UPDATED 07:02 EST / OCTOBER 20 2011

NEWS

Will Duqu Be The New Stuxnet?

Stuxnet, a malicious program first publicly identified in 2010 (its earliest known samples date from 2009), set back Tehran's uranium enrichment program.  Experts who analyzed the malware found that Stuxnet was precisely calibrated to make nuclear centrifuges go haywire.  It infected tens of thousands of computers in more than 155 countries, although its sabotage payload only fired on a very specific target.  The attack has since been widely reported to have been an American-Israeli project to sabotage the Siemens industrial control systems (the programmable logic controllers and the Step 7 software used to program them) that run the centrifuges at the Natanz enrichment site.

Now, experts have found a new malicious program called Duqu.  It is not a worm: unlike Stuxnet it does not spread on its own, and it contains no code that targets industrial control systems.  It is a remote access trojan that opens a back door and downloads additional files onto the compromised computer, hides itself with rootkit functionality, and steals information from the compromised machine; the stolen information may then be used to stage another Stuxnet-like attack.

According to Symantec, the security company that published the first public analysis of the malware, “Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”

“The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.”

Unlike Stuxnet, Duqu has so far been found on only a handful of computers, and it has a built-in 36-day lifespan: thirty-six days after the initial infection, Duqu removes itself from the infected computer.

The most recent update from Symantec states that “some of the malware files associated with the W32.Duqu threat were signed with private keys associated with a code signing certificate issued to a Symantec customer. Symantec revoked the customer certificate in question on October 14, 2011. Our investigation into the key’s usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware. At no time were Symantec’s roots and intermediate CAs at risk, nor were there any issues with any CA, intermediate, or other VeriSign or Thawte brands of certificates. Our investigation shows zero evidence of any risk to our systems; we used the correct processes to authenticate and issue the certificate in question to a legitimate customer in Taiwan.”
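The practical lesson of the stolen key is that a file signed with it passes a plain signature check, because the signature really was made with the customer's private key; what separates it from legitimate software is that the certificate has since been revoked.  The PowerShell script below is an added example, not code from the article or from Symantec.  It assumes a Windows host with network access to the issuing CA's CRL/OCSP endpoints, and takes the path of a signed .exe, .dll or .sys file as an assumed parameter.  It first verifies the Authenticode signature, then rebuilds the signer's certificate chain with online revocation checking and fails closed if revocation status cannot be determined.

```powershell
# Added example (not from the article or Symantec): verify that a PE file's
# Authenticode signature is valid AND that the signing certificate has not been
# revoked. A signature made with a stolen key passes the first check; only the
# revocation check catches the second.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path   # assumption: path to a signed .exe/.dll/.sys on disk
)

# Step 1: is the file signed, and does the signature match the file contents?
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    # Covers NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    Write-Output "$Path : signature status $($sig.Status) - do not trust"
    return
}

# Step 2: rebuild the signer's chain ourselves with revocation checking turned
# on for the whole chain. Build() returns $false for any chain error, including
# Revoked, RevocationStatusUnknown and OfflineRevocation, so an unreachable CRL
# or OCSP responder is treated as a failure rather than silently ignored.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
# Require the Code Signing extended key usage (OID 1.3.6.1.5.5.7.3.3) on the leaf,
# so a certificate issued for some other purpose cannot vouch for executables.
[void]$chain.ChainPolicy.ApplicationPolicy.Add(
    (New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))

$ok = $chain.Build($sig.SignerCertificate)
if (-not $ok) {
    foreach ($s in $chain.ChainStatus) {
        Write-Output "$Path : chain problem: $($s.Status) ($($s.StatusInformation.Trim()))"
    }
    Write-Output "$Path : signature is cryptographically valid but the signer is NOT trustworthy"
}
else {
    Write-Output "$Path : signed by '$($sig.SignerCertificate.Subject)', chain builds, no revocation found"
}
$chain.Dispose()
```

Run it as `.\Check-Signer.ps1 -Path C:\path\to\driver.sys` (the script name is assumed).  One caveat a practitioner should keep in mind: Windows honours Authenticode timestamps, so a signature that was countersigned by a timestamp authority before the certificate's revocation date can still validate.  That is why a CA responding to a key theft sets the revocation's effective date back to the estimated time of compromise rather than to the day the theft was noticed, and why a defender hunting for binaries signed with a stolen key should compare the signing time against the compromise window rather than rely on the revocation check alone.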
