Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Duqu Trojan a precursor to next Stuxnet, Symantec warns

New malware shares Stuxnet code and targets makers of industrial control systems

Article comments

Symantec is warning of a new malware threat that it says could be a precursor to the next Stuxnet.

The new threat, dubbed W32.Duqu, is a remote access Trojan (RAT) that appears to have been written by the authors of Stuxnet, or at least by someone who has access to Stuxnet source code, security vendor Symantec said in a report yesterday.

"We have confirmed Duqu is a threat nearly identical to Stuxnet, but with a completely different purpose," Symantec said.

Duqu's purpose is to steal data from manufacturers of industrial control systems that can then be used to craft attacks against entities using such systems, Symantec warned.

Symantec's analysis shows that the Trojan is "highly targeted" at a limited number of organisations, said Kevin Haley, director of product management.

Remote access Trojan

Though Duqu uses a lot of the same code as Stuxnet, its payload is completely different, Haley added.

While Stuxnet is designed to sabotage industrial control systems, Duqu is simply a Trojan with remote access capabilities that appears to have been created specifically to gather information about industrial control systems.

News of the new Trojan is sure to reinforce concerns about targeted cyberattacks against the industrial control systems used in critical infrastructures, such as power plants, water treatment facilities and chemical plants.

The Stuxnet worm, which some security researchers call the most sophisticated malware program ever written, has affected industrial control systems in many countries, including and especially Iran.

The worm is noteworthy as the first piece of malware known to have morphed into physical destruction of a resource,

Keystroke logging

Attackers have used Duqu to install keystroke loggers and network enumerators for stealing information that can be used in future attacks, Haley said. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control system.

Haley said that Duqu has been used to carry out attacks against a handful of European companies that manufacture industrial control systems.

In at least one case, the attackers were unsuccessful in their attempts to steal such data. But information is not yet available on all cases where Duqu has been used to launch an attack, Symantec said.

Symantec said it received a sample of the new malware on October 14 from what it described as "research lab with strong international connections." Symantec has so far analysed two variants of Duqu and recovered additional variants from an organisation in Europe that it didn't identify.

Mystery origins

Attacks using Duqu and its variants may have been going on since last December based on a review of file-compilation times, Symantec said.

Duqu cannot replicate or propagate on its own, Haley said. It is configured to run for 36 days after which it removes itself from the infected machine.

Symantec has not yet figured how attackers have been infecting systems with the Trojan.

"We have not recovered the installer so we don't know yet how Duqu propagates," Haley said. "There's nothing in Duqu that says 'copy me to a USB' or 'look for a network share and take me there.' It just sits there and works as a remote access tool. We don't know how it gets there."

The new malware is named Duqu because it creates files with filenames having the prefix "DQ", Symantec said in a detailed description of the new Trojan.

Taipei links

The Trojan consists of three files - a driver file, a dynamic link library and a configuration file. The files need to be installed by a separate executable which has not yet been recovered, Symantec said.

Besides the link between Duqu and Stuxnet, there is no other information on who might be behind the Trojan, Haley said.

A driver file on one of the variants was signed with a digital certificate that belongs to company headquartered in Taipei. The certificate, set to expire in August 2012, was revoked on October 14.

Duqu uses HTTP and HTTPS to communicate with a command and control server hosted in India, according to Symantec.

Attackers have been using the C&C server to download key loggers, network enumerators and other information stealing programs. The stolen information is stored on a "lightly encrypted' file and then uploaded back to the server.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *