New malware variant: son of Stuxnet?

Today, a co-worker pointed me to a recent discovery: what appears to be a precursor to a variant of the Stuxnet worm that appeared last year.

In case you have forgotten, Stuxnet was a worm that used several zero-day vulnerabilities and erased itself at a certain point in time. Furthermore, it was signed with two certificates from two certificate authorities (possibly stolen, perhaps not) and was a very complex worm. At the time, the original payload was unknown, but researchers eventually discovered that it was designed to disrupt the Iranian nuclear program by causing components used in the processing of nuclear material to spin too fast. Nobody claimed responsibility for the worm, but industry analysts believe it was a state-sponsored effort, specifically a joint Israeli/US operation.

Today, researchers from Symantec and McAfee have discovered another attack in the wild, the next generation of Stuxnet called Duqu.  From Darkreading:

Researchers at Symantec say newly discovered malware, dubbed "Duqu," shares much of the code from Stuxnet and shows that the authors had access to the source code of Stuxnet, suggesting that it may have been developed by the same attackers who devised Stuxnet.

Meanwhile, researchers at McAfee say they have been studying a malware kit "closely related to the original Stuxnet worm" -- aka Duqu -- that wages targeted attacks against sites such as CAs and for other cyberespionage purposes, according to McAfee.

"The threat that we call 'Duqu' is based on Stuxnet and it is very similar. Only a few sites so far are known to be attacked by the code, and it does not have PLC functionality like Stuxnet. Instead, the code which is delivered via exploitation, installs drivers, and encrypted DLLs that function very similar to the original Stuxnet code. In fact, the driver’s code used for the injection attack, is very similar to Stuxnet, as well as several encryption keys, and techniques that were used in Stuxnet," wrote McAfee researchers Guilherme Venere and Peter Szor in a blog post today.

Other security researchers say there's not enough information yet to confirm the malware is indeed Stuxnet The Sequel. "Code-recycling is endemic to professional malware development," says Gunter Ollmann, vice president of research at Damballa. Ollmann says the use of stolen certificates here for code-signing is "an interesting trend."

Symantec has been studying a process-control system-related version of Duqu. But unlike Stuxnet, which was aimed at sabotaging a specific line of Siemens process-control systems in Iran's nuclear facilities, Duqu is all about reconnaissance: it attempts to siphon information such as design documents from industrial control system vendors, researchers at Symantec say. "Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," Symantec researchers said in a blog post today. "Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)."

This is an intriguing development. Here’s what we know so far, based upon my 20 minutes of research:

  • Stuxnet was a worm that was designed to infect SCADA systems and cause disruption without detection.

  • Duqu shares many of the same properties as Stuxnet; see Symantec’s report. However, I am not an expert in evaluating malware. On page 18 of that report, they list the similarities between Stuxnet and Duqu. But how many generic pieces of malware share those same similarities with Stuxnet? Is this just an example of the Barnum effect (like that one South Park episode where Stan Marsh talked to the dead and John Edward won the BDIU award)? For all I know, half the malware out there could be classified as similar to Stuxnet.

  • Unlike Stuxnet, Duqu is designed to steal data while remaining undetected rather than to cause damage. After all, code recycling is prevalent among malware authors. Perhaps the developers of Duqu simply borrowed ideas from Stuxnet. Or maybe they got hold of the code on the black market and modified it for their own purposes.

  • In the article, one of the security experts says “It's very possible for a Stuxnet 2 attack ... using this reconnaissance phase and launching what would be more aptly called Stuxnet 2.”

    Maybe.

    But not necessarily. What we see in traditional APTs is that malware sits on systems undetected and steals data, not to sabotage the system but to hand the data to a competitor. Stuxnet was written with a very clear motive in mind. While most of the infections so far involve industrial controllers, it could be that the original family (Stuxnet) targeted industrial controllers and the malware authors haven’t yet figured out how to update it into something more useful.

We often think of an APT as code that originates in China. But Stuxnet demonstrated last year that the direction of attack can run west-to-east instead of east-to-west.

Are Stuxnet and Duqu related? I don’t know. What I do know is that cyber espionage is the newest trend in malware this year, and it won’t go away anytime soon.