Duqu: Is It the Next Stuxnet?

Nov. 17, 2011
Another Piece of Malware Has Been Found Operating in Systems in Europe

The Stuxnet virus has received a great deal of attention over the past few years because it brought into reality what had previously been considered only hypothetically: a sophisticated cyber attack on critical infrastructure. Though we have debated the level of hype surrounding the Stuxnet virus, considering that it specifically targeted Iran's nuclear program, industry experts have warned that this particular malware was just the beginning, and industrial networks need to be prepared for similar attacks. Now another piece of malware has been found operating in systems in Europe.

Symantec (www.symantec.com), receiving the news from a research lab in mid-October, confirmed that the new threat—called Duqu because it creates files with the file name prefix "~DQ"—is a precursor to another Stuxnet-like attack. Duqu appears to have been created since the last Stuxnet file was recovered, according to Symantec, and its structure and design philosophy are very similar to Stuxnet. Parts of Duqu's source code are nearly identical to Stuxnet's. Whether that means Duqu was created by the same group that created Stuxnet or by somebody who gained access to the Stuxnet code is unknown, but regardless, the new virus appears to have a different purpose.

"Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party," Eric Chien wrote in Symantec's official blog. "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."

Unlike Stuxnet, Duqu does not contain any code related to industrial control systems, according to Symantec, which reported that Duqu is primarily a remote access Trojan (RAT) and does not self-replicate. "Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets," Chien wrote. "However, it's possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants."

Duqu executables were designed to capture information such as keystrokes and system information, Symantec said. The attackers were searching for assets that could be used in a future attack. Although it would appear that they did not retrieve any sensitive data, details are not available in all cases. Two variants were recovered. The first recording of one of the binaries was Sept. 1, 2011. "However, based on file compile times, attacks using these variants may have been conducted as early as December 2010," Chien explained.

Duqu has been less widespread than Stuxnet, and was designed to eliminate itself after 36 days of running in a system. The threat uses a custom command-and-control protocol, Symantec said, primarily downloading or uploading what appear to be JPEG files. It also transfers additional data for exfiltration.

Although Stuxnet was designed to sabotage an industrial control system, Duqu is geared toward general remote access capabilities. "The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party," Chien wrote. "While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks."

Symantec said it was alerted to the Stuxnet-like sample by "a research lab with strong international connections." Although the organization provided a detailed report, it has remained anonymous. "As we are in academia, we have limited resources to analyze malware behavior," the original researchers commented in their report. "That means we leave several questions for further investigation."