Son of Stuxnet - A Not so Melodrama?

Wednesday, October 19, 2011

Kevin McAleavey

Ba829a6cb97f554ffb0272cd3d6c18a7

Having spent twelve years of my life in the antivirus and antimalware business, I'm relieved at now working with an operating system that doesn't require me to put in the 20 hour days and the neverending daily mobilization for Iwo Jima that was an every day part of protecting "Windows world."

There are many times that I miss the action, but more than anything else I miss the fun and challenges of the detective work. The majority of malware that I analyzed for a living was mundane, boring, and often pure amateur hour.

Every now and then a new rogue malware came along that made the hunt interesting and rewarding, and wrestling those provided the rare sense of accomplishment that made the madness of being in the industry rewarding.

If I were offered a gig back in the antivirus business again, this one would probably be a more interesting ride than the three hour tour on the Lulz boat.

Thanks to some of my colleagues at the Wilder's security forums I was made aware of an allegedly new variant or precursor of a new version of Stuxnet, known as "W32.Duqu" making the rounds, with writeups and reports on it hitting the blogs last Friday.

Curiously enough however, Symantec notes that when they reviewed sample submissions of this new malware, they found previous samples dating back to September and possibly as far back as December of 2010. The rogues are signed with private certificates issued to a Symantec customer in Taiwan by Symantec. Symantec revoked the rogue certificate last Friday.

Speculation about Duqu is that it's a precursor to another attack against embedded systems, and has been gathering information already about industrial systems, particularly engineering data and other design information.

MSNBC in an interview with Mikko Hypponen of F-Secure, goes into further detail claiming that Duqu at this time has only created a backdoor into systems and is connecting to a C&C in India awaiting further instructions.

However if this backdoor has been around for nearly a year now undetected, I for one would be concerned that it could have already done its intended job since anyone in the antimalware business as well as the people we monitor know that when you successfully land on a machine, you'd better get your business done right away because it's only a matter of hours or days before your "RAT" gets detected. Or at least that's the way it used to be.

That a virus with samples in the hands of the antivirus companies is still operating nearly a year after the first samples of it were received should be of great concern, especially something like stuxnet.

Then again, we've got drones flying around infected with a cheesy little password stealer called "AGENT.KGB" which I detected in our BOClean product nearly five years ago, so anything's possible these days.

So for those of you who are responsible for infrastructure, please be on the lookout for W32.Duqu if you're running Windows. For me, I'm going to go back to my browser now and continue arguing with trolls on the forums since Duqu doesn't work on KNOS and therefore nothing for me to do about it here.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system for client computers ( http://www.knosproject.com ) and has been in antimalware research and security product development since 1996.

Possibly Related Articles:
11915
Viruses & Malware
Information Security
SCADA malware Symantec Stuxnet Network Security Infrastructure DUQU
Post Rating I Like this!
Da3ca2c61c4790bcbd81ebf28318d10a
Krypt3ia Kevin,
I am right there with you. I also think that Symantec rushed the report to get a jump on the rest of the AV vendors out there on getting attention about this. There is little data to say that this was coded by the same makers as Stuxnet itself. Never mind the allusions that it was seeking power grid data..

That is unless they are holding a lot back. I find the report shoddy and its suppositions suspect...

And now back to *nix...
1319041458
4085079c6fe0be2fd371ddbac0c3e7db
Jamie Adams Excellent information. Kevin, your insight is always much appreciated.
1319043489
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey @Krypt3ia

I dunno _what_ to make of it other than as you say, spin. I was surprised to see the admission in Symantec's report that they apparently had ignored this sample for so long. I'm sure you remember my long-winded commentary on the industry. This is the problem with "automated analysis" which they're all doing now - sample comes in, gets tossed in the blender along with a rather large frog and something like this has as much weight going into the database as another browser hijacker that can be readily uninstalled. :(

I understand with the sheer volume of holes in Billyworld that the sheer volume of variants overwhelms even the biggest companies, but something like this SHOULD have raised numerous flags when the emulator watched so many unique instructions fly by before tossing it into the "suspicious" bin.

As to stuxnet, I was appalled when I finally got my hands on a sample. Almost nothing in it was new except for the actual payload. It was nothing more than stitching numerous old malware together ... ones that we detected years ago. In fact, I ran an old copy of BOClean with the last database I did for it in 2007 and it was detected immediately as soon as it lit up and was stopped.

I'd love to see what happens with this one, but I haven't been on the samples lists since 2009 when I left COMODO because they just didn't get it either and were quite satisfied in using the same "secret sauce" as everybody else. So I went and did this instead since I've always believed that not getting infected in the first place is the better solution. :)

---

@ Jamie

Thanks!
1319101188
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.