Hard to fully assess Duqu threat yet, researchers say

Early indications are that fears of Stuxnet follow-on are exaggerated

As new information about Duqu continues to come out, some experts are starting to question whether the danger posed by the trojan has been exaggerated.

The questions stem mainly from the fact that so far, there has been very little information about Duqu's true purpose.

Symantec, which released a report on Duqu earlier this week, has said the Trojan was created to steal information from industrial control system (ICS) vendors.

The security vendor said its analysis found that the malware was likely created by the authors of the Stuxnet worm that disrupted operations at Iran's nuclear facility in Natanz last year.

Symantec said it believes Duqu is being used to steal ICS data that can be used to create another Stuxnet-like trojan to attack critical infrastructure targets.

Symantec has yet to disclose what it may know about Duqu's potential targets.

After first claiming it knew of a "handful of instances" where ICS systems in Europe were infected with Duqu, it now only says "at least one" case has been confirmed.

The data from Symantec is simply not enough to determine the seriousness of the threat posed by Duqu, said Richard Bejtlich, chief security officer at security vendor Mandiant.

"If there were no explicit linkages to Stuxnet this wouldn't be a story at all," he said. "Similar code that does similar activity would not leap off the pages."

While many security pros have called Duqu the 'Son of Stuxnet,' the only known linkage is the shared code, Bejtlich said.

"I think it is a little bit sensational," Bejtlich said. "To me the fact that someone may have copied or reused parts of Stuxnet code is interesting," but experts need more information to determine iDuqu's true capabilities.

Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book Protecting Industrial Control Systems from Electronic Threat, said that any information gained by Duqu was likely already obtained using the Stuxnet trojan.

"They did all the data exfiltration with Stuxnet. Why would they do it again? It doesn't make sense," he said.

Also, because security experts are publicly on the lookout for Stuxnet-like threats, it's unlikely that attackers would use the same kind of code or methods, he said.

"I would be a lot more concerned if someone came with a different approach," he said. "It's like after 9/11 when everybody was looking for planes hitting buildings. Nobody was looking for a shoe bomber."

Dale Peterson, CEO of Digital Bond, a consulting firm specializing in control system security, said that the fact that Duqu may have been found in a system belonging to an ICS vendor is not significant by itself.

ICS vendors such as Siemens and Hitachi have myriad different operations and the fact that a Trojan program was found on one of their many systems may be insignificant, he said.

The real threat would be if Duqu was being used to go after specific customer implementation information from these vendors, he said.

For instance companies like GE often require that ICS customers maintain remote connectivity for support purposes, he said. It would be a "huge deal" If Duqu was used to go after information related to the remote support, Peterson said. "But at this point we have absolutely no evidence of who it targeting or what it is targeting.

"Right now I am skeptical it has anything to do with control system," but that could change if enough information becomes available, he added.

Meanwhile, a little known Hungarian lab called the Laboratory of Cryptography and System Security claimed to be the first to discover Duqu and that it provided information to Symantec and others.

In its original report Symantec had merely said that initial information abut Duqu had been supplied by an European research lab.

Several new drivers that are used as part of the installation process for Duqu have also been found in the days following Symantec's original report.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

FREE Computerworld Insider Guide: IT Certification Study Tips
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies