DuquVirus researchers at Symantec Corp. have discovered a variant of the Stuxnet worm, dubbed Duqu, that is designed to steal information about industrial control systems. Symantec said the malware, which has turned up on more than one customers’ network, could be used to gather data for a future attack.

A report from Symantec’s Security Response organization said the worm, W32.Duqu, was first identified on October 14 and has already turned up on the networks of more than one firm in Europe. The company’s claim that Duqu was “Stuxnet 2.0″ garnered immediate attention online. However, Duqu is hardly revolutionary in the way that Stuxnet was. Indeed, Symantec said that Duqu was most likely written by the same authors and “shares a great deal of code with Stuxnet.” Like Stuxnet, Duqu has a modular structure and uses similar infection mechanisms. Duqu also uses a valid certificate to sign one of its key drivers. The certificate belongs to C-Media Electronics, Inc., a Taiwanese audio chip maker.

While Duqu appears to have been derived from the Stuxnet worm, however, its purpose is different, Symantec said. Rather than destroying industrial control systems, Duqu appears to be an information stealing Trojan that collects keystrokes and other information that might be used in subsequent attacks, Symantec said.

F-Secure, the Finnish anti malware firm, said that its software already had a detection for the worm’s Trojan dropper (a key component that delivers the malicious payload – such as a keylogger – to the infected system. The malware was identified as “Gen:Trojan.Heur.FU.fuW@aGQd0Wpi,” according to a Twitter post sent out Tuesday by Mikko Hypponen, CSO of F-Secure.

Although the provenance of the Duqu worm isn’t known, Symantec said an analysis of the worm code dates the info stealing component to at least June of 2011, putting its first appearance well after the appearance of Stuxnet in late 2009 and early 2010.

The worm takes its name from a file prefix – DQ – that is used to name a key worm component. When run, Duqu injects itself into one of four, common Windows processes: Explorer.exe, IEExplore.exe, Firefox.exe or Pccntmon.exe. Once installed, the worm downloads and installs an information stealing component which harvests information from the infected system and stores it in an encrypted files on the infected system for export to the attackers system. Among the information harvested by Duqu are lists of running processes, account and domain information, lists of configured drives and shared, network drives, screenshots, local file and network information as well as user keystrokes and screenshots from active sessions.

Categories: Data Breaches, Government, Malware, SMB Security, Vulnerabilities

Comments (2)

  1. Larry Constantine (Lior Samson)
    1

    The mission of Duqu makes clear that more is on its way. Once the desired intelligence has been gathered, it will almost certainly be out to use. Industrial security experts like ralph Langner and others have been predicting a Son of Stuxnet for a long time, and I joined the Greek Chorus over a year ago. The reconnaisance mission of Duqu may be limited, but the concepts embodied in it and in Stuxnet can be reconfigured to carry out surgical strikes against industrial targets–or wreak havoc on a wider scale. The scenario in the prescient novel, Web Games (Gesher Press, 2010), in which U.S. electric power is threatened, is completely plausible. The intelligence operatives who are likely behind Stuxnet and Duqu are not only carrying out targeted strikes with specific purposes, they are laying the foundations for a new era of cyberwarfare and cyberterrorism. This is the message I delivered this month at Cyberworlds 2011 in Banff, Canada. We could be the next target; you could be the next target.

    –Prof. Larry Constantine (Lior Samson) | http://www.liorsamson.com

  2. Anonymous
    2

    This is just the begining of the end for USA….. While they are busy in Afghanistan ,we are busy in Destroying their backs…!! We know the Stux authors, as well as we also targetted the so called sophisicated and secured CC, bunch of idiots!!

Comments are closed.