Thursday, October 27, 2011

Another Unclassified Duqu Update

Most of us will have missed the third update to the DHS Industrial Control System Cyber Emergency Response Team’s (ICS-CERT) alert for Duqu; it only received limited distribution because it was marked ‘FOUO’ and posted on a limited-access server. Yesterday, however, a fourth update (this one for general audiences) was published by ICS-CERT. This revision talks about additional variants of the Duqu Trojan that have been found in the wild, variants that may not be detectable by current anti-virus signatures.

There are no new details about targets or authors, and certainly nothing new about the purpose of the Trojan. We are still in the information-collecting stage as far as Duqu goes. Still, no one is yet claiming that Duqu has directly targeted industrial control systems, so that is good news of sorts for our community.

The bad news is that Duqu looks more like the flu; it is constantly evolving and changing. That will make it difficult to defend against. With that in mind, this alert provides some ‘new’ ideas for defending against Duqu (page 4):

• Monitor for new and unknown services running on client machines;

• Monitor systems on their network for new files added to system directories such as system32, and system32\drivers; and

• Monitor for network traffic anomalies.
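One way to put the first two recommendations into practice on a Windows client is a baseline-and-diff script; this is an added example, not code from the ICS-CERT alert. The script parameters, function names and baseline path are assumptions chosen for illustration, and network anomaly monitoring is not covered.

```powershell
# Added example: baseline-and-diff for the first two alert recommendations.
# Script parameters, function names and the baseline path are assumptions.
# Requires PowerShell 3.0+; run from 64-bit PowerShell so System32 is not redirected to SysWOW64.
param(
    [string]$BaselinePath = 'C:\Baseline\host-baseline.xml',
    [switch]$CreateBaseline
)

function Get-HostSnapshot {
    $dirs = "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers"
    # Registered services and kernel drivers, with the binary each one loads
    $services = Get-CimInstance Win32_Service | Select-Object Name, PathName, StartMode
    $drivers = Get-CimInstance Win32_SystemDriver | Select-Object Name, PathName, StartMode
    # Top-level files in the directories the alert names (no recursion)
    $files = foreach ($d in $dirs) {
        Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, @{ n = 'WriteTicks'; e = { $_.LastWriteTimeUtc.Ticks } }
    }
    [pscustomobject]@{ Services = $services; Drivers = $drivers; Files = $files }
}

function Compare-Snapshot($Old, $New) {
    # '=>' marks entries present only in the current snapshot: new, or changed since baseline
    foreach ($kind in 'Services', 'Drivers') {
        Compare-Object $Old.$kind $New.$kind -Property Name, PathName |
            Where-Object SideIndicator -eq '=>' |
            ForEach-Object { "NEW or CHANGED $kind entry: $($_.Name) -> $($_.PathName)" }
    }
    Compare-Object $Old.Files $New.Files -Property FullName, Length, WriteTicks |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { "NEW or MODIFIED file: $($_.FullName)" }
}

$current = Get-HostSnapshot
if ($CreateBaseline -or -not (Test-Path $BaselinePath)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | Export-Clixml -Path $BaselinePath -Depth 4
    "Baseline written to $BaselinePath"
} else {
    $findings = @(Compare-Snapshot (Import-Clixml $BaselinePath) $current)
    if ($findings.Count) { $findings } else { 'No new services, drivers or files since baseline.' }
}
```

Keep the baseline file somewhere the monitored host cannot modify, and expect legitimate patches to show up as changes that need to be reviewed and folded into a fresh baseline.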

The interesting question that has not been asked is how many control system owners have the time or knowledge base to do this monitoring?

1 comment:

Dan said...

Almost no one, unfortunately. It is going to take a disaster for employers to fully understand what is needed to protect ICS systems.

 