Slashdot Mirror

← Back to Stories (view on slashdot.org)

Expert: Duqu Is a Custom Attack Framework

Posted by Unknown on from the kremlin-denies-involvement dept.

Trailrunner7 writes "All of the hype about Duqu being the next Stuxnet obscured many of the real facts about the new malware. It turns out that Duqu not only is essentially a customizable attack framework with separate modules for each target, but that it has been found on high-value networks in Iran and the Sudan. A detailed analysis of the Duqu malware files by Alex Gostev of Kaspersky Lab shows that the malware uses different drivers and modules for every target. 'It is obvious that every single Duqu incident is unique with its own unique files using different names and checksums. Duqu is used for targeted attacks with carefully selected victims,' Gostev said."

51 comments

  1. Who needs black hats? by Toe,+The · · Score: 1

    We don't need black hat programmers anymore... we have government intelligence agencies to do all the malicious coding work.

    Sounds like now your everyday hacker hardly needs to be more sophisticated than a script kiddie.

    1. Re:Who needs black hats? by derGoldstein · · Score: 1

      You could always (ok, in the past ~10 years) get a more sophisticated tool (that you personally could not have come up with) and customize it to "your needs". Actually, computer viruses are most often described as "derivatives", since there are only so many original ideas that are truly effective. Even the LIOC, which was designed for a benign purpose, is used as a weapon.

      I agree about the intelligence agencies part, but you could always do a lot of damage as a script kiddie if you knew how to use the right tools.

      --
      Entomologically speaking, the spider is not a bug, it's a feature.
    2. Re:Who needs black hats? by EdZ · · Score: 1

      That Duqu is a framework makes it seem to me more likely that it's a for-profit (i.e. criminal in origin) attack rather than a government-produced attack.
      1) because it seems to be a rather popular way to monetise your virus-writing with little effort put into actually conducting attacks, and;
      2) because it would require the hypothetical government program to be doing something in an efficient manner (and not tailor-making a virus to each target)

    3. Re:Who needs black hats? by gstoddart · · Score: 1

      That Duqu is a framework makes it seem to me more likely that it's a for-profit (i.e. criminal in origin) attack rather than a government-produced attack.

      I just find it more amazing that the people writing malware are using good coding practices to create supportable, maintainable code, which can be extended and generalized.

      That implies a really high level or organization, diligence, and use of best practices ... that's hard to do in industry, let alone what one thinks of as your typical black-hat. Though, that probably tells me that what I think makes up your typical black hat is probably completely meaningless.

      --
      Lost at C:>. Found at C.
    4. Re:Who needs black hats? by Anonymous Coward · · Score: 0

      It's not that difficult to come up with an organized open source based malware program. Firefox, Drupal and a number of other open source projects aren't government based and have a high level of organization, diligence and best practices. SCADA systems have been scrutinized publicly for years on their vulnerabilities so it's not like these had to be developed over night; these malware programs could have started up to 10yrs or more ago based on these vulnerabilities. Especially if they are based on Win XP or earlier like Win 98 and 95. A lot of SCADA programs like building HVAC systems run on old Win 95 PC's that have been bridged onto a network for remote management.

    5. Re:Who needs black hats? by theArtificial · · Score: 1

      That implies a really high level or organization, diligence, and use of best practices ... that's hard to do in industry, let alone what one thinks of as your typical black-hat. Though, that probably tells me that what I think makes up your typical black hat is probably completely meaningless.

      You're just coming late to the party. While what you're saying is no doubt true it is nothing new even in the black hat community. Years ago Agobot source was released enabling thousands of variants. This was around the time of the Valve compromise ~2004 era. If you're interested the code is out there...

      --
      Man blir trött av att gå och göra ingenting.
    6. Re:Who needs black hats? by RockDoctor · · Score: 1

      That Duqu is a framework makes it seem to me more likely that it's a for-profit (i.e. criminal in origin) attack rather than a government-produced attack.

      OR, it's a government-produced attack, but they decided that they wanted plausible deniability and so coded it far above their normal standards to deflect attention.

      The question is not, "Am I paranoid?" It is "Am I paranoid enough?"

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Antivirus / security companies by vlm · · Score: 5, Insightful

    How do the big anti-virus / security companies coordinate their work so as not to offend their local government?

