Security alert: meet ‘Duqu’ the son of Stuxnet

19 Oct 2011

Dubbed ‘the son of Stuxnet’ a new attack called Duqu with similar characteristics is on the rampage. Duqu’s purpose is to gather intelligence from industrial control systems used in manufacturing and power plants that could be used in future cyber attacks.

Duqu shares a great deal of code with Stuxnet; however, the payload is different. Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities.

“Duqu is essentially the precursor to a future Stuxnet-like attack,” Symantec warned this morning.

“The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.

“The attackers are looking for information, such as design documents, that could help them mount a future attack on an industrial control facility.”

Symantec said Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT).

“The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organisations for their specific assets. However, it’s possible that other attacks are being conducted against other organisations in a similar manner with currently undetected variants.

“The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases.

“Two variants were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on 1 September . However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.”

How Duqu works

Symantec said one of the variant’s driver files was signed with a valid digital certificate that expires 2 August 2012. The digital certificate belongs to a company headquartered in Taipei, Taiwan. The certificate was revoked on 14 October 2011.

Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that at the time of writing is still operational. The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated out.

The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received. Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years