McAfee: Why Duqu is a big deal

Dave Marcus, head of security research at McAfee, delves into the workings of Duqu, an information-stealing piece of malware that is shaping up to be as big a threat as Stuxnet.
Written by Tom Espiner, Contributor

McAfee is among the security companies raising an alarm about Duqu, a data-stealing Trojan that looks to pose as great a threat to businesses' critical infrastructure as Stuxnet.

Duqu uses Windows-exploiting code similar to that of Stuxnet, a worm designed to attack Siemens industrial software, which has been linked to the cyber-sabotage of nuclear bodies in Iran and other organisations. Unlike Stuxnet, however, Duqu has a small set of specific targets rather than trying to spread itself widely, and it is designed to collect information rather than undermine systems.

Last week, an independent security researcher warned that Duqu has infected a number of organisations, but did not disclose which ones. However, Symantec said it has discovered an organisation in Europe that has been infected with variants of the malware. It believes the hackers were looking for information such as design documents to launch an attack on a third party.

While the broad outline of Duqu is known, McAfee and Symantec have disagreed on the details. ZDNet UK sat down with Dave Marcus, McAfee's director of security research and communications, to talk about its ongoing investigation into Duqu and why it believes the malware could be the basis of a Stuxnet-like attack.

Q: What is Duqu, and what does it do?
A: This is password-stealing and espionage data-capture malware — that seems to be the goal. There's a lot of functionality in the malware to get to the point where it's doing its sniffing and data gathering.

Duqu uses similar code to Stuxnet. Are the same people responsible, or has a different group used portions of the Stuxnet code?
Stuxnet had signed keys, and you have the same thing in this instance.

Does that mean Duqu was coded by the same people who created Stuxnet?
Not necessarily. Duqu shows certain characteristics in its coding, injection and behaviour that is indicative of the Stuxnet code. That most likely means that someone studied the Stuxnet code and said, 'Oh, those five things make sense, I'll do that'.

Duqu is very different from Stuxnet. Stuxnet injects code into a programmable logic controller, to get a kinetic response. There's no evidence of that in Duqu. This looks more like it's data gathering and performing espionage on industrial controller networks.

Duqu was signed with a certificate that was supposedly issued by the C-Media audio-product company. Does that mean the certificate was stolen, or was it forged?
You've got a rogue certificate. There's not a lot of evidence that it was a stolen rogue certificate. It looks like it was a rogue-created certificate. That may mean people had access to another certificate authority (CA), but it's hard to tell at this point.

The certificate compromise comes after compromises of Comodo and DigiNotar. Is this significant?
We have at this point now a third rogue key — that's a bigger issue than people realise. People targeting CAs, and the ability to create rogue signed keys, is a big deal.

You've got the undermining of trust on a variety of levels. Trust in the operating system is undermined. These keys are used on the operating system to sign drivers and dynamic link libraries (DLLs). People taking malware, signing it and encrypting it to a valid key means the malware becomes whitelisted, and has full rein on the operating system. That's certainly not good.

Unless the key is revoked, it's whitelisted. At that point, the malware can inject itself into different processes.

The issue we saw with Duqu is that it was injecting itself into running processes. That's an effective technique to avoid detection by information security. Injecting into running memory, injecting into space, is a really good way to avoid detection, because there's no disk access. Disk access is what generally sets off an on-access scan by security software or hardware. By injecting into running memory, you get a sophisticated technique similar to Stuxnet injections.

And that's just on the host side of the house. Then there's the whole stolen-key/website, man-in-the-middle side of the house. Duqu can be used to sniff traffic locally, and man-in-the-middle locally. Then you have the potential signed key on a website, which you can now man-in-the-middle.

You've got this whole breakdown of trust, potentially. It's a big deal.

With a signed key, it's possible to make web browsers believe that a website is bona fide, isn't it?
Absolutely. You have a client, a real website and the fake key installed in something that pretends to be the valid website. The client doesn't know, so the traffic goes to the fake site, and every piece of data is captured.

The good thing is with Duqu, VeriSign decommissioned the key — the key is invalidated. The command-and-control server being used to extrude data — that's been blacklisted by ISPs. Pretty much all security vendors have got protection for Duqu at this point.

Does Duqu have rootkit functionality?
It's got userland rootkit functionality, not kernel rootkit functionality. Userland functionality is a different animal altogether. There's a difference in technique, and a difference in how you detect it.

