Iran under attack by son of Stuxnet?

[longbrained]

The same people who had made Stuxnet virus and attacked Iranian industry with it in the process destroying the Iranian nuclear infrastructure are back in the game. This time they are surveying for another sophisticated attack as per Symantec and F-secure security firms. The firms are tight lips when it comes to what this latest Stuxnet is upto. Iran should brace itself for stuff blowing up this winter.

A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe, according to researchers at security firm Symantec.
The new malware, dubbed “Duqu” [dü-kyü], contains parts that are nearly identical to Stuxnet and appears to have been written by the same authors behind Stuxnet, or at least by someone who had direct access to the Stuxnet source code, says Liam O Murchu. He’s one of the leading experts on Stuxnet who produced extensive analysis of that worm with two of his Symantec colleagues last year and has posted a paper detailing the Duqu analysis to date.

Duqu, like Stuxnet, masks itself as legitimate code using a driver file signed with a valid digital certificate. The certificate belongs to a company headquartered in Taipei, Taiwan, which Symantec has declined to identify. F-Secure, a security firm based in Finland, has identified the Taipei company as C-Media Electronics Incorporation. The certificate was set to expire on August 2, 2012, but authorities revoked it on Oct. 14, shortly after Symantec began examining the malware.

The new code does not self-replicate in order to spread itself — and is therefore not a worm. Nor does it contain a destructive payload to damage hardware in the way that Stuxnet did. Instead, it appears to be a precursor to a Stuxnet-like attack, designed to conduct reconnaissance on an unknown industrial control system and gather intelligence that can later be used to conduct a targeted attack.

“When we talked about Stuxnet before, we expected there was another component of Stuxnet we didn’t see that was gathering information about how a plant was laid out,” O Murchu says. “But we had never seen a component like that [in Stuxnet]. This may be that component.”


Although Duqu was created some time after Stuxnet, a component similar to it could have been used by Stuxnet’s attackers to gather intelligence for their payload.

Duqu appears to have been operative for at least a year. Based on the dates the binary files were compiled, Symantec says attacks using the malware may have been conducted as early as December 2010, about five months after Stuxnet was discovered, and about 18 months after Stuxnet was believed to have first been launched on computers in Iran.

“The real surprising thing for us is that these guys are still operating,” O Murchu says. “We thought these guys would be gone after all the publicity around Stuxnet. That’s clearly not the case. They’ve clearly been operating over the last year. It’s quite likely that the information they are gathering is going to be used for a new attack. We were just utterly shocked when we found this.”

Symantec received two variants of the malware on Oct. 14 from an unidentified research lab “with strong international connections.”

“Obviously this is a sensitive topic, and for whatever reason, they’ve decided at this point they don’t want to be identified,” O Murchu says, referring to earlier beliefs about Stuxnet had been created by a nation state with the aim of sabotaging Iran’s nuclear program.

Symantec received two variants of the malware, both of which had infected the same machine. Since then, O Murchu and his colleagues have found other samples on about 10 machines. The researchers found, after searching their own malware archive for similar files, that one of the variants was first captured by Symantec’s threat detection system on Sept. 1, 2011. Symantec has declined to name the countries where the malware was found, or to identify the specific industries infected, other than to say they are in the manufacturing and critical infrastructure sectors.

Although the vast majority of Stuxnet infections were based in Iran, O Murchu says the Duqu infections that have been discovered so far are not grouped in any geographical region. He said, however, that this could change if new infections are discovered.

The name given to the malware is based on a prefix “~DQ” that the malware uses in the names of files that it creates on an infected system. O Murchu says the malware uses five files. These include a dropper file that drops all of the components onto an infected system that the malware will need to do its work; a loader that places the files into memory when the computer starts; a remote access Trojan that serves as a backdoor on infected systems to siphon data from it; another loader that executes the Trojan; and a keystroke logger.

Like Stuxnet, Duqu uses a sophisticated and unique technique to hide its components in the memory of a machine, rather than on the hard drive, to avoid detection by anti-virus engines, and also tricks the system into loading files from memory instead of from hard disk. This technique was one of the first red flags Symantec had found in Stuxnet that indicated it was doing something beyond other types of malware they had seen before.

