ICS Threat Brewing; Target Unclear

Wednesday, October 19, 2011 @ 02:10 PM gHale


Beware, there is an information gathering threat targeting specific organizations, including industrial control system manufacturers, according to a Security Response Report from Symantec describing W32.Duqu.

W32.Duqu does not contain any code related to industrial control systems (ICS) and is primarily a remote access Trojan, Symantec said.

RELATED STORIES
Old Becomes New: DLL Loading is Back
Weak Sites Victimize Visitors
Beware of Printers Spreading Malware
ZeuS Gains More Power
Chrome Update Repairs Microsoft Alert

The original sample of W32.Duqu came from a research organization based in Europe and other variants came from an additional organization in Europe, Symantec said, adding the attackers are looking for information such as design documents that could potentially give more detail for a future attack on an industrial control facility.

This threat is highly targeted toward a limited number of organizations, apparently to exfiltrate data concerning their specific assets; Symantec does not know the propagation method. Symantec did say W32.Duqu is not self-replicating.

Symantec reported other attacks could be ongoing using undetected variants of W32.Duqu. Symantec said they are continuing to analyze additional variants of W32.Duqu.

Key points from the report include:
• The executables share some code with the Stuxnet worm and they came after the last Stuxnet sample was recovered
• There is no ICS specific attack code in the Duqu or infostealer
• It is not clear what the primary infection vector for Duqu deployment is yet (Duqu does not self-replicate or spread on its own)
• There is a limit on the targeted organizations
• The malware employed a valid digital certificate (revoked as of 14 OCT 2011)
• The design of the malware is to self-delete after 36 days
• India is host to the Command and Control servers (Specific IPs unknown at this time)

McAfee Labs also published a blog entry on the Duqu malware.

ICS-CERT reached out to Symantec and McAfee to obtain additional information to assess the threat and identify mitigations that manufacturers and asset owners can employ to reduce their risk to this new threat.

Symantec provided sample names and hashes for the files identified as part of this threat:

  • File name, cmi4432.pnf, MD5 Hash, 0a566b1616c8afeef214372b1a0580c7
  • File name, netp192.pnf, MD5 Hash, 94c4ef91dfcd0c53a96fdc387f9f9c35
  • File name, cmi4464.PNF, MD5 Hash, e8d6b4dadb96ddb58775e6c85b10b6cc
  • File name, netp191.PNF, MD5 Hash, b4ac366e24204d821376653279cbad86
  • File name, cmi4432.sys, MD5 Hash, 4541e850a228eb69fd0f0e924624b245
  • File name, jminet7.sys, MD5 Hash, 0eecd17c6c215b358b7b872b74bfd800
  • File name, Infostealer, MD5 Hash, 9749d38ae9b9ddd81b50aad679ee87ec

Joel Langill, chief technology officer at SCADAhacker, reports Microsoft and others have made available anti-virus signature updates for the W32.Duqu Trojan, covering at least three variants. The links below are to the Microsoft Malware Protection Center, and provide some useful background information:
Variant “A”

Variant “B”

Variant “C”

Interesting enough are the details contained in the Variant “C” summary which identifies the IP addressed used for the C&C server – 206.183.111.97, registered to WebWerks India Pvt. in Mumbai. This should not lead you to believe that the attackers originate within India, but rather this site could be a proxy.

Bob Radvanovsky from the SCADAsec forum also provided a link which highlights the updates of a large number of AV vendors relating to Duqu. Click here for the list.



Leave a Reply

You must be logged in to post a comment.