Duqu: Is It the Next Stuxnet?

The Stuxnet worm has received a great deal of attention since its discovery in 2010 because it turned a long-discussed hypothetical into reality: a sophisticated cyber attack on critical infrastructure. Though the level of hype around Stuxnet has been debated, given that it specifically targeted Iran's nuclear program, industry experts have warned that this particular malware was just the beginning and that industrial networks need to be prepared for similar attacks. Now another piece of malware has been found operating on systems in Europe.

Symantec (www.symantec.com), which received the sample from a research lab in mid-October, reported that the new threat, called Duqu because it creates files with the file name prefix "~DQ", appears to be a precursor to another Stuxnet-like attack. Duqu appears to have been created after the last Stuxnet file was recovered, according to Symantec, and its structure and design philosophy are very similar to Stuxnet. Parts of Duqu's code are nearly identical to Stuxnet. Whether that means Duqu was created by the same group that created Stuxnet or by somebody who gained access to the Stuxnet code is unknown, but regardless, the new malware appears to have a different purpose.

"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party," Eric Chien wrote in Symantec's official blog. "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."

Unlike Stuxnet, Duqu does not contain any code related to industrial control systems, according to Symantec, which reported that Duqu is primarily a remote access Trojan (RAT) and does not self-replicate. "Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets," Chien wrote. "However, it's possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants."

Duqu executables were designed to capture information such as keystrokes and system information, Symantec said. The attackers were searching for assets that could be used in a future attack. Although it appears that they did not retrieve any sensitive data in at least one case, details are not available in all cases. Two variants were recovered. The earliest recorded sighting of one of the binaries was Sept. 1, 2011. "However, based on file compile times, attacks using these variants may have been conducted as early as December 2010," Chien explained.

Duqu has been far less widespread than Stuxnet, and it was configured to remove itself after 36 days of running on a system. The threat uses a custom command-and-control protocol, Symantec said, primarily downloading or uploading what appear to be JPEG files; additional data for exfiltration is transferred alongside those image files.
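A detection check that follows from the C&C description above, written here as an added example and not taken from Symantec's analysis or from the original article: if a threat moves its exfiltrated data under cover of JPEG transfers, a proxy or IDS can parse every HTTP body declared as image/jpeg and flag two things: payloads that do not parse as a JPEG at all, and well-formed JPEGs followed by extra bytes after the EOI marker, which is a common place to tuck an appended payload. The walker below implements the JPEG marker grammar (SOI, length-prefixed segments, the entropy-coded scan after SOS with its 0xFF00 byte stuffing and RST markers, then EOI). The sample bytes are constructed; whether Duqu actually appended its data after EOI is not stated by the article and is assumed here only as one possibility the check covers.

```python
import struct
from dataclasses import dataclass, field

EOI, SOS = 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0-RST7.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


@dataclass
class JpegVerdict:
    valid_jpeg: bool
    segments: list = field(default_factory=list)  # (marker name, length) in file order
    image_end: int = -1        # offset just past the EOI marker
    trailing_bytes: int = 0    # bytes after EOI; a legitimate JPEG has none
    reason: str = ""           # why parsing stopped, when valid_jpeg is False


def walk_jpeg(data: bytes) -> JpegVerdict:
    """Walk the marker structure of a JPEG and measure anything after EOI."""
    v = JpegVerdict(valid_jpeg=False)
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        v.reason = "missing SOI marker (not a JPEG)"
        return v
    v.segments.append(("SOI", 0))
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            v.reason = f"expected marker at offset {pos}"
            return v
        marker = data[pos + 1]
        if marker == 0xFF:            # fill bytes may precede a marker
            pos += 1
            continue
        if marker in STANDALONE:
            v.segments.append((f"0x{marker:02X}", 0))
            pos += 2
            if marker == EOI:
                v.valid_jpeg = True
                v.image_end = pos
                v.trailing_bytes = len(data) - pos
                return v
            continue
        if pos + 4 > len(data):
            v.reason = "truncated segment header"
            return v
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            v.reason = f"bad segment length {length} at offset {pos}"
            return v
        v.segments.append((f"0x{marker:02X}", length))
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows. 0xFF00 is byte stuffing and 0xFFD0-0xFFD7
            # are restart markers; both belong to the scan, anything else ends it.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    v.reason = "no EOI marker before end of data"
    return v


def classify_transfer(content_type: str, body: bytes, max_trailing: int = 0) -> tuple:
    """Return (verdict, detail) for an HTTP body; only bodies declared as JPEG are inspected."""
    if "image/jpeg" not in content_type.lower():
        return "skip", "not declared as JPEG"
    v = walk_jpeg(body)
    if not v.valid_jpeg:
        return "suspicious", f"declared JPEG does not parse: {v.reason}"
    if v.trailing_bytes > max_trailing:
        return "suspicious", f"{v.trailing_bytes} bytes after EOI at offset {v.image_end}"
    return "clean", f"{len(v.segments)} segments, no trailing data"


# Constructed minimal JPEG: SOI, an APP0/JFIF header, a tiny SOS scan, EOI. It will not
# decode to a picture, but it is structurally well-formed for the walker above.
COVER_JPEG = (
    b"\xff\xd8"                                                                     # SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"              # SOS
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # scan data with a stuffed 0xFF and an RST0
    + b"\xff\xd9"                                                                   # EOI
)
# Constructed "exfiltration" transfer: the same cover image with an opaque blob appended.
EXFIL_JPEG = COVER_JPEG + bytes(range(0x8A, 0x8A + 24))

if __name__ == "__main__":
    for label, body in (("cover", COVER_JPEG), ("exfil", EXFIL_JPEG), ("not-jpeg", b"MZ\x90\x00")):
        print(label, classify_transfer("image/jpeg", body))
```

Appended data is only one hiding place; a payload stuffed into an APPn or COM segment would parse as a valid JPEG with no trailing bytes, so a production check should also compare declared image dimensions against segment sizes and treat unusually large metadata segments as a second signal.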

Although Stuxnet was designed to sabotage an industrial control system, Duqu is geared toward general remote access capabilities. "The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party," Chien wrote. "While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks."

Symantec said it was alerted to the Stuxnet-like sample by "a research lab with strong international connections." Although the organization provided a detailed report, it has remained anonymous. "As we are in academia, we have limited resources to analyze malware behavior," the original researchers commented in their report. "That means we leave several questions for further investigation."
