Wednesday, October 19, 2011

ICS-CERT Issues W32.Duqu Alert

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published a rather extensive alert concerning the W32.Duqu remote access Trojan (RAT). The relative wealth of detail (for an alert) is possible because of the detailed report published yesterday by Symantec. Duqu (‘dyü-kyü’, after the ‘~DQ’ prefix on some of the files the Trojan creates) was discovered in the wild by an as yet unnamed ‘research lab with strong international connections’, which reported it to Symantec.

No one is reporting that Duqu is currently targeting industrial control systems, but Symantec (and by extension ICS-CERT) is claiming that it targets ICS manufacturers. McAfee reports, however, that it is targeting Certificate Authorities (CAs). In any case, the current versions (at least two versions appear to have been discovered in the wild) appear to be information-acquisition malware rather than an actual attack vector.

What has caught the attention of many in the cyber security community (see Dark Reading or SC Magazine, for example) is the fact that some of the code in Duqu appears to come from Stuxnet. Symantec bloggers write that this new Trojan “is essentially the precursor to a future Stuxnet-like attack”, explaining that the attackers are “looking for information such as design documents that could help them mount a future attack on an industrial control facility”. If that is true, this ICS-CERT alert could be closing the proverbial ‘barn door’, since variants of this malware appear to have been in circulation since December of last year.

What is certain is that we have not heard the last of Duqu.
