Stuxnet team returns with Duqu

Stuxnet's creators have returned with a fresh piece of malware, which may be a precursor to another Stuxnet-like attack.

The team behind the most sophisticated piece of malware ever seen has returned with some fresh malicious software.

Stuxnet creators have used much of the same code for their new creation, known as Duqu, which has grabbed the attention of security researchers after an unnamed independent team detected it.

However, Duqu is not as sophisticated as Stuxnet and is not targeting the same SCADA systems used in power plants.

The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Instead, Duqu has been used to acquire information in the lead-up to another Stuxnet-esque attack in the future, researchers have suggested.

A small number of organisations have been hit, including some in the manufacturing of industrial control systems.

"The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," a blog post from Symantec read.

"Our telemetry shows the threat was highly targeted toward a limited number of organisations for their specific assets. However, it's possible that other attacks are being conducted against other organisations in a similar manner with currently undetected variants."

Attacks using Duqu could stretch back as far as December 2010. The malware has been used to download a separate information stealer onto systems. That info-stealer was able to pilfer data in a variety of ways, including keystroke logging, before sending it off to a command and control centre in India inside an encrypted file.

The malware was programmed to run for 36 days before removing itself from systems.

Stuxnet similarities

Security researchers across the board have been fairly certain Duqu was created by the same team behind Stuxnet, even though there is no direct proof.

"They had to have access to the original source code, which only the creators of Stuxnet have. There are various decompilations available online. Those would not do," Mikko Hypponen, chief research officer at F-Secure, told IT Pro.

"It's perfectly possible they [the team behind Stuxnet] did a similar information-cathering phase in 2008 or 2009 for the original Stuxnet and we just missed it."

Aside from the code similarities, Duqu's driver files are signed with certificates apparently stolen from a Taiwanese company, as were Stuxnet's.

Certificates were stolen from RealTek and JMicron in the case of Stuxnet, whereas in Duqu only one was compromised - C-Media Electronics Incorporation.

In recent cases, certificate authorities have been compromised so hackers could issue fraudulent certificates, as was seen with the now-defunct CA DigiNotar. However, the certificate used to sign Duqu appears to have been stolen somehow, even though McAfee's analysis suggested otherwise.

"Symantec has known that some of the malware files associated with the W32.Duqu threat were signed with private keys associated with a code signing certificate issued to a Symantec customer," the security giant said today.

"Symantec revoked the customer certificate in question on 14 October 2011. Our investigation into the key's usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware."

Hack map

(Source: Wikipedia)

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021
Neiman Marcus data breach hits 4.6 million customers
data breaches

Neiman Marcus data breach hits 4.6 million customers

4 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
McAfee Total Protection review: Quick, effective and affordable
antivirus

McAfee Total Protection review: Quick, effective and affordable

23 Aug 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021