classic | mobile
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn
 

Search...
Hi-Tech Security Solutions Business Directory
Residential Estate Security Handbook 2017


What you need to know about the Duqu threat
November 2011, Security Services & Risk Management, Cyber Security

According to researchers at Symantec Security Response, this new malicious program has been developed to steal the kind of information needed to mount another Stuxnet-like attack. Here are the latest details.

On 19 October 19, Symantec released its analysis of a new threat, called Duqu, that appears to be the precursor to a future, Stuxnet-like attack. Parts of Duqu are nearly identical to the Stuxnet worm, but its sole purpose is to gather intelligence that could be used to give attackers the insight they need to mount future attacks. Duqu is not widespread, but it is highly targeted at suppliers to industrial facilities.

In at least one targeted organisation, Symantec has confirmed that the installer file was a Microsoft Word document, which exploited a previously unknown kernel vulnerability that allows code execution. When the document was opened, malicious code executed and installed the main Duqu binaries. Microsoft is aware of the vulnerability, and is working on issuing a patch and an advisory.

Duqu was recovered from a limited group of organisations based in Europe and first analysed by the Laboratory of Cryptography and System Security in Budapest.

How it works

Where Stuxnet was designed to reprogram industrial control systems (hardware used to manage industrial environments such as power plants and oil refineries), attackers have used Duqu to install keystroke loggers to gather information from the infected computers.

Although Duqu uses some of the same source code as Stuxnet, its payload is not destructive. It is primarily a remote access Trojan that does not self-replicate in order to spread itself, which means it is not a worm. Two variants of the threat were initially recovered, although Symantec has since discovered additional variants.

Duqu consists of an installer, a driver file, a main DLL, and a configuration file. Like Stuxnet, Duqu masks itself as legitimate code using a driver file signed with a valid digital certificate. The certificate, which belongs to a company headquartered in Taipei, was revoked on 14 October.

Attacks using Duqu and its variants may have been going on since last December based on a review of file-compilation times, according to Symantec.

Duqu uses HTTP and HTTPS to communicate with two known command-and-control (C&C) servers that are both now inactive. Attackers were able to download additional executables through the C&C servers, including an infostealer that can perform actions such as enumerating the network, recording keystrokes and gathering system information. The information is logged to a lightly encrypted and compressed local file, which is then exported.

The threat uses a custom C&C protocol, primarily downloading or uploading what appear to be JPG files. However, in addition to transferring JPG files, other data is encrypted and sent out. Duqu is configured to run for 30 or 36 days, at which point it will automatically remove itself from a system.

So far, Duqu infections have been confirmed in at least six organisations in eight countries (France, the Netherlands, Switzerland, the Ukraine, India, Iran, Sudan, and Vietnam).

Protect your private keys

The investigation by Symantec researchers concluded that some of the files associated with Duqu were signed with a private key stolen from an organisation, whose systems appear to have been compromised. The private key was associated with the code-signing certificate issued to that customer.

While it is not known how this particular key was compromised, Symantec offers the following recommendations to better protect private keys:

Separate test signing and release signing. It is a best practice to set up a parallel code-signing infrastructure using test certificates generated by an internal test root certificate authority. This ensures that business-critical private certificates used to sign officially released software are not stored on insecure build systems used for routine R&D software development tasks, reducing the likelihood that they will be compromised.

Cryptographic hardware modules. Keys stored in software on general-purpose computers are susceptible to compromise. It is more secure, and a best practice, to store keys in secure, tamper-proof, cryptographic hardware devices.

Physical security. There is no security without physical security. If it is possible for an outsider, or a malicious insider, to gain access to code-signing keys, then all cryptography measures are for naught. Cameras, guards, fingerprint scanners, and additional measures are all appropriate to protect critical assets and should be taken seriously.

Stuxnet opened the door to malware having profound political and social ramifications. While there is still much to be learned from the complexity of this threat, Stuxnet has already changed the way researchers approach malware and view the security threat landscape. The story continues now with Duqu, a new threat whose goal is to gather the intelligence that attackers need to mount a future, Stuxnet-like attack.

