Is Duqu Looking to Build Off of Stuxnet’s Success?

21 11 2011

In October of 2011, a laboratory notified the Symantec Corporation of a piece of malware that had some similarities to the Stuxnet worm that gained worldwide attention in 2010. Given the massive attention and allegations that the Stuxnet worm was a state funded operation, Symantec and other security experts began launching a full investigation into this new piece of malware. The malware was eventually given the name Duqu as a result of the software creating files with the prefix “~DQ” on an infected machine.

Before we delve into the details uncovered about the Duqu Trojan, let’s take some time to refresh our memories on what Stuxnet was and how it operates. Stuxnet is a computer worm that was designed to infect Siemens industrial software in order to disrupt the centrifuges used to enrich uranium. Stuxnet would rapidly increase and decrease the speed of the nuclear centrifuges in order to cause mechanical failures in the industrial equipment. While Stuxnet was doing its duty on the centrifuges it would also send false information back to the monitoring systems so the human operators would have no idea that their equipment was about to fail. It should be noted that while there is no way to be 100% sure, it is widely accepted that Stuxnet was targeting nuclear centrifuges in Iran. The beauty of the Stuxnet worm was that while it infected Microsoft Windows computers, it was not designed to negatively impact the client. Unless it determined that the host was used with a piece of Siemens equipment found in nuclear plants, Stuxnet remained relatively dormant. Furthermore (and even more staggering), Stuxnet’s target was a closed system. The worm couldn’t simply access its target via a network connection. So, it was sent out into the wild to infect as many Windows machines as possible in the hope that it would land on a specific laptop that would occasionally be connected to a Siemens PLC, and from there it could start working on the centrifuges.

Stuxnet used Adobe PDF files and removable media such as flash drives to infect clients and, once on a system, used peer-to-peer connections to propagate itself across a network. Stuxnet was able to exploit four different zero-day flaws in Windows to inject a driver into the operating system kernel. This technique is typical of rootkits; it allows the malicious software to operate outside the realm of typical malware, enabling the rootkit to hide itself or resist removal by anti-virus software. A rather brilliant aspect of Stuxnet was its use of digital signatures. The Stuxnet software, in particular the kernel driver, was signed using a software signing certificate, which gave the software a bit of inherited credibility due to the trust chain of signed code.

You may be thinking “Ok…well, why was Stuxnet so popular? The targets were such a small subset of the global computer world.” That is exactly why it was such a hot topic in IT security circles. Stuxnet was the Wayne Gretzky of malware: it changed the way the game was played. Stuxnet was the first piece of malware to specifically target an industrial asset and therefore single-handedly changed the entire threat landscape for security professionals. Now your security stance needs to address industrial control systems as well as your computer systems. Another daunting thought is that the Stuxnet infection was so widespread that it could have had devastating success in negatively impacting clients if they had been the desired target.

Enter Duqu.

Duqu is a combination of malicious files that ultimately work together to exploit a specific target. Duqu, like Stuxnet, exploits a zero-day flaw in Microsoft Windows to inject a digitally signed kernel driver into the operating system. The malicious driver then launches a series of DLLs, which in turn load a Remote Access Trojan (RAT) onto the infected client. A remote access trojan is malicious software that allows the operator of Duqu to gain information about the client remotely. In addition to the trojan, Duqu also implements a key logger on the infected machine, which logs the keystrokes entered on a client and then ships those logs off to the threat actor. Unlike Stuxnet, the actual infection methods of Duqu are unknown, as the initial installer or dropper is removed from the client once it is infected. Also unlike Stuxnet, Duqu does not appear to be targeting industrial systems like PLCs. Instead, the end goal is to provide the attacker remote access to a client machine to gain information. From that brief summary you can gather that, at face value, there appear to be some links between Duqu and Stuxnet. Both pieces of malware use a zero-day exploit to inject kernel drivers into the operating system as a rootkit to hide files and possibly for persistence. They both also used digitally signed code in their malware.
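The one host-level indicator this post gives is the “~DQ” filename prefix mentioned at the top. The following is an added example, not code from the original post or from any of the cited vendors: a small triage helper that walks a directory tree, flags every file carrying that prefix and records size, modification time and SHA-256 so the hits can be handed to an incident response team. Only the prefix comes from the post; the directory layout and sample files built in demo() are constructed for the demonstration.

```python
# Added example, not code from the original post: a small host-triage helper
# that hunts for the "~DQ"-prefixed files the post says Duqu creates and
# records size, mtime and SHA-256 for each hit so an IR team can follow up.
# Only the filename prefix comes from the post; the temp tree and its sample
# files in demo() are constructed for the demonstration.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

DUQU_PREFIX = "~DQ"  # filename prefix reported by the post


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_duqu_artifacts(root: str) -> list:
    """Walk root and return one dict per file whose name starts with ~DQ."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.startswith(DUQU_PREFIX):
                continue
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            findings.append({
                "path": full,
                "size": st.st_size,
                "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_of(full),
            })
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Build a constructed temp tree (one ~DQ file plus a decoy) and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Temp"))
    with open(os.path.join(root, "Temp", "~DQ1.tmp"), "wb") as f:
        f.write(b"constructed sample, not real malware")
    with open(os.path.join(root, "Temp", "~WRL0001.tmp"), "wb") as f:  # decoy
        f.write(b"ordinary office temp file")
    return hunt_duqu_artifacts(root)
```

A filename prefix alone is a weak indicator, so treat hits as leads for hashing and further analysis rather than as confirmation of an infection.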

Here is a great table from Dell comparing some of the major aspects of Stuxnet and Duqu.

Credit: Dell Secure Works “Duqu Trojan Questions and Answers”

However, as I mentioned earlier, when first reported many security professionals were quick to label Duqu the “Son of Stuxnet”. There was additional speculation that Duqu was written and launched by the creators of Stuxnet, or that it was the next evolution in the Stuxnet infection. However, there has been a shift in these speculations recently, stating that the similarities, while present, don’t necessarily provide enough evidence to say without a doubt that they are from the same actors. Dell Secure Works has stated that “One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level” (http://www.secureworks.com/research/threats/duqu/). I should also mention that the Symantec Corporation has done extensive research into the Duqu Trojan and has stood by its initial assessment that Duqu is strongly related to Stuxnet and is likely the work of the same attackers.

In my opinion, I am more likely to side with Dell’s conclusion. I feel that Stuxnet was so widely researched, and so much knowledge is available on the internet about the fundamental operations of Stuxnet, that it is within reason to think that someone could have used some portions of Stuxnet to create Duqu while not being involved in the Stuxnet operation. After all, Stuxnet has been completely reverse engineered and the source code is available for download. Whether or not it is related, Duqu appears to be a very specific attack, and if you are in the cross hairs, you should be paying attention.

_____________________

Dell Secure Works Duqu Trojan Questions and Answers
http://www.secureworks.com/research/threats/duqu/

What is Duqu Up to
http://www.informationweek.com/news/security/cybercrime/231902209

Cyber Warfare: A different way to attack Iran’s reactors
http://www.cnn.com/2011/11/08/tech/iran-stuxnet/

Same authors created malware that infected nuclear facilities?
http://www.msnbc.msn.com/id/45136542/ns/technology_and_science-security/t/same-authors-created-malware-infected-nuclear-facilities/#.TrmqLbJU1Bk

Spotted in Iran, Duqu may not be “son of Stuxnet” after all
http://arstechnica.com/business/news/2011/10/spotted-in-iran-trojan-duqu-may-not-be-son-of-stuxnet-after-all.ars

W32.Duqu
http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet

Stuxnet Dossier
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
