McAfee is among the security companies raising an alarm about Duqu, a data-stealing Trojan that looks to pose as great a threat to businesses' critical infrastructure as Stuxnet.
Duqu uses code that exploits Microsoft Windows in a way similar to Stuxnet, a worm designed to attack Siemens industrial software, which has been linked to cyber-sabotage of nuclear bodies in Iran and other organisations. Unlike Stuxnet, however, it has specific, restricted targets rather than trying to spread itself widely, and it is designed to collect information rather than undermine systems.
Last week, an independent security researcher warned that Duqu has infected a number of organisations, but did not disclose which ones. However, Symantec said it has discovered an organisation in Europe that has been infected with variants of the malware. It believes the hackers were looking for information such as design documents to launch an attack on a third party.
While the broad outline of Duqu is known, McAfee and Symantec have disagreed on the details. ZDNet UK sat down with Dave Marcus, McAfee's director of security research and communications, to talk about its ongoing investigation into Duqu and why it believes the malware could be the basis of a Stuxnet-like attack.
Q: What is Duqu, and what does it do?
A: This is password-stealing and espionage data-capture malware — that seems to be the goal. There's a lot of functionality in the malware to get to the point where it's doing its sniffing and data gathering.
Duqu uses similar code to Stuxnet. Are the same people responsible, or has a different group used portions of the Stuxnet code?
Stuxnet had signed keys, and you have the same thing in this instance.
Does that mean Duqu was coded by the same people who created Stuxnet?
Not necessarily. Duqu shows certain characteristics in its coding, injection and behaviour that are indicative of the Stuxnet code. That most likely means that someone studied the Stuxnet code and said, 'Oh, those five things make sense, I'll do that'.
Duqu is very different from Stuxnet. Stuxnet injects code into a programmable logic controller, to get a kinetic response. There's no evidence of that in Duqu. This looks more like it's data gathering and performing espionage on industrial controller networks.
Duqu was signed with a certificate that was supposedly issued by the C-Media audio-product company. Does that mean the certificate was stolen, or was it forged?
You've got a rogue certificate. There's not a lot of evidence that it was a stolen rogue certificate. It looks like it was a rogue-created certificate. That may mean people had access to another certificate authority (CA), but it's hard to tell at this point.
The certificate compromise comes after compromises of Comodo and DigiNotar. Is this significant?
We have at this point now a third rogue key — that's a bigger issue than people realise. People targeting CAs, and the ability to create rogue signed keys, is a big deal.
You've got the undermining of trust on a variety of levels. Trust in the operating system is undermined. These keys are used on the operating system to sign drivers and dynamic link libraries (DLLs). People taking malware, signing it and encrypting it to a valid key means the malware becomes whitelisted, and has full rein on the operating system. That's certainly not good.
Unless the key is revoked, it's whitelisted. At that point, the malware can inject itself into different processes.
The issue we saw with Duqu is that it was injecting itself into running processes. That's an effective technique to avoid detection by information security. Injecting into running memory, injecting into space, is a really good way to avoid detection, because there's no disk access. Disk access is what generally sets off an on-access scan by security software or hardware. By injecting into running memory, you get a sophisticated technique similar to Stuxnet injections.
And that's just on the host side of the house. Then there's the whole stolen-key/website, man-in-the-middle side of the house. Duqu can be used to sniff traffic locally, and man-in-the-middle locally. Then you've got the potential signed key on a website, which you can now man-in-the-middle.
You've got this whole breakdown of trust, potentially. It's a big deal.
With a signed key, it's possible to make web browsers believe that a website is bona fide, isn't it?
Absolutely. You have a client, a real website and the fake key installed in something that pretends to be the valid website. The client doesn't know, so the traffic goes to the fake site, and every piece of data is captured.
The good thing is with Duqu, VeriSign decommissioned the key — the key is invalidated. The command-and-control server being used to extrude data — that's been blacklisted by ISPs. Pretty much all security vendors have got protection for Duqu at this point.
Does Duqu have rootkit functionality?
It's got userland rootkit functionality, not kernel rootkit functionality. Userland functionality is a different animal altogether. There's a difference in technique, and a difference in how you detect it.
With a kernel-mode step, you're going to attack memory spaces and attack kernel table steps and inject your code into the kernel: but that's only one way of rootkitting a machine. By using userland, you're attacking different processes and different areas. It's a very different way of owning a system.
When did you first see the Duqu code?
We got the code from an independent researcher [in October]. It was the victim who...