Scary stuff from David Strom
The same Symantec team that cracked Stuxnet has found new variations on the same theme in packet captures from European networks. They published a blog entry and a full report that analyzes what the impacts of the virus would be, since the exploit isn't quite a finished product yet, and not all pieces of the exploit have been recovered. It is well worth careful reading.
The team calls what they found Duqu, and it is quite a vile and complex piece of work, as you can see from just one of its components diagrammed by Symantec. They state that its creators must have had access to the Stuxnet source code, not just the binary files. They theorize that its purpose is to find weaknesses in particular industrial process control equipment, although they have not found any specific code to tie it to a particular piece of hardware. The reason they propose this is because the code has been found in organizations that have been involved in the manufacture of industrial control systems. "The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility," say the report.
Included in the exploit are the following items:
- Keystroke recorder to pick off any passwords,
- remote access Trojan to gain control over any PCs that could be connected to the control equipment,
- Misleading digital signatures: The exploit contains a valid digital signature on one of the driver files, once again calling the need for better signature notaries.