The Latest in IT Security

Duqu, son of Stuxnet raises questions of origin and intent

19
Oct
2011

Laptop spyEarly today Symantec published an inside look at a new targeted malware attack called Duqu. This might not be important news if it weren’t for its ties to Stuxnet.

Early analysis of Duqu shows it has evolved from the Stuxnet codebase. We shouldn’t jump to conclusions that it was developed by the same authors, but whoever created this malware likely had access to the original source code used to compile Stuxnet.

The components that were reused were not the pieces used to target SCADA/industrial control systems, but rather related driver files that provide the malware the ability to download additional components.

Symantec reports that after it retrieves the additional malicious files it is focused on gathering information rather than industrial sabotage.

SophosLabs confirms that the driver files are signed, similar to the drivers used by Stuxnet. In this case the certificate purports to belong to C-Media, a Taiwanese firm known for their embedded audio chipsets.

Signature of driver file:

SHA1 hash of file: A5190A8E01978C903BF1FABCFCBA40D75996D8B9
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 3/08/2028 12:59:59 AM
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B

Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 21/05/2019 12:59:59 AM
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

Issued to: C-Media Electronics Incorporation
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: 3/08/2012 12:59:59 AM
SHA1 hash: 83F430C7297FBF6C1D910B73414132DB48DBDE9C

This may not be a coincidence, as Stuxnet used certificates that appeared to belong to RealTek and JMicron, two other embedded chip manufacturers in the same neighbourhood.

The mystery remains, however. Were these certificates stolen, or simply generated through compromised certificates to appear to belong to these organizations?

As with Stuxnet, it is too early to determine anything definitive about the who, why or what this malware was designed to do. I can assure you that the security industry will be analyzing these samples diligently to determine their intent.

Sophos customers are protected against the primary sample of this malware as Troj/Bdoor-BDA and the malicious driver files as W32/Duqu-A.

Related posts:
  1. Duqu – Stuxnet 2
  2. Stuxnet v2 or TR/Duqu
  3. Duqu – Stuxnet 2.0
  4. Kernel Vulnerabilities and Zero Days: a Duqu Update
  5. Duqu: Questions and Answers

Tags:  
Written by Naked Security - Sophos
0 Comments

Leave a reply


Categories

TUESDAY, APRIL 23, 2024
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments