Stuxnet worm was first reported in June 2010 and was credited with several exploits, including sabotaging the Iranian nuclear reactors and possibly even causing the malfunction of the INSAT-4B communication satellite. Now, more than one year on, security experts think that they have stumbled upon a worm that is being described as the precursor to the next Stuxnet and potentially written by the same people who wrote the Stuxnet, or at least by someone who had access to the source code of the Stuxnet worm.
Named Duqu, the worm was first reported by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary on 1st September 2011. The name given to the worm came about due to the “~DQ” prefix that was given to the files it created on the system that it infected. Further analysis by Internet security firm Symantec revealed that the worm may have been in the wild since November 2010 and has so far infected computers in eight countries, including India, and potentially four more.
Just like Stuxnet, Duqu makes use of a 0-day vulnerability against Microsoft to exploit the operating system and install the components of the worm stealthy and just like Stuxnet, it also installs a driver with a valid digital signature, the digital certificate used for this seem to have been stolen from a company in Taiwan.
However the similarities do not carry over to the suspected intention of the worms. It is now accepted that Stuxnet was written with the intention of compromising industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems and specifically targeted at the Iranian atomic program, while it is believed that Duqu does not contain any code related to industrial control systems and is primarily a malware designed to give the attacker complete control over the compromised machine remotely, often termed a Remote Access Trojan (RAT). It is also believed to install malwares that records keystrokes and collect other system information from the compromised machine. The attackers were most probably looking for information that could be used in a future attack, hence the description of Duqu being a “precursor to the next Stuxnet.” It does make one wonder as to what we may have missed that was the real precursor to the Stuxnet worm.
Other than the fact that machines in India have been infected with the Duqu virus, there is another curious connection to the Indian cyberspace. Malwares like Duqu use external Command and Control (C&C) servers as a means for the attackers to remotely control the malware, for example to download new executable onto the infected machine, exfiltrate sensitive information from them, update the malware itself and sometimes even to destroy or deactivate it. One of the only three C&C server identified for Duqu was hosted on the IP address 126.96.36.199. This IP address and the virtual private server (VPS) that it belonged to was being hosted by Web Werks, a Mumbai-based hosting company. According to the company, the VPS belonged to a client in Milan, Italy and because it was a system that was being managed by the client itself, Web Werks did not have any control over what was running in it.
According to reports, officials from the Indian Computer Emergency Response Team (CERT-In) have obtained an image of the VPS before taking it offline. Interestingly, there is no mention of the operation anywhere on CERT-In’s website and officials have refused to comment on the development as it pertains to ongoing investigation.
Getting hold of the C&C servers however doesn’t seem to have done the investigators a whole lot of good though. Recent reports from Symantec indicate that all the three C&C servers, including the one hosted at Web Werks have been setup to forward all the traffic from the worm to other servers, making the discovery of the final endpoint of the C&C chain hard to pinpoint.
The last few year have seen a drastic uptick in the incidents related to cyber crime and the case of Stuxnet and Duqu have shown us that the new generation of malware are being continually honed for purposes that go beyond pranks, notoriety or money.
Stuxnet opened the Pandora’s box and there is no closing it.