Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

Summary: Symantec warns of a new high-end Trojan that's "nearly identical to Stuxnet" but notes that the malware has a completely different goal.

[ UPDATE: McAfee says DuQu's main objective is espionage and targeted attacks against sites such as Certificate Authorities (CAs). ]

Researchers at Symantec have sounded an alarm for a new piece of malware with "striking similarities" to Stuxnet, the mysterious computer worm that targeted nuclear facilities in Iran.

The new malware, identified as Duqu, is a highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.

"The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," according to Symantec's security response team.

Symantec said it got a copy of the in-the-wild malware from an unnamed research lab with strong international connections.

The company found that parts of Duqu are "nearly identical to Stuxnet" but noted that the malware has a completely different goal.

Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created after the last recovered Stuxnet file. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

The company said Stuxnet and Duqu shared the same modular structure, injection mechanisms, and a driver that is digitally signed with a compromised key.

Unlike Stuxnet, Symantec said, the new malware does not contain any code related to industrial control systems. It was built to be a remote access Trojan (RAT) that does not self-replicate.

"The threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants," the company warned.

The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered and, in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.

One of the variant's driver files was signed with a valid digital certificate expiring August 2, 2012. The digital certificate belongs to C-Media Electronics Incorporation, a company headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011.

Symantec noted that Duqu uses HTTP and HTTPS to communicate with a command and control server which is currently operational.

Some more details on Duqu:

Through the command and control server the attackers were able to download additional executables, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated out.

The threat uses a custom command and control protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received.

Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.
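The article says the command and control traffic is carried in what "appear to be JPG files". One generic check a defender can run over captured HTTP bodies is to verify that anything labelled image/jpeg is actually a structurally well-formed JPEG: correct start-of-image marker, consistent segment lengths, and nothing after the end-of-image marker. The code below is an added example written for this article, not Symantec's analysis or Duqu's code; the article does not describe how Duqu embeds its data, so the sample bodies (a well-formed stub, one with bytes appended after EOI, and one that is not a JPEG at all) are constructed here purely to exercise the parser.

```python
# Added example (not code from the article or from Symantec): a structural
# JPEG validator a defender could run over HTTP bodies labelled image/jpeg.
# All sample inputs below are constructed for illustration.
import struct

SOI = 0xD8   # start of image
EOI = 0xD9   # end of image
SOS = 0xDA   # start of scan: entropy-coded data follows this segment
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0..RST7 carry no length field


def _skip_entropy_coded(data: bytes, pos: int) -> int:
    """Advance past scan data to the next real marker (0xFF followed by a non-stuffed byte)."""
    n = len(data)
    while pos < n:
        if data[pos] == 0xFF and pos + 1 < n:
            nxt = data[pos + 1]
            # 0x00 is a stuffed byte, RSTn markers belong to the scan, 0xFF is fill
            if nxt != 0x00 and nxt not in range(0xD0, 0xD8) and nxt != 0xFF:
                return pos
            pos += 1 if nxt == 0xFF else 2
        else:
            pos += 1
    return n


def inspect_jpeg(data: bytes) -> dict:
    """Walk the marker segments; report validity, a reason, and bytes trailing after EOI."""
    def result(valid, reason, trailing=0):
        return {"valid": valid, "reason": reason, "trailing": trailing}

    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return result(False, "missing SOI marker", len(data))
    n = len(data)
    pos = 2
    while pos < n:
        if data[pos] != 0xFF:
            return result(False, f"expected marker at offset {pos}", n - pos)
        while pos < n and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= n:
            return result(False, "truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            trailing = n - pos
            if trailing:
                return result(False, f"{trailing} bytes after EOI", trailing)
            return result(True, "well-formed")
        if marker in STANDALONE:
            continue
        if pos + 2 > n:
            return result(False, "truncated segment length")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]  # length includes its own 2 bytes
        if seg_len < 2 or pos + seg_len > n:
            return result(False, f"bad segment length {seg_len} at offset {pos}")
        pos += seg_len
        if marker == SOS:
            pos = _skip_entropy_coded(data, pos)
    return result(False, "no EOI marker")


def flag_image_body(content_type: str, body: bytes) -> str:
    """Return 'clean' or 'suspicious: <reason>' for an HTTP body whose Content-Type claims JPEG."""
    if content_type.split(";")[0].strip().lower() != "image/jpeg":
        return "clean"  # this heuristic only looks at bodies claiming to be JPEG
    info = inspect_jpeg(body)
    return "clean" if info["valid"] else f"suspicious: {info['reason']}"


# Constructed sample bodies (not real captures)
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD_JPEG = b"\xff\xd8" + APP0 + b"\xff\xd9"                 # minimal well-formed structure
SCAN_JPEG = b"\xff\xd8\xff\xda" + struct.pack(">H", 2) + b"\x12\xff\x00\x34" + b"\xff\xd9"
PADDED_JPEG = GOOD_JPEG + b"\x17" * 24                        # 24 bytes appended after EOI
FAKE_JPEG = b"\x83\x11\x42\x2a" + b"\x00" * 12                 # not a JPEG at all

if __name__ == "__main__":
    for name, body in [("good", GOOD_JPEG), ("scan", SCAN_JPEG),
                       ("padded", PADDED_JPEG), ("fake", FAKE_JPEG)]:
        print(f"{name:7s} {flag_image_body('image/jpeg', body)}")
```

The parser accepts a structurally valid file without decoding it, so a genuine image that merely carries an odd comment segment passes, while a body that fails the marker walk, or carries a payload after the end-of-image marker, is surfaced for a human analyst to look at. It is a triage heuristic, not a signature for Duqu.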

Symantec's researchers believe that the creators of Duqu had access to the source code of Stuxnet.

A technical paper describing the similarities between Stuxnet and Duqu can be found here [PDF].

Talkback

38 comments
  • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

    So, the US government successfully used Stuxnet to set back the Iranians' nuclear development. One could reasonably assume that Duqu is another ongoing covert US intelligence operation that you have now successfully blown the cover of. Back in WWII, there was a very common poster that was hung at various manufacturing facilities and military bases. It read, "Loose Lips Sink Ships!" There is a difference between journalism and responsible journalism. Quite frankly, I think you may have crossed that line...
    wineaux
    • If this indeed was a U.S. covert operation ....

      @wineaux
      .... Symantec would not be publishing these warnings in the first place. We already know that there are government sniffers that the security software deliberately ignores and that we never know about unless accidentally discovered, à la Sony's rootkit fiasco!
      kd5auq
      • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

        @kd5auq - Your tin foil hat is crooked...
        PollyProteus
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @wineaux
      I'm sorry, but I have to laugh! Did you really come to ZDNet
      for responsible journalism? Oh, if the information is already
      in the public domain, does reporting on it here or elsewhere
      constitute irresponsible journalism?
      wizard57m-cnet
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @wineaux
      If you cross a line between journalism, and responsible journalism...now you're in the domain of responsible journalism. I think you meant something else.
      mmmikkke@...
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @wineaux There is no way Symantec had not already talked to US government intelligence sources to make sure it's not a covert US operation. And there's no way Symantec didn't also make sure it was okay to publicize this to ZDNet.
      OCres
      • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

        @RonShepston ... No disrespect intended here, but if you would have read the article in full you would see that "Symantec said it got a copy of the in-the-wild malware from an unnamed research lab with strong international connections.". Perhaps a black counter op?
        t_mach
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @wineaux

      Ever think someone could be using it against us (as in the US)??

      Where's the command and control center located? If it's on our home turf or in a country with friendly ties, you may have a point; but if the CCC is elsewhere we may just be the target, especially since our power grid and other vital networks are SO secure...
      jimsj
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @wineaux
      A "responsible assumption" is still an assumption and once you cross that line, you are no longer dealing with facts.
      duncan.mctavish@...
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @wineaux: It's been an 'interesting' day and I needed the laugh!
      nkfro
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @wineaux
      It's funny how you assumed that this is a United States malware?? My thoughts were maybe Iran is getting back at US??? In that case there would be no loose lips. Sunken ships yet to be determined!!!
      eargasm
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @wineaux Who says it is or was the US government? Maybe it was the North Koreans, Chinese or someone else who wants to steal secrets from US weapons manufacturers. Maybe it is being used by organized crime to break into banks. Maybe it is being used by terrorists. Why can you reasonably assume Duqu has anything to do with the US? Where is the war? In WWII we knew who we were at war against. Since when did the US say they are at war with Iran? To declare a true war you have to declare who it is you have declared war against. Just to say "the war on terror" is not declaring war with anyone since they don't state which country the war is against.
      jsargent
  • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

    @wineaux
    Indeed, the first thing a Covert US Op would do would be to make itself "invisible" to any known security software.
    mpaint@...
  • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

    Very interesting article. Is this Trojan targeting Windows? Aren't most industrial plants running Unix/Linux OSes behind really big firewalls? I don't really understand how a Trojan can get into what should really be hyper-secure sites that should simply not be connected to the web. Can someone say a bit more about how security works in those nuclear plants and whether there are Windows/Linux PCs connected to the net in those, even if in the DMZ???
    Drakkhen
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @Drakkhen
      Wow... did you mean to imply that Unix isn't 100% secure and invulnerable against all attacks!? ;-) sorry, couldn't pass that one up...

      But, on the serious side, I think many of the critical industrial and/or vital infrastructure facilities are actually in a closed system which *should* eliminate outside influence. However, it's really hard to say because there is so much mobile tech running around that it's virtually impossible to lock anything down anymore.
      BET7139
      • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

        @BET7139
        Thanks. I did not know Symantec was looking at viruses on Linux/Unix. I thought their market was Windows. That is all. Also, in a closed environment nothing can get in or out except via USB stick, which should be eliminated. So a Trojan in a closed environment could harvest stuff, but as long as it can't send anything... that is fine, I would presume.
        Drakkhen
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @Drakkhen
      I believe the article says that it was targeted at the industrial control manufacturers and not at the controlled factories/facilities. The purpose was to gather information about the controls and would probably be used for a future attack on the controlled systems themselves.

      BTW, some of the factory control systems have gone to controllers based on Windows. However, no system is completely invulnerable.

      FTH
      fromthehip
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @Drakkhen Actually, most of the control systems at my plant are running on Windows. Honeywell, Rockwell, Neles, Emerson are all on Windows 2003 servers. Our boilers, natural gas turbines, water systems and manufacturing processes are all controlled in this fashion. Our whole MES runs on GE's Proficy information system - Windows servers again. At the power plants I've visited I saw similar controls.
      longrunner
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @Drakkhen

      Too many people are using windows for sensitive data, unfortunately.

      Security in nuclear plants is a very good question.

      So many Nuclear vulnerabilities without Windows PCs, I hope they are not running Windows. Hopefully the age of most US plants will mean that they are too ancient for Windows.
      richardw66
    • RE: Stuxnet 2.0? Researchers find new 'cyber-surveillance' malware threat

      @Drakkhen

      Most worms/bots today are installed using self booting USB thumb drives - this is why most government facilities will (should?) not let you use them anymore. Though the worm would still need some kind of net access to report the data it harvested.
      lrj2@...