Wednesday, November 2, 2011

The Duqu virus explored

News and analysis started coming out earlier this week about the Duqu Trojan and the threat which it represents. The two primary sources of information have been McAfee and Symantec, but Venafi has also highlighted some of the potential implications.

SYMANTEC
Symantec stated that on October 14, 2011, a research lab with strong international connections alerted the company to a sample that appeared to be very similar to Stuxnet. They named the threat ‘Duqu’ because it creates files with the file name prefix ‘~DQ’. The research lab provided Symantec with samples recovered from computer systems located in Europe, as well as a detailed report with their initial findings, including analysis comparing the threat to Stuxnet. Symantec has been able to confirm that ‘parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose’.
Symantec says that Duqu is ‘essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered. Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.’
Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate and is highly targeted toward a limited number of organizations for their specific assets. However, says Symantec, ‘it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants’.


MCAFEE
McAfee says that Duqu is based on Stuxnet and is very similar. ‘Only a few sites so far are known to have been attacked by the code, and it does not have PLC functionality like Stuxnet. Instead, the code, delivered via exploitation, installs drivers and encrypted DLLs that function very similarly to the original Stuxnet code. In fact, the new driver’s code used for the injection attack is very similar to Stuxnet, as are several encryption keys and techniques that were used in Stuxnet.’
Duqu is very time sensitive says McAfee and ‘is controlled by an extended, encrypted configuration file. It communicates with a command server in India. This IP address has since been blacklisted at the ISP and no longer functions. Yet it was specially crafted to execute sophisticated attacks against key targets and has remote control functionality to install new code on the target. These include keyloggers, which can monitor all actions on systems: running processes, window messages, and so on. Furthermore, the keylogger component also contains functionality to hide files with a user-mode rootkit.’
McAfee also says the following: ‘It is highly likely that this key, just like the previous two known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack.’

VENAFI
Venafi has been exploring whether the certificate used by Duqu points to a private key compromise or a certificate authority compromise. The company warns that since the certificate used in Duqu serves for authentication, much like SSL server-side and client-side certificates, either cause should prompt organizations to look closely at their security and operations management processes and response plans. Certificates are used for authentication, in addition to encryption.
Venafi highlights the following:
CA compromise
If the Duqu creator compromised a CA to get their certificate, they could have also fraudulently issued other certificates. The security of that CA could be called into question, as well as all the certificates it issued.
If a CA was compromised, companies with certificates from that CA must replace them and all organizations must ensure they’re not trusting that CA. Going beyond this incident, if Duqu is targeting CAs, that reinforces the importance of preparing for a CA compromise, especially coming on the heels of the DigiNotar CA breach this summer.
Private key compromise
If the Duqu creator stole the private key of C-Media Electronics (the Taiwanese company whose certificate is associated with Duqu), that points to another risk that organizations need to address: providing better protection of private keys.
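The "ensure they're not trusting that CA" step above is concrete enough to script. The following is an added example, not code from the original post or from Venafi: it audits a PEM trust bundle and removes any certificate whose SHA-256 fingerprint (computed over the DER bytes) is on a distrust list, so a compromised CA can be pulled from a trust store without needing a full X.509 parser. The two certificates in the sample bundle are constructed placeholders (arbitrary bytes wrapped in PEM armour, not real certificates); in practice the fingerprints would come from the affected CA's published data.

```python
import base64
import hashlib
import re
from typing import Iterable, List, Tuple

# Matches one PEM certificate block; group(1) is the base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_blocks(bundle: str) -> List[str]:
    """Return the base64 body of every certificate block in the bundle, in order."""
    return [m.group(1) for m in PEM_RE.finditer(bundle)]


def der_sha256(b64_body: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of the DER bytes behind a PEM body."""
    der = base64.b64decode("".join(b64_body.split()))
    return hashlib.sha256(der).hexdigest()


def _normalize_fp(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and return lowercase hex without separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def _armour(b64_body: str) -> str:
    """Re-wrap a base64 body as a PEM block with 64-character lines."""
    body = "".join(b64_body.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----"


def audit_bundle(bundle: str, distrusted: Iterable[str]) -> Tuple[str, List[str]]:
    """Drop every certificate whose fingerprint is in `distrusted`.

    Returns (filtered_bundle, removed_fingerprints). Fingerprints are compared
    over DER bytes, so re-wrapping or whitespace differences in the PEM do not matter.
    """
    bad = {_normalize_fp(fp) for fp in distrusted}
    kept: List[str] = []
    removed: List[str] = []
    for body in pem_blocks(bundle):
        fp = der_sha256(body)
        if fp in bad:
            removed.append(fp)
        else:
            kept.append(_armour(body))
    return ("\n".join(kept) + "\n") if kept else "", removed


# Constructed sample data: these byte strings stand in for DER-encoded
# certificates so the example runs offline. They are NOT real certificates.
GOOD_DER = b"CONSTRUCTED placeholder DER for Good Root CA"
BAD_DER = b"CONSTRUCTED placeholder DER for Compromised CA"
GOOD_B64 = base64.b64encode(GOOD_DER).decode()
BAD_B64 = base64.b64encode(BAD_DER).decode()
SAMPLE_BUNDLE = _armour(GOOD_B64) + "\n" + _armour(BAD_B64) + "\n"

# The fingerprint an operator would take from the incident advisory.
COMPROMISED_FP = hashlib.sha256(BAD_DER).hexdigest()


if __name__ == "__main__":
    filtered, gone = audit_bundle(SAMPLE_BUNDLE, [COMPROMISED_FP])
    print(f"removed {len(gone)} certificate(s): {gone}")
    print(f"{len(pem_blocks(filtered))} certificate(s) remain in the bundle")
```

Matching on the DER fingerprint rather than the subject name is deliberate: a subject string can be reused by an attacker-issued certificate, whereas the fingerprint identifies exactly one certificate, and it is what most advisories publish.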