The malware is configured to run for 36 days, after which it automatically removes itself from an infected system.

O Murchu says they still have no idea how Duqu was delivered to infected systems. Stuxnet primarily used a zero-day vulnerability that allowed it to spread to systems via an infected USB stick.

“There’s an installer component [to Duqu] we haven’t seen,” O Murchu saus. “We don’t know if the installer is self-replicating. That’s a piece of the jigsaw that we’re missing right now.”

The variants are about 300 kilobytes in size — compared to Stuxnet’s 500 kb — and use a custom protocol to communicate between an infected system and a command-and-control server to siphon data from an infected machine and load new components onto it. According to O Murchu, the malware tries to disguise its malicious communication by appending it to a 100 x 100 pixel jpeg file. The appended data is encrypted, and the researchers are still analyzing the code to determine what the communication contains.

Son of Stuxnet Found in the Wild on Systems in Europe | Threat Level | Wired.com

 

[Safriz]

solaris sun java?linux?
stick to windows and you get viruses

 

[longbrained]

solaris sun java?linux?
stick to windows and you get viruses

None of those. The virus is for Siemens critical system controllers with its own environment. These are used to control complex machines, power lines, robots etc. etc. For example it is possible to have a virus which infects the computer system running a gas pipeline to increase the pressure in the pipeline till it explodes. Or a virus which infects power line distribution control and increases the voltage in the system so much that it blows up grid stations and transformers and home appliances. Stuff like that. Basically it is just like bombs but they come through your flash memory.

Now Iran does not have even a single anti-virus company so they will get hit again and again until their economy collapses. It is only understandable that American and European anti-virus companies are not going to save Iran by keeping their systems clean or offering patches.

 

[roadrunner]

your title says Iran under attack by stuxnet variant.

the text says Europe under attack or recon by stuxnet variant.

iran can get someone else to write the anti virus so it wouldnt be a problem for them.

 

[Safriz]

yes for seimens automation under windows.

pakistan telecom operators use same software under solaris and no stuxnet here.

 

[longbrained]

I also have to say that this is the new form of warfare. Very sophisticated. It is almost like when Europeans came with Gatling guns in 1800's and the local population of Asia and Africa were dazzled as they had never seen or even imagined such a thing could exists. Then came the nuclear bomb. Now it is cyber war as everything from your cell phone to cardiac pacemaker, to cell phones, planes autopilot and even car's engine control units use software to run. So it is now the age of cyber war and Iran is the first victim of it. Just like red Indians were first victims of Gatling guns.

---------- Post added at 05:02 AM ---------- Previous post was at 05:00 AM ----------

yes for seimens automation under windows.

pakistan telecom operators use same software under solaris and no stuxnet here.

Yes, that is because the guys who have made Stuxnet have not yet attacked it. Stuxnet was a precision guided bomb. It was designed to attack only Iranian system. It infected more machines around the world but caused no harm. It just blew thousands of ultra-expensive Iranian centrifuges to hell.

 

[longbrained]

iran can get someone else to write the anti virus so it wouldnt be a problem for them.

No it does not say that. It says it was found there on some machines. Stuxnet was also found in Europe and other four continents. But all experts agree its target was in Iran. As the article says, the same people have written this one too. So it is in all probablity Iran again but ofcourse the virus will go global but only attacks and disables systems in Iran. That is how it is. For instance if the virus infects a system in Japan it will just remove itslef after a few days. But if it infects an Iranians system then it is going to blow it up. That is how stuxnet was working. So will his son.

Anti-viruses are not "written". They are not exactly like comments on forum. For that you must have a huge company which is all the time doing research and finds the threat first and then neutralists it. Iran does not have such capability. As with Stuxnet, Norton only announced its analysis of the virus after it had already blown and destroyed Iran's infrastructure. Of course Iran would be able to reboot the systems after every attack and start from the beginning but the damage has already been done. And that is the point here. Even Symentac here says that they have found a prototype now, but the actual attack might be already underway. Has anything blown up recently in Iran? Any one on that one?

