New Malware: Duqu

A newly discovered piece of malware, Duqu, seems to be a precursor to the next Stuxnet-like worm and uses some of the same techniques as the original.

EDITED TO ADD (11/14): A contrarian view.

Posted on October 19, 2011 at 11:05 AM • 31 Comments

Comments

John David Galt • October 19, 2011 12:01 PM

It seems to me that if there is going to be "cyberwar" in our future, it will be because sites with equipment that could be harmful if an attacker takes control of it are connected to the net anyway, without adequate defenses in place.

So perhaps some good guy should write a vector like this Duqu, and make it send reports on what it finds to the owners of vulnerable systems: sort of like leaving notes that "This could have been a bomb, but it's not!" I'd sure rather receive that sort of wake-up call than the real thing.

M E Zuckerberg • October 19, 2011 12:14 PM

@John David Galt
"...sites with equipment that could be harmful if an attacker takes control of it are connected to the net anyway, without adequate defenses in place."

I think those can be disabled by Bruce posting some interesting link to them at his blog. The subsequent traffic to the sites will crash the servers.

Andrew • October 19, 2011 12:21 PM

We can find Bin Laden in an ISI safehouse in the middle of the Pakistan military heartland, but we can't find the creators of Stuxnet.

Surely even Mossad agents are not as invisible as they think.

The truth in the matter is, the US sponsored the Israelis to create the worm, because it is in line with their foreign policy to disarm Iran.

The blowback from such a sponsorship is that the code is out there for anyone to redevelop, and to attack the western energy & utilities sector.

Was the security trade-off worth the risk, just to slow down Iran from allegedly building a nuclear bomb for a few more months?

Stuxnet was the worst foreign policy decision of recent times.

Scott • October 19, 2011 12:33 PM

@M E Zuckerberg:
"I think those can be disabled by Bruce posting some interesting link to them at his blog. The subsequent traffic to the sites will crash the servers."

Slashdot refers to that as a slashdotting. Neil Gaiman's version is #neilwebfail.

Surely, if Bruce does it, it should be called a "Bruce-force attack."

(Yeah, that's probably on Schneier Facts somewhere. I do wonder at what point one's personal influence earns its own name for the effect, though.)

Duqu Stuxnet • October 19, 2011 12:42 PM

@Scott:

We also have used the term, "Schneiered," as in "Looks like the site got Schneiered after Bruce posted a link to it."

Max Rockatansky • October 19, 2011 12:55 PM

"the infrastructure-destroying Stuxnet"

Over the past year, I've had one brief electrical power outage due to a severe storm; my drinking water is clean and tasty; no natural gas issues in my region; consistent Internet access; food supply in good shape, except perhaps for a cantaloupe or two; .... I guess there are a great number of highly talented security professionals working in "infrastructure" companies here in the United States. Maybe we can borrow some of them to work on highway safety or in medical research.

RH • October 19, 2011 1:34 PM

Without access to the source code itself, how does one determine that someone else had access to the sources, instead of merely binaries?

Annoyed • October 19, 2011 1:58 PM

Much ado about nothing. The Symantec report is full of assumptions and practically no real data to back it up.

Annoyed 2 • October 19, 2011 3:19 PM

The security community seems MORE interested in calling each other out and discrediting our own peers these days than actually offering real/practical advice. If someone publishes something that might even have an ounce of credibility, we want to immediately be the first to either support it, or point fingers. We all hop on twitter/blogs/social media platforms and type out our opinions so quickly...because we all want to take a chance to be right and grab the spotlight away from each other. Nothing quite like "see, I was right back on October 19th!!!" to bolster your own personal resume or agenda. This is a huge problem. Not the report, not the potential news...the problem is each other.

Here's the bottom line, Stuxnet existed. No matter who authored it (again, more debate to prove who is right), we all have reasonable evidence by now that it was real...right? If there is a possible variant...wouldn't you rather have some information on it...even if it's limited? Even if it's 'much ado about nothing'? Do you really demand pictures and proof or else you call it fake/sensationalism?

I wonder how many of you, who demand proof...subscribe to some sort of religion. I bet many of you do. You probably don't require 'proof' there do you?

How about some common sense like: "if you protect any of the 18 DHS critical infrastructure industries and you have the agility to build some potential detection in a reasonable amount of time based on some of the 'alleged' evidence so far, probably not a bad idea to do so (transport, destination, payload, etc). If you don't have the resources or the agility, then keep an eye out for more news."

Case closed. Easy. Instead we get arguing, debating, finger pointing and chest pounding from every imaginable direction. It's pathetic actually. Head out to Twitter, Infosec Island and any other security news outlet you can think of and see what I'm referring to. Shameful. I don't work for an AV vendor, nor do I do anything related to AV at all. However I do work in the industry and would much rather operate on the side of caution and keep my eyes peeled rather than spend 4 hours blogging about it so that I can be 'right'.

