Symantec Corp. researchers have revealed the presence of new malware that is strikingly similar to the dangerous Stuxnet Trojan, and could be a precursor to a future Stuxnet-style attack.
Because of the amount of time and effort that went into creating the Stuxnet code, it’s not surprising that the people behind it would try to reuse it.Kevin Haley, director of security response, Symantec Corp.
Symantec Security Response researchers say Duqu (pronounced dyü-kyü), named because it creates files with the file name prefix “~DQ”, was first identified on October 14. The security vendor issued a report Tuesday outlining its analysis of Duqu (.pdf).
The Mountain View, Calif.-based vendor said parts of the Duqu are nearly identical to Stuxnet, indicating it was created by someone who has access to the Stuxnet source code.
Unlike Stuxnet, which was created to disrupt industrial control systems, Win32.Duqu was designed to gather intelligence data and assets “in order to more easily conduct a future attack against another third party,” Symantec said. It was recovered from computer systems in Europe and researchers only began analyzing the malware last week.
“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” Symantec said in its report.
Duqu Trojan infections were discovered in Europe, mainly in industrial control systems manufacturers, said Kevin Haley, director of Symantec security technology and response. Haley said it’s not uncommon for malware authors to reuse their code.
“Because of the amount of time and effort that went into creating the Stuxnet code, it’s not surprising that the people behind it would try to reuse it,” Haley said. “Stuxnet was an incredibly complex piece of code and something you would want to get your money’s worth out of.”
It’s currently unknown how the malware spreads. Researchers are scouring the Internet to find the installer and determine how systems can be infected by the malware, Haley said.
According to additional analysis by McAfee researchers, attacks appear to be also targeting certificate authorities in Africa, Southeastern and Central Europe and the Middle East. McAfee is warning CAs to analyze their systems for the malware.
It’s meant to be stealthy, so if they can’t get the data they need they’ll try something else.
Jason Lewis, CTO, Lookingglass Cyber Solutions Inc.
Once a system is infected with Duqu, attackers install a keylogger, which records keystrokes and seeks out additional system information. Symantec said the mawlare can copy lists of running processes, account details and domain information. It can take screenshots, record network information and explore files on all drives, including removable drives.
“In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases,” Symantec said. Stolen data is sent to a command-and-control (C&C) server, which, according to McAfee, has been blacklisted by the ISP and is no longer functioning.
Two variants of the malware were recovered, and Symantec data suggests attacks using Duqu could have been conducted as early as December 2010. Symantec said the Trojan is configured to run for 36 days and then it automatically removes itself from the infected system.
The short lifespan of the malware indicates it has a specific target, said Jason Lewis, chief technology officer at Baltimore-based security software services firm Lookingglass Cyber Solutions. Lewis, a former global network exploitation and vulnerability analyst with NSA, said it was likely authored by a nation state, given the time and resources it takes to develop a sophisticated piece of malware.
“It’s meant to be stealthy, so if they can’t get the data they need they’ll try something else,” Lewis said. “Because of the time and money that goes into developing something like this, you don’t want someone to discover it right away and then have Symantec analyze it to push out detection signatures.”
The Stuxnet Trojan, which surfaced in 2010, was heralded by most security experts as a uniquely sophisticated piece of malware. It targeted Supervisory Control and Data Acquisition (SCADA) systems, which are used to manage power, water and sewage plants and other industrial facilities.
Stuxnet specifically sought out Siemens' SCADA software and was designed to then inject itself into the programmable logic controllers that automate the most critical parts of an industrial facility's processes. The New York Times reported in January that Stuxnet was a joint effort by the U.S. and Israeli governments, created to take down Iran's Nantaz uranium enrichment facility, which reports suggest it did successfully.