Why Does Duqu Matter?

The short answer is that if your PC got infected by Stuxnet last year, you were just collateral damage, unless you were operating a very specific set of uranium enrichment centrifuges. If you get Duqu this year, your network is under attack from a CIA/Mossad operation. That might seem a little outrageous, but bear with me while we get into the weeds of what Duqu is all about. I will lay out a set of assertions that lead to the conclusion that Duqu really is the “precursor to the next Stuxnet,” as Symantec says in its whitepaper.

1. Stuxnet was created by the CIA and the Mossad

Although no one has officially claimed responsibility for Stuxnet, both the U.S. and Israeli governments have done everything but take official responsibility. Neither government has ever denied responsibility, even when directly asked. In fact, officials in both governments have been reported as breaking out in big smiles when the subject comes up.

2. Duqu is from the same team that created Stuxnet.

The first clue that Duqu is from the Stuxnet team is the similarities between the rootkit components in both pieces of malware. The folks who have studied the two most closely are sure that Duqu is based on the Stuxnet component’s source code. Despite what you may have read on the internet, the actual source code to Stuxnet is not publicly available. Some folks have reverse-engineered some of the Stuxnet source code from the binaries that are available; for various technical reasons, I’m sure that these don’t serve as the basis for Duqu.

Duqu even has a fix for a bug in Stuxnet. Also, the only two pieces of malware in history to install themselves as Windows device drivers with legitimate, but stolen, digital certificates are Stuxnet and Duqu. Both Stuxnet and Duqu were active in the wild and managed to evade detection for many months. While that’s not unheard of for malware, it is another point of similarity.
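As a defender’s check on the point above, here is an added PowerShell example (not from the original post, and not Symantec’s or any vendor’s tooling): it enumerates the kernel drivers registered on a Windows host, verifies each file’s Authenticode signature, and flags any driver whose signature is missing or invalid, or whose signing certificate thumbprint matches a locally maintained list of known-stolen or revoked code-signing certificates. The thumbprints in `$SuspectThumbprints` are constructed placeholders, not real Stuxnet or Duqu values; the function name `Get-DriverSignatureReport` is this example’s own.

```powershell
# Added example: audit installed Windows kernel drivers for missing, invalid,
# or suspect Authenticode signatures. Run from an elevated PowerShell prompt.

# Placeholder thumbprints (constructed, NOT real Stuxnet/Duqu certificate values).
# Populate this from your own intelligence feed of stolen or revoked signing certs.
$SuspectThumbprints = @(
    '0000000000000000000000000000000000000000',
    'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'
)

function Get-DriverSignatureReport {
    # Win32_SystemDriver lists every kernel driver known to the Service Control
    # Manager, including ones that are installed but currently stopped.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName comes in several spellings: quoted, with a \??\ prefix,
            # with \SystemRoot\, or relative to the Windows directory. Normalise it.
            $path = $_.PathName -replace '"', ''
            $path = $path -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                $path = Join-Path $env:SystemRoot $path
            }
            if (-not (Test-Path -LiteralPath $path)) { return }

            # Get-AuthenticodeSignature reports Valid, NotSigned, HashMismatch,
            # NotTrusted, UnknownError, etc.
            $sig   = Get-AuthenticodeSignature -FilePath $path
            $cert  = $sig.SignerCertificate
            $thumb = if ($cert) { $cert.Thumbprint } else { $null }

            [PSCustomObject]@{
                Name       = $_.Name
                State      = $_.State
                Path       = $path
                SigStatus  = $sig.Status
                Signer     = if ($cert) { $cert.Subject } else { '' }
                Thumbprint = $thumb
                # Suspect if the signature does not verify, or if it verifies but
                # was made with a certificate we already know to be stolen/revoked.
                Suspect    = ($sig.Status -ne 'Valid') -or
                             ($thumb -and ($SuspectThumbprints -contains $thumb))
            }
        }
}

# Show only the drivers worth a second look. A driver that verifies cleanly but
# carries an unfamiliar signer is exactly the pattern a stolen certificate produces,
# so review the Signer column for the non-suspect entries as well.
Get-DriverSignatureReport |
    Where-Object { $_.Suspect } |
    Sort-Object Name |
    Format-Table Name, State, SigStatus, Signer, Thumbprint -AutoSize
```

Two caveats on reading the output. A timestamped Authenticode signature whose certificate was revoked only after the signing date can still report `Valid`, which is why the thumbprint list is kept as a separate check rather than relying on `Status` alone. And the report covers drivers registered with the Service Control Manager; a driver loaded by other means will not appear, so pair this with a review of currently loaded modules on the host.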

Stuxnet targeted a specific industrial control system (ICS) installation (the Siemens PLCs that were used to control the centrifuges at Natanz). Here’s the latest on what Duqu targets:

Some of the companies affected or targeted by Duqu include the actual equipment that an ICS would control such as motors, pipes, valves and switches. To date, the vendors that make the PLC, controllers and systems/applications found in control centers are not yet affected, although this information could change as more variants are identified and these vendors look more closely at their systems.

There are no other instances of computer malware that target these sorts of installations.


3. Stuxnet was a worm, Duqu is not.

Stuxnet was a very aggressive computer worm. It had to be to jump the “air gap” that protects a secure ICS such as the system that ran the Natanz installation. When Stuxnet was discovered, the A-V vendors quickly discovered millions of computers had been (benignly) infected with Stuxnet. Duqu, on the other hand, has been found on only a handful of computers. Interestingly, no one has yet discovered the dropper, that is, the program used to place the Duqu rootkit on the infected machines. This is almost certainly because Duqu is being placed on these machines via a spear phishing attack. In spear phishing, specific targets are chosen and the attack is customized to the target.

4. Duqu is being used to download a RAT (Remote Access Trojan)

The rootkit component was used to download a standalone program designed to steal information from the computer that it has infected (including screenshots, keystrokes, lists of files on all drives, and names of open windows). Duqu is doing computer network reconnaissance. The information gathered by Duqu is very useful for planning future attacks. Before the command and control server was taken off-line, Symantec observed Duqu downloading three additional files to an infected machine. The first was a module that could be injected into other processes running on the machine to gather some process-specific information as well as the computer’s local and system times (including time zone and daylight savings time bias). Another downloaded module was used to extend the normal 36-day limitation on Duqu installations. The last downloaded module was a stripped down version of the standalone RAT, lacking the key logging and file exploration functionality.

5. Put it all together and it adds up to a well-executed, highly targeted covert operation

For the last ten months, Duqu has been quietly stalking a small number of industrial manufacturers. No one even noticed before early September and it wasn’t until last week that the nature of the threat was clear to anyone. Duqu is spying on a handful of companies, gathering data that will be used for the design and development of the true Stuxnet 2.0. One thing we don’t know is who the target of Stuxnet 2.0 will be. But I have a suspicion. Nothing indicates that the ultimate target (i.e., Iran) of the Stuxnet team has changed. In August of this year, Iran announced that it had activated its first pre-production set of its newer IR-2m and IR-4 centrifuges. These are the successors to the centrifuges that Stuxnet attacked. If you wanted to do to these centrifuges what Stuxnet did to the earlier IR-1 centrifuges, you would need a lot of specific data about the safe operating specs of the various components that go into making advanced centrifuges. If you knew or suspected who was supplying Iran with these components, you might want to gather some data from the internal networks of those suppliers. That’s what I think the point of Duqu really is.

19 replies
  1. lysias says:

    I assume by this point Iran is intelligent enough to cut off its computers in this program from the Internet. Does that mean these bugs have to be transmitted to their computers by insiders/double agents?

  2. Mary says:

    I’m way too ill informed to even post a comment, but I wanted to let you know that I have been really interested in and enjoyed reading your posts on this – it’s been a real education for someone non-tech like me.

    I never had that much grasp of what went on with the Iranian stuxnet problems, but I’m getting a little better understanding of it now, along with a hint of the importance of duqu.

  3. Jim White says:

    I can only imagine the amount of merriment that would ensue should the Stuxnet/Duqu team inside CIA wind up outing a previously secret team within CIA responsible for selling the IR-2m and IR-4 centrifuges to Iran.

  4. WilliamOckham says:

    @lysias: No computer is an island entire of itself; every computer is a part of a larger network, a part of the main; if a single process be infected with Duqu, the internet is the less, as well as if an entire subnet were, as well as my home network or yours were; any computer’s infection diminishes me, because I am involved in the internet. And therefore never send to know for whom the bell tolls; it tolls for thee.

    (With apologies to John Donne, but I suspect he would understand…)

  5. emptywheel says:

    Thanks for this, WO.

    What is the relationship between Symantec and the govt? (And, for that matter, McAfee?)

    That is, would they hold off reporting something like this for the govt’s sake?

  6. Ken Muldrew says:

    As you note in point 5, both Stuxnet and Duqu seem to be prelude. One must remember that PLCs live very close to the hardware, and the hardware usually consists of big machines. For example, with Stuxnet, it is certain that within a few tens of minutes or less, someone would hear the change in centrifuge speed. That person would call an electrician who would quickly and easily determine that the PLC was telling the centrifuge to change speed. Fixing the PLC program would also be fast and easy. These aren’t like systems programs that we’re used to on PCs. Ladder logic programs are really just electrical diagrams and they are pretty simple to follow. The authors of Stuxnet would have needed to be very familiar with the day-to-day operation of the plant that they intended to sabotage in order to actually cause irreparable harm. It’s almost as if they were setting up a shakedown with the centrifuge pokery rather than trying to cause real harm. But every day industrial control gets more sophisticated and eventually this sort of malicious automation will be all too common.

  7. WilliamOckham says:

    @emptywheel: Both are government contractors in multiple countries, but that’s a fairly small portion of their revenue. In this case, I think the fact that these are multinationals with no real allegiance to a particular country or government works in the public interest. Weird, huh?

    I think the bigger concern is that the A-V vendors aren’t really able to grok the context for what’s happening with Stuxnet/Duqu. Symantec is much further along than any of the companies on “getting it”. McAfee has really been pathetic in response to Duqu. They saw a chance to get a jab in at Symantec and their corporate lizard-brain just took over.

  8. WilliamOckham says:

    @Ken Muldrew: I don’t really know anything at all about the physical layout of the Natanz facility, but the Stuxnet code went to great lengths to hide the readouts from the PLCs, so I doubt anyone could hear the difference between the correct speed and the slightly faster speed that Stuxnet used to cause excessive wear and tear. If you spend some quality time with the IAEA reports and the ISIS analysis of Iranian production numbers, you will find that something caused real problems for the Natanz facility at the same time that Stuxnet was operating undercover.

    In the facilities I’m most familiar with that depend on PLCs (oil refineries, chemical plants, hydrocarbon pipelines, … did I mention I’m from Houston, Texas) the HMI stations (er, Human Machine Interaction, that is the PCs that show people what’s going on) are pretty far away from the actual machinery.

  9. Ken Muldrew says:

    @WilliamOckham: Sure, the HMIs are always well removed from the machinery, but there are people working in the plants. Though it’s not their job to monitor processes, they get a pretty good feel for what should be making noise and how much noise it should be making. I just don’t buy the centrifuge story: those things are too big and loud for destructive changes to go unnoticed. Someone will ask the operator why they are suddenly changing things and then the whole scheme unravels pretty quickly.

  10. pdaly says:

    @WilliamOckham:

    I wonder where Russian and Chinese computer hackers are during all this computer hacking?

    And our nuclear facilities are safe from mutations of Stuxnet and Duqu redirected at us? or new original hacks?

  11. JohnLopresti says:

    Arms control wonk J Lewis has hosted some divergent thread comments regarding what was apparently an Iran booth at a recent IAEA conference, whereat evidently Iran provided souvenir slideshow laser pointing device trinkets cast in the form of fuges. One of the posts, the first above-linked, has a brief mention of OS flavors vis-a-vis stux. I found the symantec whitepaper 2+MB had defects at a few download attempts. I thought McAfee went thru an acquisition recently; and, if I recall, historically, one of the early principals at Wordstar software was the founder of semantic symantec.

  12. WilliamOckham says:

    @pdaly: I’m not particularly worried about our nuclear facilities. I’m much more concerned about the types of facilities I mentioned above (natural gas pipelines, oil refineries, chemical plants) and the electrical grid (transmission, distribution, and generation). These are all soft targets for anyone with a modicum of computer skills and a big enough grudge.

    As for the Chinese, they seem mostly interested in good old-fashioned economic espionage, which makes perfect strategic sense for them. As to the Russians, well, I’m not sure that the Russian government is really in control there, it’s mostly just typical organized crime, as far as I can tell. If they have any covert operations going on, I don’t know about it. They certainly have the capability (lots of really sharp, highly trained systems programmers).

  13. deja vu says:

    @lysias: The target computers are not connected to the Internet. “Spear Phishing” means people who have legitimate access to the systems in question are tricked into unwittingly performing the desired action. No “agent” is required. An (admittedly simplistic) example would be someone who convincingly impersonates a senior sysadmin emailing a junior sysadmin and saying, “Here is a system patch, please install it.” but attaching an infected file to perform the “patch” to the email.

  14. JThomason says:

    This story sent me back into the archives to look at your previous work on this story. I had missed this piece of news until now. It’s fascinating and you do a good job of shining some light on these matters that are pretty dense to someone like me who is lucky to download an anti-virus program from my internet provider. Or maybe it’s within me where the density lies.

    Thanks for following and clarifying Stuxnet and progeny.

  15. Ken Muldrew says:

    @WilliamOckham: Thanks for that. I’m still having a hard time with the idea that a centrifuge could be cycled from 1400 Hz to 2 Hz repeatedly without anyone noticing. Even more unlikely is that the motors wouldn’t overload very quickly when being driven at 2 Hz. It’s usually chancy to drive big motors below 45 Hz for any length of time.

    Anyway, it’s a devilishly clever enterprise. I think I’m going to have to keep a super-clean laptop around for PLC troubleshooting. It’s a bad business when you can’t even trust a DLL to tell the truth about what’s in the PLC’s memory. There used to be an axiom that you should never trust a programmer who carries a screwdriver, but in this new environment, your meter is the only thing you can trust.

  16. Bay State Librul says:

    OT,

    I usually root for the AL team but since Bush is forever connected with the Rangers, here’s a tug for a St Looie comeback.

    Sparky Anderson bestows the “Captain Hook” Medal of Honor to Tony La Russa. – 10/24/11. He brought in a relief pitcher for an intentional walk?
