Venafi says ‘Son of Stuxnet’ Duqu Trojan should act as an alarm for IT security professionals
October 2011 by Venafi
Reports that the ‘Son of Stuxnet’ malware – dubbed Duqu – has been spotted in the wild represent yet another significant security threat, says Venafi. The code for this malware appears to have been written by an organisation with access to the original Stuxnet source code. Since Stuxnet is estimated to have taken ten man-years to develop, and has an extremely sophisticated code base, this new development should be a major worry for all organisations, big or small.
“2011 is the year of third-party compromises,” according to Calum MacLeod, Director of Venafi EMEA, the enterprise key and certificate management (EKCM) security specialist, “We have seen five significant compromises in the last year that have targeted the highest-value attack targets: third-party trust providers, including Stuxnet, Comodo, StartSSL, Diginotar and now DuQu.”
Early analysis of the Duqu malware suggests that it is a refined version of the original Stuxnet. However, the difference is that it is fitted with a remote access trojan. “Duqu is the embodiment of pre-attack strategies leveraged in militaries all around the world: send in reconnaissance agents, gather intelligence and report back,” said MacLeod. “This is what this new malware does on an automated basis: gathering intelligence data and other digital assets from systems that use industrial control technologies, and then relaying that information back to base,” he said.
The initial Stuxnet malware incident offers a clarion wakeup call to IT security, as it intentionally exploited the poor certificate management practices that exist in many organisations today. The first consideration is how a compromised digital certificate was leveraged in the attack. The malware used the signed certificate to authenticate itself within the environment, thereby allowing it to act as a trusted application and communicate with other devices. This was the first reported incident of a digital certificate being deployed in this type of attack, and must be viewed as an ominous sign of things to come.
Organisations often don’t know where their digital certificates—commonly issued for securing communications, protecting sensitive data and/or for mutual authentication between devices—have been deployed and are in use. This is an unacceptable situation to anyone who takes security seriously. Allowing unknown and undiscovered encryption assets to exist within a closed IT environment represents an unquantified risk. A failure to manage this kind of risk exposes organisations to increased vulnerabilities such as the Stuxnet attack.
MacLeod says that the discovery of the Duqu malware should act as a major wakeup call to the IT security industry to be prepared to repel the threat that Duqu and its variants undeniably pose – and to do so immediately.
“I think the fact that Duqu has used a rogue digital certificate to fool IT users into thinking that it represents trusted code is highly significant. Organisations must have a complete inventory of all the certificates from their certificate authority – monitor them and know which ones are within policy – in order to revoke and remove those that are not, or they are facing unquantifiable risk,” he said.
“It is notable that this is the second reported incident of a digital certificate being deployed in this type of attack, and must be viewed as an ominous sign of things to come, both in terms of cyberwarfare and the hijacking of digital certificates as a subversion and infection methodology,” he added.
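The practice the release describes, an inventory of an organisation's certificates audited against a policy so that out-of-policy ones can be revoked and removed, can be demonstrated with the Go standard library. The following is an added example, not Venafi's product or code from the original release: it constructs a small in-memory inventory (a corporate CA, a compliant leaf and three leaves that each break the policy) and then reports the violations. The CA names, host names, serial numbers and policy limits are all constructed sample values; in practice the certificate list would come from scanning hosts, key stores and the CA's issuance records.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy holds the organisation's certificate policy (hypothetical values).
type Policy struct {
	TrustedIssuers map[string]bool // CN of each CA the organisation has approved
	MinRSABits     int             // smallest RSA modulus allowed
	MaxValidity    time.Duration   // longest validity period allowed
	RevokedSerials map[string]bool // serials the CA has already revoked
}

// DefaultPolicy is a constructed sample policy for the example.
func DefaultPolicy() Policy {
	return Policy{
		TrustedIssuers: map[string]bool{"Corp Internal CA": true},
		MinRSABits:     2048,
		MaxValidity:    398 * 24 * time.Hour,
		RevokedSerials: map[string]bool{"101": true},
	}
}

// CheckCertificate returns the policy violations for one certificate; an empty
// slice means the certificate is within policy.
func CheckCertificate(c *x509.Certificate, p Policy, now time.Time) []string {
	var problems []string
	if !p.TrustedIssuers[c.Issuer.CommonName] {
		problems = append(problems, "issuer not on the approved CA list: "+c.Issuer.CommonName)
	}
	if now.After(c.NotAfter) {
		problems = append(problems, "expired on "+c.NotAfter.Format(time.RFC3339))
	}
	if c.NotAfter.Sub(c.NotBefore) > p.MaxValidity {
		problems = append(problems, "validity period longer than policy allows")
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits {
		problems = append(problems, fmt.Sprintf("RSA key too small: %d bits", k.N.BitLen()))
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		problems = append(problems, "weak signature algorithm: "+c.SignatureAlgorithm.String())
	}
	if p.RevokedSerials[c.SerialNumber.String()] {
		problems = append(problems, "serial number is on the revocation list")
	}
	return problems
}

// AuditInventory runs the policy over every certificate and returns only the
// ones with violations, keyed by subject CN.
func AuditInventory(certs []*x509.Certificate, p Policy, now time.Time) map[string][]string {
	out := map[string][]string{}
	for _, c := range certs {
		if probs := CheckCertificate(c, p, now); len(probs) > 0 {
			out[c.Subject.CommonName] = probs
		}
	}
	return out
}

// issue creates a certificate for pub signed by caKey; self-signed when caCert is nil.
func issue(serial int64, cn string, notBefore, notAfter time.Time, pub any,
	caCert *x509.Certificate, caKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent := tmpl
	if caCert != nil {
		parent = caCert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildSampleInventory constructs the sample inventory: one compliant leaf, one
// with a 1024-bit RSA key that is also revoked, one expired, and one issued by
// a CA the organisation never approved. Constructed data, not real certificates.
func BuildSampleInventory(now time.Time) []*x509.Certificate {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	weakRSA, _ := rsa.GenerateKey(rand.Reader, 1024) // below the 2048-bit policy

	year, month := 365*24*time.Hour, 30*24*time.Hour
	ca := issue(1, "Corp Internal CA", now.Add(-year), now.Add(5*year), &caKey.PublicKey, nil, caKey, true)
	rogue := issue(1, "Unknown Vendor CA", now.Add(-year), now.Add(5*year), &rogueKey.PublicKey, nil, rogueKey, true)

	return []*x509.Certificate{
		issue(100, "app01.corp.example", now.Add(-month), now.Add(year), &leafKey.PublicKey, ca, caKey, false),
		issue(101, "legacy-plc.corp.example", now.Add(-month), now.Add(year), &weakRSA.PublicKey, ca, caKey, false),
		issue(102, "old-hmi.corp.example", now.Add(-2*year), now.Add(-year), &leafKey.PublicKey, ca, caKey, false),
		issue(103, "vendor-tool.corp.example", now.Add(-month), now.Add(year), &leafKey.PublicKey, rogue, rogueKey, false),
	}
}

func main() {
	now := time.Now()
	for cn, probs := range AuditInventory(BuildSampleInventory(now), DefaultPolicy(), now) {
		fmt.Println(cn)
		for _, p := range probs {
			fmt.Println("  -", p)
		}
	}
}
```

The issuer check is the one that matters most for the case discussed here: a certificate chained to a CA the organisation never approved is flagged regardless of its key size or dates, which is exactly the "unknown and undiscovered encryption asset" the release warns about. Only the subject CN is used as the report key, so a real inventory would key on issuer plus serial to avoid collisions.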