Researchers found an alarm for a new piece of malware with “striking similarities” to Stuxnet, the mysterious computer worm that targeted nuclear facilities in Iran. The new malware, identified as Duqu, is a highly specialized Trojan capable of gathering intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.
“The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility,” according to Symantec’s security response team.
Symantec said it got a copy of the in-the-wild malware from an unnamed research lab with strong international connections. The company found that parts of Duqu are “nearly identical to Stuxnet” but noted that the malware has a completely different goal.
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created after the last recovered Stuxnet file. Duqu’s purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
The company said Stuxnet and Duqu shared the same modular structure, injection mechanisms, and a driver that is digitally signed with a compromised key. Unlike Stuxnet, Symanted said the new malware does not contain any code related to industrial control systems. It was built to be a remote access Trojan (RAT) that does not self-replicate.
“The threat was highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants,” Symantec warned.
The attackers used Duqu to install another infostealer that could record keystrokes and gain other system information. The attackers were searching for assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available in all cases. Two variants were recovered and, in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file compile times, attacks using these variants may have been conducted as early as December 2010.
Noted that Duqu uses HTTP and HTTPS to communicate to a command and control server which is currently operational.
To know more about Duqu and to see the similarities between Stuxnet and Duqu Click Here
-News Source (ZD net, Yahoo, Symantec)
LINK TO OUR HOME PAGE :
Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info.
Thank You !
-Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You!
-Team VOGH
Categories:
cyber-crime
,
security-news
,
vulnerablity