According to researchers at Symantec Security Response, Duqu has been developed to steal the kind of information needed to mount another Stuxnet-like attack. As the story continueswith this new malicious program, Symantec looks to what this next chapter in large-scale high profile attacks could mean.
“Stuxnet opened the door to malware having profound political and social ramifications. While there is still much to be learned from the complexity of this threat, Stuxnet has already changed the way researchers approach malware and view the security threat landscape.” said Bulent Teksoz, Chief Security Strategist for Emerging Markets with Symantec
“While Duqu does not directly target industrial control systems, its discovery has reignited fears about cyberattacks targeted at power plants, water treatment facilities, and chemical plants.Considering the history of Stuxnet, the potential of the same attackers, and currently known targets, we urge industrial control system manufacturers and any other organizations that provide solutions to industrial facilities to audit their network for Duqu.”
What is Duqu? A 10-Step-Guide:
*Parts of Duqu are nearly identical to the Stuxnet worm, but its sole purpose is to gather intelligence that could be used to give attackers the insight they need to mount future attacks.
* Stuxnet, which infected tens of thousands of computers last year, created a worldwide sensation when Symantec revealed that it was designed to sabotage hardware used in uranium-enrichment at an Iranian nuclear site.
* So far, Duqu infections have been confirmed in at least six organisations in eight countries (France, the Netherlands, Switzerland, the Ukraine, India, Iran, Sudan, and Vietnam).
* It is primarily a remote access Trojan that does not self-replicate in order to spread itself, which means it is not a worm.
* Duqu uses HTTP and HTTPS to communicate with two known command-and-control (C&C) servers that are both now inactive. Attackers were able to download additional executables through these servers, including an ‘infostealer’ that can gather system information. The information is logged to a lightly encrypted and compressed local file, which is then exported.
* Duqu is configured to run for 30 or 36 days, at which point it will automatically remove itself from a system.
* Duqu is not widespread, but it is highly targeted at suppliers to industrial facilities.
* Symantec researchers noted that the industrial sector is not Duqu’s sole target, adding that they have identified one or more targets outside the industrial industry who provide assets that would aid a future attack.
* Attacks using Duqu and its variants may have been going on since last December based on a review of file-compilation times, according to Symantec.
* Duqu was recovered from a limited group of organisations based in Europe and first analysed by the Laboratory of Cryptography and System Security in Budapest.