Duqu: Is It the Next Stuxnet?

The Stuxnet virus has received a great deal of attention over the past few years because it brought into reality what had previously been considered on a hypothetical basis: a sophisticated cyber attack on a critical infrastructure. Though we have debated the level of hype surrounding the Stuxnet virus, considering that it specifically targeted Iran's nuclear program, industry experts have warned that this particular malware was just the beginning, and industrial networks need to be prepared for similar attacks. Now another piece of malware has been found operating in systems in Europe.

Symantec (www.symantec.com), receiving the news from a research lab in mid-October, confirmed that the new threat—called Duqu because it creates files with the file name prefix "~DQ"—is a precursor to another Stuxnet-like attack. Duqu appears to have been created since the last Stuxnet file was recovered, according to Symantec, and its structure and design philosophy are very similar to Stuxnet. Parts of Duqu's source code are nearly identical to Stuxnet. Whether that means Duqu was created by the same group that created Stuxnet or by somebody who gained access to the Stuxnet code is unknown, but regardless the new virus appears to have a different purpose.

"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party," Eric Chien wrote in Symantec's official blog. "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."

Unlike Stuxnet, Duqu does not contain any code related to industrial control systems, according to Symantec, which reported that Duqu is primarily a remote access Trojan (RAT) and does not self-replicate. "Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets," Chien wrote. "However, it's possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants."

Duqu executables were designed to capture information such as keystrokes and system information, Symantec said. The attackers were searching for assets that could be used in a future attack. Although it would appear that they did not retrieve any sensitive data, details are not available in all cases. Two variants were recovered. The first recording of one of the binaries was Sept. 1, 2011. "However, based on file compile times, attacks using these variants may have been conducted as early as December 2010," Chien explained.

Duqu has been less widespread than Stuxnet, and was designed to eliminate itself after 36 days of running in a system. The threat uses a custom command-and-control protocol, Symantec said, primarily downloading or uploading what appear to be jpeg files. It then also transfers additional data for exfiltration.

Although Stuxnet was designed to sabotage an industrial control system, Duqu is geared toward general remote access capabilities. "The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party," Chien wrote. "While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks."

Symantec said it was alerted to the Stuxnet-like sample by "a research lab with strong international connections." Although the organization provided a detailed report, it has remained anonymous. "As we are in academia, we have limited resources to analyze malware behavior," the original researchers commented in their report. "That means we leave several questions for further investigation."

More News:

  • Patent Dispute Settled Between Rockwell Automation and Beckhoff Automation

    Rockwell Automation's linear motor business, including its recent Jacobs Automation acquisition, has developed a substantial portfolio of patents comprising over 100 issued patents on linear motor technology alone.

  • Mergers, Acquisitions Alliances and Noteworthy News in Robotics

    Iten Industries, manufacturer of advanced composite components and materials headquartered in Ashtabula, Ohio, is now offering additive manufacturing and 3D printing services.

  • U.S. Economy Looks Up for Manufacturing Industries

    The August PMI is led by the highest recorded New Orders Index since April 2004, when it registered 67.1%.

  • ASME Forum Ignites 21st-Century Engineering

    Founder and president of HMI/SCADA software developer Iconics, Russ Agrusa, said the company is focusing on how to harness big data on any device and in any class of applications, and turn it into predictive analytics in manufacturing and business intelligence.

  • New Customer Care Center for Endress+Hauser

    To help customers keep up with today's challenges, Endress+Hauser's new, state-of-the-art Customer Center is suited to greet visitors with a top-notch certified training facility with multiple classrooms and its largest yet PTU controlled by Rockwell Automation's PlantPAx system for real-world process simulation with over 120 measuring points.

  • The Rise of Aluminum in the Industrial Sector

    It is not just price that makes aluminum appealing when put alongside copper in the production of items like electrical wires and cables, though.

  • Maverick Acquires CQS Innovation Expanding Process Expertise in the Life Sciences Industry

    The acquisition expands Maverick's size and scale as a global organization with 19 office locations and 500+ engineering professionals. In addition, Chris Roerig, current president of CQS Innovation, will join Maverick as industry manager for life sciences.

  • ISA Offers Cybersecurity Certificate Program

    The program consists of passing a course on using the ANSI/ISA-62443 standards to secure industrial control systems. The course is available in the classroom or online. Students must also pass a written exam in the classroom or online.

  • Fieldbus Groups 'Unite'

    The combined power of both organizations will aim to protect the investments that end users in process automation have made in HART and Foundation fieldbus communication technologies.

  • Guess Who Just Turned 125 Years Old?

    ABB recently celebrated its 125th anniversary in Finland.

All news »

What are your comments?

Join the discussion today. Login Here.


No one has commented on this page yet.

RSS feed for comments on this page | RSS feed for all comments