
Pinpointing Duqu's Origin and Intended Targets: The Debate Continues...

Last week, Duqu, the next step toward the next-generation Stuxnet, was revealed by researchers, although its pedigree and its intended target remain the subject of much debate.

Stuxnet, if you've been in a cave for the last year, is a game-changing malware that first attacked Windows systems through a then-zero-day DLL vulnerability, then, once a system was infected, went on to infect a Programmable Logic Controller found on Siemens PCS 7 systems. That was novel. PLC systems are specific and, in this case, used by nuclear power systems in Iran. The idea of targeted industries continues to send shock waves through the Industrial Control Systems community.

So Duqu, dubbed “son of Stuxnet”, is interesting. According to Symantec, Duqu uses parts of the Stuxnet source code. In order to do that, the authors would need access to the source code. Samples of Duqu suggest the trojan may have existed as far back as November 3, 2010, shortly after the Stuxnet outbreak. At first blush that would suggest that the author of Stuxnet was the author of Duqu, but that may not be the case.

Other researchers have noted that the code in Duqu is not exactly the original source code, but a close approximation of that in Stuxnet. F-Secure’s Mikko Hypponen tweeted "Duqu’s kernel driver (JMINET7.SYS) is so similar to Stuxnet’s driver (MRXCLS.SYS) that our back-end systems actually thought it’s Stuxnet." If the authors of Duqu are not the original Stuxnet authors, then how did they get the code?


Writing on SCADAhacker, researcher John Langill makes a case that de-compilation tools, which decompile executable code, certainly do exist. Langill further suggests in his blog that the de-compiled Stuxnet code in question may have been leaked by the group known as Anonymous after the HB Gary Federal attack last February. No matter how it got there, Langill says it is now available on the Internet.

Meanwhile, researchers at Kaspersky argue that while Duqu is similar to Stuxnet, it is also very different from it. And Dell SecureWorks further argues in a Wednesday blog that similarities in the Windows DLL used and the commonality of software signing certificates are "insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources." They further state that much of the code contains malware previously seen in the wild.

Setting aside questions of its pedigree, what might be Duqu's intended target? Researchers at Symantec coyly suggested it is targeting different industries than Stuxnet, but didn't name any. Researchers at Kaspersky say the attacks they have seen have been mostly aimed at Iran and Sudan. In response, on Wednesday, F-Secure's Hypponen tweeted that the US State Department's list of countries sponsoring terrorism includes Iran, Sudan, Syria and Cuba. The Kaspersky researchers did not comment on Duqu reportedly seen in the UK, USA, Austria, and Indonesia. In its initial phase, Stuxnet affected several countries, but it was the high infection rate in Iran that proved it to be the ultimate target, so maybe only time will tell with Duqu.

The most outlandish mystery (no pun intended), though, is the choice of the JPG image used to hide the transport of collected information. The picture is of two galaxies known as National General Catalog (NGC) 6745 colliding as taken by the Hubble Space Telescope. Several high-resolution images are available from the web. And F-Secure says Duqu is sending the information within the image to a server 206.183.111.97 also known as canoyragomez.rapidns.com, which has some connection to India.
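The article says the collected data was hidden in a JPG image but does not say how. One common way to smuggle data inside an image file is to append it after the JPEG End-Of-Image marker, where most viewers never look. The following is an added example, not code from the article or from any of the vendors quoted, and it assumes that appending is the hiding technique: it walks the JPEG marker structure, locates the true EOI, and reports any trailing bytes so a defender can flag outbound images that are larger than the picture they contain. The sample JPEG bytes and the payload are constructed for the example.

```python
"""Flag JPEG files that carry data after the End-Of-Image marker (added example)."""
from dataclasses import dataclass

SOI = b"\xff\xd8"   # Start Of Image
EOI = b"\xff\xd9"   # End Of Image
SOS = 0xDA          # Start Of Scan marker byte: entropy-coded data follows


@dataclass
class JpegScan:
    valid: bool          # False if the bytes do not parse as a JPEG
    eoi_offset: int      # offset just past the EOI marker, or -1
    trailing: bytes      # everything after EOI (empty for a clean file)


def find_jpeg_eoi(data: bytes) -> int:
    """Return the offset just past the EOI marker, or -1 if the file does not parse."""
    if not data.startswith(SOI):
        return -1
    pos, in_scan = 2, False
    while pos < len(data):
        if in_scan:
            # Inside entropy-coded data: 0xFF 0x00 is a stuffed byte, 0xFF 0xD0-0xD7 are
            # restart markers, 0xFF 0xFF is fill; any other 0xFF xx is a real marker.
            if data[pos] != 0xFF:
                pos += 1
                continue
            if pos + 1 >= len(data):
                return -1
            nxt = data[pos + 1]
            if nxt == 0xFF:
                pos += 1
                continue
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos += 2
                continue
            in_scan = False  # fall through and handle the marker at pos
        if pos + 1 >= len(data) or data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:          # EOI: the image proper ends here
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # length includes itself
        if seg_len < 2:
            return -1
        pos += 2 + seg_len
        if marker == SOS:
            in_scan = True
    return -1                       # ran off the end without seeing EOI


def scan_jpeg(data: bytes) -> JpegScan:
    """Parse the JPEG and return whatever bytes follow its EOI marker."""
    end = find_jpeg_eoi(data)
    if end < 0:
        return JpegScan(False, -1, b"")
    return JpegScan(True, end, data[end:])


def is_suspicious(data: bytes, min_trailing: int = 16) -> bool:
    """True when a parseable JPEG carries at least min_trailing bytes after EOI.
    A small threshold tolerates the few padding bytes some encoders emit."""
    result = scan_jpeg(data)
    return result.valid and len(result.trailing) >= min_trailing


# Constructed minimal JPEG: SOI, a JFIF APP0 segment, one SOS segment, a few bytes of
# entropy-coded data containing a stuffed 0xFF00 and a restart marker, then EOI.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + EOI
)
# Constructed stand-in for collected data appended behind the picture.
PAYLOAD = b"CONSTRUCTED-EXFIL:" + bytes(range(16))
SUSPECT_JPEG = CLEAN_JPEG + PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("suspect", SUSPECT_JPEG)):
        r = scan_jpeg(blob)
        print(f"{name}: eoi_at={r.eoi_offset} trailing={len(r.trailing)} "
              f"suspicious={is_suspicious(blob)}")
```

Run over files captured from a web proxy or mail gateway, the check is cheap enough to apply to every outbound image; a hit means the file deserves a closer look, not that it is malicious, since some editors leave padding or metadata past the EOI.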

Clues to Duqu’s true origin might exist elsewhere. For example, some of the Duqu variants use a digital certificate set to expire August 2, 2012, issued from a company in Taipei, Taiwan. McAfee says the certificate was stolen from C-Media in Taiwan. Symantec says that certificate was revoked on October 14, 2011. Other variants of Duqu use other certificates.

All of which may be red herrings.

Even with so many people looking at Duqu, and so many fingerprints on it, it may still not be possible to pinpoint who did what when. But we've been given ample warning that code like this will be more common in the future, and evidence that someone can replicate Stuxnet-like qualities. Hopefully we'll adopt a security environment that keeps these new infections from becoming commonplace soon enough.

Robert Vamosi, CISSP, an award-winning journalist and analyst who has been covering digital security issues for more than a decade, is a senior analyst for Mocana, a device security start up. He is also the author of When Gadgets Betray Us and a contributing editor at PCWorld, a blogger at Forbes.com, and a former Senior Editor at CNET. He lives in Northern California.