Part Two: Duqu: father, son, or unholy ghost of Stuxnet?

Three U.S. Air Force information security experts, independent of their role in the military, studied the Duqu trojan, and you might be surprised by what they found. This is the second article in a two-part series that examines the sophisticated threat that everyone is talking about. (Read the first part).

The Force is strong in Duqu

From an attacker’s standpoint, there was nothing in the Duqu code that indicated a cyberattack payload was meant to cause harm to systems. Conversely, the Stuxnet code was highly targeted toward the centrifuges in the Iranian nuclear facility to change the rate of spin, and achieve some political or military objective of delaying and weakening Iran’s nuclear enrichment program.

Duqu is used for information gathering: its functions include screen capture, network information capture, keylogging, enumeration of viewable shares, a file explorer, and domain enumeration. This clearly indicates a RAT (remote access trojan) targeted against Windows domains and enterprises.

One of the most interesting parts of Duqu is the fact that it used private certificates to create some of the secure sockets layer (SSL) channels used to communicate with the command-and-control server, as well as to exfiltrate data. Given the complexity of obtaining the certificates, this could indicate other prior intrusions into the certificate authorities in the form of an insider threat or network compromise. It is safe to assume that there are additional stolen or forged certificates that have yet to be discovered.

It is also possible, given the way that nation-states operate, that Duqu is being used as a show of force for the purpose of cyber deterrence.

One of the most alluring qualities of cyberspace is the non-attribution. To maintain non-attribution, it is important for nation-states to not show off their own capabilities and tactics that may be used to identify them in operations. However, by launching cyber capabilities and providing no claim for credit, the same level of deterrence is achieved. Nation-states around the world can then see the capabilities that other unknown nation-states possess and are willing to use.

Furthermore, one can look to statements made by U.S. officials that the greatest cyber weapons have yet to be deployed. The unknown potency of these cyber weapons in comparison to Stuxnet and Duqu can create a level of deterrence that is unattainable with conventional weapons.

Something wicked this way comes

Stuxnet changed cyberwarfare by opening up the previously secret operations and capabilities of cyberspace to the world. The control systems community was the community most affected by Stuxnet and it destroyed any doubt that it was a lucrative target for cyberwarfare.

The worm also showed the control systems community how ill-prepared it is to deal with an advanced cyber weapon.

Control systems are created by design to provide availability and ease of use. For years security was an afterthought of the design process, and even with some of the most intelligent cybersecurity minds out there pushing for change, the issue of time remains.

It takes time to cause substantial changes to any community, let alone a community that operates systems up to 15 years behind current technology, due to long acquisition phases and high financial costs. It does not take much time, though, to create and adapt cyber weapons to target and effectively compromise systems.

The control systems community is working hard to counter cyberthreats at every level, including the government, regulation committees, vendors, and control system owners. However, not enough is being done, and Duqu has raised a warning yet again for the community. Stuxnet was not a one-time threat, and the impending cyberattacks cannot be ignored.

With yet another warning, the control systems community must work together more quickly, and with higher standards and an emphasis on security. The community owns assets that have been identified as critical infrastructure for the United States and as such represent targets that could cripple the U.S. government and military. With these systems at risk it is not purely an issue of potential loss of money and corporate secrets, but the potential loss of human life on a massive scale.

Cyber capabilities and weapons are incredibly powerful and have even been described by one Obama administration official as the “Ferrari you keep in the garage and only take out for the big race.”

This demonstrates, at some level, that there are restraints involved in using cyber weapons. However, not every nation-state and organization has claimed to use such restraint. Without restraint and an understanding of second- and third-order effects, cyber weapons can be quickly deployed with deadly and unintended consequences.

Stuxnet was a wake-up call for the control systems community and a look into the capabilities of cyberwarfare. Duqu is a firm statement that nation-states are going to continue launching powerful and anonymous cyber weapons.

Duqu: father, son, or unholy ghost of Stuxnet?

Three U.S. Air Force information security experts, independent of their role in the military, studied the Duqu trojan, and you might be surprised by what they found. This is the first article in a two-part series that examines the sophisticated threat that everyone is talking about.

In June 2010, the world learned of the Stuxnet worm.

It was quickly identified for its payload affecting the industrial control systems (ICS) community and was hailed as one of the most advanced cyber weapons ever to be released.

The authors behind Stuxnet were never identified, although many speculated that the United States and Israel were involved. More importantly, though, it was asserted by a few in the industry that a portion of the worm’s code, referred to as the weapon system, would be used in the future with modified code, referred to as the payload, to attack different targets.

Fast forward to Oct. 18, when Symantec published its dossier on the Duqu trojan. Duqu uses the weapon system part of the Stuxnet code, but does not utilize the Stuxnet payload, which targeted programmable logic controllers (PLCs).

Duqu was also designed to be much stealthier than Stuxnet. Stuxnet self-replicated and infected all available systems while only initiating its payload on specific targets. In contrast, Duqu does not self-replicate after being injected onto a target system and only has a 36-day operation window before it deletes itself.

During these 36 days, the Duqu trojan attempts to exfiltrate information from the targeted systems and networks back to its command-and-control server (C&C) in India. The malware uses .JPG images to send and receive its encrypted files to its C&C server using both HTTP and HTTPS connections.
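A defender seeing image files used as a carrier for encrypted data, as described above, wants a cheap check for images whose bytes do not end where the picture does. The following is an added example written for this article, not code from the Duqu authors or from Symantec's analysis; it assumes the payload is appended after the JPEG End-Of-Image marker, and the sample image is constructed inline.

```python
"""Flag JPEG files that carry extra data after the End-Of-Image marker.

Added example; assumes the carrier hides its payload by appending it
after EOI (0xFFD9). Data hidden inside a valid segment would need a
deeper parse of that segment.
"""
import struct
from typing import Optional

SOI = b"\xff\xd8"   # Start Of Image
EOI = b"\xff\xd9"   # End Of Image


def _skip_scan(data: bytes, pos: int) -> Optional[int]:
    """Advance past entropy-coded scan data to the next real marker.
    0xFF00 is a stuffed byte and 0xFFD0..D7 are restart markers; neither ends the scan."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
            return pos
        pos += 1
    return None


def jpeg_image_end(data: bytes) -> Optional[int]:
    """Walk the segment chain; return the offset just past EOI, or None if malformed."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                              # EOI: the picture ends here
            return pos + 2
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:    # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length includes itself
        if seg_len < 2:
            return None
        pos += 2 + seg_len
        if marker == 0xDA:                              # SOS: scan data follows header
            pos = _skip_scan(data, pos)
            if pos is None:
                return None
    return None


def trailing_payload(data: bytes) -> Optional[bytes]:
    """Bytes after EOI (empty if none), or None when the input is not a JPEG."""
    end = jpeg_image_end(data)
    return None if end is None else data[end:]


def is_suspicious_carrier(data: bytes, min_trailing: int = 16) -> bool:
    """True when a JPEG carries at least min_trailing bytes past its EOI."""
    extra = trailing_payload(data)
    return extra is not None and len(extra) >= min_trailing


def minimal_jpeg() -> bytes:
    """Constructed sample: structurally valid JPEG (SOI, APP0, SOS, scan, EOI)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"                      # includes a stuffed 0xFF00
    return SOI + app0 + sos + scan + EOI
```

Run it over outbound image uploads at a proxy and the trailing length alone separates the constructed carrier from the clean sample; real deployments should also compare against a decoded-image size to catch padding inside segments.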

While Stuxnet did not use image files to steal data, it did steal information from the Iranian nuclear centrifuges and sent its data to C&C servers in Malaysia and Denmark.

With all the similarities between Stuxnet and Duqu, the interesting part lies with the order of their release.

Duqu in its design and intended purpose, as we understand it currently, is the type of remote access trojan (RAT) that would have been used to create Stuxnet. Stolen schematics, design documents, and stolen or forged certificates would have all been used in creating Stuxnet.

Duqu has been hailed as the “son of Stuxnet” but it is possible that it is instead the “father of Stuxnet.” The compiling times of Duqu indicate that it was released after Stuxnet. However, there are most likely many variants of Duqu that have yet to be identified, including those that could have compile times before Stuxnet’s release.

However, the focus should not be on whether Duqu or Stuxnet came first, but instead in identifying that the weapon system part of the code is now a template of choice for an advanced adversary.

The source code doesn’t lie

RATs are commonly used for computer network exploitation and cybercrime. The targets associated with Duqu, including industrial manufacturers and a university, indicate that the cybercrime angle is less likely. Cybercrime syndicates are not sophisticated enough or willing to pull off a multiyear operation, like Stuxnet or Duqu. A cybercrime syndicate would also have to either produce its own ICS equipment or blackmail a vendor to properly utilize the information obtained from Duqu.

The Duqu variants discovered so far also indicate that the authors learned lessons from Stuxnet. For example, each variant of Duqu could have used different injection methods which may never be fully identified. One method that was identified was a Windows kernel level zero-day hidden in a Microsoft Word document. It is likely that there are multiple droppers for Duqu that may include multiple types of 0-days. The injection methods not discovered are thus valuable resources to Duqu’s creators that can be reutilized.

There have been assessments made that Duqu and Stuxnet may not be related because some of the functions and techniques, including kernel driver injection points, are used in other unrelated malware. That does not serve as a strong argument to unlink Stuxnet and Duqu.

The fact is that there are so many similarities between the two pieces of malware that any individual link to other malware is insignificant. Duqu’s use of a kernel-level 0-day makes the malware highly sophisticated and consistent with the level of Stuxnet. Duqu has also been identified as attempting to exploit the MS08-067 vulnerability, one of the exploits used in Stuxnet, on two Iranian networks, which, among the other evidence, is a very strong connection.

In regard to the source code, examinations of both binaries expose an obvious relationship. Some of the files created by Duqu are functionally identical, as well as nearly perfect binary matches.

According to Symantec, there is a 50 percent similarity between Stuxnet’s code and Duqu. As a matter of perspective, non-related malware samples may have less than a 25 percent code match. Considering the changed payload, the 50-percent match between Stuxnet and Duqu is substantial. This is nearly impossible to achieve without a common heritage in the original source code.

In fact, the code is so similar that some anti-virus engines actually confused the two pieces of malware as being the same.

Although some Stuxnet binaries and associated research data were released by Anonymous following its infiltration of HBGary, one cannot say hackers used this code to create Duqu. While it is true that reverse-compiling techniques exist, they are often unreliable and usually only work well with very simple programs.

Stuxnet binaries were large, 1 MB in size, and complex compared to most malware in existence. Stuxnet would not reverse-compile well regardless of the resources invested in the task. Even with a large team of highly skilled reverse engineers, it would take a considerable amount of time to produce even a section of the original Stuxnet source code. If that were possible, the next task would be overcoming the difficulties of finding and using a digitally signed driver.

Based on these factors, it can be stated with a high level of confidence that the authors of Stuxnet and Duqu are the same.

Coming next week: The authors take a closer look at Duqu to determine its motives.

Jeremy Sparks, Robert M. Lee, and Paul Brandau are cyberspace officers in the U.S. Air Force; however this paper and their views do not represent the Air Force, Department of Defense, or any agency within the U.S. government. The opinions held in this paper are theirs alone, and this paper was written outside of a military capacity.


Mobile Malware Madness: The Changing Mobile Threat Landscape

In an effort to help users dodge mobile malware targeting the iPhones, BlackBerrys and Android devices, McAfee this week shared some tips and strategies on the subject of mobile threats. But just what are those threats, and how are attackers using them to make money?

Mobile Malware Trends

According to Tim Armstrong, malware researcher at Kaspersky Lab, the king of the mobile malware world is the SMS Trojan. SMS Trojan operations start with the establishment of a premium rate number with a short code of four or five digits. Once the malicious app is on the phone, the app dials out to the premium rate number in the background, with message rates standing between $5 and $10 each. Each time an SMS message is sent, the criminal racks up more profit, he said.

“While almost non-existent in the US, it represents the largest threat worldwide by far…Also incredibly common is malware that steals data,” he continued. “This includes everything from contact lists to IMEI (International Mobile Equipment Identity) and IMSI (International Mobile Subscriber Identity) numbers, as well as User IDs. The latter are able to uniquely identify the phone to a carrier. With the stolen data phones can be cloned giving access to user data such as SMS messages.”

The most dangerous malware, he added, is botnet malware such as Zitmo (the mobile version of the Zeus malware). In its threat report for the first half of 2011, security firm Damballa reported that the number of Android devices engaging in live communications with a command-and-control server reached nearly 40,000 at one point. McAfee’s Threats Report for the second quarter of 2011 also underscored the attention attackers are paying to Google Android, as it was by far the most targeted platform.

With the amount of malware continuing to grow, McAfee offers some familiar advice to users – check applications’ permissions, research apps before downloading them and make sure applications are coming from a reputable market. Of course, Trojanized versions of otherwise legitimate applications are attackers’ main means of getting their hands on user data and raking in the cash.

With all this in mind, vendors such as M86 Security Labs are predicting a surge in malware targeting mobile devices in 2012. Still, it is worth noting that the amount of mobile malware is currently minuscule next to the amount aimed at PCs. With that in mind, here are some of the most dangerous pieces of mobile malware security researchers have seen in the wild, in no particular order.

GG Tracker: According to Lookout Mobile Security, this Trojan has had the largest impact on users in the United States in recent months. The Trojan works by subscribing the user to one or several premium rate SMS subscription services. According to the company, Android users are directed to install the Trojan after clicking on a malicious in-app advertisement.

Android.Rootcager, AKA Droid Dream: Droid Dream was significant because the attacker infected and redistributed more than 58 legitimate applications on Google’s App Market, explained Vikram Thakur, principal security response manager at Symantec. “Once installed by the user, the threat attempted to exploit two different vulnerabilities in Android to obtain administrator-level control of the device,” he said. “The threat then installed additional software on the device, without the user’s consent. The software exfiltrates a number of confidential items, including: device ID/serial numbers, device model information, carrier information, and has the ability to download and install future malware packages without the user’s knowledge; this was possible because the threat exploited a vulnerability to bypass Android’s isolation model.”

Android.Bgserv: When Google released a tool to clean up devices infected with Android.Rootcager threat, malware authors capitalized on the hype and released a fake version of the cleanup tool that sent user data – such as the device IMEI number – to a server in China, Thakur noted.

ZitMo: The first mobile version of Zeus was found in September 2010 targeting Symbian devices to steal the mobile transaction authentication numbers (mTANs) used by online banking services. In the months since, versions of ZitMo have been seen targeting a variety of platforms, including Windows Mobile, BlackBerry and Android.

Legacy and LeNa: These two pieces of malware have become some of the most widely seeded malicious programs in third-party markets, and the most widely detected. Legacy, which is also known as DroidKungFu, was seen in multiple alternative app stores and forums based in China targeting Chinese Android users. The next generation of Legacy is LeNa, which was detected in October affecting both alternative app stores and a handful of applications in the Android Market, with the latter being removed by Google. Once on the phone, LeNa begins communicating with a command and control server, and has been seen downloading the DroidDream Light malware to devices as well.

“Mobile malware solutions are in their infancies, so their capabilities to protect users and networks are very limited,” Brad Anstis, vice president of technical strategy at M86 Security, said in a statement announcing the company’s 2012 threat predictions. “To help defend from an influx of mobile malware, organizations will need to extend their security policies to mobile devices. It will be critical to ensure that all personal devices that access an organization’s Wi-Fi and networks are covered.”

Google Music goes live in U.S. with Google+ integration

Google Music, the company’s cloud-based online music service, is now available to all users in the U.S. and includes song and album sales, as well as an integration with the Google+ social networking site.

Introduced in test form and by invitation only in May as a cloud-based song storage and playback service, Google Music will also let users buy albums and songs from all major music labels, except Warner.

Google Music users will be able to share the songs and albums they purchase with their friends on Google+, and those friends will in turn be able to listen to those songs and albums in their entirety, not just to samples, one time.

The songs and albums will be for sale in the Android Market, which is accessible via Android devices and Web browsers. Google Music is compatible with Android and Apple iOS devices, and can also be accessed from PC browsers.

“Google Music is about discovering, purchasing, sharing and enjoying digital music through integrated and personalized ways. It’s about the cloud, the Web and mobile. It’s about better connecting you with the music you own and introducing you to new music,” said Google official Jamie Rosenberg at an event in Los Angeles on Wednesday that was webcast.

“Last but certainly not least, Google Music is about artists and their music, and about new ways to connect artists with their fans,” he added.

With this launch, Google becomes a direct competitor in online music to Apple, Amazon and others, joining a highly competitive and mature market years after other rivals.

Google Music looks solid as it prepares to face formidable competitors Apple iTunes and Amazon MP3, which are entrenched in the market with big user bases, said Michael McGuire, research vice president for media at Gartner.

“Google Music has the foundation of a nice store and service,” he said.

Now, Google must find a way to attract online music buyers and convince them to make purchases in its store as well, and that’s where the Google+ integration could be a big help, McGuire said.

“The barrier to entry is how many consumers will put their credit card in another store,” he said. “If Google can leverage Google+ to drive people to its store, that could be an interesting differentiation for them.”

There are currently about 8 million songs available for purchase through Google Music, a figure that will grow to about 13 million in the coming months. In addition to EMI, Universal and Sony, Google Music is partnering with more than 1,000 smaller labels.

It’s hard to tell why Google hasn’t been able to cut a deal with Warner, but the music label traditionally hasn’t been quick to join online music initiatives, McGuire said.

About 1 million people participated in the service’s trial, listening to about two-and-a-half hours of music on average every day, officials said. Users can store up to 20,000 songs in Google Music. The cloud storage and playback portion of the service is free.

Google Music also features exclusive content, including a live album from a 1973 Rolling Stones concert, several tracks from Coldplay and Shakira, the first single from Busta Rhymes’ new album, and a live Pearl Jam album, among others.

At Google Music, artists who have the required rights to their music will be able to create their own pages, upload tracks and make them available for sale.

One element not included in Google Music is a subscription service like the ones offered by Spotify, Rhapsody and others, where people pay a monthly fee that lets them stream millions of songs in the service’s music collection.

While Google could consider adding such a component to Google Music in the future, it’s smart to start with the model of purchasing songs and albums “a la carte,” McGuire said.

“As interesting as music subscription services are, they are complex to run,” he said. “There are a variety of different licensing requirements you have to deal with. It’s a very different kind of beast.”

Facebook confirms nasty porn storm

Facebook users have been bombarded with explicit and violent images in the latest malware campaign aimed at the giant social networking site, a security researcher said today.

The company confirmed the attack and said it had “dramatically limited the damage” and was on the trail of those responsible.

“For the last 24 hours, many people have reported seeing highly-offensive images on their Facebook news feeds,” said Graham Cluley, a senior technology consultant at antivirus vendor Sophos, in an interview early Tuesday.

“But exactly how those images got there and what caused them to appear is still somewhat of a mystery,” Cluley added.

Cluley speculated that the attack may have been based on “clickjacking,” which describes a type of attack where hackers plant invisible “buttons” on a website page. When a user clicks on the overlaying page component, they actually execute malicious code or script that can hijack their browser or personal computer.

Cluley also said it was possible that previously planted malware conducted the Facebook spam campaign.

Later on Tuesday, Facebook filled in some of the blanks.

“We experienced a coordinated spam attack that exploited a browser vulnerability,” a Facebook spokeswoman said in an email. “Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.”

The Facebook spokeswoman said the attack was based on a “self-XSS vulnerability in the browser,” but did not identify which browser or browsers contained the bug.

While XSS stands for “cross-site scripting,” the Facebook description reads more like clickjacking, the term coined by researchers Robert Hansen and Jeremiah Grossman in 2008 to describe a variant of cross-site scripting.

“Users were tricked into pasting and executing malicious JavaScript in their browser URL bar causing them to unknowingly share this offensive content,” Facebook said.

People took to Twitter to express their outrage over the images, which Sophos said ranged from modified celebrity photos to pictures of extreme violence and animal abuse.

“Has anyone been on Facebook lately? My newsfeed looks like a porn site,” said someone identified as Jay Ciroc on Twitter late Monday.

Earlier in the day, other researchers had pointed to a specific piece of malware that may have been responsible.

According to Romanian security vendor BitDefender, the hacker collective known as “Anonymous” crafted a classic Facebook worm, codenamed “Fawkes Virus” last July, and had pledged to use it to celebrate Guy Fawkes Day, Nov. 5, a promise that was unfulfilled.

Guy Fawkes was arrested Nov. 5, 1605, for his part in the Gunpowder Plot to assassinate King James I of England. Anonymous has often used a mask of Fawkes as a logo for its disruptive hacking campaigns.

Facebook did not respond to questions about whether the porn spam was launched by the Fawkes malware.

“The reaction has been very strong from Facebook users,” said Cluley, who cited users who said it was the final straw, and that they would abandon Facebook until it got its security house in order.

That may be a while.

“Facebook has made improvements, but the scale of the problem they face is enormous, what with its 800 million members and the target that makes them,” said Cluley. “I really, really hope Facebook can get a handle on spam and scams, but the spammers, the bad guys, are making just as much progress.”

Meanwhile, Facebook outlined the steps it had taken today to combat the pornography.

“We’ve built enforcement mechanisms to quickly shut down the malicious pages and accounts that attempt to exploit it,” the company spokeswoman said. “We have also been putting those affected through educational checkpoints so they know how to protect themselves [and] we’ve put in place backend measures to reduce the rate of these attacks.”
