New variants of Stuxnet—the sophisticated computer virus designed to attack control systems and which was used last year to sabotage the Iranian Bushehr nuclear power plant—have been detected in European computer systems. The malware, dubbed “Duqu,” is “essentially the precursor to a future Stuxnet-like attack,” computer security firm Symantec said on Tuesday.
In an official blog entry, Symantec said that Duqu, found by a research lab last week, was so named because it creates files with the file name prefix “~DQ.” Its precise targets were not disclosed, but the firm said it was a “threat written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered.”
Parts of the malware’s code are nearly identical to Stuxnet, but it has a completely different purpose. “Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party,” Symantec said. “The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”
The new malware’s code does not contain any code related to industrial control systems and is primarily a remote access Trojan, the firm said. “The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.”
According to the firm, the attackers were searching for assets that could be used in a future attack. “In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases.”
Symantec has found two variants of the malware, the first recorded on Sept. 1, 2011. Based on file compile times, the attacks may have been conducted as early as December 2010.
“Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that at the time of writing is still operational,” the firm said. “The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated out.”
The threat uses dummy JPG files, which are downloaded or uploaded, to send and receive encrypted files. It is configured to run for 36 days, after which it automatically removes itself from the system. The exfiltrated data may be used to enable a future Stuxnet-like attack, Symantec said.
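As an added example (not from the article or from Symantec), here is a Python triage check for the two file artifacts the report names: file names beginning with “~DQ”, and JPG files that carry data a real image would not. The article does not say how the dummy JPGs hold the encrypted payload, so the check assumes the simplest layout, extra bytes appended after the JPEG end-of-image marker, and both checks are heuristics meant to surface files for analyst review.

```python
import os

# Artifacts the article names: files whose names start with "~DQ", and dummy
# JPG files that carry encrypted data. Both checks below are heuristics.
DQ_PREFIX = "~DQ"
ENTROPY_OK = frozenset([0x00, *range(0xD0, 0xD8)])  # byte-stuffing and RSTn inside scan data

def jpeg_trailer(data):
    """Return the bytes after the EOI marker (b"" if none); None if not a well-formed JPEG."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI: whatever follows is a trailer
            return data[pos + 2:]
        if marker == 0xFF:                              # fill byte ahead of a marker
            pos += 1
        elif marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers, no length field
            pos += 2
        else:
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:                          # SOS: skip entropy-coded scan data
                while pos + 1 < len(data) and (data[pos] != 0xFF or data[pos + 1] in ENTROPY_OK):
                    pos += 1
    return None

def triage(name, data):
    """Return the findings for one file's name and contents (empty list if clean)."""
    findings = []
    if os.path.basename(name).startswith(DQ_PREFIX):
        findings.append("file name carries the ~DQ prefix")
    if name.lower().endswith((".jpg", ".jpeg")):
        trailer = jpeg_trailer(data)
        if trailer is None:
            findings.append("JPG extension but not a well-formed JPEG")
        elif trailer:
            # Assumption (not stated in the article): payload is appended after EOI.
            findings.append(f"{len(trailer)} bytes appended after the JPEG EOI marker")
    return findings

# Constructed samples: a minimal JFIF image, and the same image with 24 bytes appended.
CLEAN_JPG = (b"\xff\xd8\xff\xe0\x00\x10"
             + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9")
STUFFED_JPG = CLEAN_JPG + bytes(range(0x20, 0x38))

if __name__ == "__main__":
    print(triage("photo.jpg", CLEAN_JPG), triage("~DQ1.jpg", STUFFED_JPG))
```

Run `triage` over the files of a host under investigation (read each in binary mode) and review every non-empty result; a trailer on its own is also produced by benign tools, so it is a lead, not a verdict.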
Sources: POWERnews, Symantec