NobodySpecial • October 19, 2011 3:42 PM

@Max
Gas pipelines have already been done (http://fcw.com/articles/2004/04/26/tech-sabotage-during-the-cold-war.aspx?sc_lang=en)

The difference is that it took the Soviets stealing secrets on one side and a CIA operation on the other.
The problem now is that every pipeline, water supply, factory, air traffic control, traffic signal etc in the world is vulnerable to some kid in a basement anywhere in the world!

filosofis • October 19, 2011 3:54 PM

Wasn't the source for Stuxnet leaked/discovered/decompiled last winter? I have a memory of that circulating.

Dirk Praet • October 19, 2011 5:01 PM

From the information available right now it's rather hard to tell if it's a precursor to Stuxnet or a successor. As described in the F-Secure link mentioned by Bruce, the main functional difference is that Duqu seems more of a reconnaissance probe sending data to a sinkhole rather than actually sabotaging stuff.

What I do find quite interesting is that only a couple of hours ago, Symantec redacted its original 46-page whitepaper on their site to 14 pages. Whatever its origin and purpose, I can only hope it serves as yet another warning to the SCADA vendor community that they have to start taking their security a bit more seriously rather than systematically downplaying any vulnerability or exploit pointed out to them.

Jay • October 19, 2011 6:12 PM

@Max:

Maybe nobody actually wants to disrupt your power, contaminate your water, disable your heating and disrupt your communications.

Today, anyway.

(Testing cannot prove the absence of bugs... and who said there's been testing? Assuming a malicious adversary? And some adversaries can get physical access, and/or access to driver signing keys...)

Nick P • October 19, 2011 6:30 PM

@ Dirk Praet

Actually, it's not going to happen that way. SCADA vulnerability reporting is only going to get worse. Clive Robinson gets the credit for first discovering this terrifying policy shift:

http://www.langner.com/en/2011/09/23/...

Clive and I thought it was for vulnerability stockpiling, but can't know for sure.

Jay • October 19, 2011 7:09 PM

@filosofis, RH:

I'm guessing that - assuming one could build this from the decompiled Stuxnet sources / components - the challenge would be to *sign* it with the key. Which only Realtek and the Stuxnet authors are known to have - right?

Dirk Praet • October 20, 2011 8:18 AM

@Nick P

I sadly concur. It's symptomatic of the increased trend towards secrecy and censorship almost all state actors are following these days. Edwards is just another puppet on a string who is more concerned with doing the bidding of his masters than working on actual solutions. It's back to the old "security by obscurity" maxim which, as any security professional knows, just doesn't work.

I was pretty shellshocked this morning that even over here in Europe we have utter morons actually considering a proposal by some retarded Italian MEP who has filed a bill for black boxes in every internet-capable device under the usual "protect the children" argumentation. See http://activepolitic.com:82/News/2011-10-19d/...

J J • October 20, 2011 9:06 AM

@filosofis
I am not sure if the Stuxnet source code has been leaked in the past but I doubt it. According to F-Secure (http://www.f-secure.com/weblog/archives/00002255.html) the un-de-compiled source code is not in the wild. You can find de-compiled versions on the internet but those are likely not directly compilable to Stuxnet.

@Dirk Praet:
Symantec's 46-page analysis on Duqu is still available, here:
http://www.symantec.com/content/en/us/enterprise/...

Dirk Praet • October 20, 2011 10:52 AM

@ J J

I know. A couple of hours after I noticed it had been redacted they issued a statement that it was a mistake and they reposted a full version again.

Nick P • October 20, 2011 12:01 PM

@ JJ

"I am not sure if the Stuxnet source code has been leaked in the past but I doubt it. According to F-Secure (http://www.f-secure.com/weblog/archives/00002255.html) the un-de-compiled source code is not in the wild. You can find de-compiled versions on the internet but those are likely not directly compilable to Stuxnet."

Many of the analyses I read on Stuxnet had decompiled assembler code in them. Additionally, you have the decompiled versions on the net. Combine these & there's a decent chance that the original Stuxnet authors didn't make Duqu. It may have been repurposed by other APT-style malware makers, who are sophisticated enough to compile the thing. Of course, it may HAVE been made by the original Stuxnet authors, but I think the media should be looking at the alternative a bit closer.

James Sutherland • October 20, 2011 5:25 PM

"Wonder if anyone provides certified Schneier-proof web hosting?"

I don't know about certified, but it isn't that difficult with an efficient setup; my own site is served as static content (comments and analytics via third parties: good luck overwhelming Disqus or Google with any flash crowd!) so even before moving it to a mix of Amazon Cloudfront and Akamai, the only real risk was an expensive bandwidth bill.

This page comes to 54k and six objects; even a million hits would only be 54 Gb and six million requests - barely even a blip to a CDN; packed into a single hour, the traffic will max out a 100 Mbps connection for that hour.

If you're pulling the static content out of a database in PHP for each request or something, yes, you'll be crushed by the CPU overhead - but that's inefficiency, not heavy traffic.

Back to Duqu: it wouldn't surprise me if they had common origins - for example, the Stuxnet developers having had and used some of the same code while Duqu was being developed - it's not as if they would have to worry about being sued over the copyright!

Michael • October 21, 2011 3:07 AM

Hello JJ,

Maybe...you should be careful when stating something about Nazis...as the US may be becoming more NAZI than Nazi Germany. Technology has enabled the ease of spying without involving neighbors. What do you think????

