McAfee Says Duqu No Threat To Utilities

In a conference call Monday, David Hatchell, utilities account manager for McAfee, said there was “nothing to worry about at this point.”

“It (Duqu) is not targeting industrial control systems that we know of, and it’s not targeting any energy (companies) as far as we know,” Hatchell said.

While some security experts believe the creators of Duqu and Stuxnet were the same, Duqu is incapable of causing system disruptions. Duqu is capable of capturing data and transmitting it over the Internet to a command-and-control server somewhere in India. Symantec, which reported the discovery of Duqu last week, believes the Trojan was targeted at a “limited number” of ICS manufacturers, possibly to steal design documents for a Stuxnet-like attack in the future. Nevertheless, Duqu’s purpose remains a mystery.

“We can clearly see that this is used for espionage,” Peter Szor, senior director of research at McAfee Labs, said during the conference call. Very different industries have been targeted, including a hotel chain. While there was no confirmation from Iran, military industries in the country also could have been targeted. “Basically the goal of the malware is speculation at this point,” he said.

Szor said the company believes the drivers for Duqu were compiled in November 2010. The keylogger portion of Duqu, which records keyboard strokes, was compiled three months earlier. Szor believes earlier variants of Duqu may have been used to steal data in preparation for the Stuxnet attack. “That’s why I think personally that Duqu was a bit earlier than Stuxnet,” he said.

Variations of Duqu have been confirmed in England, Iran and the U.S., with reports of the Trojan in Austria, Hungary and Indonesia, McAfee said. Similarities to Stuxnet include the same malware-hiding rootkit, use of a stolen certificate authority from Taiwan to enable installation and a set timeframe for operation. Duqu was timed to delete itself after 36 days and the certificate was stolen from C-Media Electronics, according to McAfee.

Another mystery is how Duqu is installed in systems. The malware’s driver needs an installation application to be deployed. Whether, the package was delivered over the Web or through e-mail is not known. “There’s no signs of exploitation of vulnerabilities (within computer systems),” Szor said.

Andrew Plato, president of Beaverton, Ore.-based reseller Anitian Enterprise Security, said Duqu had not affected his customers. “It isn’t creating a big problem among my customers, but then again that doesn’t necessarily mean it’s not serious or important,” he said.

Symantec received a sample of Duqu Oct. 14 from a research lab that received the malware from computers systems located in Europe. Symantec reported the finding four days later. Symantec and McAfee claim their security software is capable of preventing Duqu from being installed.

Stuxnet, first discovered in June 2010, targeted Siemens industrial equipment running Microsoft Windows. Symantec estimated that that almost 60 percent of the infected systems worldwide were in Iran. While no confirmation came from Iran, experts believe control systems in the country’s nuclear facility were damaged.