McAfee: Why Duqu is a big deal

Summary: Dave Marcus, head of security research at McAfee, delves into the workings of Duqu, an information-stealing piece of malware that is shaping up to be as big a threat as Stuxnet

...reached out to the independent researcher, and then the independent researcher who reached out to us and a couple of competitors, and that's actually fairly standard.

Unless we are told specifically we cannot, we share samples with competitors, because there's a bigger picture. There's the bigger computing community that needs to be protected. We share our samples with Symantec, CA and everybody else, and they share their samples with us.

Did you look at the type of information Duqu was created to harvest?
Our competitors' researchers focused a bit more on the industrial controller aspect of Duqu, because the networks that this appears to be targeting are industrial controller-type networks.

Have you found anything in Duqu yet to say which particular networks it's going after?
Nothing yet — an investigation based upon the victim is still very much in play.

How many infected machines have there been?
It's not widely dispersed. With something like this, you're not going to see widespread infection. This is one of the ways Duqu differs from Stuxnet. Whereas Stuxnet is a worm, Duqu has much more Trojan-like behaviour. Duqu may inject itself into processes, but it doesn't look like it spreads like Stuxnet — through its autorun capabilities and USB sticks. Duqu seems to be much more specifically targeted rather than [designed] to expand like Stuxnet.

How did the target get infected? Was it a spear-phishing attack?
That's a good question. That's still in play. Probably what will come out will be one of two ways. I'm guessing that it will probably be spear-phishing with an attachment or a link to a malicious site. You click on it, download the malware, and there you are. It could be that someone has been sent a message saying, 'Hey, we've just updated our key, install our new key'. Spear-phishing is one of the classic social-engineering techniques, and it works.

The initial infection vector is still under investigation. Exactly what the attackers were going after — that's still in play. But it looks like they are targeting industrial controller networks and certificate authorities. The CA part of it I think is the bigger, long-term issue.

Do you think that the certification model is getting a bit outdated?
I'm not that close to the model, but I think there's a lot of validity in it. The struggle implementation-wise is that people get very nervous over the concept of keys. Who owns the master key? That's what historically has made people a little bit nervous. Especially in the States — we have control issues. Who holds the keys to my encryption is a big issue. It's probably the same all over the place.

One of the problems with the model, and with email encryption, is the exchanging of keys. It's problematic for everyone.

I don't know that the model is broken or anything like that. This is the third known compromise. That's a big deal, but it's not like it's the 80th or 90th compromise.

If I was part of a CA, I'd be stepping back at this point and saying, "All right — this is the third time. What is in common between these three attacks? Why were those CAs targeted? How are people getting in and getting this done, and how do we step back and do some pen-testing and other procedures to make sure it doesn't happen to us?"

If I was a CA, I would assume I'm potentially next and start taking steps.

What's the next stage of looking at the effects of Duqu?
We want to start doing some tracking globally of Duqu with our threat intelligence network. We're also going to be looking at telemetry data worldwide, to see if we're seeing Duqu anywhere else in the world. We can then reach out to any people who are experiencing problems, and we can fill in some of the gaps in the knowledge that we have. We're going to see if alerts are dispersed, or if they are going to be geographically focused, so we can start answering some of those questions.

McAfee has said Duqu seems to be targeting a specific geographical area, stretching in a band across North Africa, the Balkans, the Middle East, India and parts of the Far East.
It seems to be targeting certain parts of the world.

Why did McAfee call that band the 'Golden Jackal'?
You know, Peter [Szor] came up with that name. Canis aureus [the golden jackal] has to do with that part of the world.

Why did you initially think the malware was targeting that area?
It looked like there was activity in that part of the world. The CAs, business-wise, are in the same part of the world.

Did Duqu look like it was trying to connect back to a command-and-control server there?
I believe it was trying to connect back to a command-and-control server IP address in India, which has been shut down. You've these certain parts of the world that seem to keep coming up.

I know you don't like the term 'advanced persistent threat' (APT), but would it be unreasonable to say this could be cyber-espionage by a country?
I don't think it would be unreasonable to say that. When you talk about the undermining of certificate authorities, that's as APT as you get to call APTs — that's as bad as it gets.

Duqu has got a lot of advanced capabilities. Do I think there's an advanced conspiracy? Not necessarily, but you can't discount the geographical implications — if the CAs are in a certain area, you know, you have to look at that. If your infection dispersal is in a certain area, you have to look at that. You can't ignore it.

Tom is a technology reporter writing about all manner of security and open-source issues. Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.