Thursday, October 20, 2011

"Son of Stuxnet?"

A new computer virus is making its rounds ... somewhere.  It goes by various names.  It's "official" name is "Duqu" but many are calling it the "Son of Stuxnet":

A powerful new computer virus that some are calling the "Son of Stuxnet" has been discovered, and researchers are concerned about its potential for attacking critical infrastructure computers around the world.
The mysterious Stuxnet worm -- perhaps the most powerful ever created -- managed to infiltrate computer systems in Iran and do damage to that nation's nuclear research program. The new worm, dubbed Duqu, has no such targeted purpose. But it shares so much code with the original Stuxnet that researchers at Symantec Corp. say it must either have been created by the same group that authored Stuxnet, or by a group that somehow managed to obtain Stuxnet's source code. Either way, Duqu's authors are brilliant, and mean business, said Symantec's Vikrum Thakur.
"There is a common trait among the (computers) being attacked," he said. "They involve industrial command and control systems."
Symantec speculates that Duqu is merely gathering intelligence as a precursor to a future industrial-strength attack on infrastructure computers.

“Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party,” Symantec said in an announcement.  “The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”
At the moment, Duqu only creates a back door into infected systems, connecting them to a command computer somewhere in India. No marching orders have yet been given, Thakur said. But those who control the machines could do virtually anything they wanted, Thakur said.
"The kinds of consequences we could see ... if the computer is told download this file, it will download the file. If the file says shut off this service, and that had an effect on a power plant or a conveyor belt, it would do that," he said.
Duku is so similar to Stuxnet that F-Secure's antivirus program initially identified it as Stuxnet, said F-Secure's Chief Research Officer Mikko Hypponen.
"Duqu's kernel driver is so similar to Stuxnet's driver that our back-end systems actually thought it was Stuxnet," he said in a Tweet.
The mysterious Duku is designed to leave the back door open for precisely 36 days, and then self-destruct.
Symantec was first alerted to the existence of Duqu on Friday, when an unnamed security firm that had already worked with a Europe-based victim shared his research with the firm. Symantec researchers worked through the weekend trying to understand the virus, which they have since learned has infected industrial computers "around the globe," Thakur said.  He wouldn't identify the initial victim or say how many known victims there are.
McAfee has more:
Stuxnet was possibly the most complex attack of this decade, and we expected that similar attacks would appear in the near future. One thing for sure is that the Stuxnet team is still active–as recent evidence has revealed. McAfee Labs received a kit from an independent team of researchers that is closely related to the original Stuxnet worm, but with a different goal–to be used for espionage and targeted attacks against sites such as Certificate Authorities (CAs).
How do we know it was the Stuxnet team? To start with, the attacks are targeting CAs in regions occupied by “Canis Aureus,” the Golden Jackal, to execute professional targeted attacks against sites such as small CAs, industry systems, and others. The Stuxnet worm utilized two “stolen” digital certificates belonging to two companies from Taiwan that operated in the same business district. Yet, the Stuxnet-related code, named Duqu, which McAfee Labs received as part of an on-going investigation, was signed with yet another key belonging to the company C-Media Electronics, in Taipei.
The threat that we call Duqu is based on Stuxnet and is very similar. Only a few sites so far are known to have been attacked by the code, and it does not have PLC functionality like Stuxnet. Instead, the code, delivered via exploitation, installs drivers and encrypted DLLs that function very similarly to the original Stuxnet code. In fact, the new driver’s code used for the injection attack is very similar to Stuxnet, as are several encryption keys and techniques that were used in Stuxnet.
Duqu is very time sensitive, and is controlled by an extended, encrypted configuration file. It communicates with a command server in India. This IP address has since been blacklisted at the ISP and no longer functions. Yet it was specially crafted to execute sophisticated attacks against key targets and has remote control functionality to install new code on the target. These include keyloggers, which can monitor all actions on systems: running processes, window messages, and so on. Furthermore, the keylogger component also contains functionality to hide files with a user-mode rootkit.
ABC's report on Duqu is ominous.  Hot Air comments:
ABC also sees the Stuxnet team’s fingerprints on Duqu, noting that “the authors of the new virus apparently had access to original Stuxnet code that was never made public,” and McAfee reports that the new virus uses a digital certificate “stolen” from a business in the same neighborhood in Taipei as the businesses from whom Stuxnet “stole” its own certificates. That’s reassuring insofar as most experts believe Stuxnet was a U.S./Israeli operation targeting Iran; if Son of Stuxnet really is a product of the same team then obviously it’s working for us, not against us. But … working to do what? Stuxnet, remember, wasn’t mere spyware. It was designed to actually take over the controls at industrial plants — like, say, Iran’s uranium enrichment facility — and make them go haywire. Duqu is pure spyware, but of an exceptionally advanced kind. It’s designed to infiltrate the same sort of industrial infrastructure and record keystrokes, pilfer design documents, and so forth. And apparently it’s a prelude to something big.


Either this is some sort of massive industrial-espionage fishing expedition by the Stuxnet team or ABC is wrong and Duqu is spreading inadvertently far beyond the systems that were initially targeted. Symantec’s own blog post on this says, “Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.” I’m not sure how it could be “highly targeted” and yet affecting systems “around the globe.” Just how ambitious is this looming operation, anyway?
The most curious thing about all of the posts I’ve linked here is that they’re conspicuously vague about which systems in which countries have actually been infected. If the worm is “highly targeted,” then it must be clear from the pattern of infection who the focus of the operation is, yet everyone seems to be keeping mum about that. The only specific (and intriguing) detail, per NBC, is that the command computer appears to be located in India. With facts as meager as that, the only limit on speculation about what’s happening is your imagination. Maybe it really is a big fishing expedition. Or maybe it’s simply phase two of the original Stuxnet operation, with the U.S. and Israel gathering info on Iran’s infrastructure for a massive cyberattack in the event of war. (Iran has been experiencing new setbacks to its nuclear program lately, although they appear to be unrelated to cyber-sabotage.) Or maybe the U.S. and Israel are now partnering with India to target Pakistan’s nuclear facilities. Or maybe the entire Middle East is now under surveillance to see who else might be inching towards nuclear proliferation as Iran gets closer to the bomb. Or maybe the U.S. and Israel weren’t behind Stuxnet after all and this is all a diabolical plot by Chinese hackers backed by Beijing. Stuxnet was meant to throw the world off their scent by focusing on Iran, and now Duqu’s doing the info-gathering China needs for cyberwar on the west if/when it comes to that. Stop me before I “maybe” again.
My question: is there a connection between this "Son of Stuxnet" and the virus that seems to have recently infected the US drone fleet?

1 comment:

  1. It is so interesting calling the "Son of Stuxnet".This new latest vesion of virus Son of Stuxnet is merely gathering intelligence as a precursor to a future industrial-strength attack on infrastructure computers.Thanks a lot to sharing with us.
    San Diego Computer Services