Duqu - Stuxnet 2.0
Posted:
19 Oct 2011 06:10 PM
The security industry is buzzing today after Symantec released a whitepaper on a threat known as Duqu.
What's interesting about Duqu is that it is heavily based on the source code of Stuxnet, the worm that targeted industrial control systems (ICS). The Stuxnet source code has never been made available publicly; only the original attackers have it. It is therefore reasonable to assume that Duqu was written by the same people.
Duqu is not designed to attack Programmable Logic Controllers (PLCs) or any other automation equipment, which was the ultimate purpose of Stuxnet. Instead, it acts as a reconnaissance tool designed to steal private information about these systems. With the information it obtains, further targeted attacks similar to Stuxnet can be carried out.
One of the kernel drivers used in the Duqu attack is signed with a certificate issued to C-Media Electronics Corporation, a technology company in Taiwan. The certificate was revoked on 14 October 2011. Note that revocation only helps where the software verifying the signature actually checks the certificate's revocation status.

While information about the Command & Control servers is still being researched, all known URLs are categorized as security risks (including a Dynamic DNS domain, a category we released a few weeks ago for exactly this purpose). Websense customers are protected against this malware family and Advanced Persistent Threat (APT) attacks by ACE, our Advanced Classification Engine.
Symantec currently has the most information available about this threat, as they were the first to receive the sample. Their whitepaper can be found here.