Researchers have identified a new malware threat which has been dubbed “Duqu”. The new threat is apparently developed by the same author who developed the Stuxnet worm that was used in targeted attacks against Iranian nuclear power plants, but Duqu has its sights set on a completely different target.
Independent researchers in Europe have shared the malware code with researchers at McAfee and Symantec, and all parties agree that Duqu is built on the same source code as Stuxnet. A blog post from Symantec explains, “Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered.”
Although the core code may be the same, A McAfee Labs blog post says that Duqu does not have the PLC-compromising capabilities of its predecessor. Duqu installs drivers and encrypted DLLs on infected machines similar to the original Stuxnet, though, and McAfee claims that the code used for the injection attack, and several of the encryption keys and techniques used by Duqu are all close to those used by Stuxnet.
After analyzing the captured code, researchers believe that Duqu is specifically designed to target certificate authorities. Certificate authorities are trusted sources of digital certificates used to verify authenticity of servers and ensure that the systems you connect to on the Internet are what they claim to be. Attackers in possession of rogue certificates may be able to lure or redirect victims to rogue servers while appearing to be a legitimate server.
The trust on which the Web relies has already been shaken a couple times this year. First with the breach of RSA Security and compromise of the encryption keys used in the SecurID two-factor authentication tokens, and more recently with the hack of DigiNotar–a certificate authority.
The payload of Duqu is quite different from Stuxnet. Stuxnet was designed to sabotage industrial control systems, but Duqu provides remote command and control capabilities, and sophisticated keylogger tools. It seems to be intended to infiltrate and gather sensitive information–possibly for use in a future attack of another kind.
McAfee, Symantec, and others are aware of the threat and have developed signatures to detect and block Duqu. However variants may still slip through before new signatures can be created, and certificate authorities in particular should be on high alert for any malicious or suspicious activity.