Duqu is sending shivers down the spines of security experts, not so much for what it has done as for fear of the unknown.
As more information comes out, fears are being set aside and protection is taking over. ICS-CERT, in close coordination with Symantec and the original researchers, has determined after additional analysis that neither industrial control systems nor their vendors/manufacturers were the target of Duqu. In addition, as of October 21, 2011, there have been very few infections, and current code analysis shows no evidence that Duqu presents a specific threat to industrial control systems.
Having said that, organizations need to remain vigilant against this and other sophisticated malware.
ICS-CERT will also continue coordination with Symantec, McAfee, the international community, and ICS Stakeholders.
On October 18, Symantec released a Security Response Report saying the original sample of W32.Duqu came from a research organization based in Europe and that additional variants also came from a second organization in Europe.
The attackers, Symantec said, were looking for information, such as design documents, that could be used in a future attack on an industrial control facility.
This threat focused on a limited number of organizations, apparently to exfiltrate data about their specific assets; the propagation method is not yet known. Symantec said W32.Duqu is not self-replicating.
Symantec reported other attacks could be ongoing using undetected variants of W32.Duqu, and said it is continuing to analyze additional variants.
Key points from the report include:
• The executables share some code with the Stuxnet worm and were compiled after the last Stuxnet sample was recovered.
• There is no ICS-specific attack code in Duqu or in the infostealer component.
• The primary infection vector used to deploy Duqu is not known (Duqu does not self-replicate or spread on its own).
• Targeting appears limited to a small number of organizations.
• The malware was signed with a valid digital certificate (revoked as of October 14, 2011).
• The malware self-deletes after 36 days.
• The Command and Control servers are in India.
McAfee Labs has also published a blog entry on the Duqu malware.
Duqu uses HTTP and HTTPS to communicate with a command and control (C&C) server at 22.214.171.124. The server is located in India and has since been disabled by its ISP, so no new connections should succeed; historical logs, however, may still show earlier contact.
Organizations should check network and proxy logs, including retained historical logs, for any communication with this IP address. Any such communication should be reported to ICS-CERT for further guidance.
Symantec provided sample names and MD5 hashes for the files identified as part of this threat:
• cmi4432.pnf (MD5: 0a566b1616c8afeef214372b1a0580c7)
• netp192.pnf (MD5: 94c4ef91dfcd0c53a96fdc387f9f9c35)
• cmi4464.PNF (MD5: e8d6b4dadb96ddb58775e6c85b10b6cc)
• netp191.PNF (MD5: b4ac366e24204d821376653279cbad86)
• cmi4432.sys (MD5: 4541e850a228eb69fd0f0e924624b245)
• jminet7.sys (MD5: 0eecd17c6c215b358b7b872b74bfd800)
• Infostealer component, file name not given (MD5: 9749d38ae9b9ddd81b50aad679ee87ec)
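The two checks recommended above, scanning proxy logs for contact with the C&C address and comparing file hashes against Symantec's list, can be scripted. The following is an added example written for this page, not a tool from ICS-CERT or Symantec. It takes the IP and MD5 values exactly as quoted above; the proxy log lines are constructed for illustration (Squid-style access log format is assumed) and the directory to hash is a parameter the reader supplies.

```python
"""Added IOC triage example (not from the ICS-CERT/Symantec advisory).

1. find_c2_hits(): flag log lines that mention the Duqu C&C address.
2. scan_tree():    hash every file under a directory and report MD5 matches
                   against the file hashes Symantec published.
"""
import hashlib
import os
import re

# Indicators quoted in the advisory text above.
C2_IP = "22.214.171.124"
DUQU_MD5 = {
    "0a566b1616c8afeef214372b1a0580c7": "cmi4432.pnf",
    "94c4ef91dfcd0c53a96fdc387f9f9c35": "netp192.pnf",
    "e8d6b4dadb96ddb58775e6c85b10b6cc": "cmi4464.PNF",
    "b4ac366e24204d821376653279cbad86": "netp191.PNF",
    "4541e850a228eb69fd0f0e924624b245": "cmi4432.sys",
    "0eecd17c6c215b358b7b872b74bfd800": "jminet7.sys",
    "9749d38ae9b9ddd81b50aad679ee87ec": "Infostealer",
}

# Boundaries on both sides so that 122.214.171.124 or 22.214.171.1240 do not
# produce false positives when grepping for the C&C address.
C2_RE = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"(?![\d.])")


def find_c2_hits(log_lines):
    """Return [(line_number, line), ...] for log lines contacting the C&C IP."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if C2_RE.search(line):
            hits.append((n, line.rstrip()))
    return hits


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Walk `root` and return [(path, md5, known_name), ...] for hash matches.

    Matching is on content hash, not file name: the .pnf/.sys names above are
    trivially renamed by an attacker, the published hashes are not.
    """
    matches = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip, do not abort
            if digest in DUQU_MD5:
                matches.append((path, digest, DUQU_MD5[digest]))
    return matches


# Constructed Squid-style access log lines (assumed format, not real traffic).
# Only the second line is a true contact with the C&C address; the third is a
# look-alike that a naive substring search would wrongly flag.
SAMPLE_LOG = [
    "1319100001.123    245 10.0.0.12 TCP_MISS/200 4321 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1319100002.456    812 10.0.0.37 TCP_MISS/200 1187 GET http://22.214.171.124/ - DIRECT/22.214.171.124 image/jpeg",
    "1319100003.789    102 10.0.0.37 TCP_TUNNEL/200 2048 CONNECT 122.214.171.124:443 - DIRECT/122.214.171.124 -",
]

if __name__ == "__main__":
    import sys
    for n, line in find_c2_hits(SAMPLE_LOG):
        print(f"C&C contact in log line {n}: {line}")
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, known in scan_tree(root):
        print(f"{path}: MD5 {digest} matches known Duqu file {known}")
```

Run it as `python duqu_ioc.py /path/to/scan` (file name is hypothetical). A hash list only catches the variants Symantec has already seen, which is why the log check for the C&C address is worth running alongside it: an undetected variant may still talk to the same server.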
The full extent of the threat posed by W32.Duqu is currently under evaluation. At this time, no specific mitigations are available; however, organizations should consider taking defensive measures against this threat. One such measure is to update antivirus definitions so that the Duqu Trojan is detected; because undetected variants may still be in circulation, signature updates should be paired with the log checks for C&C communication described above.