On October 14th, Symantec was sent a sample of a Stuxnet variant from an organization in Europe.
The malware was very similar to Stuxnet, but the payload and purpose makes this a totally new creation.
Parts of the malware is basically Stuxnet, it is so close that a report from f-secure says that their backend systems even thought that it was Stuxnet.
But as researchers dug into it, they found an interesting twist. This version was not created to destroy PLC equipment. This one is an electronic spy.
According to a 42 page analysis of Duqu, Symantec claims that the code was written by the same authors who wrote stuxnet, or at least a group that had access to the source code. But the twist is, this one isn’t made to take out nuclear power plants, this version collects information, possibly for a follow up attack at a later time:
“Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility."
"Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat has been highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.”
The design also makes it difficult to ascertain the malware’s source nation. It uses a valid digital certificate from a company in Taipai, Taiwan (which has since been revoked). Communicates via HTTP and HTTPS communications to a Command and Control server in India. Encrypts data before transmission, communicates to the C&C server via dummy .jpg picture files and automatically removes itself in 36 days.
As this version seems to be an espionage tool, one has to wonder what is next. The author apparently wants to gather information on a target for what would seem to be future attacks. What could the future attack be?
Well, we may not need to wait long to find out, as Symantec received additional variants of Stuxnet from another European organization. These samples have a compilation date of October 17th. Symantec has not had time to analyze these new samples yet, but this is very interesting indeed.
For more information, check out Symantec’s detailed report.