The Stuxnet cyberworm could soon be modified to attack vital industrial facilities in the US and abroad, cybersecurity experts warned Wednesday at a Senate hearing.
From what researchers can tell, Duqu's mission is to gather intelligence data and assets from entities such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.

According to Symantec, the next threat, dubbed “DuQu” because its code contains the string ~DQ, is a surveillance-based Trojan horse designed to relay information back to a command and control center. DuQu uses mock .jpg files along with other dummy files, all encrypted, to exfiltrate data. Unlike Stuxnet, which specifically damaged Siemens PCS 7 systems, DuQu appears to be only collecting information about the design of other industrial control systems. DuQu has an active lifetime of only about 36 days, which is probably intended to limit its discovery.

The Symantec report states “the threat was written by the same authors, or those that have access to the Stuxnet source code, and appears to have been created after the last Stuxnet file we recovered.” F-Secure’s Mikko Hypponen tweeted “Duqu’s kernel driver (JMINET7.SYS) is so similar to Stuxnet’s driver (MRXCLS.SYS) that our back-end systems actually thought it’s Stuxnet.”

At this time DuQu does not propagate and has been released only within targeted industries, although Symantec admits it may also be elsewhere and not yet discovered. The original compile dates on some of the variants of DuQu analyzed so far suggest it may have existed as far back as November 3, 2010.
Stuxnet compile dates were between June 2009 and March 2010 and therefore pre-date DuQu.

More from the Symantec Security Response blog. Key points are:

• Executables developed after Stuxnet using the Stuxnet source code have been discovered.
• The executables are designed to capture information such as keystrokes and system information.
• Current analysis shows no code related to industrial control systems, exploits, or self-replication.
• The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
• The exfiltrated data may be used to enable a future Stuxnet-like attack.

Clues to DuQu’s origin do exist. For example, it uses a digital certificate set to expire August 2, 2012, issued from a company in Taipei, Taiwan. F-Secure’s Hypponen thinks the certificate was stolen from C-Media in Taiwan. Symantec says that certificate was revoked on October 14, 2011.