In association with heise online

19 October 2011, 15:22

New spyware from Stuxnet developers

Symantec reports that anti-virus experts have discovered a trojan, thought to have been created by the makers of the infamous Stuxnet worm, on the computers of several companies across Europe. The malware was found at manufacturing facilities for industrial control systems, which suggests that it was designed to steal industrial secrets in preparation for further targeted attacks on specific companies.

Symantec's analysis (PDF) has shown that the worm, named Duqu by its discoverers, is similar to Stuxnet in many respects. Symantec said that it therefore assumes that the virus authors at least had access to the Stuxnet source code, or that the virus may even have been written by the same developers. However, unlike Stuxnet, which was designed to manipulate industrial systems, Duqu is a classical spyware program for harvesting classified information – current investigation results indicate that it doesn't contain any sabotage features, and Symantec has called it the "precursor to the next Stuxnet."

Like modern trojans such as ZeuS, Duqu communicates with a command and control server in encrypted form; infected computers submit the harvested data to this C&C server and collect new instructions from there. This allows botnet operators to install further software components. On one occasion, such an installation appears to have taken place: Symantec said that it found a spyware program that transferred screenshots and keyboard inputs as well as information about running processes and network shares.

Apparently, Duqu was only used for targeted attacks to ensure that it would stay undiscovered for as long as possible. Duqu waits for 15 minutes before it becomes active after first being injected, probably to avoid being detected through sandbox analysis. The malware will remove itself from the infected system after 36 days.

As Duqu was found on the computers of industrial control system manufacturers, Symantec said that it believes that the malware could be the precursor to new Stuxnet-like attacks. The attackers could use the stolen industrial control system data to prepare further attacks on companies where these systems are used. Stuxnet was used to sabotage Iran's nuclear program.

How the spyware is deployed remains unknown. Symantec says that systems are probably infected via a separate installer that the anti-virus experts have not had access to. When Symantec first reported on Duqu, the variants available to the company had been compiled at the end of last year and were probably deployed shortly afterwards. However, it has subsequently reported the discovery of a new variant in an organisation in Europe which has a compilation date of 17 October 2011.

An interesting aspect is that, at the time of discovery, Duqu was signed with a certificate that would have been valid until August 2012 and was issued to a company based in Taipei, Taiwan. According to Symantec, the Duqu developers stole the required private key to sign the malware. With its valid signature, the malware could be injected into the system as a kernel driver and was reliably executed whenever the system was started. It then infected processes by redirecting function calls to its malware routines.

The certificate was issued by VeriSign and revoked after Duqu was discovered on 14 October. Stuxnet was also signed using valid private keys that had been issued to Taiwanese companies, which indicates a high level of professionalism.
