Hello friends,
Today I am going to continue my observations of, and revisit my conclusions on, DuQu.
DuQu… The Evolution Of ‘Weaponized’ Malware Is Unfolding Right In Front Of Our Eyes!
I realize that ‘Weaponized’ is such a graphic term! Yet, I think that using it to describe DuQu is no more ‘scaremongering’ than stating that Pakistan and India are nuclear powers. As the various unique DuQu infections are slowly being dissected by the data security industry, it is becoming very clear that this is not the work of some cyber-criminal gang or any ‘hacktivist’ group. DuQu is the first salvo (or pre-salvo, if you will) of another operation, or more likely, many seemingly unrelated operations. Any one of these operations could potentially have a larger visible effect on the world’s population than ANY other malware ever documented before! Or, maybe not. In a flash-back to the CIA’s assassination days, the information gathered by DuQu could (and I wager would) be used to cause a seemingly isolated ‘incident’ in some critical control system that would result in the death of some ‘High Profile Wanted’ person almost anywhere on the globe (with, say, a few days to a week’s notice)! Or realistically it could even easily be all of the above!
Granted, DuQu as we know it now doesn’t appear to be much more than an unbelievably clever piece of spyware, so to deliver on the above statements it would need some help. But I would bet the farm that ‘that help’ is sitting ready right now, waiting only for specific parameters to be entered into various blocks of pre-existing code before compilation! Here is some of my reasoning and why I think this…
The first example the world ever saw of any type of ‘weaponized’ code was last year; it was called Stuxnet. Its target was obviously Iran’s Natanz Nuclear Labs. It was unique in several ways, in that it used an unheard-of four different zero-day exploits! It was specifically targeted to sabotage the normal operation of Siemens centrifuge controllers while simultaneously covering up its activities and presenting a seemingly ‘normal operation’ environment to Iran’s centrifuge operators physically present at those machines! Excuse my language but, that is quite a damn feat! A couple of variations of Stuxnet were discovered, and the dissections indicated that the code functions were written in ‘blocks’ (a common practice) and in several different programming languages, and the second variation indicated that the various ‘blocks’ of code might be interchangeable to add quick, customizable functionality! Holy quick versatility, Batman!
On November 1, 2011, DuQu was publicly announced by Symantec. Their first impression of the code was that it was another variant of Stuxnet, because a percentage of this new code was quickly identified by heuristic scan engines as Stuxnet. But there were more similarities. Of the six confirmed unique instances of DuQu currently being studied by various members of the data security industry, evidence exists that every instance was specifically compiled for a specific target, each one involved in the manufacturing and/or maintenance of industrial control systems. Yes, the types that are commonly used for critical infrastructure control in the developed world. The ‘blocks’ of code seem to indicate that DuQu’s programming was written in or about Oct ’07 (as was some of Stuxnet). However, one security company thinks that some of this code was written as far back as ’04.
DuQu uses a fresh C&C (Command and Control) server for every unique instance discovered, which greatly improves DuQu’s overall odds of success, as any instance that is discovered and whose C&C is identified and brought down doesn’t kill any of the yet-to-be-discovered instances still ‘in the wild’. SIDE NOTE: Anonymity could be very fleeting here, as it stands to reason that the more C&C servers are identified and studied, the better the odds of accurately deducing the programmer(s) behind these infections.
I find almost all malware’s propagation techniques very interesting reading. My favorite portion of DuQu’s is its LAN propagation. The initial infection is delivered onto a web-facing computer using a malformed .doc file, where it sits still for 10 minutes or so waiting for computer inactivity. Then it completes its installation and starts sending ‘feelers’ out to find and identify other computers in the LAN neighborhood; specifically, the computers on a non-web-facing subnet. It gathers as much information as it can on these and sends it back to the C&C. Apparently, after human analysis of the pilfered information, specific attack vectors are settled upon and a new malware is compiled for the propagation. Then, operators instruct the C&C to send the files needed for the surgical infiltration attempt into the more protected subnets. They seem to employ several different tools, including key-loggers. If this proves successful, the web-facing, initially infected computer becomes a liaison between the C&C and, hopefully, the targeted information.
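Since every instance talks to its own C&C server, a blocklist of known C&C addresses tells a defender nothing about the next instance; what stays constant is the behaviour described above: a web-facing host that suddenly fans out across the protected subnet and then talks to an external peer nobody else in the organization uses. The following detection sketch is added here and is not code from the original post or from any vendor's DuQu analysis; the network ranges, thresholds and flow records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical layout (not from the post): 10.0.0.0/8 is internal, web-facing hosts
# sit in 10.0.1.0/24 and the protected non-web-facing subnet is 10.0.2.0/24.
INTERNAL, WEB_FACING, PROTECTED = (ip_network(n) for n in ("10.0.0.0/8", "10.0.1.0/24", "10.0.2.0/24"))
FANOUT_THRESHOLD = 5   # distinct protected hosts touched inside one window
WINDOW_SECONDS = 600   # ten minutes, the idle period the post mentions

# Constructed flow records (timestamp, src, dst); not real DuQu traffic.
FLOWS = [
    ("2011-11-01T09:00:00", "10.0.1.5", "10.0.2.10"),
    ("2011-11-01T09:00:02", "10.0.1.5", "10.0.2.11"),
    ("2011-11-01T09:00:04", "10.0.1.5", "10.0.2.12"),
    ("2011-11-01T09:00:06", "10.0.1.5", "10.0.2.13"),
    ("2011-11-01T09:00:08", "10.0.1.5", "10.0.2.14"),
    ("2011-11-01T09:01:00", "10.0.1.5", "198.51.100.23"),  # external peer nobody else uses
    ("2011-11-01T09:00:00", "10.0.1.6", "10.0.2.10"),      # a single admin connection
    ("2011-11-01T09:30:00", "10.0.1.6", "192.0.2.50"),     # shared, benign external peer
    ("2011-11-01T09:31:00", "10.0.1.7", "192.0.2.50"),
]

def fanout_in_window(contacts):
    """Largest number of distinct protected hosts reached within WINDOW_SECONDS."""
    best = 0
    for i, (t0, _) in enumerate(contacts):
        best = max(best, len({d for t, d in contacts[i:] if (t - t0).total_seconds() <= WINDOW_SECONDS}))
    return best

def find_staging_hosts(flows=FLOWS):
    """Web-facing hosts that fan out over the protected subnet, then contact an external peer nobody else uses."""
    by_src, ext_users = defaultdict(list), defaultdict(set)
    for ts, src, dst in flows:
        t, s, d = datetime.fromisoformat(ts), ip_address(src), ip_address(dst)
        by_src[s].append((t, d))
        if d not in INTERNAL:
            ext_users[d].add(s)
    hits = {}
    for src, events in by_src.items():
        events.sort()
        prot = [(t, d) for t, d in events if d in PROTECTED]
        fan = fanout_in_window(prot)
        if src not in WEB_FACING or fan < FANOUT_THRESHOLD:
            continue
        lone_peers = sorted(str(d) for t, d in events
                            if t > prot[0][0] and d not in INTERNAL and ext_users[d] == {src})
        if lone_peers:
            hits[str(src)] = {"fanout": fan, "unique_external": lone_peers}
    return hits
```

On the constructed records only 10.0.1.5 is flagged; the admin host that touches one protected machine and then a site everyone else uses is not.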
All this doesn’t add up to look like the work of any cyber-criminals or hacktivists that have ever heretofore been documented; it’s simply too sophisticated.
Here are some links I read as I formed my conclusions:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
http://www.computerworld.com/s/article/9221372/Update_Duqu_exploits_zero_day_flaw_in_Windows_kernel?source=CTWNLE_nlt_pm_2011-11-01
http://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter
http://www.securelist.com/en/blog/606/The_Mystery_of_Duqu_Part_Five
http://en.wikipedia.org/wiki/Stuxnet
http://en.wikipedia.org/wiki/Duqu
http://www.bbc.co.uk/news/technology-11388018
http://gcn.com/articles/2011/02/15/stuxnet-targeted-five-iranian-facilities.aspx
Until I sit down to write again, friends please stay safe.
Robert