Son of Stuxnet Found in the Wild on Systems in Europe

Diagram of the Duqu malware, courtesy of Symantec.

A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe, according to researchers at security firm Symantec.

The new malware, dubbed “Duqu” [dü-kyü], contains parts that are nearly identical to Stuxnet and appears to have been written by the same authors behind Stuxnet, or at least by someone who had direct access to the Stuxnet source code, says Liam O Murchu, one of the leading experts on Stuxnet. He produced an extensive analysis of that worm with two of his Symantec colleagues last year and has posted a paper detailing the Duqu analysis to date.

Duqu, like Stuxnet, masks itself as legitimate code using a driver file signed with a valid digital certificate. The certificate belongs to a company headquartered in Taipei, Taiwan, which Symantec has declined to identify. F-Secure, a security firm based in Finland, has identified the Taipei company as C-Media Electronics Incorporation. The certificate was set to expire on August 2, 2012, but the issuing certificate authority revoked it on Oct. 14, shortly after Symantec began examining the malware. Revocation does not unload a driver that a system has already accepted, so the revoked certificate is useful to defenders mainly as an indicator when hunting for the signed driver, not as a remedy for machines that are already infected.

The new code does not self-replicate in order to spread itself — and is therefore not a worm. Nor does it contain a destructive payload to damage hardware in the way that Stuxnet did. Instead, it appears to be a precursor to a Stuxnet-like attack, designed to conduct reconnaissance on an unknown industrial control system and gather intelligence that can later be used to conduct a targeted attack.

“When we talked about Stuxnet before, we expected there was another component of Stuxnet we didn’t see that was gathering information about how a plant was laid out,” O Murchu says. “But we had never seen a component like that [in Stuxnet]. This may be that component.”

Although Duqu was created some time after Stuxnet, a component similar to it could have been used by Stuxnet’s attackers to gather intelligence for their payload.

Duqu appears to have been operative for at least a year. Based on the compile timestamps embedded in the binary files (which an attacker can alter, so the dates are an estimate rather than proof), Symantec says attacks using the malware may have been conducted as early as December 2010, about five months after Stuxnet was discovered, and about 18 months after Stuxnet was believed to have first been launched on computers in Iran.

“The real surprising thing for us is that these guys are still operating,” O Murchu says. “We thought these guys would be gone after all the publicity around Stuxnet. That’s clearly not the case. They’ve clearly been operating over the last year. It’s quite likely that the information they are gathering is going to be used for a new attack. We were just utterly shocked when we found this.”

Symantec received two variants of the malware on Oct. 14 from an unidentified research lab “with strong international connections.”

“Obviously this is a sensitive topic, and for whatever reason, they’ve decided at this point they don’t want to be identified,” O Murchu says, referring to the earlier conclusion that Stuxnet had been created by a nation state with the aim of sabotaging Iran’s nuclear program.

Both variants had infected the same machine. Since then, O Murchu and his colleagues have found other samples on about 10 machines. After searching their own malware archive for similar files, the researchers found that one of the variants was first captured by Symantec’s threat detection system on Sept. 1, 2011. Symantec has declined to name the countries where the malware was found, or to identify the specific industries infected, other than to say they are in the manufacturing and critical infrastructure sectors.

Although the vast majority of Stuxnet infections were based in Iran, O Murchu says the Duqu infections that have been discovered so far are not grouped in any geographical region. He said, however, that this could change if new infections are discovered.

The name given to the malware is based on the prefix “~DQ” that it uses in the names of files it creates on an infected system. O Murchu says the malware uses five files: a dropper that writes onto the infected system all of the components the malware will need to do its work; a loader that places those components into memory when the computer starts; a remote access Trojan that serves as a backdoor for siphoning data from the system; a second loader that executes the Trojan; and a keystroke logger.

Like Stuxnet, Duqu uses a sophisticated and unusual technique to keep its components in the memory of a machine rather than on the hard drive, tricking the system into loading them from memory so that anti-virus engines scanning the disk never see them. This technique was one of the first red flags Symantec found in Stuxnet indicating that it was doing something beyond other types of malware they had seen before.

The malware is configured to run for 36 days, after which it automatically removes itself from an infected system.

O Murchu says they still have no idea how Duqu was delivered to infected systems. Stuxnet primarily used a zero-day vulnerability that allowed it to spread to systems via an infected USB stick.

“There’s an installer component [to Duqu] we haven’t seen,” O Murchu says. “We don’t know if the installer is self-replicating. That’s a piece of the jigsaw that we’re missing right now.”

The variants are about 300 kilobytes in size (Stuxnet was about 500 KB) and use a custom protocol between an infected system and a command-and-control server to siphon data from the infected machine and load new components onto it. According to O Murchu, the malware tries to disguise this communication as ordinary image traffic by appending it to a 54 x 54 pixel JPEG file. The appended data is encrypted, and the researchers are still analyzing the code to determine what the communication contains.
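The JPEG trick described above suggests a simple network-side check: a well-formed JPEG ends at its End-Of-Image marker (0xFFD9), so any bytes after it are a carrier for something else. The following is an added example written for this article, not Symantec’s detection code and not Duqu’s own protocol code. It walks the JPEG segment structure, reads the image dimensions from the frame header, and reports any bytes that trail the EOI marker. The 54 x 54 expectation comes from the article; the sample image and the trailer bytes standing in for the encrypted payload are constructed inline (the image is structurally valid but not a decodable picture).

```python
"""Flag JPEG files that carry data appended after the End-Of-Image marker.

Added example for this article; it is not Symantec's detection code and not
Duqu's own protocol code. The 54x54 expectation is taken from the article;
the sample image and trailer bytes are constructed here for illustration.
"""
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
SOS = 0xDA
# Start-Of-Frame markers that carry height/width: baseline, extended, progressive.
SOF_MARKERS = {0xC0, 0xC1, 0xC2}


def _next_marker(data: bytes, pos: int) -> int:
    """Skip entropy-coded scan data starting at pos; return the offset of the next real marker.

    Inside scan data 0xFF is always followed by 0x00 (byte stuffing) or by a
    restart marker 0xD0..0xD7, so anything else is a genuine segment marker.
    """
    while True:
        i = data.find(b"\xff", pos)
        if i < 0 or i + 1 >= len(data):
            return -1
        nxt = data[i + 1]
        if nxt == 0xFF:               # fill byte; the next 0xFF may start the marker
            pos = i + 1
        elif nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos = i + 2               # stuffed byte or RSTn: still scan data
        else:
            return i


def parse_jpeg(data: bytes) -> dict:
    """Return width, height, the offset just past EOI, and any trailing bytes."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, width, height, eoi_end = 2, None, None, None
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte
            pos += 1
            continue
        if marker == 0xD9:            # EOI: everything after this is trailing data
            eoi_end = pos + 2
            break
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers without a length field
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            raise ValueError("invalid segment length")
        payload = data[pos + 4:pos + 2 + seg_len]
        if marker in SOF_MARKERS and len(payload) >= 5:
            _precision, height, width = struct.unpack(">BHH", payload[:5])
        pos += 2 + seg_len
        if marker == SOS:             # entropy-coded data follows the SOS header
            pos = _next_marker(data, pos)
            if pos < 0:
                raise ValueError("no marker after scan data")
    if eoi_end is None:
        raise ValueError("no EOI marker found")
    return {"width": width, "height": height,
            "eoi_end": eoi_end, "trailing": data[eoi_end:]}


def check_jpeg(data: bytes, expect_dims=(54, 54)) -> dict:
    """Detection verdict: trailing bytes after EOI are the signal; dimensions are context."""
    info = parse_jpeg(data)
    n = len(info["trailing"])
    return {"flag": n > 0,
            "trailing_bytes": n,
            "dims_match": (info["width"], info["height"]) == expect_dims}


def build_jpeg(width: int, height: int, trailer: bytes = b"") -> bytes:
    """Construct a minimal, structurally valid JPEG (not a decodable picture) for testing."""
    sof = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"    # includes a stuffed 0xFF00 to exercise the scanner
    return (SOI
            + b"\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
            + scan + EOI + trailer)


if __name__ == "__main__":
    clean = build_jpeg(54, 54)
    covert = build_jpeg(54, 54, trailer=b"\xde\xad\xbe\xef" * 4)  # stand-in for an encrypted payload
    print(check_jpeg(clean))    # {'flag': False, 'trailing_bytes': 0, 'dims_match': True}
    print(check_jpeg(covert))   # {'flag': True, 'trailing_bytes': 16, 'dims_match': True}
```

Trailing bytes after EOI are not proof of malice on their own; some legitimate tools leave junk after the marker, which is why the check also records whether the image matches the 54 x 54 size reported for Duqu, so an analyst can combine the two with the destination host when triaging image downloads pulled from proxy logs or packet captures.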

Update: This post was updated to correct the size of the jpeg file the malware sends to the command-and-control server.