Researchers have obtained a new piece of malware derived from Stuxnet, called "Duqu". This remote access Trojan (RAT) does not contain any code related to industrial control systems, and the threat does not self-replicate.
Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets. Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that at the time of writing is still operational. The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, which then must be exfiltrated.
Key points:
• Executables using the Stuxnet source code have been discovered. They appear to have been developed since the last Stuxnet file was recovered.
• The executables are designed to capture information such as keystrokes and system information.
• Current analysis shows no code related to industrial control systems, exploits, or self-replication.
• The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
• The exfiltrated data may be used to enable a future Stuxnet-like attack.
Reference:
W32.Duqu: The Precursor to the Next Stuxnet http://www.symantec.com/connect/w32_duqu_precursor_next_stuxnet
McAfee said that the Duqu worm has been identified in "professional, targeted attacks" against CAs in parts of Europe, the Middle East, Asia and Africa. The researchers speculate that a digital certificate belonging to the firm C-Media, based in Taipei, was not stolen, but forged by a compromised CA.
The McAfee analysis fills in some details omitted from a longer analysis released by Symantec Corp on Tuesday. That research declined to name the kind of firm targeted by the worm, but provided a detailed analysis of the Duqu code, which bears a close resemblance to Stuxnet, with shared code used for the injection attack and several encryption keys and techniques that were used in Stuxnet.
Like Symantec's report, the analysis from McAfee says that it knows of only a few infections linked to Duqu, and says the worm doesn't appear to be designed to attack industrial control systems, as Stuxnet was.
Reference:
The Day of the Golden Jackal – The Next Tale in the Stuxnet Files: Duqu
https://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%93-further-tales-of-the-stuxnet-files
Another security company, F-Secure Security Labs, also posted about "Duqu" on its website.
Unlike Stuxnet, the new backdoor, known as Duqu, does not target automation or PLC gear. Instead, it's used for reconnaissance. Duqu collects various types of information from infected systems for a future attack. It's possible we'll eventually see a new attack targeting PLC systems, based on the information gathered by Duqu.
The code similarities between Duqu and Stuxnet are obvious. Duqu's kernel driver (JMINET7.SYS) is actually so similar to Stuxnet's driver (MRXCLS.SYS) that our back-end systems actually thought it's Stuxnet.
Reference:
Duqu - Stuxnet 2
http://www.f-secure.com/weblog/archives/00002255.html
Additional detail about "Duqu" from Symantec can be obtained here [PDF].