    Or, as the conspiracy theorists have long claimed, are the virus writers and anti-virus writers merely different departments of the same company, which makes coordination inside at least one company pretty easy?

    I would imagine anti-virus / security companies based in the US and Israel are probably not getting "attaboys" from their government for figuring out the latest Duqu thing.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:Antivirus / security companies by Baloroth · · Score: 2

      The companies are in several different countries, so even if one doesn't want to look at malwarea virus (because they suspect it has government connections) someone else can and there is nothing local government can do. Diplomatic channels are right out, it would require semi-official acknowledgement of creating it. Even backroom channels would be dangerous.

      Probably the people involved wouldn't even try to interfere, even with a local company. Too much possibility of it getting out. Keeping the malware low-key seems to be the preferred route, as it is for most competent intelligence operations. And it seems to be working.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    2. Re:Antivirus / security companies by derGoldstein · · Score: 1

      Or, as the conspiracy theorists have long claimed, are the virus writers and anti-virus writers merely different departments of the same company

      For the life of me I can't find a direct reference right now, but this was proven to be true in the 90's. Some researchers found that code in an antivirus software was designed to look for patterns that only appeared months after its release (very specific patterns, not just behaviors). Maybe someone more versed in the field can point to the example, my Googling skills are failing me at the moment.

      --
      Entomologically speaking, the spider is not a bug, it's a feature.
    3. Re:Antivirus / security companies by elsurexiste · · Score: 1

      Although anti-virus companies naturally have the talents to develop those viruses, they don't need to: there are plenty of less scrupulous people out there giving them work to do. Regarding your other point, the security crowd is quite cosmopolitan, so it shouldn't be surprising that foreigners figure it out before locals.

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    4. Re:Antivirus / security companies by Anonymous Coward · · Score: 1

      I'm 99% certain this story is apocryphal. I've been hearing it for years now but I've never seen even a shred of evidence. Generally it comes out exactly like this, where whoever is telling it is certain it's true but they can't remember the name of the product, the vendor or the virus.

    5. Re:Antivirus / security companies by jesseck · · Score: 1

      Or, as the conspiracy theorists have long claimed, are the virus writers and anti-virus writers merely different departments of the same company, which makes coordination inside at least one company pretty easy?

      You're right! The summary mentions Kaspersky... but not Symantec.

    6. Re:Antivirus / security companies by hjf · · Score: 2

      In the early 90s, in the small city where I live, there was an "outbreak" of 3 (three) viruses, and every computer was infected. Then some local guy "came up" with an antivirus that only worked against those 3 viruses... and was extremely overpriced. Like $100. And no other antivirus could clean those because the virus was unheard of in other places (the infection didn't make it to F-Prot, Norton, etc). Small city, no internet... Makes one think.

    7. Re:Antivirus / security companies by Darinbob · · Score: 1

      It's a bit like with spies and other clandestine operatives. The government doesn't acknowledge them if they're caught in the act. Ie, police may notice a break in at a hotel and arrest someone. Some governments may just have a guy in a black hat pay a visit to the prison and the arrested person walks free, other governments just sit back and let the trial play out, if the arrest is in a foreign countries there may be some diplomatic actions taken to get the person back (ie, spy exchange).

      With Stuxnet no government has acknowledged that they created it although there are two extremely likely candidates. Telling malware researchers to look the other way is tantamount to admitting creation of the malware.

    8. Re:Antivirus / security companies by Anonymous Coward · · Score: 0

      How do the big anti-virus / security companies coordinate their work so as not to offend their local government?

      Or, as the conspiracy theorists have long claimed, are the virus writers and anti-virus writers merely different departments of the same company, which makes coordination inside at least one company pretty easy?

      I would imagine anti-virus / security companies based in the US and Israel are probably not getting "attaboys" from their government for figuring out the latest Duqu thing.

      Paranoid much? If it worked the way you suggest then it wouldn't have been revealed. Given the way things leak it's pretty unlikely there is that tuype of collusion.

    9. Re:Antivirus / security companies by Gyorg_Lavode · · Score: 1

      This made me think of Charlie Miller's Talk at Defcon 18. Basically, he sends out lots of remote access tools, but ensures redundance because he expects an amount of his code to get caught. I assume the Duqu writers did the same thing. So what if 1 RAT gets caught. Your sister malware lived on.

