On Tuesday, Symantec said it had been alerted to a new malware sample closely resembling the FUD-inducing, SCADA-targeting, conspiracy-spinning Stuxnet Trojan. The lab that discovered the code named it Duqu, and in the 24 hours since the discovery was made public, it would appear the sky has fallen.
Is Duqu a new threat, a weak copy of the original or just evolution? No one knows for sure, but AV vendors are tripping over themselves to examine the code and ensure detection. However, late Tuesday evening, Symantec and McAfee had a bit of a disagreement.
In its review of Duqu’s code, McAfee agreed with the main points Symantec had released: Duqu shares much of Stuxnet’s codebase. But the nearly identical code is about all the two have in common, because their purposes are completely different.
Duqu is a RAT (Remote Access Trojan), or to put it simply, nothing more than a password stealer and keylogger.
“McAfee Labs received a kit from an independent team of researchers that is closely related to the original Stuxnet worm, but with a different goal–to be used for espionage and targeted attacks against sites such as Certificate Authorities (CAs),” the company stated.
“The Stuxnet worm utilized two “stolen” digital certificates belonging to two companies from Taiwan that operated in the same business district. Yet, the Stuxnet-related code, named Duqu, which McAfee Labs received as part of an on-going investigation, was signed with yet another key belonging to the company C-Media Electronics, in Taipei. It is highly likely that this key, just like the previous two known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack.”
The timing is interesting, because McAfee’s report was written after Symantec had published its own. The two companies have always been research rivals, and they are the top two security vendors on the market, so research on the same topic from both, published at almost the same time, is to be expected.
However, the claim that the rogue certificates were not stolen but generated directly through an attack on a CA is a jab at Symantec, which acquired VeriSign’s SSL business last year. The distinction matters: a stolen key means a legitimately issued certificate was abused, and revocation is the remedy; a certificate fraudulently issued in a company’s name would mean the CA’s own vetting or systems had been subverted. Either way, the claim was enough to generate speculation and panic in the media.
“McAfee Labs advises Certificate Authorities to carefully verify if their systems might have been affected by this threat or any variations,” a blog post urged.
Symantec wasted no time and issued an early morning statement on Wednesday, addressing questions concerning VeriSign’s security based on McAfee’s comments.
“Symantec has known that some of the malware files associated with the W32.Duqu threat were signed with private keys associated with a code signing certificate issued to a Symantec customer. Symantec revoked the customer certificate in question on October 14, 2011,” the response starts.
“Our investigation into the key’s usage leads us to the conclusion that the private key used for signing Duqu was stolen, and not fraudulently generated for the purpose of this malware. At no time were Symantec’s roots and intermediate CAs at risk, nor were there any issues with any CA, intermediate, or other VeriSign or Thawte brands of certificates. Our investigation shows zero evidence of any risk to our systems; we used the correct processes to authenticate and issue the certificate in question to a legitimate customer in Taiwan.”
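The distinction Symantec draws (a stolen private key behind a legitimately issued certificate, versus a certificate fraudulently generated at the CA) is easiest to see in a verifier. The following Go program is an added illustration, not code from Symantec, VeriSign or McAfee: it builds a hypothetical root CA ("Example Root CA") that issues a code-signing certificate (serial 4242) to a hypothetical customer ("Example Customer Ltd"), signs a constructed payload with the customer's private key as an attacker holding the stolen key would, and shows that the chain validates cleanly until the CA publishes a CRL listing that serial. All names, serials and the payload are made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signedBlob is a minimal stand-in for a signed binary: the payload, a
// signature over its SHA-256 digest, and the leaf certificate shipped with it.
type signedBlob struct {
	Payload []byte
	Sig     []byte
	Cert    *x509.Certificate
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildPKI creates a hypothetical root CA and the code-signing certificate it
// legitimately issued to a hypothetical customer (names and serials made up).
func buildPKI() (*x509.Certificate, *ecdsa.PrivateKey, *x509.Certificate, *ecdsa.PrivateKey) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	custKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	custTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242),
		Subject:      pkix.Name{CommonName: "Example Customer Ltd"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	cust := mustCert(custTmpl, root, &custKey.PublicKey, rootKey)
	return root, rootKey, cust, custKey
}

// sign produces the signature an attacker holding the stolen key could make.
func sign(payload []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) signedBlob {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		panic(err)
	}
	return signedBlob{Payload: payload, Sig: sig, Cert: cert}
}

// verify checks the signature, the chain to the trusted root, the code-signing
// EKU and, when a CRL is supplied, its signature, freshness and the leaf serial.
func verify(b signedBlob, root *x509.Certificate, crlDER []byte) error {
	h := sha256.Sum256(b.Payload)
	pub, ok := b.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], b.Sig) {
		return errors.New("signature does not verify")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := b.Cert.Verify(opts); err != nil {
		return err
	}
	if crlDER == nil {
		return nil // no revocation data: a stolen key looks perfectly legitimate
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return err
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is stale")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(b.Cert.SerialNumber) == 0 {
			return errors.New("signing certificate has been revoked")
		}
	}
	return nil
}

// revoke is the CA's response once the theft is known: publish a signed CRL.
func revoke(root *x509.Certificate, rootKey *ecdsa.PrivateKey, serial *big.Int) []byte {
	now := time.Now()
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}},
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, root, rootKey)
	if err != nil {
		panic(err)
	}
	return der
}

// scenario returns the verifier's verdict before and after the CRL is published.
func scenario() (beforeRevocation, afterRevocation error) {
	root, rootKey, cust, custKey := buildPKI()
	payload := []byte("constructed sample payload, not a real binary")
	blob := sign(payload, cust, custKey)
	beforeRevocation = verify(blob, root, nil)
	afterRevocation = verify(blob, root, revoke(root, rootKey, cust.SerialNumber))
	return beforeRevocation, afterRevocation
}

func main() {
	before, after := scenario()
	fmt.Println("before CRL:", before) // nil: the chain is genuine
	fmt.Println("after CRL: ", after)  // revoked
}
```

The point the demo makes is that nothing in the chain distinguishes a signature made by the customer from one made by whoever stole the customer's key, so the CA's roots are untouched and revocation is the only lever the CA has. Had a certificate instead been fraudulently issued in the company's name, it would carry its own serial, and revoking serial 4242 alone would not catch it; that is what makes the stolen-versus-generated question consequential for a CA. A real verifier would also have to decide what to do about signatures timestamped before the revocation date.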
In the meantime, another vendor has done some research of its own. BitDefender said it does not think the team behind Stuxnet deserves the credit for Duqu.
“...the core component of the Duqu malware is a rootkit driver - a file that protects other malware against the defense mechanisms of the operating system or even of the antivirus itself...a less known aspect is that the Stuxnet rootkit has been reverse-engineered and posted on the Internet. It’s true that the open-sourced code still needs some tweaking, but an experienced malware writer could use it as inspiration for their own projects. We believe that the team behind the Duqu incident are not related to the ones that released Stuxnet in 2010...”
“The purpose of this new threat is different. While Stuxnet has been used for military sabotage, Duqu is merely gathering information from compromised systems and should be regarded as nothing short of a sophisticated keylogger. Since criminal gangs rarely change their primary specialty, we are inclined to say that a gang focused on military sabotage would not move their focus to civilian enterprises,” explained BitDefender researcher Bogdan Botezatu.
“Code re-use is a bad practice in the industry, especially when this code has been initially seen in legendary e-threats such as Stuxnet. By now, all antivirus vendors have developed strong heuristics and other detection routines against industry heavy-weights such as Stuxnet or Downadup [Conficker]. Any variant of a known e-threat would likely end up caught by generic routines, so the general approach is ‘hit once, then dispose of the code’.”
Earlier this year, Stuxnet samples appeared online after the HBGary breach: among the emails Anonymous leaked from the security contractor was one containing a Stuxnet sample that McAfee had sent to HBGary. The samples were later decompiled and posted online.
You can view the code here, just like millions of others have.