The security industry is buzzing today after Symantec released a whitepaper on a threat known as Duqu. What’s interesting about Duqu is that it’s heavily based on the Stuxnet source code, a worm that targets industrial control systems (ICS). The Stuxnet source code has never been made available publicly; it’s only available to the original attackers. Therefore it’s reasonable to assume that Duqu is written by the same people.
Duqu is not designed to attack Programmable Logic Controllers (PLCs) or any type of automation equipment, which was the ultimate purpose of Stuxnet. Instead, it acts as a reconnaissance tool that is designed to steal private information about these systems. With the information it obtains, further targeted attacks similar to Stuxnet can be executed.
One of the DLL drivers used in the Duqu attack is signed with a certificate issued to C-Media Electronics Corporation, a technology company in Taiwan. The certificate was revoked on 14th October, 2011:
While information about the Command & Control servers are still being researched, all known URLs are categorized as security risks (including a Dynamic DNS domain, a new category we released a few weeks ago for this specific purpose). Websense customers are protected against this family of malware and Advanced Persistent Threats (APT) attacks with ACE, our Advanced Classification Engine.
Symantec curently has the most information available about this threat as they were the ones to first receive the sample. Their whitepaper can be found here.
Leave a reply