Security Researchers Detect New Stuxnet-Like Threat

A diagram from a Symantec report illustrates the two variants of Duqu

(WEB HOST INDUSTRY REVIEW) — More than a year after the Stuxnet worm was first detected, security firm Symantec (www.symantec.com) has discovered a threat called Duqu that researchers say is “essentially the precursor to a future Stuxnet-like attack.” Symantec believes that the threat was written by the same authors, or those with access to the Stuxnet source code.

In a blog post on Tuesday, Symantec says a research lab alerted it to a sample “very similar to Stuxnet” on October 14. The sample was recovered from computer systems in Europe, and parts of Duqu are nearly identical to Stuxnet, according to Symantec.

While some code may be the same, Symantec says Duqu’s purpose is to gather intelligence data and assets from entities like industrial control system manufacturers to conduct a future attack against another third party. It says attackers are looking for information that could help them launch an attack on an industrial control facility. Symantec says the threat was “highly targeted” toward a limited number of organizations for their specific assets.

Stuxnet was believed to be the attack that changed the complexity of cyberwarfare. Stuxnet attacked systems used to control nuclear plants in Iran and other industrial facilities. A report by Wired’s Threat Level blog says that though the majority of Stuxnet infections were based in Iran, the Duqu infections that have been discovered are not grouped in any geographical region.

Michael Lin, VP of product management at Symantec, spoke at HostingCon 2011 about the top threats for hosting providers and used Stuxnet as an example of the highly sophisticated nature of modern threats. In his presentation, Lin said that if hackers can launch attacks against nuclear power plants, “they can launch these attacks against hosting providers.”

According to Symantec, two variants of Duqu were recovered, and one of the variants’ driver files was signed with a valid digital certificate that expires August 2, 2012. Though Symantec would not name the company the digital certificate belongs to, the post says it is headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011.

Symantec says it has known that some of the malware files associated with the W32.D threat were signed with private keys associated with a code signing certificate issued to a Symantec customer. Symantec says the private key used for signing Duqu was stolen, not fraudulently generated for the purpose of this malware. Symantec says that there were no issues with any CA, intermediate, or other VeriSign or Thawte brands of certificates.
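The point for defenders in the two paragraphs above is that a signing certificate’s validity dates say nothing about whether it has been revoked: the Duqu driver’s certificate did not expire until August 2012, yet it was revoked in October 2011. The script below is an added example, not code from the article or from Symantec. It assumes a Windows host with PowerShell and a file path you supply (the path shown is a placeholder); it reads the file’s Authenticode signature with `Get-AuthenticodeSignature` and then rebuilds the signer’s chain with .NET’s `X509Chain`, forcing online revocation checking for the whole chain and the code-signing EKU, so a signature made with a since-revoked certificate surfaces as a chain error rather than looking healthy because its NotAfter date is still in the future.

```powershell
# Added example (not from the article or Symantec): check a signed driver or
# executable for a revoked code-signing certificate, not just an expired one.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # placeholder, e.g. C:\Windows\System32\drivers\example.sys
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Summarise what the signature itself says. Status is Valid, NotSigned,
# HashMismatch, NotTrusted or UnknownError; NotAfter is the expiry date only.
[pscustomobject]@{
    File     = $Path
    Status   = $sig.Status
    Signer   = $sig.SignerCertificate.Subject
    NotAfter = $sig.SignerCertificate.NotAfter
} | Format-List

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is $($sig.Status); treat the signer as untrusted."
    return
}

# Rebuild the chain with an explicit policy: online revocation checking for
# every certificate in the chain, and require the code-signing EKU (OID
# 1.3.6.1.5.5.7.3.3) so a certificate issued for some other purpose is rejected.
$ns = 'System.Security.Cryptography.X509Certificates'
$chain = New-Object "$ns.X509Chain"
$chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag     = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null

if ($chain.Build($sig.SignerCertificate)) {
    Write-Output "Chain built cleanly with online revocation checking: signer currently trusted."
} else {
    # Each entry names the failure, e.g. Revoked, RevocationStatusUnknown,
    # OfflineRevocation, NotTimeValid or UntrustedRoot.
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ('{0}: {1}' -f $s.Status, $s.StatusInformation.Trim())
    }
}
```

Two caveats when reading the output. A result of `RevocationStatusUnknown` or `OfflineRevocation` means the CRL or OCSP responder could not be reached, not that the certificate is good; on a host that cannot reach the CA, that is the expected result and the file still needs to be checked from a connected machine. And Windows honours Authenticode timestamps: a signature that was timestamped before the certificate’s revocation date may continue to validate unless the CA backdates the revocation to before the signing time, which is one reason a revocation alone is not a complete remediation for a stolen signing key.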

Symantec says the threat is configured to run for 36 days and after that time period will automatically remove itself from the system.

Duqu and Stuxnet share a lot of code but the payload is different, according to Symantec. Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities.

To read the full report on Duqu, visit Symantec’s website.

Nicole Henderson

About

Nicole Henderson writes full-time for the Web Host Industry Review where she covers daily news and features online, as well as in print. She has a bachelor of journalism from Ryerson University in Toronto, and has been writing for the WHIR since September 2010. You can find her on Twitter @NicoleHenderson.
