Intel gathering virus based on Israeli/U.S.-made Stuxnet discovered
By End the Lie
The Stuxnet virus is infamous for its usage in an attack on Iranian nuclear facilities and its considerably advanced code which utilized code signing certificates hijacked from legitimate companies to bypass cyberdefenses along with several zero-day vulnerabilities.
Now a new virus built by someone or a group of people with direct access to the Stuxnet source code has emerged, known as “Duqu” because it creates files with a “~DQ” prefix.
The Stuxnet virus was so sophisticated that Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab, called it “groundbreaking”, and Liam O Murchu, manager of operations with Symantec’s Security Response Team, said of Stuxnet, “It’s amazing, really, the resources that went into this worm”.
Interestingly, the virus disproportionately affected Iranian systems; in fact, nearly 60% of all the computers infected with the virus were located in Iran.
In March of this year a leading security expert, Ralph Langner, revealed that the Stuxnet virus was created by Israel and the United States, directly targeted at Iranian nuclear systems, with the United States in the lead.
Langner said, “My opinion is that Mossad is involved” and that the project required “inside information” of extreme detail.
The virus was built to attack Windows-based PCs that managed large-scale industrial control systems known by the acronym SCADA, Supervisory Control and Data Acquisition.
SCADA systems control operations in power plants, oil pipelines and refineries, military systems, factories and more.
The Stuxnet worm was specifically targeted at Programmable Logic Controllers (PLCs) manufactured by Siemens, which can control a laundry list of industrial automated systems.
This incredibly complex virus, clearly aimed at Iran, was reportedly tested in Israel at the highly secretive Dimona complex, according to an American expert on nuclear intelligence cited by The New York Times.
The timing of this latest appearance of code built directly from the Stuxnet source is strangely serendipitous given the farcical plot to assassinate the Saudi Ambassador on American soil, which was quickly (despite all of the logical inconsistencies) attributed to the Quds Force and the Iranian government.
The new virus, Duqu, is notable because, unlike Stuxnet, it is not aimed at directly attacking the control systems to disrupt their proper functioning; instead, it is an intelligence-gathering trojan.
Duqu is designed to get remote access capabilities and is known technically as a Remote Access Trojan (RAT), according to Symantec.
Symantec says that “Duqu does not contain any code related to industrial control systems” and yet, “The creators of Duqu had access to the source code of Stuxnet”.
Duqu is aimed at gathering data on the industrial control systems themselves in order to make it easier to launch a more effective attack with a Stuxnet-like virus in the future.
This new virus is not technically a worm, meaning it does not replicate itself in order to spread from system to system, and it does not deliver a destructive payload like Stuxnet’s, which was aimed at damaging the systems it infected.
The virus gathers information such as design documents and keystrokes from entities like industrial control system manufacturers in order to enable more effective attacks on other third parties. This also helps mask the intended target by drawing attention to the manufacturer rather than the real target, for instance Iran.
Instead of doing the damage itself, Duqu acts like a military reconnaissance team, marking targets and locating vulnerabilities in order for a more deadly attack to be carried out down the line.
“Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose,” Symantec said. “Duqu is essentially the precursor to a future Stuxnet-like attack.”
Since Stuxnet didn’t fully disable Iranian nuclear facilities, it isn’t much of a logical leap to postulate that Duqu could have been created by Israel and the United States in order to launch a more destructive Stuxnet-like assault on Iranian facilities.
Symantec has published an official blog post going over some of the available analysis on Duqu so far.
This post reveals that attacks using the Duqu virus may have been carried out as early as December of 2010.
The threat was highly targeted towards a small number of organizations for their specific assets according to Symantec, meaning that the designers know what equipment they are targeting.
Disturbingly, the virus remotely connects to a command-and-control (C&C) server via HTTP and HTTPS, and that server was still operational as of 12 hours before the time of writing.
The attackers were able to deliver additional programs through the C&C server, including a so-called “infostealer” which could gather system information and record keystrokes, then encrypt the data into a compressed local file ready for later exfiltration.
The C&C server uses a custom protocol transferring dummy JPG files and other encrypted information to and from the target system for a total of 36 days, after which it removes itself from the system.
Interestingly, Symantec makes it clear that the developers of the Duqu virus did not just have access to the Stuxnet binaries, but to the entire source code of the mega-virus, which one would hope is not easily obtainable.
Symantec has also published a more detailed whitepaper on Duqu and has received additional unique variants from an unnamed European organization, compiled on October 17th, 2011, the analysis of which is forthcoming.
In explaining why the origin of the original variants received on October 14th and the additional variants compiled on October 17th are being kept anonymous, Liam O Murchu of Symantec said, “Obviously this is a sensitive topic, and for whatever reason, they’ve decided at this point they don’t want to be identified.”
Wired’s Threat Level indicates that Murchu was “referring to earlier beliefs about Stuxnet had been created by a nation state [read: Israel/U.S.] with the aim of sabotaging Iran’s nuclear program.”
Initially Symantec received two variants of Duqu which had infected a single machine, and it has since discovered variants on roughly 10 more machines.
Symantec has refused to reveal in what countries the malware was identified or what specific industries it targeted (we can assume it was nuclear based on its relation to Stuxnet), other than saying that it is in the “critical infrastructure” and manufacturing sectors.
Nuclear facilities would definitely qualify as “critical infrastructure” by anyone’s metric.
Like Stuxnet, and unlike the run-of-the-mill malware out there, Duqu utilizes a highly sophisticated technique to hide itself in the memory of an infected computer instead of on the hard drive, which helps the virus avoid anti-virus detection.
According to O Murchu, Duqu is composed of five files: a dropper file that places all of the necessary components onto an infected system, a loader that loads files into memory when the computer boots up, the remote access Trojan that allows data to be loaded and unloaded from the infected system, another loader that executes the remote access Trojan, and a so-called keylogger which records all keystrokes on the infected system.
While Stuxnet was passed on to the computers it infected through a USB stick using a zero-day vulnerability, it is not yet clear how Duqu was delivered to infected systems.
“There’s an installer component [to Duqu] we haven’t seen,” O Murchu told Wired. “We don’t know if the installer is self-replicating. That’s a piece of the jigsaw that we’re missing right now.”
According to O Murchu, the dummy JPG files sent to the C&C server are 100×100 pixels in size, and the data transmitted is still under analysis by researchers due to the encryption.
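The C&C channel described above moves 100×100-pixel dummy JPGs carrying encrypted data. As an added example (not code from the article, nor from Symantec’s analysis), here is a small inspector a defender could run over image files carved from proxy captures: it reads the declared dimensions from the JPEG header and measures any bytes trailing the End-Of-Image marker. That the payload rides after the image data is an assumption for illustration; the article does not say where inside the JPGs Duqu placed it. The `build_sample` helper constructs a minimal JPEG skeleton for testing, not a real decodable image.

```python
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
# Start-Of-Frame markers carry the dimensions; C4, C8 and CC are not SOF.
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def jpeg_dimensions(data: bytes):
    """Return (width, height) from the first SOF segment, or None."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                 # marker expected; header is malformed
        marker = data[pos + 1]
        if marker == SOS:
            return None                 # entropy-coded data follows, no SOF seen
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS and pos + 9 <= len(data):
            # segment: length(2) precision(1) height(2) width(2) ...
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + seg_len
    return None


def trailing_bytes(data: bytes) -> int:
    """Bytes after the last EOI marker; a clean JPEG has zero."""
    end = data.rfind(EOI)
    return 0 if end < 0 else len(data) - (end + 2)


def build_sample(width: int, height: int, payload: bytes = b"") -> bytes:
    """Constructed JPEG skeleton (SOI, SOF0, SOS, EOI) with an optional trailer."""
    sof = b"\xff\xc0" + struct.pack(">HBHHB", 17, 8, height, width, 3)
    sof += b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"   # three component specs
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    return SOI + sof + sos + b"\x12\x34" + EOI + payload


def inspect(data: bytes) -> dict:
    """Flag a tiny fixed-size image that carries data past its EOI marker."""
    dims, trailer = jpeg_dimensions(data), trailing_bytes(data)
    return {"dimensions": dims, "trailing_bytes": trailer,
            "suspicious": dims == (100, 100) and trailer > 0}
```

A 100×100 carrier with a trailer is only a lead, not proof; pair it with the destination host and the transfer cadence before escalating.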
Major questions remain: Who developed Duqu and what exact manufacturers were infected? Who is the final target?
If we find out what manufacturers were targeted we can start to investigate the final targets marked for the more effective attack built upon the reconnaissance provided by Duqu.
If you have any information on this virus or anything related, please do not hesitate to contact me at [email protected]. If you are a cybersecurity expert I would especially like to talk to you, and I might feature you in our next piece on Duqu and Stuxnet.