Waiting For Son Of Stuxnet To Attack

Published: 22/11/2024   Category: security




Duqu is considered the intel-gathering step in advance of a new attack -- but could it have been part of the original Stuxnet attack?



Now we wait for the real attack: With the intelligence-gathering Duqu malware spotted and identified by experts as based on the same code as Stuxnet, researchers are now on the lookout for signs of a subsequent attack on the target or targets.
That is, unless Duqu actually preceded Stuxnet, which some experts still wonder.
The malware, which originally was found in some unnamed European organizations and then analyzed by Symantec and McAfee, appears to be attacking industrial control-system vendors and certificate authorities (CAs), and there are multiple variants in circulation. Both Symantec and McAfee say it's likely that Duqu is the first stage of the next Stuxnet attack, specifically the reconnaissance phase. Symantec describes Duqu as a worm that opens a backdoor and downloads files onto the infected machine; it also contains a rootkit feature.
Researchers from Symantec, McAfee, and F-Secure all say whoever wrote the backdoor had their hands on Stuxnet source code. About half of the code in Duqu is the same as the code used in Stuxnet, according to Symantec.
"We compared the two threats and saw that there are a lot of similarities between the two threats. In fact, our analysis shows that 50 percent of the code in Duqu is exactly the same as code used in Stuxnet. This means that the creators of Duqu had access to the source code from Stuxnet," says Liam O Murchu, manager of operations for Symantec Security Response. "Also, Duqu uses a certificate stolen from a company in Taiwan, and Stuxnet used two stolen certificates from companies in Taiwan also, so that is another close tie between the two threats."
But what remains unclear is the actual time line: Did Stuxnet come first, or was Duqu the tool used to gather intelligence for Stuxnet?
"Stuxnet was circulating for a long time before AV vendors stumbled over an infected system and were able to piece together the attack vector. The same could apply to Duqu. The happenstance of discovery may not reflect the sequence of release by the attackers. With that in mind, it could mean that Duqu was the tool for the information-gathering necessary for the targeted Stuxnet attack. Alternatively, Duqu could be the precursor to another SCADA-type attack. Or the events could be entirely independent," says Gunter Ollmann, vice president of research at Damballa. "At the present time, there isn't enough information to arrive at a conclusion. There are lots of organizations mining their historical data archives, trying to piece together a time line for the attacks."
Symantec, however, says the two Duqu variants that were discovered came after Stuxnet. "Two variants [of Duqu] were recovered, and in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010," according to Symantec's report on Duqu.
Stuxnet was officially spotted in the summer of 2010.
As researchers continue to nail down the timing of the events, they also are waiting for the other shoe to drop. Duqu collects various types of information from infected systems for a future attack. "It's possible we'll eventually see a new attack targeting PLC systems, based on the information gathered by Duqu," Mikko Hypponen, chief research officer at F-Secure, blogged. F-Secure points to glaring similarities between Duqu's and Stuxnet's drivers: The two look so much alike that F-Secure's back-end systems detected Duqu's kernel driver as Stuxnet.
Most experts agree that a nation-state was probably behind the attack, but none will go on record and say which one or whether it again was aimed at Iran's nuclear facilities.
According to Jason Lewis, CTO at Lookingglass Cyber Solutions, the time and money required to build Stuxnet and Duqu points to a nation-state sponsor. "It was targeted. They had specific people in mind who they wanted to gather data from," Lewis says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
