Government // Cybersecurity
News
10/20/2011
12:42 PM
50%
50%

3 Lessons Learned From Duqu Malware

Emergence of a Trojan based on Stuxnet sourcecode highlights security challenges businesses continue to face.

Why let good malicious code go to waste?

That appears to be the operating ethos of whoever was behind the Stuxnet cyberattack, given the recent appearance of Duqu--aka the Trojan application W32.Duqu--which is based on the Stuxnet source code. "Stuxnet source code is not out in the wild--only the binaries. Only the original authors have the source code. So, this new backdoor was created by the same party that created Stuxnet," said Mikko Hypponen, chief research officer at F-Secure, in a blog post.

"The code similarities between Duqu and Stuxnet are obvious," he said. "Duqu's kernel driver (JMINET7.SYS) is actually so similar to Stuxnet's driver (MRXCLS.SYS) that our back-end systems actually thought it's Stuxnet."

In the history of malicious code, Stuxnet broke new ground on several fronts. First, it showed that many industrial control systems--long known to be poorly secured, if it all--really were vulnerable to malicious code, and furthermore that a digital attack could disable a physical system.

[Could a Stuxnet-type attack Cripple Critical U.S. Infrastructure?]

Stuxnet also highlighted that Middle Eastern countries running uranium-enrichment programs using a few specific makes and models of centrifuges and control systems should be especially alert to malware meant to disable their operations. "What we know about Stuxnet is that it was a very complex delivery mechanism just to get into a control system," said Eric Knapp, director of critical infrastructure markets for security intelligence and event management vendor NitroSecurity, in a recent interview.

Unlike Stuxnet, however, Duqu doesn't target control systems for attack. Instead, security researchers say the malware was designed to collect information for cyberespionage purposes. In addition, while the reappearance of anything Stuxnet-related would seem to be cause for concern, security researchers have said that it's a rare malware developer who doesn't reuse their code.

What did get reused, however, is interesting. "The components that were reused were not the pieces used to target SCADA/industrial control systems, but rather related driver files that provide the malware the ability to download additional components," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

With all of that in mind, what can businesses learn from the emergence of this Stuxnet-derived threat? Duqu highlights three ongoing security challenges:

1. Control systems remain vulnerable. While Duqu hasn't been attacking control systems, it is gathering related information, presumably to put to use in the future. "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," according to a blog post from Symantec. "Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)."

2. Digital certificate authorities can be bypassed. As with Stuxnet, Duqu components were signed using legitimate--but likely stolen--digital certificates, in this case for Taiwanese audio chipset manufacturer C-Media. Likewise, "Stuxnet used digital certificates which had been 'stolen' before," said Martin Kuppinger, principal analyst at identity and information security research firm KuppingerCole, in a blog post. Coming on the heels of this year's attacks against DigiNotar and Comodo, that highlights the need to strengthen current approaches to issuing and validating digital certificates.

3. Stopping one-off attacks remains tough. Many information security defenses rely on signatures, meaning that before an attack can be blocked, security vendors need to have spotted the malware elsewhere, first. Accordingly, attackers continue to refine their ability to generate so-called polymorphic malware, which is able to constantly change, and thus fool many signature-based security tools.

What can businesses that are worried about the consequences of Duqu do? Primarily, anyone using an Internet-connected or network-connected control system should ensure that appropriate security defenses are in place. "If feasible, technical isolation of these networks is a pretty good idea," said Kuppinger. Notably, if they're not online, then attacking them remotely gets more difficult.

But don't expect to spot and stop every attack. "There is no reason to assume that you are safe against attacks, whichever precautions you take," he said. In other words, even if you're not running a control system, Duqu and Stuxnet illustrate that a determined attacker can find a way into almost any network. Be prepared.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Apprentice
10/24/2011 | 10:17:28 PM
re: 3 Lessons Learned From Duqu Malware
There has been a lot of talk about point number two in the past several months, and I would like to think the industry is serious about making some changes to address the challenges facing digital certificates and authentication.
Brian Prince, InformationWeek contributor
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Nov. 10, 2014
Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 16, 2014.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.