(EOZ h/t CHA, Zach) From eWeek:
A new worm targeting industrial control system manufacturers has a strong resemblance to Stuxnet, leading researchers to dub it “Son of Stuxnet”
Symantec researchers have discovered a new worm in the wild that has the potential to attack and cripple industrial control systems, much like Stuxnet did.
The new worm, dubbed Duqu, shares a lot of the code with Stuxnet, leading Symantec researchers to believe it was either created by the same team or by another group with access to the Stuxnet source code, Symantec researchers said in a 46-page whitepaper released Oct. 18. Unlike Stuxnet, which was designed to attack a very specific type of computer system, Duqu does not appear to have a clear target.
Discovered a little over a year ago, Stuxnet is considered one of the most sophisticated pieces of malware ever developed. It compromised several industrial control systems at Iran’s Natanz nuclear facility. Observers believe Iran’s nuclear program had been set back years by the malware. Despite the fact that researchers around the world have analyzed Stuxnet, the source code is “not out there,” according to Mikko Hypponen, chief research officer of F-Secure, noting that “only the original authors have it.”
“Duqu is essentially the precursor to a future Stuxnet-like attack,” Symantec Security Response researchers wrote on the Symantec Connect blog. The researchers did not speculate on its origins.
Considering the time and resources required to develop tools like this, Lookingglass’ CTO Jason Lewis told eWEEK that a nation state was the likely author.
Duqu’s primary purpose at the moment appears to be intelligence-gathering from industrial control system manufacturers, according to Symantec. …
“The key thing missing here, unlike Stuxnet, is we don’t know what they are looking for,” Symantec said.
At the moment, Duqu only creates a back door on infected systems and connects with a command-and-control server somewhere in India, according to Symantec. The backdoor is open precisely for 36 days, after which the malware self-destructs.
The C&C server appears to not have sent any instructions yet, Symantec said. The short 36-day lifecycle implies there is a specific target, according to Lewis.
According to McAfee’s analysis of the worm, the malware installs drivers and encrypted DLLs that can act as keyloggers on the system to monitor all processes and messages. It also has no mechanism to replicate itself.
McAfee researchers Guilherme Venere and Peter Szor are fairly confident that Duqu was created by the same developers responsible for Stuxnet. They based their conclusions on the fact that both viruses utilize similar encryption keys and techniques, injection code and fraudulent digital certificates which had been issued to companies in Taiwan. The digital certificate keys appear to be real, which also makes the programs look legitimate.
I don’t know how difficult it is to modify Stuxnet to do other things, but the description here isn’t making much sense to me. I cannot see the value of using already-known exploits to try to gather new information when everyone with any concept of computer security would have already put up defenses against it.
On the other hand, Symantec says that this code uses a new stolen digital certificate from Taiwan that had not been breached before, and that the code seems to have been written in December 2010. A normal hacker is not usually able to steal digital certificates – that requires real-world espionage.
As columnist Charles Krauthammer pointed out, Americans have taken to a new slogan which neatly encapsulates their consternation regarding airport security. It was inadvertently coined by John Tyner, a 31-year-old software programmer from Oceanside, California. When he refused to allow a Transportation Security Administration official to administer a pat-down near his private area, he uttered a phrase which has resonated nationwide: “You touch my junk, and I’m going to have you arrested.” Yet as a Senate hearing on Wednesday indicated, the TSA is not backing down. TSA administrator John Pistole says he is sensitive to privacy concerns but insists that “government must provide the best possible security for air travelers.” Thus, the inevitable question: is this the best possible security government can provide? It is hard to reach that conclusion when one considers the salient issues surrounding the controversy.
The first issue would be terrorist creativity and determination.
We now remove our shoes at the airport because terrorist Richard Reid smuggled a shoe bomb onto a jetliner shortly after 9/11. We are also forbidden to bring certain amounts of liquids with us in response to the 2006 “liquid bomb” plot against at least 10 airliners traveling from the UK to the US and Canada. And now Americans are forced to deal with invasive pat-downs and full-body scans in response to Umar Farouk Abdulmutallab’s attempt to bring down Northwest Airlines Flight 253 on Christmas Day in 2009 by hiding a bomb in his underwear.
Yet what if terrorists emulate Abdullah Asieri, who attempted to assassinate Saudi Prince Mohammed Bin Nayef, head of Saudi Arabia’s counter-terrorism operations, with a bomb that reportedly evaded airport security because it was planted in the terrorist’s rectum? Subsequent forensics revealed that the bomb was not a rectal device but the same bomb used by Abdulmutallab. Drug smugglers frequently attempt to hide contraband in body cavities. Does anyone seriously think a suicide bomber would hesitate to do the same thing? One thing is certain: the same public that is outraged over full-body scans and pat-downs will never submit to a “routine” body cavity search. More importantly, if these types of bombs are virtually undetectable, doesn’t that make a complete mockery of the current procedures?
The second issue is our apparent determination to ignore the most successful airport security strategy currently in use. Israelis have a far more effective and far less invasive and time-consuming system. Why? Because it is the exact opposite of ours: in America the focus is on finding an explosive device. In Israel, the focus is on finding the person carrying the explosive device. Each passenger passes through several layers of security, and each layer is manned by people looking for unusual behavior. Lines are staggered to prevent creating large bunches of people who might be targeted by a terrorist who has gotten into the terminal. In addition, each airport is equipped with a blast-proof luggage screening area, complete with “bomb boxes” which can be used by screeners if they encounter a suspicious piece of luggage.
These bomb-proof areas serve another purpose as well. By isolating luggage in such an area, it is no longer necessary to evacuate an entire terminal if something proves suspicious, something which could take several hours. Only the people in the screening area need to move — and only a few meters away.
But the most important part of the equation is summed up by Rafi Sela, the president of AR Challenges, a global transportation security consultancy:
They’re not looking for everything they look for in North America. They just look at you. Even today with the heightened security in North America, they will check your items to death. But they will never look at you, at how you behave. They will never look into your eyes … and that’s how you figure out the bad guys from the good guys.
The third issue is the insistence that the federal government control airport security. It may seem like an odd question to ask with regard to airport security, but why is the federal government thirteen trillion dollars in debt? Because there are few direct consequences for government officials behaving irresponsibly. If a TSA agent allows a terrorist on a plane and that plane blows up, maybe the agent will be fired and most likely the government — meaning taxpayers — will be sued for damages. If airlines themselves were responsible for security, they would be incentivized to provide the best security available for a simple reason: failure on their part could bankrupt the company. Airlines would also likely compete with each other to provide the best combination of security coupled with minimal intrusion and inconvenience in order to maximize their market share. And the cost of that security would be borne by the people it is keeping secure, instead of taxpayers.