On October 19, Symantec released its analysis of a new threat, called Duqu, that appears to be the precursor to a future, Stuxnet-like attack. Parts of Duqu are nearly identical to the Stuxnet worm
, but its sole purpose is to gather intelligence that could be used to give attackers the insight they need to mount future attacks. Duqu is not widespread, but it is highly targeted at suppliers to industrial facilities.
In at least one targeted organization, Symantec has confirmed that the installer file was a Microsoft Word document, which exploited a previously unknown kernel vulnerability that allows code execution. When the document was opened, malicious code executed and installed the main Duqu binaries. Microsoft is aware of the vulnerability, and is working on issuing a patch and an advisory.
Duqu was recovered from a limited group of organizations based in Europe and first analyzed by the Laboratory of Cryptography and System Security in Budapest.
Where Stuxnet was designed to reprogram industrial control systems (hardware used to manage industrial environments such as power plants and oil refineries), attackers have used Duqu to install keystroke loggers to gather information from the infected computers.
Although Duqu uses some of the same source as Stuxnet, its payload is not destructive. It is primarily a remote access Trojan that does not self-replicate in order to spread itself, which means it is not a worm.
Two variants of the threat were initially recovered, although Symantec has since discovered additional variants.
Duqu consists of an installer, a driver file, a main DLL, and a configuration file. Like Stuxnet, Duqu masks itself as legitimate code using a driver file signed with a valid digital certificate. The certificate, which belongs to a company headquartered in Taipei, was revoked on October 14.
Attacks using Duqu and its variants may have been going on since last December based on a review of file-compilation times, according to Symantec.
Duqu uses HTTP and HTTPS to communicate with two known command-and-control (C&C) servers that are both now inactive. Attackers were able to download additional executables through the C&C servers, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which is then exported.
The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring JPG files, other data is encrypted and sent out.
Duqu is configured to run for 30 or 36 days, at which point it will automatically remove itself from a system.
So far, Duqu infections have been confirmed in at least six organizations in eight countries (France, the Netherlands, Switzerland, the Ukraine, India, Iran, Sudan, and Vietnam).
While Duqu does not directly target industrial control systems, its discovery has reignited fears about cyberattacks targeted at the systems behind equipment at critical infrastructure such as power plants, water treatment facilities, and chemical plants.
Stuxnet, which infected tens of thousands of computers last year, created a worldwide sensation when Symantec revealed that it was designed to sabotage hardware used in uranium enrichment at an Iranian nuclear site.
Symantec researchers noted that the industrial sector is not Duqu’s sole target, adding that they have identifi'd "one or more targets outside the industrial industry who provide assets that would aid a future attack."
"Considering the history of Stuxnet, the potential of the same attackers, and currently known targets, we urge industrial control system manufacturers and any other organizations who provide solutions to industrial facilities to audit their network for Duqu."
The investigation by Symantec researchers concluded that some of the files associated with Duqu were signed with a private key stolen from an organization, whose systems appear to have been compromised. The private key was associated with the code-signing certificate issued to that customer.
While it isn't known how this particular key was compromised,'Symantec offers the following recommendations to better protect private keys:
- Separate test signing and release signing. It is a best practice to set up a parallel code-signing infrastructure using test certificates generated by an internal test root certificate authority. This ensures that business-critical private certificates used to sign officially released software aren’t stored on insecure build systems used for routine R&D software development tasks, reducing the likelihood that they will be compromised.
- Cryptographic hardware modules. Keys stored in software on general-purpose computers are susceptible to compromise. It is more secure, and a best practice, to store keys in secure, tamper-proof, cryptographic hardware devices.
- Physical security. There is no security without physical security. If it’s possible for an outsider, or a malicious insider, to gain access to code-signing keys, then all cryptography measures are for naught. Cameras, guards, fingerprint scanners, and additional measures are all appropriate to protect critical assets and should be taken seriously.
Stuxnet opened the door to malware having profound political and social ramifications. While there is still much to be learned from the complexity of this threat, Stuxnet has already changed the way researchers approach malware and view the security threat landscape. The story continues now with Duqu, a new threat whose goal is to gather the intelligence that attackers need to mount a future, Stuxnet-like attack.