      --
      I do security
    10. Re:Antivirus / security companies by Anonymous Coward · · Score: 0

      More proof Iran needs Nukes.

    11. Re:Antivirus / security companies by Maow · · Score: 2

      Wired had a great write up about Stuxnet (soon to be a book), in which this was written:

      The sophistication of the code, plus the fraudulent certificates, and now Iran at the center of the fallout made it look like Stuxnet could be the work of a government cyberarmy -- maybe even a United States cyberarmy.

      This made Symantec's sinkhole an audacious move. In intercepting data the attackers were expecting to receive, the researchers risked tampering with a covert U.S. government operation. Asked recently if they were concerned about this, Chien replied, "For us there's no good guys or bad guys." Then he paused to reconsider. "Well, bad guys are people who are writing malicious code that infects systems that can cause unintended consequences or intended consequences."

      Whether the "bad guy" was the United States or one of its allies, the attack was causing collateral damage to thousands of systems, and Symantec felt no patriotic duty to preserve its activity. "We're not beholden to a nation," Chien said. "We're a multinational, private company protecting customers."

      It earned a fair bit of respect for Symantec from me...

  3. Foreign policy request... by fuzzyfuzzyfungus · · Score: 1

    In order to Support Our Troops, could we try to have a few more sinister foreign policy developments in places with nice, temperate climates?

    1. Re:Foreign policy request... by pspahn · · Score: 1

      in places with nice, temperate climates?

      Our current understanding of global climate is too inadequate to make this practical.

      By the time troops are ordered, deployed, and stationed, the local climate would have already changed leaving our troops with inappropriate supplies.

      Instead, I suggest that we simply choose a few places that appear desirable and invade. That way we can set up proper infrastructure and build more permanent housing to accommodate the influx of population.

      --
      Someone flopped a steamer in the gene pool.
    2. Re:Foreign policy request... by Baloroth · · Score: 1

      Sounds great! Maybe, I don't know, Cuba?

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    3. Re:Foreign policy request... by couchslug · · Score: 1

      "In order to Support Our Troops, could we try to have a few more sinister foreign policy developments in places with nice, temperate climates?"

      Cultures and people worth defending would be a plus too. One pleasant aspect of the Cold War for both the US and Soviets was that it was common to be deployed to defend places where the locals drank booze, smoked weed, liked to party and fuck, and favored secular governments.

      It was a pleasure to defend NATO. Even the protesters who picketed my base were polite, though there was the odd bombing now and then. (My congrats to the Libyans who killed Qaddafi. They did in a much nicer way what the El Dorado Canyon mission wasn't able to accomplish.)

      Now there isn't much difference between the supposed good guys and the bad ones. They are all religious fanatic lunatics I'd cheerfully hose with nerve agent, and most of that loathing is based visiting more advanced Muslim societies. Those societies are without virtue, theocratic and tribal and beastly with only a veneer of refinement provided by the modern objects they purchase. I would that Islam had but one throat, and my hands were on it.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    4. Re:Foreign policy request... by The_Steel_General · · Score: 1

      Hellenikon?

  4. Count Duqu by camperdave · · Score: 1

    Duqu not only is essentially a customizable attack framework with separate modules for each target, but it can penetrate high-value networks. You can use different names and checksums for targeted attacks on carefully selected victims. So remember, if you need to crack a network, you can count on Duqu.

    --
    When our name is on the back of your car, we're behind you all the way!
  5. oblig. sw ref. by torgis · · Score: 1

    count - Duku: 1, Centrifuges: 0.

    1. Re:oblig. sw ref. by derGoldstein · · Score: 0

      count - Duku: 1, Centrifuges: 0.

      You mean Count Dooku? That guy whot fought Yoda?

      --
      Entomologically speaking, the spider is not a bug, it's a feature.
    2. Re:oblig. sw ref. by Anonymous Coward · · Score: 0

      Did you read his/her subject line?

    3. Re:oblig. sw ref. by Nanosphere · · Score: 1

      I see your Duku and raise you 1 Magneto (waved over Dukus harddrive)

    4. Re:oblig. sw ref. by derGoldstein · · Score: 1

      Aw crap.

