Waiting For 'Son Of Stuxnet' To Attack

Duqu is considered the intel-gathering step in advance of a new attack -- but could it have been part of the original Stuxnet attack?

Now we wait for the real attack: With the intelligence-gathering Duqu malware spotted and identified by experts as based on the same code as Stuxnet, researchers are now on the lookout for signs of a subsequent attack on the target or targets.

That is, unless Duqu actually preceded Stuxnet, which some experts still wonder.

The malware, which originally was found in some unnamed European organizations and then analyzed by Symantec and McAfee, appears to be attacking industrial control-system vendors and certificate authorities (CAs), and there are multiple variants in circulation. Both Symantec and McAfee say it's likely that Duqu is the first stage of the next Stuxnet attack, specifically the reconnaissance phase. Symantec describes Duqu as a worm that opens a backdoor and downloads files on to the infected machine; it also contains a rootkit feature.

Researchers from Symantec, McAfee, and F-Secure all say whoever wrote the backdoor had their hands on Stuxnet source code. About half of the code in Duqu is the same as the code used in Stuxnet, according to Symantec.

"We compared the two threats and saw that there are a lot of similarities between the two threats. In fact, our analysis shows that 50 percent of the code in Duqu is exactly the same as code used in Stuxnet. This means that the creators of Duqu had access to the source code from Stuxnet," says Liam O Murchu, manager of operations for Symantec Security Response. "Also, Duqu uses a certificate stolen from a company in Taiwan, and Stuxnet used two stolen certificates from companies in Taiwan also, so that is another close tie between the two threats."

But what remains unclear is the actual time line: Did Stuxnet come first, or was Duqu the tool used to gather intelligence for Stuxnet?

"Stuxnet was circulating for a long time before AV vendors stumbled over an infected system and were able to piece together the attack vector. The same could apply to Duqu. The happenstance of discovery may not reflect the sequence of release by the attackers. With that in mind, it could mean that Duqu was the tool for the information-gathering necessary for the targeted Stuxnet attack. Alternatively, Duqu could be the precursor to another SCADA-type attack. Or the events could be entirely independent," says Gunter Ollmann, vice president of research at Damballa. "At the present time, there isn't enough information to arrive at a conclusion. There are lots of organization mining their historical data archives, trying to piece together a time line for the attacks."

Symantec, however, says the two Duqu variants that were discovered came after Stuxnet. "Two variants [of Duqu] were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010," according to Symantec's report on Duqu.

Stuxnet was officially spotted in the summer of 2010.

As researcher continue to nail down the timing of the events, they also are waiting for the other shoe to drop. "Duqu collects various types of information from infected systems for a future attack. It's possible we'll eventually see a new attack targeting PLC systems, based on the information gathered by Duqu," Mikko Hypponen, chief research officer at F-Secure blogged. F-Secure points to glaring similarities between Duqu's and Stuxnet's drivers: The two look so much alike that F-Secure's back-end systems detected Duqu's kernel driver as Stuxnet.

Most experts agree that a nation-state was probably behind the attack, but none will go on record and say which one or whether it again was aimed at Iran's nuclear facilities.

According to Jason Lewis, CTO at Lookingglass Cyber Solutions, the time and money required to build Stuxnet and Duqu points to a nation-state sponsor. "It was targeted. They had specific people in mind who they wanted to gather data from," Lewis says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights