet -- means the creators have learned. However, as this operation may still be ongoing, any extra day we don't have the installer means an easier time for the bad guys," Schouwenberg says.

Another example of an improvement over Stuxnet is the digital certificate used in the new attack, he says. "One of the drivers was signed using a stolen digital certificate from C-Media. The signing process was where the Stuxnet authors had been a bit sloppy. With Duqu, they didn't repeat that mistake. It's signed in an 'untraceable' way," Schouwenberg says. That could indicate that if it's the same attackers that were behind Stuxnet, they have learned from their mistakes, he says.
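The stolen C-Media certificate is the detail a defender can act on: a driver signed with a stolen key carries a cryptographically valid signature, so "is it signed?" is not enough of a check. The script below is an added example, not code from the article or from Kaspersky. It audits the Authenticode signatures of kernel drivers on a Windows host with the built-in Get-AuthenticodeSignature cmdlet and reports any driver that is unsigned, fails validation, or is signed by a subject on a watchlist. The watchlist itself is constructed: "C-Media" is the signer the article names, and the driver directory and everything else in the list are assumptions to be replaced with your own intelligence.

```powershell
# Added example (not from the article or Kaspersky Lab): audit kernel driver
# signatures and flag signers on a watchlist of certificates known to be stolen.
# "C-Media" comes from the article; the directory and the rest of the list are assumptions.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers",
    [string[]]$SignerWatchlist = @('C-Media')   # constructed watchlist; extend from your own intel
)

function Test-DriverSignatures {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Watchlist = @()
    )

    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName

        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        $thumb   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

        # A signature made with a stolen key validates cleanly, so a watchlist match
        # is reported even when Status is 'Valid'.
        $hit = @($Watchlist | Where-Object { $_ -and ($subject -like "*$_*") }).Count -gt 0

        [pscustomobject]@{
            Driver       = $_.Name
            Status       = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Signer       = $subject
            Thumbprint   = $thumb
            WatchlistHit = $hit
            NeedsReview  = ($sig.Status -ne 'Valid') -or $hit
        }
    }
}

# Report only what needs a human look, watchlist hits first.
Test-DriverSignatures -Path $DriverDir -Watchlist $SignerWatchlist |
    Where-Object NeedsReview |
    Sort-Object WatchlistHit -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every file in the driver directory is readable. A Status of Valid only means the certificate chain verified on this host at run time; it says nothing about whether the private key was under the legitimate owner's control when the signature was made, which is why the signer watchlist is kept as a separate check rather than folded into the validity status. Comparing the reported thumbprints against a baseline taken from a known-good build of the same image turns the one-off audit into a drift check.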

Kaspersky's analysis of Duqu is here.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