      Wait, "sw" could mean anything! Yeah, I'm going with that defense.

      --
      Entomologically speaking, the spider is not a bug, it's a feature.
    5. Re:oblig. sw ref. by torgis · · Score: 1

      I was curious about your reference to a Count Dooku fighting Yoda, so I watched all three Star Wars movies and never once did Yoda even pick up a weapon. So, sorry, I'm not sure what you're talking about.

      Ah, ignorance is bliss. :-)

    6. Re:oblig. sw ref. by Oswald+McWeany · · Score: 1

      Obama One-Time Kenobe- waves hand:

      "Iran, these are not the viruses you are looking for"

      --
      "That's the way to do it" - Punch
  6. Doo-koo? Meh... by Anonymous Coward · · Score: 0

    I'm waiting for the successor, Duqi =P

  7. The real problem by JoshuaZ · · Score: 4, Insightful

    The real problem with this sort of thing is the arms race that it inspires. Sure, one might not mind this sort of attack on Iran. But what happens in the next stage when China or Iran tries to do this to some other country? The problem with making new weapons is that the advantage they give only lasts until someone else has it. The collateral damage they do lasts indefinitely. This sort of lesson is especially true for something like this that can most easily target civillian assets.

    1. Re:The real problem by Anonymous Coward · · Score: 0

      Do you think this arms race isn't occurring right now? Reference: TFA

    2. Re:The real problem by Anonymous Coward · · Score: 0

      How is this insightful? This has been the argument FOR openness in the past (the more open, the faster things progress)...especially in the security and digital rights arena. Now, suddenly, it's bad? What's bad here are the actors, not the actions.

    3. Re:The real problem by Anonymous Coward · · Score: 0

      If I cared to ever register on Slashdot over the past 15 years I'd give you some karma/stars/common sense points...

    4. Re:The real problem by Anonymous Coward · · Score: 0

      Civilian assets? Do you know any civilians with PCUs ? I don't. Did you mean to refer to the military industrial complex as being a civilian operation? Because that would be misguided.
       
      Stuxnet and this Duqu don't target civilians, so much as non-military. That's not exactly the same thing. Targeting Boeing might be called civilian targeting, but it's ignorant at best to assume that boeing doesn't have government contracts. Skunk works ? Hello?
       
      In much the same way that targeting nuclear material centrifuges is not targeting civilians...

    5. Re:The real problem by Anonymous Coward · · Score: 1

      In the same way bombing a school is also not targeting civilians?

    6. Re:The real problem by downhole · · Score: 1

      Who says that these things (Stuxnet and Duqu) are inspiring the arms race? Like China or Iran or whoever else are only capable of copying what the US (or whoever it was) does? The technology is out there, and it's going to be picked up eventually by every country that cares enough to influence world affairs. China sure looks to be more than capable of figuring out how to hack things regardless of what we or anyone else does. If these things were infact made by us - that looks like the way to bet, though it's far from proven - we might as well be happy that we're getting a few knocks in early in the game, because "the next stage" will probably happen no matter what we do.

      --
      I don't reply to ACs
    7. Re:The real problem by jon3k · · Score: 1

      But what happens in the next stage when China or Iran tries to do this to some other country?

      Are you joking or is this your first day on slashdot? China has been on full scale assault mode for the last half a decade and that's being conservative. Put an IDS on the Internet sometime and just watch what happens.

  8. How many instances? by jamiesan · · Score: 1

    We need to..... Count Duqu

  9. Weaponized Malware by chiph · · Score: 1

    This is a pretty good indication that Duqu is weaponized malware -- being able to load modules specific to each target, where the target is (as far as anyone knows) foreign governments.

