Duqu: Is It the Next Stuxnet?

The Stuxnet worm has received a great deal of attention over the past few years because it turned what had previously been discussed only hypothetically into reality: a sophisticated cyber attack on critical infrastructure. Although the level of hype surrounding Stuxnet has been debated, given that it specifically targeted Iran's nuclear program, industry experts have warned that this particular malware was just the beginning and that industrial networks need to be prepared for similar attacks. Now another piece of malware has been found operating on systems in Europe.

Symantec (www.symantec.com), alerted by a research lab in mid-October, confirmed that the new threat, called Duqu because it creates files with the file name prefix "~DQ", is a precursor to another Stuxnet-like attack. Duqu appears to have been created after the last Stuxnet sample was recovered, according to Symantec, and its structure and design philosophy are very similar to Stuxnet's. Parts of Duqu's code are nearly identical to Stuxnet's. Whether that means Duqu was created by the same group that created Stuxnet, or by somebody who gained access to the Stuxnet code, is unknown; regardless, the new malware appears to have a different purpose.

"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party," Eric Chien wrote in Symantec's official blog. "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."

Unlike Stuxnet, Duqu does not contain any code related to industrial control systems, according to Symantec, which reported that Duqu is primarily a remote access Trojan (RAT) and does not self-replicate. "Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets," Chien wrote. "However, it's possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants."

Duqu executables were designed to capture information such as keystrokes and system information, Symantec said. The attackers were searching for assets that could be used in a future attack. Although it appears that they did not retrieve any sensitive data, details are not available in all cases. Two variants were recovered, and one of the binaries was first recorded on Sept. 1, 2011. "However, based on file compile times, attacks using these variants may have been conducted as early as December 2010," Chien explained.

Duqu has been less widespread than Stuxnet, and was designed to remove itself from a system after 36 days of running. The threat uses a custom command-and-control protocol, Symantec said, primarily downloading or uploading what appear to be JPEG files; it also transfers additional data for exfiltration alongside them.
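As an added illustration, and not code from this article or from Symantec, the following Python check takes the two concrete indicators the article gives, the "~DQ" file name prefix and command-and-control traffic that looks like JPEG transfers, and turns them into something a responder can run over a file listing. It assumes that a transfer made to look like an image carries its real payload as bytes appended after the JPEG End-of-Image marker; the function therefore walks the marker segments of a file (including the entropy-coded scan data, where 0xFF bytes are stuffed) and reports anything trailing EOI. The JPEG byte strings below are constructed for the demo, not captured Duqu traffic.

```python
import os
import struct

DUQU_NAME_PREFIX = "~DQ"          # file name prefix the article reports
JPEG_EXTENSIONS = (".jpg", ".jpeg")


def trailing_payload(data):
    """Walk JPEG marker segments and return the bytes after the EOI marker.

    Returns b"" for a well-formed JPEG with nothing appended, the trailing
    bytes if something follows EOI, and None if the data is not a parsable
    JPEG (wrong SOI, broken segment lengths, or truncated before EOI).
    """
    n = len(data)
    if n < 4 or data[:2] != b"\xff\xd8":          # must start with SOI
        return None
    i = 2
    while i + 1 < n:
        if data[i] != 0xFF:                       # expected a marker here
            return None
        marker = data[i + 1]
        if marker == 0xFF:                        # fill byte, keep scanning
            i += 1
            continue
        if marker == 0xD9:                        # EOI: everything after it is suspect
            return data[i + 2:]
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:  # standalone markers, no length
            i += 2
            continue
        if i + 3 >= n:
            return None
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]  # length includes itself
        if seg_len < 2:
            return None
        i += 2 + seg_len
        if marker == 0xDA:
            # SOS: entropy-coded data follows; skip until a real marker.
            # 0xFF00 is a stuffed data byte and 0xFFD0-0xFFD7 are restart markers.
            while i + 1 < n:
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                i += 1
    return None                                   # ran out of data before EOI


def findings(name, data):
    """Indicators for one file given its name and contents (list of strings)."""
    out = []
    if os.path.basename(name).startswith(DUQU_NAME_PREFIX):
        out.append("file name carries the ~DQ prefix")
    if name.lower().endswith(JPEG_EXTENSIONS):
        tail = trailing_payload(data)
        if tail is None:
            out.append("claims to be JPEG but does not parse as one")
        elif tail:
            out.append("%d bytes appended after JPEG EOI" % len(tail))
    return out


# --- constructed sample data (hypothetical, not from the article) -----------
# Minimal JPEG: SOI, one APP0/JFIF segment, EOI. Real files carry many more
# segments, but the marker walk above handles them identically.
_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xd9"

# Same image with a scan segment whose data contains a stuffed 0xFF00 and an
# RST0 marker, to exercise the SOS path.
_SOS = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
_SCAN = b"\x12\xff\x00\x34\xff\xd0\x56"
SCAN_JPEG = b"\xff\xd8" + _APP0 + _SOS + _SCAN + b"\xff\xd9"

# A "JPEG" with a constructed payload tucked after EOI.
SUSPECT_TAIL = b"\x8b\x1f\x42\x00\x13\x37\xde\xad"
SUSPECT_JPEG = CLEAN_JPEG + SUSPECT_TAIL

SAMPLE_FILES = {
    "photo.jpg": CLEAN_JPEG,
    "scan.jpg": SCAN_JPEG,
    "upload.jpg": SUSPECT_JPEG,
    "~DQ1a2b.tmp": b"MZ\x90\x00",
}


def triage(files):
    """Map file name -> findings, keeping only files with at least one."""
    return {name: f for name, data in files.items() if (f := findings(name, data))}


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_FILES).items():
        print(name, "->", "; ".join(hits))
```

The trailing-bytes check is a heuristic: some legitimate tools also write data after EOI, so treat a hit as a reason to look at the file, not as proof of compromise, and pair it with the process and network context the host gives you.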

Although Stuxnet was designed to sabotage an industrial control system, Duqu is geared toward general remote access capabilities. "The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party," Chien wrote. "While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks."

Symantec said it was alerted to the Stuxnet-like sample by "a research lab with strong international connections." Although the organization provided a detailed report, it has remained anonymous. "As we are in academia, we have limited resources to analyze malware behavior," the original researchers commented in their report. "That means we leave several questions for further investigation."
