Symantec researchers have discovered a new worm in the wild that has the potential to attack and cripple industrial control systems, much like Stuxnet did.
The new worm, dubbed Duqu, shares a lot of the code with Stuxnet, leading Symantec researchers to believe it was either created by the same team or by another group with access to the Stuxnet source code, Symantec researchers said in a 46-page white paper released Oct. 18. Unlike Stuxnet, which was designed to attack a very specific type of computer system, Duqu does not appear to have a clear target.
Discovered a little over a year ago, Stuxnet is considered one of the most sophisticated pieces of malware ever developed. It compromised several industrial control systems at Iran’s Natanz nuclear facility. Observers believe the malware set Iran’s nuclear program back years. Although researchers around the world have analyzed Stuxnet, the source code is “not out there,” according to Mikko Hypponen, chief research officer of F-Secure, noting that “only the original authors have it.”
“Duqu is essentially the precursor to a future Stuxnet-like attack,” Symantec Security Response researchers wrote on the Symantec Connect blog. The researchers did not speculate on its origins.
Considering the time and resources required to develop tools like this, Lookingglass’ CTO Jason Lewis told eWEEK that a nation-state was the likely author.
Duqu’s primary purpose at the moment appears to be intelligence-gathering from industrial control system manufacturers, according to Symantec. Duqu does not interfere with the operations of the infected system, but focuses on reconnaissance.
Attackers were looking for information such as design documents for supervisory control and data acquisition (SCADA) systems used to control machinery and other key operations that could be used when attacking a power plant or industrial facility. They have been silently monitoring computers since December 2010, and Duqu’s activities are most likely a precursor to a larger, more comprehensive attack.
“The key thing missing here, unlike Stuxnet, is we don’t know what they are looking for,” Symantec said.
At the moment, Duqu only creates a backdoor on infected systems and connects with a command-and-control server somewhere in India, according to Symantec. The backdoor is open precisely for 36 days, after which the malware self-destructs.
The C&C server appears not to have sent any instructions yet, Symantec said. The short 36-day lifecycle implies there is a specific target, according to Lewis.
According to McAfee’s analysis of the worm, the malware installs drivers and encrypted DLLs that can act as keyloggers on the system to monitor all processes and messages. It also has no mechanism to replicate itself.
Symantec researchers saw Duqu for the first time Oct. 14, when another firm that had been working with a victim in Europe sent the sample. Symantec researchers analyzed the sample and have since determined that industrial computers “around the globe” have already been infected. Symantec declined to name the initial victim or the security firm, or state the number of victims affected.
Duqu’s code overlapped with Stuxnet to such an extent that F-Secure’s antivirus tool initially identified the sample as Stuxnet and not as a different variant, Hypponen said on Twitter. “The code similarities between Duqu and Stuxnet are obvious,” Hypponen added on the F-Secure blog.
Duqu “is Stuxnet, retrofitted for general remote access,” Bill Roth, CMO of LogLogic, told eWEEK, noting that “everything else” is the same. “Anyone surprised by the Duqu virus ought to have their head examined,” he added.
McAfee researchers Guilherme Venere and Peter Szor are fairly confident that Duqu was created by the same developers responsible for Stuxnet. They based their conclusions on the fact that both viruses use similar encryption keys and techniques, injection code and fraudulent digital certificates, which had been issued to companies in Taiwan. The digital certificate keys appear to be real, which also make the programs look legitimate.
“It is highly likely that this key, just like the previous two known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA [Certificate Authority] as part of a direct attack,” Venere and Szor wrote.
McAfee Labs advised Certificate Authorities to carefully verify if their systems might have been affected by this threat or any variations of it.