Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/18/2011
03:46 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Researchers: 'Precursor' To Son Of Stuxnet Spotted In The Wild

Process-control vendors, certificate authorities among those in the bull's eye for what might be prelude to a new Stuxnet attack, Symantec and McAfee say

It was only a matter of time: What might be the first stage of the next Stuxnet attack has been spotted in the wild -- and there are multiple versions of the second-generation malware in circulation, including ones that target industrial-control system vendors and certificate authorities (CAs).

Researchers at Symantec say newly discovered malware, dubbed "Duqu," shares much of the code from Stuxnet and shows that the authors had access to the source code of Stuxnet. That suggests the malware might have been developed by the same attackers who devised Stuxnet.

Meanwhile, researchers at McAfee say they have been studying a malware kit "closely related to the original Stuxnet worm" -- a.k.a. Duqu -- that wages targeted attacks against sites such as CAs and for other cyberespionage purposes, according to McAfee.

"The threat that we call 'Duqu' is based on Stuxnet and it is very similar. Only a few sites so far are known to be attacked by the code, and it does not have PLC functionality like Stuxnet. Instead, the code which is delivered via exploitation, installs drivers, and encrypted DLLs that function very similar to the original Stuxnet code. In fact, the driver’s code used for the injection attack, is very similar to Stuxnet, as well as several encryption keys, and techniques that were used in Stuxnet," McAfee researchers Guilherme Venere and Peter Szor in a blog post today.

Other security researchers say there's not enough information yet to confirm the malware is indeed Stuxnet, The Sequel. "Code-recycling is endemic to professional malware development," says Gunter Ollmann, vice president of research at Damballa. Ollman says the use of stolen certificates here for code-signing is "an interesting trend."

Vikram Thakur, principal security response manager at Symantec, says the malware contains the same code as that of Stuxnet: "It was done by the same people who did Stuxnet, or a related group who has the source code," Thakur says.

Symantec has been studying a process-control, system-related version of Duqu. But unlike Stuxnet, which was aimed at sabotaging a specific line of Siemens process-control systems in Iran's nuclear facilities, Duqu is all about reconnaissance: It attempts to siphon information, such as design documents, from industrial-control system vendors, researchers at Symantec say.

"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," Symantec researchers said in a blog post today. "Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)."

Thakur says multiple organizations have been hit by Duqu. "The majority of the samples have been manufacturers or related to industrial-control systems [industry]," Thakur says. "It's very possible for a Stuxnet 2 attack ... using this reconnaissance phase and launching what would be more aptly called Stuxnet 2."

It's not self-replicating like a worm, and Duqu could be in use against other types of organizations in different versions of the malware, according to Symantec. Symantec is also studying some newly found variants from another organization based in Europe, it says.

Security experts say Duqu appears to be the first stage of a Son of Stuxnet attack. "Duqu is essentially the precursor to a future Stuxnet-like attack," according to the Symantec blog post.

Duqu installs a keylogger, with one variant discovered around Sept. 1. But, interestingly, attacks with variants of Duqu might have been under way since December of last year, Symantec found.

"One of the variant’s driver files was signed with a valid digital certificate that expires August 2, 2012. The digital certificate belongs to a company headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011," Symantec said in its post.

That syncs with McAfee's findings. McAfee says while Stuxnet employed forged certificates from two companies from Taiwan, Duqu was signed with a key that belongs to Taipei-based Cmedia. "It is highly likely that this key, just like the previous two known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack," the McAfee researchers said in their blog post.

Duqu's command-and-control mode is via HTTP and HTTP-S to a server in India, and the attackers use some light encryption and compression to log the pilfered information they grab.

Like Stuxnet, Duqu comes with an expiration date. It automatically removes itself from the system after 36 days, and its keylogger can hide files in rootkit.

A technical analysis of Duqu is available here (PDF) from Symantec.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29741
PUBLISHED: 2021-08-02
IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a local user to exploit a vulnerability in Korn Shell (ksh) to gain root privileges. IBM X-Force ID: 201478.
CVE-2021-37840
PUBLISHED: 2021-08-02
aaPanel through 6.8.12 allows Cross-Site WebSocket Hijacking (CSWH) involving OS commands within WebSocket messages at a ws:// URL for /webssh (the victim must have configured Terminal with at least one host). Successful exploitation depends on the browser used by a potential victim (e.g., exploitat...
CVE-2021-20332
PUBLISHED: 2021-08-02
Specific MongoDB Rust Driver versions can include credentials used by the connection pool to authenticate connections in the monitoring event that is emitted when the pool is created. The user's logging infrastructure could then potentially ingest these events and unexpectedly leak the credentials. ...
CVE-2021-37160
PUBLISHED: 2021-08-02
A firmware validation issue was discovered in HMI3 Control Panel in Swisslog Healthcare Nexus Panel operated by released versions of software before Nexus Software 7.2.5.7. There is no firmware validation (e.g., cryptographic signature validation) during a File Upload for a firmware update.
CVE-2021-37161
PUBLISHED: 2021-08-02
A buffer overflow issue was discovered in the HMI3 Control Panel contained within the Swisslog Healthcare Nexus Panel, operated by released versions of software before Nexus Software 7.2.5.7. A buffer overflow allows an attacker to overwrite an internal queue data structure and can lead to remote co...