Anonymous • October 21, 2011 7:02 PM

It would be interesting to know just how much infrastructure really is connected to the net. We hear case histories of a few bad examples where critical systems were exposed in order to lower management costs, but I am beginning to suspect they are the exception not the rule.

For a project I am doing at present, I recently had to collect some data from a SCADA system. This was at a company with, I guess, a moderate level of security awareness, but certainly not high security. (For example, as part of OH&S policy all visitors have to be escorted everywhere on site; but there are a whole bunch of ways you could easily circumvent that.)

The SCADA system, including monitoring PCs, was totally air-gapped, with fairly strict rules about removable media (had to open the blister pack in front of the guy who would save the data, and then it could never go back.) Wireless was prohibited, and the network cables even ran in different conduits so they couldn't be inadvertently crossed over with intranet cables.

I mentioned to one of the engineers that this seemed pretty tight, and wasn't it the case that everyone nowadays is putting their SCADA on the LAN to lower costs? This guy was an engineer, not a security guy, but he immediately ridiculed the idea as being totally unacceptable from a security and public safety perspective. He regarded the dangers of that approach as being well known to everyone involved in SCADA, and that only shoddy outfits would even consider it.

J J • October 21, 2011 9:29 PM

@Michael:
"Maybe...you should be careful when stating something about Nazis...as the US may be becoming more NAZI than Nazi Germany..."

Actually I would agree with you more than 100% if such were semantically possible. Some things just cannot be said without being branded a foil-hat lunatic. Thus I have decided to write a movie script instead and when it gets long enough (ok, it is a side hobby next to my Uni studies and full time job) I will post it at studios.amazon.com.

cheers

J J Fan • October 24, 2011 12:19 AM

@J J, a-ha! "I have decided to write a movie script..." Indeed! You have revealed that you are in fact J J Abrams. We all know your full time job is film writer/director extraordinaire! Although it is news to me that you have gone back to school, presumably to get a masters or doctorate the hard way. Surely one of these places could give you an honorary one? You are, after all, a bona fide celebrity! You shouldn't have to work to get academic recognition, right?

Clive Robinson • October 25, 2011 3:02 AM

@ Bruce,

Computerworld has written an article suggesting it's at best too soon to say, with a quote from one of the "usual suspects" indicating it's only a story because of the Stuxnet connection:

http://m.computerworld.com/s/article/9221105/...

Personally I don't have enough hard info to come to any meaningful conclusions on Duqu (who thinks up these names...).

However my initial gut feeling based on its apparent low infection rate is it's either not been out there very long, or it's a highly targeted piece of malware. Both of which suggest it's a follow up to Stuxnet, and thus is possibly a "Chinese knock off" as opposed to being from the original Stuxnet authors (however, too little info even for assumptions).

What nobody appears to have mentioned in all the brouhaha is that whilst you might get some intel from Duqu, it is going to be fairly useless unless you have other intel from the target site.

This is because usually you cannot tell from an unlabelled "wiring diagram" what devices the wires are connecting up, nor the purpose of those devices.

Even when the diagram is labelled the physical configuration of the devices might not be very apparent, thus many industrial processes would look like each other at this low level, so you're left with the question "is it making bread or paint or processing sewage?" which other site specific intel would fairly quickly resolve.

So Duqu may have a low real world presence simply because it is a "directed intel" not a "fire and forget intel" system which Stuxnet had to be due to the lack of direct access to the site.

The Directed -v- Random attack vector is probably the most important question to have answered because it would provide an indication of the intended target security level, i.e. commercial, which are often directly connected to a publicly accessible network, or military, which are often "air-gapped".

Clive Robinson • October 25, 2011 3:29 AM

@ Anonymous,

"The SCADA system, including monitoring PCs, was totally air-gapped, with fairly strict rules about removable media (had to open the blister pack in front of the guy who would save the data, and then it could never go back."

As you've written it that system is a "security fail" due to "supply chain attacks".

It is no big secret that a number of hardware suppliers of devices containing flash memory have had "malware" installed in the factory prior to being sealed up in the individual product packaging.

As I've described in the past on this blog it is not that difficult to design "bi-directional air-gap" crossing malware. Secondly system owners tend to mistakenly think that if they stop "known malware" coming in to an air-gapped system it stops intel going out and thus fail to take suitable precautions...

Thus from what you have said their system is vulnerable to attack.

With regards,

"It would be interesting to know just how much infrastructure really is connected to the net. We hear case histories... ... to lower management costs, but I am beginning to suspect they are the exception not the rule."

Err no, in at least one case the manufacturer makes giving product support dependent on having remote access for their "help desk" staff. And some distributors for other manufacturers "suggest it to the point of being mandatory".

It is yet another example of "efficiency -v- security" which you will find at all levels which in turn makes systems insecure at all levels.

cyrano • October 31, 2011 11:22 AM

The name "duqu" comes from the "dq" the malware uses as a prefix for the files it produces.

"dq" as a Latin primitive for Hebrew, means "righteousness" or "observation".

Coincidence?
