As reported late last week, Symantec published an in-depth report into the Duqu malware, which it said bears a strong similarity to Stuxnet and may have been developed using the Stuxnet source code. The vendor noted that multiple variants of Duqu have also been discovered, and asserted that its primary purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party.
“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility. Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)”, said Symantec.
Now key management specialist Venafi has added its analysis to the mix, noting that the malware appears to be written by an organization with access to the original Stuxnet source code. Since Stuxnet is estimated to have taken ten man-years to develop, and has an extremely sophisticated code base, this new development should be a major worry for all organizations, big or small.
Calum MacLeod, Venafi's director for EMEA, said that 2011 is the year of third-party compromises.
“We have seen five significant compromises in the last year that have targeted the highest-value attack targets: third-party trust providers, including Stuxnet, Comodo, StartSSL, DigiNotar and now Duqu”, he said, adding that early analysis of the Duqu malware suggests that it is a refined version of the original Stuxnet.
However, the difference, he said, is that it is fitted with a remote access Trojan, making it the embodiment of pre-attack strategies used by militaries all around the world: namely to send in reconnaissance agents, gather intelligence and report back.
“This is what this new malware does on an automated basis: gathering intelligence data and other digital assets from systems that use industrial control technologies, and then relaying that information back to base”, he said, adding that the discovery of the Duqu malware should act as a major wake-up call to the IT security industry to be prepared to repel the threat that Duqu and its variants undeniably pose – and to do so immediately.
“I think the fact that Duqu has used a rogue digital certificate to fool IT users into thinking that it represents trusted code is highly significant. Organizations must have a complete inventory of all the certificates from their certificate authority – monitor them and know which ones are within policy – in order to revoke and remove those that are not, or they are facing unquantifiable risk”, he said.
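The inventory-and-policy check MacLeod describes above, shown as an added example that is not part of the original article and is not Venafi's code: a Go program that builds a constructed inventory of sample certificates with the standard library's crypto/x509 package and flags every certificate that falls outside an assumed policy (an approved-issuer list, a maximum validity period, and a narrower list of issuers cleared to issue code-signing certificates, since a code-signing certificate from an unexpected issuer is exactly the kind of entry a Duqu-style rogue certificate would leave in an inventory). The issuer names, subject names, policy thresholds and audit date are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is the hypothetical rule set applied to every certificate in the
// inventory. The names and thresholds used below are assumptions.
type Policy struct {
	ApprovedIssuers    map[string]bool // issuer CNs that may appear in the inventory at all
	CodeSigningIssuers map[string]bool // the narrower set allowed to issue code-signing certificates
	MaxValidity        time.Duration   // longest lifetime the organization tolerates
	Now                time.Time       // the moment the audit is run
}

// Finding is one certificate that is outside policy, with every reason found.
type Finding struct {
	Subject string
	Issuer  string
	Reasons []string
}

// Audit checks each certificate against the policy and returns those that
// should be revoked or removed. Compliant certificates produce no Finding.
func Audit(certs []*x509.Certificate, p Policy) []Finding {
	var out []Finding
	for _, c := range certs {
		var reasons []string
		if !p.ApprovedIssuers[c.Issuer.CommonName] {
			reasons = append(reasons, "issuer not in approved list")
		}
		if p.Now.After(c.NotAfter) {
			reasons = append(reasons, "expired")
		}
		if c.NotAfter.Sub(c.NotBefore) > p.MaxValidity {
			reasons = append(reasons, "validity period longer than policy allows")
		}
		for _, eku := range c.ExtKeyUsage {
			if eku == x509.ExtKeyUsageCodeSigning && !p.CodeSigningIssuers[c.Issuer.CommonName] {
				reasons = append(reasons, "code-signing certificate from an issuer not cleared for code signing")
				break
			}
		}
		if len(reasons) > 0 {
			out = append(out, Finding{c.Subject.CommonName, c.Issuer.CommonName, reasons})
		}
	}
	return out
}

var nextSerial int64 = 1

// makeCert builds one constructed sample certificate. The issuer name lives in
// a bare parent template, so the certificate is signed by a throwaway key, not
// by a real CA; that is enough for an inventory check, which reads names,
// dates and extended key usage rather than validating the chain.
func makeCert(subject, issuer string, notBefore time.Time, lifetime time.Duration, codeSigning bool) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(nextSerial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	nextSerial++
	if codeSigning {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuer}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

const day = 24 * time.Hour

// SamplePolicy is the assumed policy: one approved issuing CA, which is also
// the only CA cleared for code signing, two-year maximum validity, audited
// on a fixed date so the results are reproducible.
func SamplePolicy() Policy {
	return Policy{
		ApprovedIssuers:    map[string]bool{"Example Corp Issuing CA": true},
		CodeSigningIssuers: map[string]bool{"Example Corp Issuing CA": true},
		MaxValidity:        730 * day,
		Now:                time.Date(2011, time.November, 1, 0, 0, 0, 0, time.UTC),
	}
}

// SampleInventory is a constructed inventory of four certificates: one
// compliant, one code-signing certificate from an unlisted issuer, one
// expired, and one with a ten-year lifetime.
func SampleInventory() []*x509.Certificate {
	jan2011 := time.Date(2011, time.January, 1, 0, 0, 0, 0, time.UTC)
	return []*x509.Certificate{
		makeCert("build-server.example.internal", "Example Corp Issuing CA", jan2011, 365*day, false),
		makeCert("unknown-signer.example.test", "Unlisted Vendor CA", jan2011.AddDate(0, 5, 0), 365*day, true),
		makeCert("legacy-gateway.example.internal", "Example Corp Issuing CA", jan2011.AddDate(-2, 0, 0), 365*day, false),
		makeCert("vpn-concentrator.example.internal", "Example Corp Issuing CA", jan2011, 3650*day, false),
	}
}

func main() {
	for _, f := range Audit(SampleInventory(), SamplePolicy()) {
		fmt.Printf("%s (issued by %s):\n", f.Subject, f.Issuer)
		for _, r := range f.Reasons {
			fmt.Printf("  - %s\n", r)
		}
	}
}
```

In a real deployment the inventory would be loaded from the CA's issued-certificate database or from files collected off hosts and parsed with x509.ParseCertificate, and the findings would feed a revocation request rather than a printout; the policy checks themselves stay the same.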
“It is notable that this is the second reported incident of a digital certificate being deployed in this type of attack, and must be viewed as an ominous sign of things to come, both in terms of cyberwarfare and the hijacking of digital certificates as a subversion and infection methodology”, MacLeod added.