Duqu, son of Stuxnet, a pre-cursor to another cyber-weapon

Anderson November 14, 2011, 14:55:39 IST

Security experts have raised the alarm that the recent computer threat, Duqu, might be the pre-cursor to another cyber-weapon. It’s believed to be written by the creators of Stuxnet which targeted Iran’s nuclear programme.

Over the summer, the threat of cyberwar thundered from the front pages of newspapers across the world. Most of those threats weren’t war at all, just sophisticated espionage; the one exception was Stuxnet, and computer security experts believe that the recent Duqu threat might be a pre-cursor to another Stuxnet-style attack.

Most of the malware floating around steals information or turns your computer into a tool of the hacker. It doesn’t physically affect your computer or anything else in the physical world.

Stuxnet was dramatically different. It was an extremely sophisticated, extremely targeted attack that was aimed at delaying the Iranian nuclear programme by causing the centrifuges that enriched uranium to spin out of control.

Most malware is also a blunt instrument. Distributed denial of service (DDoS) attacks trade in networks of compromised computers, botnets, to take websites down. Phishing scams send out millions of malware-laden messages because it costs nothing and the gullible will still number in the thousands.

Some phishing scams are targeted, and security researchers refer to them as spear phishing. Spear phishing attacks are often used in state and corporate espionage. It’s so common that Lotta Danielsson-Murphy, the vice president of the US-Taiwan Business Council, has created a Tumblr blog collecting all of the spear phishing emails targeting the “China/Taiwan analyst community in Washington, DC.”

Stuxnet used sophisticated ways to spread via infected USB sticks and shared printers on a network, and after analysis by security firm Symantec, it was found that infections were overwhelmingly concentrated on computers in Iran. The creators of Stuxnet targeted five Iranian organisations that they thought would deliver the malware to its target.

The target was an industrial controller built by German industrial giant Siemens, and Siemens warned that its supervisory control and data acquisition (SCADA) management systems were vulnerable to the worm, The Economist reported. Cybersecurity experts have long been worried about SCADA attacks because the systems control all manner of industrial equipment. However, they are not usually connected to the internet due to the critical nature of their operations. Stuxnet found a way to infect them via a Windows programme used to write code for the controllers.

The very sophisticated code targeted the controllers used on the centrifuges that Iran was using to enrich uranium. Centrifuges run by the infected controllers would literally spin themselves apart. However, Stuxnet’s dark activities, from beginning to dramatic end, were cleverly masked.

Stuxnet has often been described as the world’s most sophisticated cyberweapon. It was so complex and targeted that it was almost certainly written by a state security organisation, although which organisation is still a mystery. Most of the fingers point to Israel, possibly with US help. The New York Times reported that the Israelis tested Stuxnet at their Dimona nuclear complex.

Duqu, a pre-cursor to another attack?

The Stuxnet attack was years in the making, and security researchers think that Duqu is a sign that the writers of Stuxnet are building another weapon.

Both Stuxnet and Duqu rely on zero-day exploits. Most malware is based on existing, known exploits, but zero-day exploits are threats unknown to software and security makers. As Kim Zetter of Wired says, zero-day exploits are extremely rare. When analysing Stuxnet, she said, “Out of more than 12 million pieces of malware that antivirus researchers discover each year, fewer than a dozen use a zero-day exploit.” This is quite literally the secret weapon in a hacker’s arsenal.

Both Stuxnet and Duqu have used stolen digital certificates so that they pass initial checks. The first phase of Stuxnet stole industrial information that could later be used to attack Siemens’ SCADA systems. The worry is that Duqu is just the precursor to another attack, collecting the information needed to create another cyberweapon.

Researchers at Symantec say:

“Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.”

Symantec researchers say that Duqu shares a great deal of code with Stuxnet and add, “The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries.”

The real mystery is who the son of Stuxnet might be targeting. Will the next worm strike another blow against Iran, or do the writers have a new target in mind? At the moment, the malware has only been discovered on computers in Europe, and it’s unclear what information has been passed back to its creators. Duqu tried to export compromised data via dummy JPEG image files, but what those files contained remains a mystery.
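The detail about data leaving in dummy JPEG files is the one point in this story a defender can turn into a concrete check. The following Python is an added example, not code from the article, from Symantec, or from any Duqu analysis: it walks a JPEG's marker segments and flags two generic signs of an image file carrying something other than an image, namely bytes appended after the end-of-image marker and an unusually large volume of APPn/COM metadata. The sample files are constructed inline, and the metadata threshold and the idea that Duqu's files would look like this are assumptions, not facts from the page.

```python
import struct

SOI = b"\xff\xd8"  # start-of-image marker
EOI = b"\xff\xd9"  # end-of-image marker


def parse_jpeg_segments(data: bytes):
    """Walk the marker segments of a JPEG file.

    Returns (segments, eoi_offset): segments is a list of
    (marker, payload_length) tuples, eoi_offset is the byte offset just
    past the EOI marker. Anything at or beyond eoi_offset is not image data.
    """
    if not data.startswith(SOI):
        raise ValueError("missing SOI marker; not a JPEG")
    pos = 2
    segments = []
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == 0xD9:  # EOI: the image ends here
            return segments, pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # markers with no payload
            segments.append((marker, 0))
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos:pos + 2])[0]  # includes its own 2 bytes
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        segments.append((marker, length - 2))
        pos += length
        if marker == 0xDA:  # SOS: entropy-coded scan runs until the next real marker
            while pos < len(data):
                if (data[pos] == 0xFF and pos + 1 < len(data)
                        and data[pos + 1] not in (0x00, 0xFF)    # 0xFF00 is byte stuffing
                        and not 0xD0 <= data[pos + 1] <= 0xD7):  # RSTn markers stay in scan
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def analyse_jpeg(data: bytes, max_metadata_bytes: int = 64 * 1024) -> dict:
    """Report generic signs of a JPEG carrying non-image data.

    max_metadata_bytes is an assumed, tunable threshold: EXIF and ICC data
    legitimately live in APPn segments, so the right cut-off depends on
    what normal images look like in your environment.
    """
    segments, eoi_offset = parse_jpeg_segments(data)
    trailing = len(data) - eoi_offset
    metadata = sum(n for m, n in segments if 0xE0 <= m <= 0xEF or m == 0xFE)
    return {
        "trailing_bytes": trailing,
        "metadata_bytes": metadata,
        "suspicious": trailing > 0 or metadata > max_metadata_bytes,
    }


def build_sample_jpeg(extra_segments: bytes = b"", scan: bytes = b"\x12\x34\x56") -> bytes:
    """Constructed minimal JPEG skeleton for testing (not a decodable picture)."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    seg_app0 = b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    seg_sos = b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr
    return SOI + seg_app0 + extra_segments + seg_sos + scan + EOI


if __name__ == "__main__":
    clean = build_sample_jpeg()
    appended = clean + b"CONSTRUCTED-PAYLOAD"  # constructed: data hidden past EOI
    padded = build_sample_jpeg(b"\xff\xe1" + struct.pack(">H", 102) + b"A" * 100)
    for name, blob in (("clean", clean), ("appended", appended), ("padded", padded)):
        print(name, analyse_jpeg(blob, max_metadata_bytes=64))
```

Run on real files, this is a triage filter rather than a verdict: many benign images carry large EXIF or ICC blocks, and some tools append harmless trailers, so the flagged files are the ones worth opening in a hex editor or comparing against the same image from a trusted source.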