  10. The Penaltimate Virus by Anonymous Coward · · Score: 2, Interesting

    About 8 years ago I predicted that virus development would accelerate to the ultimate virus, namely:

    - it would be incredibly stealthy
    - it would use a modular framework of attack methods to breach systems
    - it would be self-organizing, i.e. P2P style networking
    - it would use heavily encrypted traffic

    And now, we hear that it has come to pass. The penultimate virus, the 2nd to the last, is now here with us. Only minor refinements remain:

    - it would self-probe defenses using a modular system. A wide variety of known vulnerabilities could then easily be matched to a specific module for attack. In essence, it no longer matters about attacking a single point. Instead, multiple points would be probed, and possibly attacked, at once.
    - it would be able to use its P2P network setup to pull probes and attacks that are not at the breached machine, allowing modules to be spread out thinly across the entire network of peers. This has several advantages in that it hides all of the known attack vectors, while reducing the footprint of the actual virus itself.
    - it would extend the P2P system by implementing a set of proxies. The idea is that the virus would eventually breach a border device, and noting that it was such, it would then enable a form of proxy back to the outside. This would allow for external penetration of a DMZ, and eventually, the interior network. Once inside the interior, it could use the proxies as a "lifeline" to go back and connect to the P2P network, allowing probes and attacks that were not carried by the originating virus to be available.

    There are a few more points that I will not publicly discuss, or include here, because I don't want to provide even more bad ideas to the public. Despite that, it should be pretty clear that when these key points are implemented, we will have reached the end-game of worm/virus/malware security: a self-replicating, self-defending, self-organizing attack vector. It is just a matter of time before all un-patched systems can be compromised, regardless of vendor, platform, or implementation. Years of security neglect (in the form of labor and capital expenditures) by large businesses in their quests to secure "eternal profits with no losses" will come back some day to be repaid to them...in the form of complete destruction and/or compromise of their data.

    It is time to withdraw some of our public Internet activity from view, and stand far back, away from what will eventually be a smoking crater. It is time for darknets to rise, for a gradual Exodus of those in-the-know, while the public stands around like sheep, waiting to be slaughtered by this chain of events. Get your data out of public systems, and start shielding yourself now.

    The Internet in the United States, Europe, and most of Asia, as we know it, is fundamentally broken. We have broken it ourselves, and willingly did so for the sake of our current and only god, Money. Everyone that was online 20 years ago knew this would be the result, warned against it, and for their efforts, were ridiculed and mocked. And now...now Facebook knows more about you than your parents, the US Govt. is more than happy to secretly probe you via Google warrants, and your credit rating is soon going to join that smoking crater when your credit card is eventually stolen from the likes of Sony.

    We warned you. You made the choice, you get to pay the price. KMFDM indeed.

  11. "The Sudan" by Anonymous Coward · · Score: 0

    like The Canada ?

  12. Sudan? by fnj · · Score: 2

    There are high value "networks" in Sudan? Seriously? High value anything?

    1. Re:Sudan? by Anonymous Coward · · Score: 0

      Thats what they want you to think muwhahahaah

      I for one welcome our Sudanese Reactor Blowing Overlords ! Hail !

    2. Re:Sudan? by Anonymous Coward · · Score: 0

      > There are high value "networks" in Sudan? Seriously? High value anything?

      The US government actually bombed a veterinary vaccine factory in Sudan on accusation of bio-weapons fabrication. It was a on-of-a-kind facility in the whole of Africa and the resulting shortage of vaccines ended in massive cattle epidemics in the following years, that brought on famine for several pastoral tribes, who then turned against each other in bloody tribal warfare.

      Thank you damn zionists who control America and the world. We know non-jewish "goyim" people are worth less than dirt in your eyes. You kill people left and right and turn their spilled blood and souls into gold via kabbalistic alchemy. Gold and Power are your true Lords, not YHWH, neither Jesus and the Holy Gospel!

    3. Re:Sudan? by Anonymous Coward · · Score: 0

      Whatever. Down boy. Did you take your meds? Keep your fucking religious nuttery to yourself.

  13. Echo Papa 607 by Anonymous Coward · · Score: 0

    SALESMAN [on viewscreen]: Whoever you are, wherever you're from, greetings. Welcome to Minos, the arsenal of freedom.
    PICARD: I am Captain Jean-Luc Picard of the USS
    SALESMAN [on viewscreen]: If you need a little something special, be it for one target or multiple targets, we got it. You'll see it here on Minos, where we live by the motto 'peace through superior firepower'.
    PICARD: To whom am I speaking?
    SALESMAN [on viewscreen]: To be totally armed is to be totally secure. Remember, the early bird that hesitates gets wormed.

  14. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion