Symantec, McAfee differ on Duqu malware threat
Security firms disagree on intent of a Trojan that Symantec calls the "precursor to next Stuxnet"
By Jaikumar Vijayan | Computerworld US | Published: 12:40, 20 October 2011
Two top security vendors appear to have come to slightly different conclusions about the specific dangers posed by a newly discovered Trojan program called Duqu.
Symantec and McAfee Tuesday both released detailed analyses of the Duqu Trojan after obtaining a sample of the malware from an unidentified source.
Symantec released a 60-page report that called Duqu a precursor to the next Stuxnet worm that is being used largely to steal information from makers of industrial control systems.
On the other hand, rival McAfee's analysis said that Duqu is primarily used to target Certificate Authorities (CA) in parts of Asia, Europe and Africa.
The security vendors had different accounts of a code signing certificate associated with Duqu, which appears to have been originally issued to a Symantec customer.
Stolen certificate or forged in CA attack?
McAfee suggested that the certificate used by Duqu had been forged in a direct attack at a CA, while Symantec said that the certificate appeared to have been stolen.
A Symantec spokesman this afternoon said the company has seen no evidence that Duqu specifically targets certificate authorities.
"Up to this point the threat's primary purpose seems to have been to gather intelligence data and assets from very specific entities in order to more easily conduct a future attack against another third party," the company said. "At this time, what we know as fact is that at least one of these entities is a Europe-based industrial control systems manufacturer."
In an email to Computerworld, Adam Wosotowsky, senior research analyst at McAfee Labs, said that while Duqu appears to be a "reconnaissance agent," its true purpose is unknown. "But the assumption was made that it was looking for keys that would allow it to infiltrate secure networks more successfully," he said.
In its report, Symantec said Duqu was most likely created by the authors of last year's Stuxnet worm and is being used specifically to steal critical information from makers of industrial control systems.
Duqu, the next Stuxnet
Symantec said it received a sample of the new malware on 14 October from what it described as "research lab with strong international connections." Symantec has so far analysed two variants of Duqu and recovered additional variants from an organisation in Europe that it didn't identify.
Symantec said that it believes that Duqu is being used to steal information that can be used to develop the next Stuxnet. Symantec noted that the new Trojan uses the same code as Stuxnet and mimics many of the same behaviors exhibited by its predecessor.
Unlike Stuxnet, Duqu is not targeted at industrial control systems specifically, Symantec noted.
However, in a blog post somewhat dramatically titled "The Day of the Golden Jackal - The Next Tale in the Stuxnet Files: Duqu", two security researchers from McAfee said the Trojan was primarily targeting "CAs in regions occupied by 'Canis Aureus,' or 'the Golden Jackal.'"
An accompanying map showed that region to be parts of Asia, the Middle East and Africa.
Like Symantec, McAfee too said that it had received a sample of the new malware from what it described as an "independent team of researchers." And like Symantec, McAfee noted that Duqu is closely related to the original Stuxnet worm and said "the code, delivered via exploitation, installs drivers and encrypted DLLs that function very similarly to the original Stuxnet code."
"In fact," the McAfee report added, "the new driver's code used for the injection attack is very similar to Stuxnet, as are several encryption keys and techniques that were used in Stuxnet."
No risk found for Symantec's systems
McAfee's blog post offers a detailed description of the threat but makes no mention of industrial control systems. The blog instead concludes with a warning to CAs to "carefully verify if their systems might have been affected by this threat or any variations."
The blog noted that McAfee Labs has identified a "likely variation" at another site it didn't identify.
The McAfee researchers said the code signing certificate associated with Duqu belonged to a company called C-Media Electronics, based in Taipei. It added that it's "highly likely" that the key was forged.
Symantec said it has known that some of the malware files associated with Duqu were signed with private keys associated with a code signing certificate issued to a Symantec customer. The certificate was revoked on October 14, the company said.
"Our investigation into the key's usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware," Symantec said.
Symantec also said that at no time were its roots and intermediate CAs at risk. "Our investigation shows zero evidence of any risk to our systems," Symantec said.
Duqu deletes itself after 36 days
Anup Ghosh, CTO and founder of security vendor Invincea, said Duqu is most noteworthy in that it reportedly targets ICS vendors.
"If it was found on some other company's system, it would look a lot like any other remote access Trojan," he said.
Besides the fact that it reuses Stuxnet code, and the fact that it self-deletes in 36 days, there is in fact little to distinguish Duqu from other advanced persistent threats, Ghosh said. It can be used to steal data from any system, not just those of ICS vendors, he said.
Ghosh added that Duqu appears to be very well written code that was likely developed by a nation-state or by a group with deep resources.
The fact that Duqu is configured to delete itself from an infected system after 36 days is noteworthy, he said.
"This is what you do when you are trying to be extremely stealthy. This is what you do in a hit and grab operation," he said.