Analysis: Duqu Targets Certificate Authorities

With virus researchers scrambling to decode a new piece of malware that is based on the code of the Stuxnet worm, an analyst at McAfee is speculating that the new worm, Duqu, may have been created to target certificate authorities.

With virus researchers scrambling to decode a new piece of malware that is based on the code of the Stuxnet worm, an analyst at McAfee is speculating that the new worm, Duqu, may have been created to target certificate authorities.

Writing on McAfee’s research blog, Guilherme Venere and Peter Szor say that an analysis of the Duqu code by McAfee experts suggests that the worm was created “for espionage and targeted attacks against sites such as Certificate Authorities (CAs).” The McAfee analysis, if accurate, is the first to explicitly mention the type of organization that the Duqu worm targeted, and would suggest that those behind the worm intended to use it as a precursor to subsequent, targeted attacks. 

Certificate authorities have been prominent targets of hackers in recent months. In just the most recent example, the Dutch CA Diginotar was compromised and used to generate fraudulent certificates for Google, Mozilla, The Tor Foundation and other prominent Web sites. The Dutch government eventually broke ties with Diginotar, which was forced to declare bankruptcy in the wake of the incident. In March, the CA Comodo also reported that it was the victim of a compromise. 

McAfee said that the Duqu worm has been identified in “professional, targeted attacks” against CAs in parts of Europe, the Middle East, Asia and Africa. The researchers speculate that a digital certificate belonging to the firm C-Media, based in Taipei, was not stolen, but forged by a compromised CA. 

The McAfee analysis fills in some details omitted from a longer analysis released by Symantec Corp on Tuesday. That research declined to name the kind of firm targeted by the worm, but provided a detailed analysis of the Duqu code, which bears a close resemblance to Stuxnet, with shared code used for the injection attack and several encryption keys and techniques that were used in Stuxnet. 

Like Symantec’s report, the analysis from McAfee says that it knows of only a few infections linked to Duqu, and says the worm doesn’t appear to be designed to attack industrial control systems, as Stuxnet was. 

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.