If you haven’t heard of Duqu (not to be confused with the Count), you’re not paying attention (we forgive you). For those of you who haven’t heard, Duqu is a Stuxnet variant seen in the wild. If you remember, Stuxnet targeted Supervisory Control and Data Acquisition (SCADA) systems – these systems are used for the Industrial Control Systems (ICS) that generally operate our critical infrastructure including, but not limited to: water treatment and distribution, wastewater treatment, oil and gas pipelines, the power grid (further information about Smart Grids and Cyber Security), civil alerting systems, as well as systems found in airports (see the SCADA entry at Wikipedia).
Duqu has been picked up not only by the usual sources (ThreatPost here, here, and here; Dark Reading here and here; McAfee here; Symantec here and here (PDF); F-Secure here; Sophos here), but by mainstream sources as well (Wired here; Fox News here and here; MSNBC here; The Inquirer here). It would seem that there’s a wealth of information on Duqu available.
McAfee claims the Stuxnet team is still active and mentions that they received a kit from an “independent team of researchers.” Symantec received a sample from “a research lab with strong international connections,” and has essentially reached the same conclusion as McAfee with respect to authorship: “The threat was written by the same authors (or those that have access to the Stuxnet source code).” Symantec has indicated that Duqu contains no code related to any Industrial Control System, but that Duqu is simply a Remote Access Trojan (RAT) targeting specific organizations for the purpose of stealing information. This is why multiple sources believe that Duqu is a precursor to a more Stuxnet-like attack.
Other tidbits about Duqu include:
- Uses a custom Command and Control (C&C) protocol
- C&C server (still operational as of October 18th) is located somewhere in India
- Variants of Duqu may have existed since 2010
- It is not self-replicating, and is therefore not a worm
- It runs for 36 days and then removes itself from the system
- The propagation vector has not been identified
- No one really knows its purpose – McAfee has suggested that Duqu targets Certificate Authorities; many others have assumed Duqu’s relationship to Stuxnet to imply that it is ultimately targeting SCADA systems
To besmirch the Internet’s trust infrastructure once again, one Duqu variant was signed with a valid digital certificate (since revoked). Symantec updated their blog on October 18th (probably at the behest of Thawte and/or VerisSign) to draw attention to the fact that the private key associated with the certificate used was likely stolen and not the result of poor Certificate Authority practices. Even if the trust credentials were stolen and not inappropriately granted by a CA, it still represents a failure of our trust model.
And, (finally right?) this is where the story becomes very juicy from a security perspective. There are many reasons (most speculative) Duqu can be viewed as disturbing, but, to me, there’s a much larger story here:
The models we use for distinguishing between malicious and benign behavior are becoming increasingly inadequate.
A brief recap of what Duqu does:
- It installs using valid trust credentials on systems
- It does not self-propagate
- It’s custom C&C protocol uses HTTP and/or HTTPS for transport
- It uninstalls itself after 36 days
That’s really amazing when you think about it. Somehow getting into an enterprise on potentially more than one host, then communicating across the perimeter undetected (HTTP/HTTPS), then loading key loggers, network discovery tools, and other information stealing components, and finally disengaging after a predetermined period of 36 days.
With the exception of Duqu’s activity lasting only 36 days, does it look like anything else that might be familiar to you? It should, because from the perspective of our monitoring tools, it looks an awful lot like you and me. During the course of a month at work I will:
- Install software and/or drivers as needed (many are signed using valid trust credentials)
- The software I install does not (I hope!) self-propagate to other systems – it installs and stays put
- I browse the internet, and some software probably phones home from time to time with usage statistics, which uses HTTP and/or HTTPS as the transport mechanism
- From time to time I discover that I no longer need the software or driver, and I’ll uninstall it.
Regardless of Duqu’s ultimate purpose, the larger problem is that we are increasingly unable to distinguish malicious behavior from benign behavior in our systems. This indicates that the models we use for the purpose of distinguishing between malicious and benign are being defeated.
If our detection models are, in fact, a real problem here, then what are the root causes and subsequent solutions in your opinion?