Displaying items by tag: Stuxnet

There are two things about leaks that always concern me; the content of the leak, who it was leaked to, and … (Ok three things I look at when dealing with leaks) the timing. Now when the leak hit concerning Stuxnet and Duqu we took a look at the information and compared it with some information we were able to dig up including the timing of the attack and a few other factors. The leak seemed to fit the facts. At the time of the leak there was no mention of Flame, any program to gather intelligence, or even hints that there might be more out there.

It would appear that the developers of Stuxnet/Duqu and Flame shared at least some source code during development. At least that is what security research firm Kaspersky seems to think. Kaspersky was the company that found the massive bit of malware that was using a compromised Microsoft Terminal Server licensing model to sign certificates for their code. Flame appears to have been a very coordinated espionage attack on Iran and has been in the news thanks to the complexity and functionality that it has.

In every occasion if you dig deep enough you will find the reasons for someone’s actions, even if they seem completely random. For a while now we have watched as congress has pushed one stupid internet control law after another. For many (us included) we have felt that this was at the request of the MPAA, RIAA and other copyright holders. After all the measures and consequences in the laws were geared toward them and helping them to “prevent piracy”.

An interesting report has popped up about a rather large attack on a group of Middle Eastern countries. The attack (called Flame) appears to be a targeted attack against Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia and Egypt with the most effected being Iran, Palestine, and Israel. The attack was reported by Kaspersky Labs and looks to be intended to collect all kinds of information (not just data on computers). Kaspersky believes that Flame has been operating for at least two years in this region.

Remember when we told you about the SCADA vulnerabilities (here and here)? Well back in August we talked at length about how many of these control systems not only use the default passwords but are connected to the internet. On top of all of these there are a large number that have no high-level security (beyond simple passwords). This puts many of our vital infrastructure services at great risk to compromise from outside parties.

Just in case all of the warnings that we gave you before about SCDA (Supervisory Control and Data Acquisition) devices and how insecure most of them are was not enough. We now find that a new piece of malware that appears to be intended spy on industrial networks as a precursor to a future attack like the Stuxnet malware that hit last year. Dubbed Duqu because of a prefix attached to files the new malware creates this new bit of code is very concerning to security experts.


The code was found on several Windows based systems across multiple companies in Europe. These companies were not directly identified but all appear to have connections to industries that directly interact with basic infrastructure services.  As of right now Duqu appears content to just gather information and report back to its command and control servers (including using an internal key logger).  Duqu also appears to be sending JPG files back and forth between the server and the infected system, but as many found out to their dismay you can embed quite a bit of information in a JPG files so these could be used to send control instructions and responses or could be nothing more than test files right now.

So far researchers are at a loss as to what Duqu is collecting and why this is happening. They do know that the attacks have been going on since at least December 2010 and that the first variant identified used a stolen certificate much like the original Stuxnet did. Researchers at Symantec and McAfee also feel that the creators of this code had access to the source code of Stuxnet as the two pieces of Malware are very similar in the way they operate and the coding used. Both McAfee and Symantec have also stated that Duqu does not spread and that it does not appear to use any known exploits. This would indicate that the malware uses tactics like drive-by, or social engineering based exploits. These rely on human intervention to download and install the malicious code on a system usually via email or web link.

We personally wonder if this is related to some of the rumors about Anonymous stepping up their attacks on Governments and Large Corporations. After all with what they can gather using some fairly simple techniques (and a nice bit of coding) they can put some rather devastating plans into action very quickly. If this is the case (and this is all just speculation) then we might be looking at an attack that no one is really prepared for. Then again this could all be nothing more than a reconnaissance mission, especially considering the fact that the code uninstalls itself after 30 days…

Source Symantec and McAfee
Discuss this in our Forum