The Stuxnet worm, which appears to be re-emerging in a new form, Duqu, has been tagged as the harbinger of a new era of cyber warfare. Researchers have found new evidence of the malware's regeneration, which has put governments around the world on high alert.
Stuxnet, a highly complex piece of malware created to spy on and disrupt Iran's nuclear programme, is one of the major weaponized viruses that can turn ordinary computers into deadly weapons with shocking destructive power.
Although the authors of the worm are yet to be identified, the U.S. and Israeli governments are the main suspects. The new Duqu worm is now thought to be the forerunner of a future attack similar to Stuxnet.
“Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors (or those that have access to the Stuxnet source code) and appears to have been created since the last Stuxnet file was recovered,” wrote Symantec, the security firm which made the discovery public, in its blog. “Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.”
The security firm said that the new malware program uses more or less the same code as the Stuxnet virus discovered in 2010, but instead of destroying systems, Duqu opens a backdoor and breaks into the system. Its creators could later use this access to destroy the networks at any time of their choosing.
“Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat was highly targeted toward a limited number of organizations for their specific assets,” Symantec further wrote, “However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.”
The malware uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that, at the time of writing, is still operational. Through the C&C server the authors can download additional executables, including an infostealer that can perform actions such as enumerating the network, recording keystrokes and gathering system information.
According to Michael Sconzo, a senior security officer at the global computer security company RSA, the new virus implants itself in computer systems for 36 days, analyzes and profiles the system's workings, sends its findings out to a secure server, and then self-destructs.
Experts who have examined the Stuxnet worm said that the malware was built to damage the motors used in uranium-enrichment centrifuges by driving them out of control. Iran later admitted that some of its centrifuges had been disrupted, while refusing to accept that Stuxnet played any part in it.
Symantec said that the new threat uses a custom C&C protocol that primarily downloads or uploads JPG files. In addition to transferring fake JPG files, however, further data for exfiltration is encrypted and sent. Finally, the threat is configured to run for 36 days, after which it automatically removes itself from the system.
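The C&C traffic described above hides behind what look like ordinary JPG transfers over HTTP/HTTPS. A defender reviewing proxy or network captures can at least ask whether a body labelled as an image is structurally a JPEG at all, and whether anything follows the image's end marker. The script below is an added illustration written for this page, not Symantec's analysis and not Duqu's actual protocol; it assumes a simple heuristic (malformed "JPEGs" and bytes appended after the end-of-image marker are worth a second look) and uses constructed sample bodies rather than any real capture. The function, constant and sample names (`find_jpeg_end`, `assess_transfer`, `scan_transfers`, `MINIMAL_JPEG`, `SAMPLE_TRANSFERS`) are all hypothetical.

```python
# Added example: structural check for HTTP bodies that claim to be JPEG.
# Assumed defensive heuristic for illustration only; it is not Duqu's real
# file format, and every sample body below is constructed by hand.

from typing import List, Optional, Tuple

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no 2-byte length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def find_jpeg_end(blob: bytes) -> Tuple[Optional[int], str]:
    """Walk the JPEG marker segments of `blob`.

    Returns (offset just past the EOI marker, "ok") for a structurally sound
    stream, or (None, reason) when the marker structure breaks down.
    """
    if len(blob) < 4 or blob[0] != 0xFF or blob[1] != SOI:
        return None, "missing SOI"
    pos = 2
    while pos + 1 < len(blob):
        if blob[pos] != 0xFF:
            return None, f"expected marker at offset {pos}"
        marker = blob[pos + 1]
        if marker == 0xFF:          # 0xFF fill byte before a marker: skip it
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos, "ok"
        if marker in STANDALONE:
            continue
        if pos + 2 > len(blob):
            return None, "truncated segment length"
        seg_len = int.from_bytes(blob[pos:pos + 2], "big")  # includes itself
        if seg_len < 2 or pos + seg_len > len(blob):
            return None, "bad segment length"
        pos += seg_len
        if marker == SOS:
            # Entropy-coded data follows. Advance to the next real marker,
            # skipping 0xFF00 byte stuffing, RSTn markers and 0xFF fill.
            while True:
                ff = blob.find(b"\xff", pos)
                if ff == -1 or ff + 1 >= len(blob):
                    return None, "no marker after SOS data"
                nxt = blob[ff + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 or nxt == 0xFF:
                    pos = ff + 1
                    continue
                pos = ff
                break
    return None, "missing EOI"


def assess_transfer(content_type: str, body: bytes, max_trailing: int = 0) -> dict:
    """Classify one HTTP body. Only bodies declared as image/jpeg are judged;
    `max_trailing` allows a tolerance for benign trailing bytes."""
    result = {
        "declared_jpeg": content_type.lower().startswith("image/jpeg"),
        "well_formed": False,
        "trailing_bytes": 0,
        "reason": "",
    }
    end, reason = find_jpeg_end(body)
    result["reason"] = reason
    if end is not None:
        result["well_formed"] = True
        result["trailing_bytes"] = len(body) - end
    result["suspicious"] = result["declared_jpeg"] and (
        not result["well_formed"] or result["trailing_bytes"] > max_trailing
    )
    return result


def scan_transfers(transfers: List[Tuple[str, str, bytes]]) -> List[str]:
    """Return the URLs of transfers the heuristic flags, in input order."""
    return [url for url, ctype, body in transfers
            if assess_transfer(ctype, body)["suspicious"]]


# Constructed minimal JPEG: SOI, an APP0/JFIF segment, a one-component SOS
# header, a few bytes of entropy data with 0xFF00 stuffing, then EOI.
MINIMAL_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)

# Constructed sample transfers (url, declared content type, body).
SAMPLE_TRANSFERS = [
    ("http://c2.example/clean.jpg", "image/jpeg", MINIMAL_JPEG),
    ("http://c2.example/appended.jpg", "image/jpeg", MINIMAL_JPEG + b"\x7a" * 64),
    ("http://c2.example/notreally.jpg", "image/jpeg", b"\x00\x11\x22\x33\x44\x55"),
    ("http://site.example/index.html", "text/html", b"<html></html>"),
]

if __name__ == "__main__":
    for url, ctype, body in SAMPLE_TRANSFERS:
        print(url, assess_transfer(ctype, body))
    print("flagged:", scan_transfers(SAMPLE_TRANSFERS))
```

Two design notes. First, the walker does not decode the image; it only checks that the marker skeleton is consistent, which is cheap enough to run inline on proxy traffic and already separates a real picture from opaque data wearing a `.jpg` name. Second, trailing bytes after EOI are not proof of anything on their own, since some cameras and editors leave harmless padding, so `max_trailing` exists to be tuned against a baseline of known-good images before the rule generates alerts.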
“Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. Instead of a payload designed to sabotage an industrial control system, the payload has been replaced with general remote access capabilities. The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries,” Symantec wrote. “The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks.”
The U.S. Department of Homeland Security has now warned that politically motivated hackers, such as Anonymous, could start targeting industrial control systems, according to a BBC News report.
Stuxnet was first discovered by the security company VirusBlokAda in June 2010. Its name is derived from keywords found in the software. The malware targeted Siemens industrial software and equipment running Microsoft Windows. It was the first malware discovered that spied on and subverted industrial systems, and the first to include a programmable logic controller (PLC) rootkit.
According to a previous Telegraph report, a showreel that was played at a retirement party for the head of the Israel Defence Forces (IDF), Gabi Ashkenazi, included references to Stuxnet as one of his operational successes as the IDF chief of staff.