Iran has detected Duqu computer virus

November 14, 2011
TEHRAN (Reuters) – Iran said on Sunday it had detected the Duqu computer virus that experts say is based on Stuxnet, the so-called “cyber-weapon” discovered last year and believed to be aimed at sabotaging the Islamic Republic’s nuclear sites.

The head of Iran’s civil defense organization told the official IRNA news agency that computers at all main sites at risk were being checked and that Iran had developed software to combat the virus.

“We are in the initial phase of fighting the Duqu virus,” Gholamreza Jalali, was quoted as saying. “The final report which says which organizations the virus has spread to and what its impacts are has not been completed yet.

“All the organizations and centers that could be susceptible to being contaminated are being controlled,” he said.

News of Duqu surfaced in October when security software maker Symantec Corp said it had found a mysterious virus that contained code similar to Stuxnet.

While Stuxnet was aimed at crippling industrial control systems and may have destroyed some of the centrifuges Iran uses to enrich uranium, experts say Duqu appeared designed to gather data to make it easier to launch future cyber attacks.

Symantec said: “Duqu is essentially the precursor to a future Stuxnet-like attack.” Instead of being designed to sabotage an industrial control system, the new virus is designed to gain remote access capabilities, it said in a report issued last month.

Iran said in April it had been targeted by a second computer virus which it identified as “Stars.” It was not immediately clear if Stars and Duqu were related but Jalali described Duqu as the third virus to hit Iran.

Tehran said Stuxnet had not inflicted serious damage before it was detected and blamed the United States and Israel for the virus which appeared to be aimed at crippling the nuclear program they say is aimed at making atomic weapons, a charge Iran denies.

The International Atomic Energy Agency issued a report last week that contained what it called credible evidence pointing to military dimensions to Iran’s atomic activities, fueling demands in Washington and Europe for further sanctions.

Iran dismissed the report as politicized and full of “lousy” and unreliable intelligence work. The speaker of Iran’s parliament said on Sunday the assembly would “review” relations with the U.N. nuclear watchdog.


New variant of Stuxnet discovered

October 19, 2011

(EOZ h/t CHA, Zach) From eWeek:
A new worm targeting industrial control system manufacturers has a strong resemblance to Stuxnet, leading researchers to dub it “Son of Stuxnet”
Symantec researchers have discovered a new worm in the wild that has the potential to attack and cripple industrial control systems, much like Stuxnet did.
The new worm, dubbed Duqu, shares a lot of the code with Stuxnet, leading Symantec researchers to believe it was either created by the same team or by another group with access to the Stuxnet source code, Symantec researchers said in a 46-page whitepaper released Oct. 18. Unlike Stuxnet, which was designed to attack a very specific type of computer system, Duqu does not have appear to have a clear target.
Discovered a little over a year ago, Stuxnet is considered one of the most sophisticated pieces of malware ever developed. It compromised several industrial control systems at Iran’s Natanz nuclear facility. Observers believe Iran’s nuclear program had been set back years by the malware. Despite the fact that researchers around the world have analyzed Stuxnet, the source code is “not out there,” according to Mikko Hypponen, chief research officer of F-Secure, noting that “only the original authors have it.”
“Duqu is essentially the precursor to a future Stuxnet-like attack,” Symantec Security Response researchers wrote on the Symantec Connect blog. The researchers did not speculate on its origins.
Considering the time and resources required to develop tools like this, Lookingglass’ CTO Jason Lewis told eWEEK that a nation state was the likely author.
Duqu’s primary purpose at the moment appears to be intelligence-gathering from industrial control system manufacturers, according to Symantec. …
“The key thing missing here, unlike Stuxnet, is we don’t know what they are looking for,” Symantec said.
At the moment, Duqu only creates a back door on infected systems and connects with a command-and-control server somewhere in India, according to Symantec. The backdoor is open precisely for 36 days, after which the malware self-destructs.
The C&C server appears to not have sent any instructions yet, Symantec said. The short 36 day lifecycle implies there is a specific target, according to Lewis.
According to McAfee’s analysis of the worm, the malware installs drivers and encrypted DLLS that can act as keyloggers on the system to monitor all processes and messages. It also has no mechanism to replicate itself.
McAfee researchers Guilherme Venere and Peter Szor are fairly confident that Duqu was created by the same developers responsible for Stuxnet. They based their conclusions on the fact that both viruses utilize similar encryption keys and techniques, injection code and fraudulent digital certificates which had been issued to companies in Taiwan. The digital certificate keys appear to be real, which also make the programs look legitimate.
I don’t know how difficult it is to modify Stuxnet to do other things, but the description here isn’t making much sense to me. I cannot see the value of using already-known exploits to try to gather new infomation when everyone with any concept of computer security would have already put up defenses against it.
On the other hand, Symantec says that this code uses a new stolen digital certificate from Taiwan that had not been breached before, and that the code seems to have been written in December 2010. A normal hacker is not usually able to steal digital certificates – that requires real-world espionage.