Pages

Wednesday, October 19, 2011

New variant of Stuxnet discovered

From eWeek:
A new worm targeting industrial control system manufacturers has a strong resemblance to Stuxnet, leading researchers to dub it "Son of Stuxnet"

Symantec researchers have discovered a new worm in the wild that has the potential to attack and cripple industrial control systems, much like Stuxnet did.

The new worm, dubbed Duqu, shares a lot of the code with Stuxnet, leading Symantec researchers to believe it was either created by the same team or by another group with access to the Stuxnet source code, Symantec researchers said in a 46-page whitepaper released Oct. 18. Unlike Stuxnet, which was designed to attack a very specific type of computer system, Duqu does not have appear to have a clear target.

Discovered a little over a year ago, Stuxnet is considered one of the most sophisticated pieces of malware ever developed. It compromised several industrial control systems at Iran's Natanz nuclear facility. Observers believe Iran's nuclear program had been set back years by the malware. Despite the fact that researchers around the world have analyzed Stuxnet, the source code is "not out there," according to Mikko Hypponen, chief research officer of F-Secure, noting that "only the original authors have it."

"Duqu is essentially the precursor to a future Stuxnet-like attack," Symantec Security Response researchers wrote on the Symantec Connect blog. The researchers did not speculate on its origins.

Considering the time and resources required to develop tools like this, Lookingglass’ CTO Jason Lewis told eWEEK that a nation state was the likely author.

Duqu's primary purpose at the moment appears to be intelligence-gathering from industrial control system manufacturers, according to Symantec. ...

"The key thing missing here, unlike Stuxnet, is we don't know what they are looking for," Symantec said.

At the moment, Duqu only creates a back door on infected systems and connects with a command-and-control server somewhere in India, according to Symantec. The backdoor is open precisely for 36 days, after which the malware self-destructs.

The C&C server appears to not have sent any instructions yet, Symantec said. The short 36 day lifecycle implies there is a specific target, according to Lewis.

According to McAfee's analysis of the worm, the malware installs drivers and encrypted DLLS that can act as keyloggers on the system to monitor all processes and messages. It also has no mechanism to replicate itself.

McAfee researchers Guilherme Venere and Peter Szor are fairly confident that Duqu was created by the same developers responsible for Stuxnet. They based their conclusions on the fact that both viruses utilize similar encryption keys and techniques, injection code and fraudulent digital certificates which had been issued to companies in Taiwan. The digital certificate keys appear to be real, which also make the programs look legitimate.
I don't know how difficult it is to modify Stuxnet to do other things, but the description here isn't making much sense to me. I cannot see the value of using already-known exploits to try to gather new infomation when everyone with any concept of computer security would have already put up defenses against it.

On the other hand, Symantec says that this code uses a new stolen digital certificate from Taiwan that had not been breached before, and that the code seems to have been written in December 2010. A normal hacker is not usually able to steal digital certificates - that requires real-world espionage.

(h/t CHA, Zach)