A new worm targeting industrial control system manufacturers has a strong resemblance to Stuxnet, leading researchers to dub it "Son of Stuxnet."
Symantec researchers have
discovered a new worm in the wild that has the potential to attack and cripple
industrial control systems, much like Stuxnet did.
worm, dubbed Duqu
, shares a lot of the code with Stuxnet, leading Symantec
researchers to believe it was either created by the same team or by another
group with access to the Stuxnet source code, Symantec researchers said in a
46-page white paper released Oct. 18. Unlike Stuxnet, which was designed to
attack a very specific type of computer system, Duqu does not appear to have a
Discovered a little over a
year ago, Stuxnet is considered one of the most sophisticated pieces of malware
ever developed. It compromised several industrial control systems at Iran's
Natanz nuclear facility. Observers believe the malware set Iran's nuclear
program back years. Although researchers around the world have analyzed
Stuxnet, the source code is "not out there," according to Mikko
Hypponen, chief research officer of F-Secure
noting that "only the original authors have it."
"Duqu is essentially
the precursor to a future Stuxnet-like attack," Symantec
Security Response researchers
wrote on the Symantec Connect
blog. The researchers did not speculate on its origins.
Considering the time and
resources required to develop tools like this, Lookingglass' CTO Jason Lewis
that a nation-state was
the likely author.
Duqu's primary purpose at
the moment appears to be intelligence-gathering from industrial control system
manufacturers, according to Symantec. Duqu does not interfere with the
operations of the infected system, but focuses on reconnaissance.
Attackers were looking for
information such as design documents for supervisory control and data
acquisition (SCADA) systems used to control machinery and other key operations
that could be used when attacking a power plant or industrial facility. They
have been silently monitoring computers since December 2010, and Duqu's
activities are most likely a precursor to a larger, more comprehensive attack.
"The key thing missing
here, unlike Stuxnet, is we don't know what they are looking for,"
At the moment, Duqu only
creates a backdoor on infected systems and connects with a command-and-control
server somewhere in India, according to Symantec. The backdoor is open precisely
for 36 days, after which the malware self-destructs.
The C&C server appears not
to have sent any instructions yet, Symantec said. The short 36-day lifecycle
implies there is a specific target, according to Lewis.
According to McAfee's
analysis of the worm
, the malware installs drivers and encrypted DLLs that
can act as keyloggers on the system to monitor all processes and messages. It
also has no mechanism to replicate itself.
Symantec researchers saw
Duqu for the first time Oct. 14, when another firm that had been working with a
victim in Europe sent the sample. Symantec researchers analyzed the sample and
have since determined that industrial computers "around the globe"
have already been infected. Symantec declined to name the initial victim or the
security firm, or state the number of victims affected.
Duqu's code overlapped with
Stuxnet to such an extent that F-Secure's antivirus tool initially identified
the sample as Stuxnet and not as a different variant, Hypponen said on Twitter.
"The code similarities between Duqu and Stuxnet are obvious," Hypponen added on
the F-Secure blog.
Duqu "is Stuxnet,
retrofitted for general remote access," Bill Roth, CMO of LogLogic, told eWEEK,
noting that "everything
else" is the same. "Anyone surprised by the Duqu virus ought to have
their head examined," he added.
McAfee researchers Guilherme
Venere and Peter Szor are fairly confident that Duqu was created by the same
developers responsible for Stuxnet. They based their conclusions on the fact
that both viruses use similar encryption keys and techniques, injection code
and fraudulent digital certificates, which had been issued to companies in Taiwan.
The digital certificate keys appear to be real, which also make the programs
"It is highly likely
that this key, just like the previous two known cases, was not really stolen
from the actual companies, but instead directly generated in the name of such
companies at a CA [Certificate Authority] as part of a direct attack,"
Venere and Szor wrote.
McAfee Labs advised
Certificate Authorities to carefully verify if their systems might have been
affected by this threat or any variations of it.