DUQU – Another Stuxnet in the Making?
The Hacker News


Article by Nidhi Rastogi, a cyber security professional based in New York. Article shared from THE HACKER NEWS magazine, November edition.


Barely a year after Stuxnet was discovered, the world recently saw a powerful variant of it in the form of Duqu. It is believed that a Hungarian blogger was the first to encounter the virus, in early September, at an ISP hosting service.

Why it is important: Duqu has gained a lot of attention because of its striking similarities with its famous predecessor, Stuxnet. Several security researchers have concluded that 99 percent of Duqu's software rules are the same as Stuxnet's, including source code and encryption keys. There is reasonable evidence by now that the damage caused by Stuxnet was real. Hence, Duqu is of concern to every security professional at the moment.

How it functions: Duqu camouflages its own data behind normal web traffic to avoid suspicion from network administrators. This information is then sent to a remote command and control server (CC server) using an HTTP request. The server responds with a blank JPG image; Duqu then sends back an image with the encrypted stolen information appended to it. The IP address of the CC server used for these initial operations was 206.183.111.97 and was tracked to India. The CC server has since been deactivated.

The Trojan horse, unlike Stuxnet, is able to record keystrokes and collect various details of the system, which are then encrypted and appended to an image file. The data may simply be configuration and design data from the systems, presumably to give someone a competitive advantage. The Trojan has been configured to run on the host machine for 36 days, after which it automatically deletes itself from the system. However, additional components sent from the CC server can extend its life beyond this period.
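
As an added example (not from the article or from any Duqu analysis), the check below takes the defender's side of the image-append trick described above: it walks a JPEG's marker structure to find the real End-Of-Image marker and reports any bytes that follow it, which is the signal a proxy or IDS would alert on. The sample image bodies are constructed, not real Duqu traffic.

```python
# Added example (not from the article): flag HTTP bodies that look like a JPEG
# but carry bytes after the true End-Of-Image marker, the pattern the article
# describes for Duqu's exfiltration. Sample bodies below are constructed.
SOI, EOI_MARKER = b"\xff\xd8", 0xD9


def find_eoi(body: bytes) -> int:
    """Return the offset just past the real EOI marker, or -1 if malformed.

    Walks marker segments by their length fields; inside entropy-coded data
    (after SOS) a 0xFF byte is always followed by 0x00 (stuffing) or an RSTn
    marker, so the first other marker found there is the next real segment.
    """
    if not body.startswith(SOI):
        return -1
    pos, n = 2, len(body)
    while pos + 2 <= n:
        if body[pos] != 0xFF:
            return -1                       # lost sync: not a clean JPEG
        marker = body[pos + 1]
        pos += 2
        if marker == EOI_MARKER:
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            continue                        # TEM, RSTn, SOI: no length field
        if pos + 2 > n:
            return -1
        pos += int.from_bytes(body[pos:pos + 2], "big")   # length includes itself
        if marker == 0xDA:                  # SOS: skip the entropy-coded data
            while pos + 1 < n and (body[pos] != 0xFF or body[pos + 1] == 0x00
                                   or 0xD0 <= body[pos + 1] <= 0xD7):
                pos += 1
    return -1


def trailing_data(body: bytes) -> bytes:
    """Bytes appended after the image; non-empty is the signal worth alerting on."""
    end = find_eoi(body)
    return body[end:] if end >= 0 else b""


# Constructed minimal JPEG: SOI, APP0, SOS with a stuffed 0xFF00 and an RST0
# inside the scan data, then EOI. Valid marker structure, not a decodable picture.
CLEAN_JPEG = (SOI
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
              + b"\xff\xd9")
# The same image with a constructed blob appended, as the article describes.
TAMPERED_JPEG = CLEAN_JPEG + b"constructed-encrypted-blob"

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_JPEG), ("tampered", TAMPERED_JPEG)):
        print(f"{name}: {len(trailing_data(body))} trailing byte(s)")
```

Some legitimate software also writes bytes after the EOI marker, so treat a non-empty result as a hunting signal to baseline per source rather than a verdict on its own.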

Purpose: Duqu appears to be focusing on data mining right now, scouting the host machine to gather information about the environment. The real purpose of spreading the Trojan remains obscure, and the data collection may just be the initial stage of a larger setup.

Complexity: There is nothing novel about the attack vector, and it can be safely assumed that the creator at least had access to the Stuxnet code. Once a certain piece is in circulation, others build upon it, and this may be the case with Duqu. Duqu too, like Stuxnet, uses a stolen digital certificate from a Taiwanese company to prove its authenticity. Duqu also cannot have been around for long, since the driver's signing date is recorded as July 2011. There is also a likelihood that the same team was employed to create the Stuxnet variant. Like Stuxnet, Duqu is a state-sponsored attack, since no other party would engage in an activity that requires ample technical calibre but brings no obvious monetary benefit.

Other Theories: Various theories are floating around about the motive and origin of Duqu. One of the more interesting ones is by @reversemode on Twitter. According to him, one of the galaxy pictures comes from 66.49.141.227, which suggests a Hebrew connection with Duqu. In the past week, a few more variants have been discovered, but not much can be said about them as it is too early.

Analysis: Duqu gives the impression of something much bigger coming up than what meets the eye. It is also interesting to note that the techniques used to deploy these attacks are not state of the art. The depth of information that can be extracted using Duqu is no different from what Stuxnet could do. Neither is it any more sophisticated than what we have seen with Aurora. Those were intriguing because their techniques came together into a possibly destructive operation of that stature. It is not the same with Duqu. Apart from the complexities it shares with its predecessor, Duqu's creators have also relied on age-old weaknesses – bad password policy, use of USB drives outside of work and the like – to help spread the virus. So what is it about this trojan-virus that is catching everyone's eye?

Duqu bears testimony to the beginning of an era where cyber war will grow bigger than nuclear and the like. It is not that we were caught unaware of nation-state espionage programs this time; it is the frequency with which they are being discovered that corroborates the theory that the future will see a steep rise in cybercrime. Dealing with this is going to be a major focus for the majority of us security professionals.