Symantec discovers Stuxnet sibling
Duqu virus is designed to gather intelligence data and assets that would make a future attack easier to mount
Symantec has discovered a virus threat that has a great deal in common with Stuxnet, the company said.
The new malware has been named Duqu, because it creates files with the file name prefix "~DQ".
According to Symantec, parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.
Duqu is designed to be the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or by authors who have access to the Stuxnet source code, and appears to have been created after the last Stuxnet file was recovered, Symantec said.
The purpose of Duqu is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.
The attackers are using the virus to look for information such as design documents that could help them mount a future attack on an industrial control facility.
According to Symantec, Duqu does not contain any code related to industrial control systems; it is primarily a remote access Trojan (RAT) and does not self-replicate.
Symantec's telemetry appears to show that the threat was highly targeted toward a limited number of organisations for their specific assets.
However, according to the security company, it is possible that other attacks are being conducted against other organisations in a similar manner with currently undetected variants.
"The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010," Symantec said on its official blog.
According to Symantec, one of the variant's driver files was signed with a valid digital certificate, expiring on 2 August 2012, that belongs to a company headquartered in Taipei, Taiwan. The certificate was revoked on 14 October 2011.
Further investigations by Symantec revealed that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware.
Duqu uses both HTTP and HTTPS to communicate with a command-and-control (C&C) server that is still operational.
"The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated out.
The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring dummy JPG files, additional data for exfiltration is encrypted and sent, and likewise received. Finally, the threat is configured to run for 36 days. After 36 days, the threat will automatically remove itself from the system," said the Symantec blog post.
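The dummy-JPG carrier described in the quoted post suggests a simple triage check a defender can run over captured image transfers. The following is an added example, not code from the article or from Symantec; it assumes, as a hypothesis rather than a fact stated above, that extra data rides as bytes appended after the JPEG end-of-image marker, and flags transfers that are not JPEGs at all or that carry such trailing bytes. The sample transfers are constructed, not real Duqu traffic.

```python
import struct
from typing import Optional

SOI = b"\xff\xd8"  # start of image
EOI = b"\xff\xd9"  # end of image

def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Walk the JPEG marker segments and return the offset just past EOI,
    or None if the bytes are not a structurally valid JPEG."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:            # EOI reached without a scan
            return pos + 2
        if marker == 0xDA:            # SOS: entropy-coded data runs to EOI.
            # 0xFF inside scan data is byte-stuffed, so FF D9 is unambiguous here.
            idx = data.find(EOI, pos)
            return None if idx < 0 else idx + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
    return None

def assess_jpeg_transfer(body: bytes) -> dict:
    """Classify a body that claimed to be a JPEG."""
    end = jpeg_end_offset(body)
    if end is None:
        return {"verdict": "not-a-jpeg", "trailing_bytes": len(body)}
    trailing = len(body) - end
    return {"verdict": "suspicious" if trailing else "clean", "trailing_bytes": trailing}

def triage(transfers):
    """Return only the transfers that are not clean JPEGs."""
    return [(name, assess_jpeg_transfer(body)) for name, body in transfers
            if assess_jpeg_transfer(body)["verdict"] != "clean"]

# Constructed minimal JPEG: SOI, APP0/JFIF segment, SOS, a few scan bytes, EOI.
MINIMAL_JPEG = (SOI + b"\xff\xe0" + struct.pack(">H", 16)
                + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
                + b"\x12\x34\xff\x00\x56" + EOI)
EXFIL_BLOB = b"constructed-ciphertext-stand-in"   # stand-in for appended encrypted data
SAMPLE_TRANSFERS = [("GET /img/1.jpg", MINIMAL_JPEG),
                    ("POST /upload.jpg", MINIMAL_JPEG + EXFIL_BLOB),
                    ("GET /img/2.jpg", b"not an image at all")]
```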