Son of Stuxnet

November 13th, 2014

Via: Firstlook:

As he drove to work, he tried to wrap his mind around what he’d just seen, and couldn’t believe the Stuxnet gang was still active. After all the media attention and finger-pointing at Israel and the United States, he thought for sure the attackers would have laid low for a while to let things cool off. At the very least he thought they would have altered their methods and code a little to make sure that any attack they unleashed hereafter couldn’t be traced back to them if found. But judging by the report from Hungary, it appeared they hadn’t bothered to alter their signature moves at all. They really had balls, he thought. They were determined to do whatever they had to do to conduct their attack and didn’t care who knew it was them. Either that, or they were already so invested in using the Duqu code that they were loath to replace it even after Stuxnet had been caught.

Duqu was essentially a remote-access Trojan, or RAT, which operated as a simple back door to give the attackers a persistent foothold on infected machines. Once the back door was installed, however, Duqu contacted a command-and-control server, from which the attackers could download additional modules to give their attack code more functionality, such as the keystroke logger/infostealer the Hungarians had found on one of their systems.

As for Duqu’s intent, it was pretty clear it wasn’t a saboteur like Stuxnet, but an espionage tool. Whereas Stuxnet was a black ops mission bent on destruction, Duqu appeared to be the forward scout, sent out to collect intelligence for future assaults. Symantec suspected it was the precursor to another Stuxnet-like attack. Duqu’s life-span was limited, however; a kill date in the code forced it to self-destruct after thirty-six days, deleting all traces of itself from an infected machine.
