Stuxnet II Found in the Wild - Dubbed “Duqu”

Wednesday, October 19, 2011



On October 14th, Symantec was sent a sample of a Stuxnet variant from an organization in Europe.

The malware was very similar to Stuxnet, but its payload and purpose make it a new creation in its own right.

Parts of the malware are essentially Stuxnet code. It is so close that F-Secure reported their backend systems initially classified the sample as Stuxnet.

But as researchers dug into it, they found an interesting twist. This version was not built to sabotage PLC-controlled equipment. This one is an electronic spy.

According to Symantec's 42-page analysis of Duqu, the code was written by the same authors as Stuxnet, or at least by a group with access to the Stuxnet source code. The twist is that this one isn't built to physically sabotage an industrial facility; it collects information, possibly for a follow-up attack at a later time:

“Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”

“Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat has been highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.”

The design also makes it difficult to ascertain the malware’s source nation. It is signed with a valid code-signing certificate issued to a company in Taipei, Taiwan (since revoked). It communicates over HTTP and HTTPS with a command-and-control server in India, encrypts data before transmission, hides the traffic to the C&C server inside dummy .jpg picture files, and automatically removes itself after 36 days.
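The picture-file channel is the one piece of this design a defender can test for directly: a “.jpg” that carries a ciphertext blob is no longer a well-formed image all the way to its last byte. The page does not say how Duqu packs its data into the picture files, so the example below assumes the simplest technique, appending the encrypted payload after the JPEG End-Of-Image marker, and shows how to check an outbound file for it. This is an added example, not code from the original post or from Symantec’s analysis; the sample “images” and the stand-in ciphertext are constructed inline.

```python
"""Detect data hidden after a JPEG's End-Of-Image (EOI) marker.

Added example for this article; not Duqu code and not from Symantec's report.
Assumption: the payload is appended after the EOI marker (0xFFD9). A real
JPEG ends at EOI, so any bytes past it are foreign, and a high-entropy
trailer is consistent with the encrypted data the article describes.
"""
import hashlib
import math

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-7 carry no length field


def find_eoi_end(data: bytes) -> int:
    """Walk the JPEG segment chain and return the offset just past EOI.

    Raises ValueError if the bytes are not a parseable JPEG or EOI is missing.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:
            pos += 1  # 0xFF fill bytes may precede a marker
        if pos + 1 >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos + 1]
        pos += 2
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        seg_len = int.from_bytes(data[pos:pos + 2], "big")
        if seg_len < 2:
            raise ValueError("bad segment length")
        pos += seg_len  # the length field counts its own two bytes
        if marker == SOS:
            # Entropy-coded scan data follows: 0xFF00 is a stuffed byte and
            # 0xFFD0-0xFFD7 are restart markers; any other 0xFFxx ends the scan.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and nxt not in range(0xD0, 0xD8):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def shannon_entropy(blob: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input, 8.0 for uniform bytes."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_jpeg(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report how many bytes follow EOI and whether they look like ciphertext."""
    end = find_eoi_end(data)
    trailer = data[end:]
    ent = shannon_entropy(trailer)
    return {
        "image_bytes": end,
        "trailing_bytes": len(trailer),
        "trailer_entropy": round(ent, 2),
        # Small trailers are ignored: entropy estimates on a few bytes are noise.
        "looks_encrypted": len(trailer) >= 64 and ent >= entropy_threshold,
    }


def _constructed_jpeg() -> bytes:
    """Constructed JPEG-structured bytes (not a decodable picture): SOI, APP0,
    SOS header, scan data containing a stuffed 0xFF00 and an RST0 marker, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"
    return (bytes([0xFF, SOI])
            + b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
            + bytes([0xFF, SOS]) + (len(sos_body) + 2).to_bytes(2, "big") + sos_body
            + scan + bytes([0xFF, EOI]))


def _constructed_ciphertext(n_blocks: int = 32) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted payload."""
    out, block = b"", b"constructed-seed"
    for _ in range(n_blocks):
        block = hashlib.sha256(block).digest()
        out += block
    return out


CLEAN_JPEG = _constructed_jpeg()                               # nothing after EOI
STEGO_JPEG = CLEAN_JPEG + _constructed_ciphertext()             # 1024-byte blob after EOI
COMMENT_JPEG = CLEAN_JPEG + b"Photo by camera vendor\n" * 8     # low-entropy trailer

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("stego", STEGO_JPEG), ("comment", COMMENT_JPEG)):
        print(name, inspect_jpeg(blob))
```

Trailing bytes alone are not proof of anything: some cameras and editors append vendor data after EOI, and a JPEG can legitimately be a polyglot with an archive. The signal a practitioner would act on is the combination the article describes, a high-entropy trailer on image files that a host repeatedly posts to a single external server.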

As this version seems to be an espionage tool, one has to wonder what is next. The authors apparently want to gather information on a target for what would seem to be future attacks. What could the future attack be?

Well, we may not need to wait long to find out, as Symantec has received additional variants of this threat from another European organization. These samples have a compilation date of October 17th. Symantec has not had time to analyze the new samples yet, but this is very interesting indeed.

For more information, check out Symantec’s detailed report.


Wanni Doule: The computer malware Stuxnet has been tough for many computer experts to determine. In 2010, it infected nuclear control systems in Iran. Industrial control computers in Europe have been infected with a brand new malware. The Duqu virus doesn't appear to have direct influence, but mines for information that could be used for further attacks. The big news is that the Duqu virus uses Stuxnet DNA to mine industrial data.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
