
Friday, October 21, 2011

Meet Duqu, the new computer worm

There have been a number of reports in the media about a new computer worm known as Duqu. Duqu is apparently a precursor to a new Stuxnet-type worm. Duqu gathers the data necessary to interrupt operation of industrial control mechanisms like those manufactured by Siemens. Stuxnet disrupted the operation of Iran's nuclear facilities by gaining access to the Siemens industrial control mechanisms. Duqu apparently comes from the same source as Stuxnet.

On Tuesday, security software firm Symantec said in a report that it had been alerted by a research lab with international connections to a malicious code that "appeared to be very similar to Stuxnet." It was named Duqu because it creates files with "DQ" in the prefix.

The U.S. Department of Homeland Security said it was aware of the reports and was taking action.

"DHS' Industrial Control Systems Cyber Emergency Response Team has issued a public alert and will continue working with the cybersecurity research community to gather and analyze data and disseminate further information to our critical infrastructure partners as it becomes available," a DHS official said.

Symantec said samples recovered from computer systems in Europe and a detailed report from the unnamed research lab confirmed the new threat was similar to Stuxnet.

"Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose," Symantec said. "Duqu is essentially the precursor to a future Stuxnet-like attack."

...

The new Duqu computer virus is designed to gather data from industrial control system manufacturers to make it easier to launch an attack in the future by capturing information including keystrokes.

"The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," Symantec said.

"Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT)," Symantec said. "The threat does not self-replicate."

Duqu shares "a great deal of code with Stuxnet" but instead of being designed to sabotage an industrial control system, the new virus is designed to gain remote access capabilities.

"The creators of Duqu had access to the source code of Stuxnet," Symantec said.

IEEE Spectrum, a blog about software security systems, reports that the official name is W32.Duqu (Hat Tip: Sunlight). Spectrum reports that in its security response note, Symantec regards W32.Duqu as much less of a threat than Stuxnet was.
In addition, Symantec reports that W32.Duqu is highly targeted toward specific organizations that possessed particular IT systems, and is designed to stay active for only 36 days and then remove itself.

Symantec also reports that W32.Duqu, which it rates as a very low risk, may have been active as early as December of last year, although it was discovered only recently.

The New York Times article says that W32.Duqu "... could not have been written without having access to the original [Stuxnet] programmer’s instructions" since the original Stuxnet code was never made public.

Vikram Thakur, principal security response manager at Symantec, is quoted in the Times as saying in regard to W32.Duqu:

"This is extremely sophisticated, this is cutting edge."

However, after reading an article published about a week ago in PC World, one cannot help but wonder why the programmers behind Stuxnet and W32.Duqu needed to resort to any level of sophistication.

According to the PC World article, industrial control systems seem to be chock-full of IT security holes of varying degrees of operational consequence. In fact, the discovery of Stuxnet last year seems to have sparked major interest in the IT security community in finding security holes in various manufacturers' industrial control systems, which, the PC World article says, possibly number in the hundreds.

Given the general speculation that the creators of Stuxnet and W32.Duqu are a national security service - those of the US and Israel are frequently mentioned - a conspiracy theorist might think that one purpose of the worm is to highlight the poor level of IT security in industrial control systems.

None of this, however, is cause for rejoicing. J.E. Dyer points out that Iran continues to produce low-enriched uranium (of which it now has a sufficient supply for four nuclear warheads) and medium-enriched uranium, from which it is a small step to develop nuclear weapons. Dyer points to these two paragraphs in the recently released September 2011 IAEA report on Iran's nuclear activities (emphasis is J.E.'s).

50. While the Agency continues to conduct verification activities under Iran’s Safeguards Agreement, Iran is not implementing a number of its obligations, including: implementation of the provisions of its Additional Protocol; implementation of the modified Code 3.1 of the Subsidiary Arrangements General Part to its Safeguards Agreement; suspension of enrichment related activities; suspension of heavy water related activities; and addressing the Agency’s concerns about possible military dimensions to Iran’s nuclear programme.

51. While the Agency continues to verify the non-diversion of declared nuclear material at the nuclear facilities and LOFs declared by Iran under its Safeguards Agreement, as Iran is not providing the necessary cooperation, including by not implementing its Additional Protocol, the Agency is unable to provide credible assurance about the absence of undeclared nuclear material and activities in Iran, and therefore to conclude that all nuclear material in Iran is in peaceful activities.

Read it all.

And, just to complete the picture, JPost reported on Friday that the IAEA says Iran will soon move its nuclear material to an underground bunker, making it much harder to attack.

Iran plans to soon start moving nuclear material to an underground site for the pursuit of sensitive atomic activities, diplomatic sources say, a move likely to add to Western fears about Tehran's intentions.

They said a first batch of uranium hexafluoride gas (UF6) -- material which is fed into machines used to refine uranium -- would be transferred to the Fordow site near the holy city of Qom in preparation for launching enrichment work there.

Enriched uranium can be used to fuel nuclear power plants, Iran's stated aim, or provide material for bombs if processed to a higher degree, which the West suspects is its ultimate goal.

After all of that, W32.Duqu seems like a tiny worm indeed.


3 Comments:

At 4:43 PM, Blogger Juniper in the Desert said...

Bunker busters from US plus tectonic danger zone equals...

 
At 12:49 AM, Anonymous Anonymous said...

If the purpose of the worm is as the article states, it is huge. If an outside agency is able to take control of Iran's nuclear facilities, there are untold many things that can be accomplished to slow and even stop certain projects without anyone knowing who did it or even what went wrong. Also on this point in the article, "Dyer points to these two paragraphs in the recently released September 2011 IAEA report on Iran's nuclear activities." --- the IAEA was saying back in 2000 that if Iran had any secret nuclear programs that were unknown to the IAEA [I think at least 3 secret programs have been found out about since then] Iran could build a nuclear weapon in as little as a few months [see link to article below]. It is about 1/3 of the way down the page; here is the quote from ELBARADEI: "Sure. And if they have the nuclear material and they have a parallel weaponization program along the way, they are really not very far - a few months - from a weapon." http://www.iaea.org/newscenter/transcripts/2006/newsweek12012006.html

 
At 12:52 AM, Anonymous Anonymous said...

Correction to the above post. It was Jan. 2006 not 2000 as I stated above.

 
