Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Stuxnet-Like Trojan, Duqu, Further Undermines Certificate Authorities

This past year or so has been a rough one for certificate authorities. From the attacks on DigiNotar and Comodo to malware such as Stuxnet and Zeus that used signed digital certificates in their assaults on vulnerable systems.

This past year or so has been a rough one for certificate authorities. From the attacks on DigiNotar and Comodo to malware such as Stuxnet and Zeus that used signed digital certificates in their assaults on vulnerable systems.

Now, we can add one more piece of malware to the list. Duqu, which security researchers are saying shares heavy similarities with Stuxnet, is signed with a key belonging to a company in Taipei called C-Media Electronics. The company is in the same business district in Taiwan as the companies whose keys were used by Stuxnet, Dave Marcus, director of security research and communications for McAfee Labs, said today during McAfee’s Focus 2011 conference.

The certificate, which was revoked Oct. 14, was set to expire Aug. 2, 2012. There seems to be some disagreement between McAfee and Symantec as to whether the key was stolen or generated by the attackers, with McAfee contending the latter. Regardless, the end result was the same – malware was installed on a system.

“Why would you want to sign a piece of malware with a valid key – because it avoids detection by AV (antivirus) technologies,” he said.

“You are undermining the entire CA system when you are creating rogue keys…This now the third or fourth time in my recent memory we’ve seen rogue CAs,” he said. “We’re starting to see more and more.”

Much remains unknown about Duqu, though it seems to have been written to gather intelligence from entities such as industrial control system manufacturers for use in future attacks against other organizations. For this reason, along with the fact that roughly 50 percent of Duqu’s code is identical to Stuxnet’s code, Duqu represents a precursor to a Stuxnet-like attack, Vikram Thakur, Principle Security Response Manager at Symantec, told SecurityWeek.

Still, the malware lacks Stuxnet’s worm functionality, and it does not target industrial control systems. Instead, Duqu was used to install another infostealer that records keystrokes and other information, according to Symantec. Based on compile times, the attacks using the variants of Duqu the company analyzed could have been conducted as early as December 2010.

So far, the evidence shows it is focused on just a handful of organizations, Thakur said.

“At this time, we know at least one of these entities in a Europe-based industrial control systems manufacturer,” he said, adding that current analysis shows Duqu affects Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista and Windows XP.

“It is apparent to us that the authors of Duqu had access to the Stuxnet source code, not just Stuxnet binaries,” Thakur said. “This means it is possible that Duqu was created by the same attackers that created Stuxnet. Though the original creators of Stuxnet are not known, the fact (is) that it was obviously very sophisticated and well-funded and is likely to be beyond the capability of most hacking groups. If Duqu was created by the same authors of Stuxnet, it is likely the work of either a well-funded private or government entity.”

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.