Stuxnet to Duqu: The Waiting Begins

Wednesday, December 14, 2011 @ 12:12 PM gHale

By Gregory Hale
Duqu’s botnet shut down its reconnaissance mission.

That means the first part of its mission is now complete and the next act in this real life drama is ready for deployment. The timeframe? That is anybody’s guess as the industry learned from Stuxnet, the worm silently sat for a period of time gathering information and waiting for the right moment to pounce. And, did it pounce. Centrifuges at Iran’s Natanz nuclear enrichment plant took a huge hit.

The clock’s timer is set.

Attackers Clean Out Duqu Servers
Duqu and Rumors of War
A New and Frightening Stuxnet
Stuxnet: A Chief Executive Plan
U.S. to Israel: Don’t Hit Iran Nuclear Sites Alone
Stuxnet Report IV: Worm Slithers In
Stuxnet Report V: Security Culture Needs Work

One of the main differences between Stuxnet and Duqu is we were completely ignorant of what Stuxnet was up to. That means industrial control systems lived in blissful ignorance while the worm slithered in and stalked its targeted system. Security professionals had no inkling of where or when the worm found its nesting place. In reality, manufacturers were sitting ducks.

Now, security professionals are staying on top of their game; they know Duqu is out there. ISSSource reported in November Duqu is a perfected version of Stuxnet and American and Israeli officials are heading a team effort to bring down Iran’s entire software networks if the Iranian regime’s nuclear program gains too much traction, U.S. intelligence sources said.

Stuxnet is gone, but hardly forgotten. Its creators learned quite a bit from their first foray into industrial control systems.

“Stuxnet has not become useless in the least,” said one serving U.S. intelligence official. “It has all sorts of untapped potential.”

Another intelligence official said, “The cyber warfare potential of Stuxnet has by no means been exhausted. It hasn’t demonstrated the full damage it could cause if deployed.”

Sources in the U.S. that requested anonymity said Duqu has two parts, the first of which does reconnaissance of the target, assessing vulnerabilities. That part seems to be over. The next part, the sources said, is delivery.

Can you hear the clock ticking?

All files on the 12 known command-and-control (C&C) servers for Duqu are gone, according to Moscow-based Kaspersky Lab.

All 12 of the Duqu variants used a different compromised server to manage the PCs infected with that specific version of the malware, Kaspersky researchers said. Those servers were in Belgium, India, the Netherlands and Vietnam, among other countries.

The attackers wiped every single server they had used as far back as 2009, Kaspersky researchers said, referring to the Oct. 20 cleaning job.

The clock is ticking.

Does this mean Duqu is going after the Iranian nuclear program? Maybe. Quite of bit of evidence points that way. But it could also mean the goal of the recon mission was to look at other types of industrial control systems. One unnamed source told ISSSource Duqu code showed up at their facility not too long ago.

It would be easy to be overly dramatic and overreact. But one thing is for sure: The situation means security professionals on the plant floor or over in the IT department had better stay on top of their game and know what is coming in and going out of their systems.

If Duqu is as strong as Stuxnet – and all reports say it is even stronger and smarter – then everyone has to stay alert and ready to take action. Dust off those security plans and make sure everyone is aware of what they should and should not do. No one should just wait and see; manufacturers should forge ahead with a proactive defense. You just never know when the next attack will occur.

Tick, Tick, Tick, Tick, Tick….

Talk to me:

One Response to “Stuxnet to Duqu: The Waiting Begins”

  1. […] Stuxnet to Duqu: The wait begins! (Greg Hale, ISS Source 14/12/2011) […]

Leave a Reply

You must be logged in to post a comment.