A Nasty Trojan named ‘Duqu’ with a Similar Source Code to the “Stuxnet” Trojan Appears to be Preparing to Attack U.S. Powerplants

Security researchers have detected a new Trojan, scarily similar to the infamous Stuxnet worm, which could disrupt computers controlling power plants, oil refineries and other critical infrastructure networks.

Iranian technicians work at the Bushehr nuclear power plant, outside the southern city of Bushehr, Iran.

The Trojan, dubbed “Duqu” by the security firm Symantec, appears, based on its code, to have been written by the same authors as the Stuxnet worm, which last July was used to cripple an Iranian nuclear-fuel processing plant.

“Stuxnet source code is not out there,” wrote F-Secure cybersecurity expert Mikko Hyppönen on his firm’s blog. “Only the original authors have it. So, this new backdoor was created by the same party that created Stuxnet.”

The original Stuxnet was specifically designed to compromise an industrial control system by manipulating the supervisory control and data acquisition (SCADA) software on which these facilities rely for automation. Duqu may have its sights set on the same target, but it approaches from a different angle.

“Duqu shares a great deal of code with Stuxnet; however, the payload is completely different,” researchers for the security firm Symantec wrote on its Security Response blog. Instead of directly targeting the SCADA system, Duqu gathers “intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”

“Duqu is essentially the precursor to a future Stuxnet-like attack,” the researchers added.

Symantec said whoever is behind Duqu rigged the Trojan to install another information-stealing program on targeted computers that could record users’ keystrokes and system information and transmit them, and other harvested data, to a command-and-control (C&C) server. The C&C server is still operational, Symantec said.

McAfee, another prominent security firm, has a different analysis of Duqu. Two of its researchers wrote on McAfee’s blog that Duqu is actually highly sophisticated spyware designed to steal digital certificates, which are encrypted “keys” that websites use to verify their identities. (Stolen certificates, apparently purloined by a lone Iranian hacker, have become a big issue recently.)

Neither Symantec, McAfee nor F-Secure would speculate about who’s behind Duqu, but the conventional wisdom on Stuxnet is that it was created by the intelligence services of the U.S. and Israel to knock out a uranium-refinement plant in Iran.

This new entry into the Stuxnet family comes just after the Department of Homeland Security (DHS) issued a bulletin warning that the notorious hacking group Anonymous may soon start looking to bring down or disrupt industrial control facilities. Posted yesterday (Oct. 18) to publicintelligence.net, the unclassified bulletin assesses Anonymous’ ability to compromise SCADA systems that run power plants, chemical plants, oil refineries and other industrial facilities.

Government officials did not blame Anonymous for any such hacks, and the bulletin says that based on available information, Anonymous has “a limited ability to conduct attacks” on industrial control systems.

The group’s agenda could change, however. The DHS document cites several recent actions, including Anonymous’ cyberattack on the websites and servers of biotech seed company Monsanto, as proof that Anonymous could “develop capabilities to gain access and trespass on control system networks very quickly.”


About GREGinSD

A Generation X|Y'er that resides in beautiful San Diego, Ca.
This entry was posted in Economics, News and politics, Technology & Science.
