Duqu : The next gen of Viruses after StuxNet
The new threat, dubbed W32.Duqu, is a remote access Trojan (RAT) that appears to have been written by the authors of Stuxnet, or at least by someone who has access to Stuxnet source code, Symantec said in a report released today.Duqu’s purpose is to steal data from manufactures of industrial control systems that can then be used to craft attacks against entities using such systems, Symantec warned.
Symantec’s analysis shows that the Trojan is “highly targeted” at a limited number of organizations, said Kevin Haley, director of product management.
Though Duqu uses a lot of the same code as Stuxnet, its payload is completely different, Haley added.While Stuxnet is designed to sabotage industrial control systems, Duqu is simply a Trojan with remote access capabilities that appears to have been created specifically to gather information about industrial control systems.
News of the new Trojan is sure to reinforce concerns about targeted cyberattacks against the industrial control systems used in critical infrastructures, such as power plants, water treatment facilities and chemical plants.
The worm is noteworthy as the first piece of malware known to have morphed into physical destruction of a resource. Attackers have used Duqu to install keystroke loggers and network enumerators for stealing information that can be used in future attacks, Haley said. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control system.
Haley said that Duqu has been used to carry out attacks against a handful of European companies that manufacture industrial control systems. In at least one case, the attackers were unsuccessful in their attempts to steal such data. But information is not yet available on all cases where Duqu has been used to launch an attack, Symantec said.
Symantec said it received a sample of the new malware on October 14 from what it described as “research lab with strong international connections.” Symantec has so far analyzed two variants of Duqu and recovered additional variants from an organization in Europe that it didn’t identify.
Duqu cannot replicate or propagate on its own, Haley said. It is configured to run for 36 days after which it removes itself from the infected machine.
Duqu was designed, said Symantec and Kaspersky, by advanced hackers, most likely backed by an unknown country’s government. Unlike Stuxnet, it was not crafted to wreak havoc on uranium enrichment centrifuges, but to scout out vulnerable installations and computer networks as a lead-in to the development of another worm targeting industrial control systems.
The footprints of the have been cleaned
Earlier Wednesday, another Kaspersky expert posted an update on the company’s investigation into Duqu that noted the Oct. 20 hackers’ house-cleaning.
According to Kaspersky, each Duqu variant — and it knows of an even dozen — used a different compromised server to manage the PCs infected with that specific version of the malware. Those servers were located in Belgium, India, the Netherlands and Vietnam, among other countries.
“The attackers wiped every single server they had used as far back as 2009,” Kaspersky said, referring to the Oct. 20 cleaning job.
The hackers not only deleted all their files from those systems, but double-checked afterward that the cleaning had been effective, Kaspersky noted. “Each [C&C server] we’ve investigated has been scrubbed,” said Schouwenberg.
Kaspersky also uncovered clues about Duqu’s operation that it has yet to decipher.
The attackers quickly updated each compromised server’s version of OpenSSH — for Open BSD Secure Shell, an open-source toolkit for encrypting Internet traffic — to a newer edition, replacing the stock 4.3 version with the newer 5.8.
Although there have been reports that OpenSSH contains an unpatched, or “zero-day,” vulnerability — perhaps exploited by the Duqu hackers to hijack legitimate servers for their own use — Kaspersky eventually rejected that theory, saying it was simply “too scary” to contemplate.
By updating OpenSSH from the possibly-vulnerable OpenSSH 4.3, the Duqu developers may have intended to ensure that other criminals couldn’t steal their stolen servers.
Iran, which last year acknowledged some systems, including ones in its nuclear facilities, had been infected with Stuxnet, two weeks ago admitted Duqu had also wiggled its way onto PCs in the country.
Duqu has been traced to attacks in several countries other than Iran, including the Sudan, and may have been under construction since August 2007.
The future danger
Hackers know that this was done by the funded by US Cyber Army. But what is more surprizing or shocking is that they have been able to use the virus as a weapon. And the latest news among hackers is that StuxNet’s code is available for free on Internet for anyone to use or download. Although its too high-level for simple hackers but groups like Anonymous etc. could use these for mass destruction.