Duqu is a new threat whose goal is to gather intelligence in order to conduct a future Stuxnet-like attack. In at least one targeted organization, Duqu used a Microsoft Word document as its installer, exploiting a previously unknown kernel vulnerability to execute code.
On October 19, 2011, Symantec released its analysis of a new threat called Duqu, which appears to be the precursor to a future, Stuxnet-like attack. Parts of Duqu are nearly identical to Stuxnet, but its sole purpose is to gather intelligence that could give attackers the insight they need to mount future attacks. Duqu is not widespread; it is highly targeted, and its targets include suppliers to industrial facilities.
In at least one targeted organization, Symantec has confirmed that the installer file was a Microsoft Word document (.doc) that exploited a previously unknown kernel vulnerability allowing code execution. Simply opening the file was enough: the malicious code executed and installed the main Duqu binaries. Microsoft is aware of the vulnerability and is working towards issuing a patch and advisory.
Status update, November 1, 2011
- An unpatched zero-day kernel vulnerability, exploited through a Microsoft Word document, is used to install Duqu
- Attackers can spread Duqu to computers in secure zones (including machines without direct Internet access) and control them through a peer-to-peer C&C protocol that relays through other infected peers
- At least six organizations in eight countries have confirmed infections
- A new C&C server hosted in Belgium was discovered and has been shut down
Learn more about Duqu from Symantec Security Response Experts
- Blog: Status Updates Including Installer with Zero-Day Exploit Found, November 1, 2011
- White Paper: W32.Duqu—The Precursor to the Next Stuxnet, version 1.3, November 1, 2011
- Blog: Duqu: Updated Targeting Information, October 21, 2011
- Blog: Duqu Status Update #1, October 21, 2011
- Blog: W32.Duqu—The Precursor to the Next Stuxnet, October 19, 2011
- Protection Information: W32.Duqu
Take a Look Back at Symantec's Role in Unraveling Stuxnet
Timeline image: "Unraveling Stuxnet" (source: Symantec).
The Significance of Stuxnet
What makes Stuxnet particularly earth-shattering is that it was designed to take a never-before-seen leap from the digital world into the physical world. Stuxnet is a computer worm that targets the industrial control systems used to monitor and run large-scale industrial facilities.
Much of the malware in play today is designed to steal information and pilfer bank accounts, both of which affect our real-world lives only indirectly. Stuxnet went well beyond that. Its purpose was to reprogram industrial control systems, the programmable logic controllers (PLCs) and supervisory software used to manage industrial environments such as power plants, oil refineries, and gas pipelines. Its final goal was to manipulate the physical equipment attached to specific industrial control systems so that the equipment behaved as the attacker programmed it to, contrary to its intended purpose. Such an outcome could serve several underlying goals, but sabotage, destruction, and cyber warfare are the most obvious.
Stuxnet opened the door to malware with deep political and social ramifications. There is much to be learned from the complexity of the Stuxnet threat. Indeed, Stuxnet has changed the way researchers approach malware and view the security threat landscape.
Security Response Blog Entries
Read what Symantec security researchers have written on the Stuxnet worm since it appeared in July 2010 (entries listed newest first).
- A Malware Anniversary to Remember, July 11, 2011
- Updated W32.Stuxnet Dossier is Available, February 14, 2011
- Stuxnet: A Breakthrough, November 12, 2010
- Stuxnet: Target Still Unknown, November 3, 2010
- Detecting PLC Infections, October 8, 2010
- Stuxnet Infection of Step 7 Projects, September 26, 2010
- Stuxnet Before the .lnk File Vulnerability, September 24, 2010
- Exploring the Stuxnet PLC Infection Process, September 21, 2010
- Stux to Be You, September 21, 2010
- Stuxnet Print Spooler Zero-Day Vulnerability not a Zero-Day at All?, September 17, 2010
- Stuxnet P2P component, September 17, 2010
- Stuxnet Using Three Additional Zero-Day Vulnerabilities, September 14, 2010
- Stuxnet Introduces the First Known Rootkit for Industrial Control Systems, August 6, 2010
- Sneakernet Revisited, August 5, 2010
- W32.Stuxnet Variants, July 29, 2010
- Distilling W32.Stuxnet Components, July 22, 2010
- W32.Stuxnet Network Information, July 22, 2010
- Hackers Behind Stuxnet, July 21, 2010
- W32.Stuxnet - Commonly Asked Questions, July 16, 2010