Brace for "son of Stuxnet" -- Duqu spies on SCADA

By Richi Jennings (@richi) - October 19, 2011.

A supposed "precursor" to the next Stuxnet has been discovered. The Duqu Trojan aims to reconnoiter critical SCADA infrastructure in advance of future attacks. In IT Blogwatch, bloggers watch closely.

Your humble blogwatcher curated these bloggy bits for your entertainment.

Jaikumar Vijayan reports:

[It] appears to have been written by the authors of Stuxnet, or at least by someone who has access to Stuxnet source code. ... Duqu's purpose is to steal data from manufacturers of industrial control systems that can then be used to craft attacks.


[T]he Trojan is "highly targeted" at a limited number of organizations. ... News of the new Trojan is sure to reinforce concerns about...the industrial control systems used in critical infrastructures. ... The Stuxnet worm...has affected industrial control systems in many countries...especially Iran.   

Dan Goodin adds:

Dubbed Duqu, the remote access trojan has been detected in a handful of organizations, where it...gathered keystrokes and system information that can be used to attack a third party.


[The] sample was recovered from computer systems located in Europe, from a limited number of organizations, including those involved in making...SCADA, or supervisory control and data acquisition systems.   

Darlene Storm reminds us why this is important:

Last year Stuxnet proved the reality of how very vulnerable...SCADA systems and industrial control software (ICS) systems could be.


Within 30 minutes of the CEO opening a malicious phishing email [in a DHS training drill]...hackers had pillaged company documents, snuck in to IP-based surveillance cameras and...had taken control and maliciously overrode safety order to turn valves, start pumps and cause a toxic chemical spill. In...the hands of skilled hackers, industrial destruction really is as easy as point, click, destroy.

And Ted Samson adds his take:

Stuxnet...represented a cyber threat the likes of which the IT security community had never seen...mark[ing] the start of the next security arms race. ... Thus, Duqu warrants close scrutiny and started infecting target organizations in Europe as early as December, 2010.


The malware's purpose, according to Symantec, is to gather data and assets...from ICS (industrial control system) manufacturers. ... [I]t's primarily a non-self-replicating RAT (remote access Trojan)...communicat[ing] with a command-and-control server to download...malware...and swiping other sensitive system information for mounting future attacks. ... Perhaps to hide its tracks, [it] uploads and downloads what appears to be JPG files.   

Meanwhile, Robert Chesney blogs about hard choices:

It is interesting to think about this story in the context of the...debate within the Obama administration as to whether to conduct a computer network operation (“CNO”) to disrupt Libya’s air defense systems. ... [S]ome opposed conducting that CNO out of concern that this would have revealed our capabilities.


[D]eploying malware as part of a CNO runs at least two risks.  First, you might lose the ability to conduct similar operations in the future. ... Second, you run the risk of having the methods involved turned against you (or at least against others).


Decisionmakers have to make their best guesses in advance, alas, without knowing for sure what benefits and costs will materialize.   


Richi Jennings, your humble blogwatcher

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. He's the creator and main author of Computerworld's IT Blogwatch -- for which he has won American Society of Business Publication Editors and Jesse H. Neal awards on behalf of Computerworld. He also writes The Long View for IDG Enterprise. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: You can also read Richi's full profile and disclosure of his industry affiliations.
