Οι δημιουργοί του Stuxnet επέστρεψαν με ένα καινούριο είδος malware, το οποίο μπορεί να είναι ο προάγγελος ενός Stuxnet-like attack.
 

Παρακάτω σας παραθέτω αυτούσιο στην Αγγλική γλώσσα το άρθρο του Tom Brewster, το οποίο δημοσιεύθηκε στις 19 Οκτωβρίου 2011 στις 14:42 στην ιστοσελίδα www.itpro.co.uk.

The team behind the most sophisticated piece of malware ever seen has returned with some fresh malicious software.

Stuxnet
creators have used much of the same code for their new creation, known
as Duqu, which has grabbed the attention of security researchers after
an unnamed independent team detected it.

However, Duqu is not as sophisticated as Stuxnet and is not targeting the same SCADA systems used in power plants.

Instead, Duqu has been used to acquire information in the lead-up to
another Stuxnet-esque attack in the future, researchers have suggested.

A small number of organisations have been hit, including some in the manufacturing of industrial control systems.

“The attackers are looking for information such as design documents
that could help them mount a future attack on an industrial control
facility,” a blog post from Symantec read.

“Our telemetry shows the threat was highly targeted toward a limited
number of organisations for their specific assets. However, it’s
possible that other attacks are being conducted against other
organisations in a similar manner with currently undetected variants.”

Attacks using Duqu could stretch back as far as December 2010. The
malware has been used to download a separate information stealer onto
systems. That info-stealer was able to pilfer data in a variety of ways,
including keystroke logging, before sending it off to a command and
control centre in India inside an encrypted file.

The malware was programmed to run for 36 days before removing itself from systems.

Stuxnet similarities

Security researchers across the board have been fairly certain Duqu
was created by the same team behind Stuxnet, even though there is no
direct proof.

“They had to have access to the original source code, which only the
creators of Stuxnet have. There are various decompilations available
online. Those would not do,” Mikko Hypponen, chief research officer at
F-Secure, told IT Pro.

“It's perfectly possible they [the team behind Stuxnet] did a similar
information-cathering phase in 2008 or 2009 for the original Stuxnet
and we just missed it.”

Aside from the code similarities, Duqu's driver files are signed with
certificates apparently stolen from a Taiwanese company, as were
Stuxnet’s.

Certificates were stolen from RealTek and JMicron in the case of
Stuxnet, whereas in Duqu only one was compromised - C-Media Electronics
Incorporation.

In recent cases, certificate authorities have been compromised so
hackers could issue fraudulent certificates, as was seen with the now-defunct CA DigiNotar.
However, the certificate used to sign Duqu appears to have been stolen
somehow, even though McAfee’s analysis suggested otherwise.

“Symantec has known that some of the malware files associated with
the W32.Duqu threat were signed with private keys associated with a code
signing certificate issued to a Symantec customer,” the security giant
said today.

“Symantec revoked the customer certificate in question on 14 October
2011. Our investigation into the key’s usage leads us to the conclusion
that the private key used for signing Duqu was stolen, and not
fraudulently generated for the purpose of this malware.”

McAfee said Duqu was being used in areas occupied by “Canis Aureus,”
the Golden Jackal. See below for a map outlining where these areas are:

(Source: Wikipedia)