Wednesday, October 19, 2011
Stuxnet's Little Brother
Researchers at F-Secure and Symantec have reportedly found a Stuxnetesque Trojan affecting industrial and manufacturing systems in Europe. The trojan uses similar methods of stealth by using a legitimate driver signed with a valid digital certificate from Taiwan. Again.
They’re calling this Trojan “Duqu” and from what we’re hearing, it’s the precursor to future Stuxnetesque attacks. This particular Trojan seems to only watch what’s occurring on the infected systems. It doesn’t seem to change anything on the devices or send commands to destroy the industrial equipment like Stuxnet. Duqu seems to be the part of Stuxnet that was missing; the data gathering piece. It’s still early, but Duqu seems to be the intelligence gathering module for future attacks. Using data that’s siphoned out of these companies on potentially how systems work, and who’s using what, is a valuable part of creating the next Stuxnet version. The trojan also supposedly uses custom protocols to communicate to its command-and-control server. Duqu doesn’t have had a payload and doesn't seem to have a way of replicating itself. I’m very interested in seeing how it was initially installed; I’m guessing spear phishing here.
Despite this trojan opening a window into how Stuxnext might have been developed, it opens up a few others?
First, the authors of Stuxnet haven’t been dormant. This software was created after Stuxnet was initially found and they’ve obviously been busy. They don’t seemed phased by the celebrity of Stuxnet and rightfully so. People still don’t know who created it so why be concerned with continuing. If this is a nation-state, which I’m pretty sure it is, the funding and the mission are still there. I think by the mere exception of it not being installed in America is a good factor that the USA has something to do with it.
Secondly, the authors are getting ready for another strike. If this is an information gathering tool that’s used to create Stuxnet 2.0, than it’s only a matter of time before they attack again. The industrial sector needs to be aware of what’s going on and ways to protect themselves from these types of attacks.
Thirdly, why is this being focused only in Europe? I think we all know why Iran was targeted, but what's so special about these locations in Europe? What's the motive here?
Lastly, it was reported that the trojan was using custom protocols to communicate to the CC server. This is something we’re starting to see a lot of now. The authors of their code are not only creating custom malware, but they’re communicating the data back over custom protocols that they've created. This adds yet another layer of obfuscation to an already mysterious trojan.