With a kernel-mode step, you're going to attack memory spaces and attack kernel table steps and inject your code into the kernel: but that's only one way of rootkitting a machine. By using userland, you're attacking different processes and different areas. It's a very different way of owning a system.

When did you first see the Duqu code?
We got the code from an independent researcher [in October]. It was the victim who reached out to the independent researcher, and then the independent researcher who reached out to us and a couple of competitors, and that's actually fairly standard.

Unless we are told specifically we cannot, we share samples with competitors, because there's a bigger picture. There's the bigger computing community that needs to be protected. We share our samples with Symantec, CA and everybody else, and they share their samples with us.

Did you look at the type of information Duqu was created to harvest?
Our competitors' researchers focused a bit more on the industrial controller aspect of Duqu, because the networks that this appears to be targeting are industrial controller-type networks.

Have you found anything in Duqu yet to say which particular networks it's going after?
Nothing yet — an investigation based upon the victim is still very much in play.

How many infected machines have there been?
It's not widely dispersed. With something like this, you're not going to see widespread infection. This is one of the ways Duqu differs from Stuxnet. Whereas Stuxnet is a worm, Duqu has much more Trojan-like behaviour. Duqu may inject itself into processes, but it doesn't look like it spreads like Stuxnet — through its autorun capabilities and USB sticks. Duqu seems to be much more specifically targeted rather than [designed] to expand like Stuxnet.

How did the target get infected? Was it a spear-phishing attack?
That's a good question. That's still in play. Probably what will come out will be one of two ways. I'm guessing that it will probably be spear-phishing with an attachment or a link to a malicious site. You click on it, download the malware, and there you are. It could be that someone has been sent a message saying, 'Hey, we've just updated our key, install our new key'. Spear-phishing is one of the classic social-engineering techniques, and it works.

The initial infection vector is still under investigation. Exactly what the attackers were going after — that's still in play. But it looks like they are targeting industrial controller networks and certificate authorities. The CA part of it I think is the bigger, long-term issue.

Do you think that the certification model is getting a bit outdated?
I'm not that close to the model, but I think there's a lot of validity in it. The struggle implementation-wise is that people get very nervous over the concept of keys. Who owns the master key? That's what historically has made people a little bit nervous. Especially in the States — we have control issues. Who holds the keys to my encryption is a big issue. It's probably the same all over the place.

One of the problems with the model, and with email encryption, is the exchanging of keys. It's problematic for everyone.

I don't know that the model is broken or anything like that. This is the third known compromise. That's a big deal, but it's not like it's the 80th or 90th compromise.

If I was part of a CA, I'd be stepping back at this point and saying, "All right — this is the third time. What is in common between these three attacks? Why were those CAs targeted? How are people getting in and getting this done, and how do we step back and do some pen-testing and other procedures to make sure it doesn't happen to us?"

If I was a CA, I would assume I'm potentially next and start taking steps.

What's the next stage of looking at the effects of Duqu?
We want to start doing some tracking globally of Duqu with our threat intelligence network. We're also going to be looking at telemetry data worldwide, to see if we're seeing Duqu anywhere else in the world. We can then reach out to any people who are experiencing problems, and we can fill in some of the gaps in the knowledge that we have. We're going to see if alerts are dispersed, or if they are going to be geographically focused, so we can start answering some of those questions.

McAfee has said Duqu seems to be targeting a specific geographical area, stretching in a band across North Africa, the Balkans, the Middle East, India and parts of the Far East.
It seems to be targeting certain parts of the world.

Why did McAfee call that band the 'Golden Jackal'?
You know, Peter [Szor] came up with that name. Canis aureus [the golden jackal] has to do with that part of the world.

Why did you initially think the malware was targeting that area?
It looked like there was activity in that part of the world. The CAs, business-wise, are in the same part of the world.

Did Duqu look like it was trying to connect back to a command-and-control server there?
I believe it was trying to connect back to a command-and-control server IP address in India, which has been shut down. You have these certain parts of the world that seem to keep coming up.

I know you don't like the term 'advanced persistent threat' (APT), but would it be unreasonable to say this could be cyber-espionage by a country?
I don't think it would be unreasonable to say that. When you talk about the undermining of certificate authorities, that's as APT as you get to call APTs — that's as bad as it gets.

Duqu has got a lot of advanced capabilities. Do I think there's an advanced conspiracy? Not necessarily, but you can't discount the geographical implications — if the CAs are in a certain area, you know, you have to look at that. If your infection dispersal is in a certain area, you have to look at that. You can't ignore it.