For a comprehensive technical analysis of this latest threat, download the Symantec Security Response White Paper: W32.Duqu: The precursor to the next Stuxnet


  Share via Twitter   Share via LinkedIn      

Further reading:

  • Combating the evolving threat of fraud
    May 2018, Technews Publishing, This Week's Editor's Pick, Security Services & Risk Management
    It is impossible to pin an exact number on how much fraud costs the South African economy, but analysis of leading research reports on the subject puts it easily in the billions of Rands per year.
  • Making cents out of the security mix
    May 2018, Cathexis Technologies, Panasonic South Africa, Xone Integrated Security, This Week's Editor's Pick, CCTV, Surveillance & Remote Monitoring, Cyber Security, Integrated Solutions, Financial (Industry)
    Hi-Tech Security Solutions chats to industry specialists about the security mix, cybercrime and the onslaught of artificial intelligence in the financial sector.
  • More of the same, but more sophisticated
    May 2018, Duxbury Networking, This Week's Editor's Pick, Cyber Security, Integrated Solutions, IT infrastructure
    We’ve been protecting networks from criminals for many years, but as soon as the defences improve, the attacks get more sophisticated.
  • Make sure the channels are safe
    May 2018, This Week's Editor's Pick, Cyber Security, IT infrastructure
    Companies should be aware of how many possible data leakage sources they have: e-mail, phone calls, instant messengers and social networks, cloud storage, external storage devices – to name a few.
  • Trust, but verify
    May 2018, iFacts, LexisNexis, Managed Integrity Evaluation, This Week's Editor's Pick, Security Services & Risk Management
    Employee screening is not a new discipline, but the options have grown to assist HR in making the right hiring decision.
  • Do more with security
    May 2018, Johnson Controls, This Week's Editor's Pick, Integrated Solutions, Security Services & Risk Management
    Current trends predict that companies do more with their security solutions than just secure their people, assets or data in the near future.
  • Active Track
    Securex 2018 Preview, Active Track, Asset Management, EAS, RFID, Security Services & Risk Management
    Active Track is a workforce management and reduction of payroll specialist. Its products optimise clients’ security services by ensuring that patrols and duties are carried out on time, every time. The ...
  • Martin Electronics
    Securex 2018 Preview, CCTV, Surveillance & Remote Monitoring, Perimeter Security, Alarms & Intruder Detection, Security Services & Risk Management
    Martin Electronics will be showcasing a number of new products and solutions under the Sentry brand at Securex 2018. The company will also have some value-added additions and integrations on display, ...
  • HISSCO International
    Securex 2018 Preview, Hissco, Access Control & Identity Management, Asset Management, EAS, RFID, Security Services & Risk Management
    HISSCO International will be showcasing its range of security X-ray and detection systems at this year’s Securex. The company is currently seeking potential partners, distributors and representatives ...
  • Turnstar
    Securex 2018 Preview, Turnstar Systems, Perimeter Security, Alarms & Intruder Detection, Access Control & Identity Management, Security Services & Risk Management
    Africa’s largest manufacturer of physical access control products, Turnstar, is excited about its return to Securex this year. Craig Sacks, MD of Turnstar, says that the company will use the Securex platform ...
  • Tagtron Solutions
    Securex 2018 Preview, Quality Label Solutions t/a TagTron Solutions, Asset Management, EAS, RFID, Perimeter Security, Alarms & Intruder Detection, Security Services & Risk Management
    Tagtron Solutions will showcase a number of systems and innovations at Securex 2018. As specialists in display security, Tagtron supplies anti-theft products for protecting goods on open display. The ...
  • ZKTeco South Africa
    Securex 2018 Preview, ZKTeco, Access Control & Identity Management, Perimeter Security, Alarms & Intruder Detection, Security Services & Risk Management, Products
    Solutions is what ZKTeco is all about for Securex 2018. ZKTeco South Africa will be offering clients an insight into how its products can be integrated into any platform and provide them with a solution ...

 
 
         
Contact:
Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Other
Terms & conditions of use, including privacy policy
PAIA Manual
         
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.