 

[roadrunner]

No it does not say that. It says it was found there on some machines. Stuxnet was also found in Europe and other four continents. But all experts agree its target was in Iran. As the article says, the same people have written this one too. So it is in all probablity Iran again but ofcourse the virus will go global but only attacks and disables systems in Iran. That is how it is. For instance if the virus infects a system in Japan it will just remove itslef after a few days. But if it infects an Iranians system then it is going to blow it up. That is how stuxnet was working. So will his son.

Anti-viruses are not "written". They are not exactly like comments on forum. For that you must have a huge company which is all the time doing research and finds the threat first and then neutralists it. Iran does not have such capability. As with Stuxnet, Norton only announced its analysis of the virus after it had already blown and destroyed Iran's infrastructure. Of course Iran would be able to reboot the systems after every attack and start from the beginning but the damage has already been done. And that is the point here. Even Symentac here says that they have found a prototype now, but the actual attack might be already underway. Has anything blown up recently in Iran? Any one on that one?

the duqu malware didnt have anything to do with Iran. read your article.

A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe, according to researchers at security firm Symantec.
The new malware, dubbed “Duqu” [dü-kyü], contains parts that are nearly identical to Stuxnet and appears to have been written by the same authors behind Stuxnet, or at least by someone who had direct access to the Stuxnet source code, says Liam O Murchu.

The stuxnet virus was launched on iran, duqu was launched on europe. it didnt have anything to do with iran (at least as a target).

 

[longbrained]

I love technology, specially new ones. Here is the picture for my above post about a technological society with Gatling guns and the society without technology. One is the victor and the other will be condemned to be dissolved.

With respect to this new cyber warfare, Iran and US are like these pictures:

Iran:

United States:

It is clear who would win. The one with bow and arrow stands no chance against the Gatling gun. Same as today, a country without modern IT infrastructure capable of making its own softwares and anti-viruses stands no chance.

---------- Post added at 05:25 AM ---------- Previous post was at 05:23 AM ----------

the duqu malware didnt have anything to do with Iran. read your article.

A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe, according to researchers at security firm Symantec.
The new malware, dubbed “Duqu” [dü-kyü], contains parts that are nearly identical to Stuxnet and appears to have been written by the same authors behind Stuxnet, or at least by someone who had direct access to the Stuxnet source code, says Liam O Murchu.

The stuxnet virus was launched on iran, duqu was launched on europe. it didnt have anything to do with iran (at least as a target).

Exactly it says, a country declared a cyber war last year on Iran and is still at works and is continuing its attack. Read the article. What do you think, genius, they are attacking Japan or your home computer? Of course it is Iran.

 

[westtowel]

Stuxnet 2 has been in the wild already.


One of the great technical blockbusters in malware history.

—Vanity Fair, April 2011

http://www.pcworld.com/businesscenter/article/242114/duqu_new_malware_is_stuxnet_20.html

 

[Safriz]

sometimes its better to throw automation out of the window and do things manually.

 

[Quasar]

the source is wikipedia but guess it may still give us a picture

Comparison (June 2011)
Country Number of super computers

United States 256
Japan 26
China 62
Germany 30
France 25
United Kingdom 27
Russia 12

TOP500 - Wikipedia, the free encyclopedia

 

[Safriz]

^^^how is the supercomputer list related to this thread?

 

[Quasar]

^^^how is the supercomputer list related to this thread?

it too late here kindly trolling

 

[roadrunner]

Exactly it says, a country declared a cyber war last year on Iran and is still at works and is continuing its attack. Read the article. What do you think, genius, they are attacking Japan or your home computer? Of course it is Iran.

Goodness me. Can't you read? YOUR ARTICLE SAYS THIS

A little more than one year after the infrastructure-destroying Stuxnet worm was discovered on computer systems in Iran, a new piece of malware using some of the same techniques has been found infecting systems in Europe

Duqu has not been sent to Iran. Iran is totally irrelevant with Duqu.

The title of your article doesnt even mention Iran, it mentions Europe. That would usually give it away.

It is good to have an interest in technology, but first you need to be able to read.