Duqu, son of Stuxnet raises questions of origin and intent


Early today Symantec published an inside look at a new targeted malware attack called Duqu. This might not be important news if it weren't for its ties to Stuxnet.

Early analysis of Duqu shows it has evolved from the Stuxnet codebase. We shouldn't jump to conclusions that it was developed by the same authors, but whoever created this malware likely had access to the original source code used to compile Stuxnet.

The components that were reused were not the pieces used to target SCADA/industrial control systems, but rather related driver files that provide the malware the ability to download additional components.

Symantec reports that once it has retrieved the additional malicious files, Duqu focuses on gathering information rather than industrial sabotage.

SophosLabs confirms that the driver files are signed, similar to the drivers used by Stuxnet. In this case the certificate purports to belong to C-Media, a Taiwanese firm known for their embedded audio chipsets.

Signature of driver file:

SHA1 hash of file: A5190A8E01978C903BF1FABCFCBA40D75996D8B9
Signing Certificate Chain:
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 3/08/2028 12:59:59 AM
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B

Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 21/05/2019 12:59:59 AM
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

Issued to: C-Media Electronics Incorporation
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: 3/08/2012 12:59:59 AM
SHA1 hash: 83F430C7297FBF6C1D910B73414132DB48DBDE9C
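As an added example (not part of the post, and not Sophos or Symantec code), the checker below parses a chain listing in the "Issued to / Issued by / Expires / SHA1 hash" format shown above, confirms each certificate names the previous one as its issuer, checks expiry against a chosen date, and flags a leaf thumbprint held on a watchlist. The watchlist is assumed; the linkage check compares names only and does not verify signatures, so it complements rather than replaces real Authenticode validation.

```python
import re
from datetime import datetime

# Constructed copy of the chain listing from the post (root first); the parser keys on its labels.
CHAIN_TEXT = """\
Issued to: Class 3 Public Primary Certification Authority
Issued by: Class 3 Public Primary Certification Authority
Expires: 3/08/2028 12:59:59 AM
SHA1 hash: A1DB6393916F17E4185509400415C70240B0AE6B

Issued to: VeriSign Class 3 Code Signing 2009-2 CA
Issued by: Class 3 Public Primary Certification Authority
Expires: 21/05/2019 12:59:59 AM
SHA1 hash: 12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3

Issued to: C-Media Electronics Incorporation
Issued by: VeriSign Class 3 Code Signing 2009-2 CA
Expires: 3/08/2012 12:59:59 AM
SHA1 hash: 83F430C7297FBF6C1D910B73414132DB48DBDE9C
"""
# Hypothetical watchlist: the leaf thumbprint the post reports on the Duqu driver.
WATCHLIST = {"83F430C7297FBF6C1D910B73414132DB48DBDE9C"}

def parse_chain(text):
    """Parse the listing into one dict per certificate, in the order printed."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {k.strip(): v.strip() for k, _, v in (l.partition(":") for l in block.splitlines())}
        certs.append({"subject": fields["Issued to"], "issuer": fields["Issued by"],
                      "sha1": fields["SHA1 hash"].upper(),
                      # Dates are day/month/year with a 12-hour clock, as printed in the post.
                      "expires": datetime.strptime(fields["Expires"], "%d/%m/%Y %I:%M:%S %p")})
    return certs

def check_chain(certs, as_of, watchlist=WATCHLIST):
    """Name-linkage, expiry (as_of is an ISO date string) and watchlist checks only:
    no signature verification, so this complements real Authenticode validation."""
    as_of, findings = datetime.fromisoformat(as_of), []
    if certs[0]["subject"] != certs[0]["issuer"]:
        findings.append("root is not self-issued")
    for prev, cur in zip(certs, certs[1:]):
        if cur["issuer"] != prev["subject"]:
            findings.append(f"broken link: {cur['subject']} not issued by {prev['subject']}")
    for c in certs:
        if c["expires"] <= as_of:
            findings.append(f"expired: {c['subject']}")
    if certs[-1]["sha1"] in watchlist:
        findings.append(f"leaf thumbprint on watchlist: {certs[-1]['sha1']}")
    return findings
```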

This may not be a coincidence, as Stuxnet used certificates that appeared to belong to RealTek and JMicron, two other embedded chip manufacturers in the same neighbourhood.

The mystery remains, however. Were these certificates stolen, or simply generated through compromised certificates to appear to belong to these organizations?

As with Stuxnet, it is too early to determine anything definitive about who built this malware, why, or what it was designed to do. I can assure you that the security industry will be analyzing these samples diligently to determine their intent.

Sophos customers are protected against the primary sample of this malware as Troj/Bdoor-BDA and the malicious driver files as W32/Duqu-A.


2 Responses to Duqu, son of Stuxnet raises questions of origin and intent

  1. "whoever created this malware likely had access to the original source code used to compile Stuxnet"

    Is there more than supposition to this likelihood or is it based solely on the fallacy that code cannot be further developed without the source?

    • Mark · 1016 days ago

      Anyone can download Stuxnet - the source code is out there so it's a natural assumption - if the source code matches large parts - that the creators of Duqu had access to it and used it.

      I've no idea what your "the fallacy that code cannot be further developed without the source" means.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.