Duqu Damage Will Continue in Unforeseen Ways
The Duqu worm, which Symantec calls the precursor to the next Stuxnet, has some unique features, including the ability to remove itself from a system if it loses touch with its command and control computer. It's also designed to communicate through a peer-to-peer command and control system as a way to help avoid detection. This and the ability to remove itself in 30 days or so are highly sophisticated features in what is certainly not your average piece of malware.
Now that both of the known command and control computers have been taken offline, it's not clear what will happen with Duqu. It may be that the peer-to-peer feature will eventually lead its reporting network to a new command and control computer, and it's also possible that Duqu has already accomplished what it was designed to do and will simply be allowed to quietly remove itself.
Clearly, the Duqu worm was the second shot in a war that's quietly raging in the world's networks. While we don't know who is waging the war, it's clear that these attacks are coming from somewhere that has the technology to create and now modify an extremely capable attack.
The Duqu worm's installer is concealed in a Word file. That installer can perform its basic functions and then wait for the chance to transmit the information it's gathered. However, unlike Stuxnet, it needs access to the outside world, both to reach its command and control computers and, eventually, to transmit the intelligence it's gathered.
What's also clear is that a Duqu infection can be prevented, despite its zero-day exploit. The installer is a Word document that has to come from somewhere, perhaps attached in an email, and perhaps stored on a USB memory stick. As I explained in an earlier column, all it takes is a little training to teach employees not to open strange attachments and you'll defeat it.
Meanwhile, this worm is circulating through some parts of the world, creating collateral damage along the way. Unlike a weapon that is controlled by someone responsible for the effects when it fires, this weapon, like the Stuxnet that preceded it, is simply sent out with the hope that it'll find its target and produce the required results. It's unclear whether this has happened. What is clear is that this weapon has caused plenty of other damage in the process.