Duqu-pocalypse Reveals Gulf Between Security, Critical Infrastructure Sectors

To hear many of the leading computer security experts, Tuesday, October 18 was “D-Day,” with the “D” standing for “Duqu,” a new piece of malware that virus experts were tripping over each other to call “Stuxnet 2.0.” “Stuxnet Clone ‘Duqu’ Possibly Preparing Power Plant Attacks” read a headline on the Website of Foxnews, summing up the air of hysteria surrounding the new malware. But less than a day later, questions are being raised about the purpose and threat posed by the new malware.


Experts from the industrial control sector voiced skepticism about the hype surrounding the Trojan’s discovery, which came to light after anti-malware firm Symantec released a 13-page analysis of Duqu calling it a “precursor to the next Stuxnet.” Many industrial control systems (ICS) experts noted that the malware didn’t contain any code to infect industrial systems and said that, while it may have infected PCs in a similar manner to Stuxnet, likening the two malicious programs created an undeserved sense of urgency for those in the critical infrastructure sector.

In an alert sent out Tuesday, the Department of Homeland Security’s ICS-CERT emphasized that, although the malware may be collecting information for a future attack on industrial control facilities, Duqu, an example of what is known as a remote access Trojan, or RAT, doesn’t attack ICS systems. The ICS-CERT alert advised readers to adhere to standard best practices to limit exposure of control system devices to malware infections.

That subdued tone was present in comments from other experts in the space. At Digital Bond, a products and consulting firm that specializes in SCADA and ICS systems, Founder and CEO Dale Peterson wrote that he was “wary about the relevance” of Symantec claims that Duqu was laying the groundwork for future attacks on ICS systems. “If Duqu generically targeted GE, Siemens and Hitachi, it would be a leap to say they wanted ICS information,” Peterson wrote. “Also given the vulnerabilities in so many of the systems an attacker would be much better off targeting ICS users to gain their credentials that would allow access from the corporate network to the ICS.”

In other words: eventual attacks leveraging data about ICS systems stolen by Duqu are a remote concern for critical infrastructure firms, especially given the immediate danger of known and exploitable software vulnerabilities in ICS systems, let alone the improperly configured or spec’d systems that are in production. In one indication of how big the problem of ICS systems that are “vulnerable by design” is, the DHS recently said that it would start calling such vulnerabilities “design issues” instead.

SCADA security expert Ralph Langner was also nonplussed by the news of Duqu’s discovery. In a terse blog post, Langner said that Stuxnet follow-up attacks and copycat attacks were to be expected, but that the malware appeared unrelated to control systems. “From a practical point of view it hardly seems to matter which category it actually falls in,” Langner wrote. 

The mixed reaction speaks more to the wide gulf that exists between the industrial control sector and a computer security and anti-virus industry that grew up addressing threats to Windows-based PCs and traditional, IP-based corporate networks.

In his blog post, Peterson of Digital Bond suggests that one reason for the dissonance is that the anti-malware industry tends to look at malicious programs on the basis of how they work, whereas the ICS community is far more interested in what they do – and whether they are serious and credible threats.

“To an anti-malware organization like Symantec, Duqu appears like Stuxnet because the way it infects the PC is similar,” Peterson wrote. “To most in the ICS community it appears nothing like Stuxnet because it is not attacking a PLC or process in any way.”

In other words, the most salient characteristic of Stuxnet wasn’t its infection mechanism(s) or its use of a digital certificate to sign malware components – it was what it did to Siemens ICS systems. And, in that vein, ICS experts are much less concerned about a new threat that uses Stuxnet code than about a new threat that copies Stuxnet’s methodology of compromising programmable logic controllers. Stripped of any features that can actually harm or modify ICS systems, Duqu is just “another remote access trojan that is a concern, like many other attack vectors, for an adversary trying to find a way into a SCADA or DCS control center through the corporate network,” Peterson writes.

Finally, differing analyses of the Duqu malware have clouded discussion of its purpose. Symantec’s thorough analysis of the Trojan left out details about which organizations it was found on, but described them as being in manufacturing and critical infrastructure. In a separate analysis, however, researchers at McAfee suggested that Duqu could have been targeted at certificate authorities. In short, while it’s clear that Duqu was designed to steal information, what type of digital information and from whom are still very much open questions, experts say.


Discussion

  • Dan Geer on

    The distinction between "how it works" and "what does it do" is neither irrelevant nor merely stylistic.

    Case in point: Intrusion tolerance as a strategy stipulates that one cannot, in practice, even enumerate all the avenues for penetration but that one can prevent defined losses that an intrusion would facilitate. While Chief Scientist at data protection firm Verdasys, we demonstrated this by methodically exposing intentionally unpatched systems to the entire contents of the Wild List. Those unpatched systems, inevitably-infected, suffered no data exfiltration at all based on blocking only nine (9) actions crafted under the presumption that the thief was in the house. The design point is that the cardinality of attack methods is O(10,000) whereas the cardinality of data outhaul methods is O(10) -- therefore it is both more efficacious and more cost effective to target the latter.

    Biologic analogy: Anti-angiogenesis -- who cares if you have an hundred tumors if none can grow beyond a millimeter in diameter?
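The intrusion-tolerance idea in the comment above, blocking a handful of data "outhaul" channels rather than enumerating every infection vector, can be shown as a small egress policy engine. This is an added example, not code from the article, from Verdasys or from the commenter; the channel list, allow-listed hosts and endpoint event lines are all constructed for illustration and are not the nine actions the comment refers to. The point it demonstrates is that the decision never looks at how the host was infected, only at whether an action moves data out.

```python
"""Egress-only policy: a few outhaul channels are blocked or allow-listed,
and the decision ignores how (or whether) the host was compromised.
Added example with constructed data; the channel set and hosts are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allow-list of internal destinations that may legitimately receive data.
ALLOWED_HTTP_HOSTS = {"files.example-corp.internal"}
INTERNAL_MAIL_DOMAIN = "example-corp.internal"

# Assumed set of channels that are always blocked on a sensitive workstation.
ALWAYS_BLOCKED = {"removable_write", "cloud_sync", "print", "remote_clipboard"}


@dataclass
class Event:
    host: str
    process: str
    action: str       # e.g. http_post, smtp_send, removable_write, process_start
    target: str = ""  # URL, mail address or device path, depending on action


def decide(ev: Event) -> str:
    """Return 'allow' or 'block' for one endpoint event, looking only at egress."""
    if ev.action in ALWAYS_BLOCKED:
        return "block"
    if ev.action == "http_post":
        host = urlparse(ev.target).hostname
        return "allow" if host in ALLOWED_HTTP_HOSTS else "block"
    if ev.action == "smtp_send":
        domain = ev.target.rsplit("@", 1)[-1]
        return "allow" if domain == INTERNAL_MAIL_DOMAIN else "block"
    # Anything else (process starts, local file reads, ...) is not an outhaul
    # channel, so the policy has no opinion on it even if it looks suspicious.
    return "allow"


def parse_line(line: str) -> Event:
    """Parse a constructed 'key=value key=value' endpoint telemetry line."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Event(host=fields["host"], process=fields["proc"],
                 action=fields["action"], target=fields.get("target", ""))


def evaluate(log: str) -> dict:
    """Run the policy over a log; report counts and which events were blocked."""
    blocked, allowed = [], []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        (blocked if decide(ev) == "block" else allowed).append(ev)
    return {"allowed": len(allowed), "blocked": len(blocked),
            "blocked_actions": [(e.process, e.action) for e in blocked]}


# Constructed telemetry from a single workstation; the unknown processes
# stand in for whatever infection happened to land on the machine.
SAMPLE_LOG = """\
host=ws17 proc=outlook.exe action=smtp_send target=hr@example-corp.internal
host=ws17 proc=svchost.exe action=http_post target=https://203.0.113.9/up
host=ws17 proc=explorer.exe action=removable_write target=E:\\payroll.xlsx
host=ws17 proc=chrome.exe action=http_post target=https://files.example-corp.internal/put
host=ws17 proc=cmd.exe action=process_start target=whoami.exe
host=ws17 proc=rundll32.exe action=smtp_send target=drop@mail.example.net
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```

Three of the six events are blocked (the POST to an unknown address, the removable-media write and the mail to an external domain), and the `process_start` line passes untouched: the policy spends no effort classifying the tooling, only the outbound channels, which is why its rule count stays small no matter how many ways in there are.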
