Pierluigi Paganini December 04, 2011

Cyber warfare expert John Bumgarner claims that the Stuxnet and Duqu virus have been active for much longer than previously suspected, he says that they are active in different variant since 2006.

Precisely he claims that the Stuxnet computer virus is linked to Conficker, a mysterious “worm” that surfaced in late 2008 and infected millions of PCs.

Conficker was used to open back doors into computers in Iran, then infect them with Stuxnet … “Conficker was a door kicker,”

Let remind that StuxNet has been discovered in 2010 and has been developed to attack Siemens PLCs whose use is widespread in the control systems of centrifuges for uranium enrichment.

Iran is still confronting the virus and the consequences of his attacks on the country’s critical infrastructures.  However Duqu has been more recent discovery and it apparently seems to share the genesis of Stuxnet, and it seems to be created for a different purpose, information steal. At least that would seem to be the main feature of Duqu observed in isolated instances of malware.

That said, the most alarming Duqu feature is its modularity, which would indicate that the malware has been designed with the intent to be scalable in its offensive possibilities. Today identity theft, tomorrow … unpredictable behaviour and targets?.

We are facing a new malware generation, modular and polymorphic, two features that make it particularly dangerous.

According Vitaly Kamluk, malware expert at Kaspersky Lab, his team found more than a dozen command-and-control servers operating during the past three years.  This demonstrate that more than a dozen different Duqu varients have been identified.  Many different servers were hacked all around the world (e.g.  in Vietnam, Germany, Singapore, Switzerland, India and UK). Most of the infected machines were running CentOS Linux and seems have been hacked by brute forcing attack to the root password. OpenSSH 4.3 0-day theory has been excluded.

Server ‘A’  was located in Vietnam and was used to control Duqu deployed in Iran. This was a Linux server running CentOS 5.5. Actually, all the Duqu C&C servers we have found so far run CentOS – version 5.4, 5.5 or 5.2. It is not known if this is just a coincidence or if the attackers have an affinity (exploit?) for CentOS 5.x.

The  attackers replace the stock OpenSSH 4.3 with version 5.8, and it has been possible to demonstrate it, but we don’t know real reason.

Server ‘B’ was located at a data center in Germany that belongs to a Bulgarian hosting company. It was used by the attackers to log in to the Vietnamese C&C. Evidence also seems to indicate it was used as a Duqu C&C in the distant past, although we couldn’t determine the exact Duqu variant which did so.

The Linux choice for the attacked system is quite strange.

A global cleanup operation took place on 20 October 2011 but the attackers wiped every single server which was used even in the distant past but unfortunately, the most interesting server, the C&C proxy in India, was cleaned only hours before the hosting company agreed to make an image.  The “real” Duqu mothership C&C server remains a mystery just like the attackers’ identities.

Here you are the principal milestones related to the agent history:

• May 2006 – Engineers compile code for a component of Stuxnet that will allow them to attack programmable logic controllers, or PLCs, manufactured by Siemens of Germany. Iran’s nuclear program uses Siemens PLCs to control the gas centrifuges in its uranium enrichment facilities.
• 2007 – Duqu, a data-stealing piece of malware, is deployed at targeted sites in Iran and some of its allies, including Sudan.
• Late 2007 – Engineers write the code for the “digital bomb” component of Stuxnet, allowing those behind the attack to force the gas centrifuges to rotate at faster-than-normal speeds, which is what damaged the sensitive equipment when the cyber weapon was eventually deployed.
• November 2008 – Conficker appears, starts to spread rapidly.
• December 2008 – Actors behind Stuxnet start running www.mypremierfutbol.com, a website appealing to soccer fans that will eventually be used to cloak traffic traveling between machines infected with Stuxnet and the server controlling them.
• January 2009 – They start running www.todaysfutbol.com, which will be used for the same purpose.
• January 2009 – Spread of Conficker peaks and engineers continue writing code for key components of Stuxnet.
• March 2009 – Conficker Variant C is deployed. This version will be used to deliver Stuxnet to Iran.
• April 1, 2009 – Attackers begin to deploy Stuxnet to Iran on the 30th anniversary of the declaration of an Islamic republic in Iran.
• January 2010 – Operators of Stuxnet accelerate program by adding new malware components that make it spread faster and also make it more dangerous.
• March 2010 – Stuxnet operators add additional components to the malware to make it even more powerful.
• June 2010 – Computer security firm VirusBlokAda identifies Stuxnet as a piece of malware after reviewing a sample that was found in Iran.
• July 2010 – Cyber security blogger Brian Krebs breaks news of Stuxnet on his website.
• November 2010 – Iran President Mahmoud Ahmadinejad discloses that a cyber weapon had damaged gas centrifuges at his nation’s uranium enrichment facility. “They did a bad thing. Fortunately our experts discovered that,” he said.

Conclusion

More I read of the results obtained by the research groups  more I am convinced that behind the development of such malware there is a government sponsorship.

We are facing with a new generation of weapons, real cyber weapons, silent and really offensive. -They are the result of the growing attention of many governments in cyberwarfare. Viruses are designed by teams of experts and their architecture are so complex that suggests a structured project aimed to surgery offensive.

Frankly speaking I do not understand why nobody have an idea about the possible paternity of the virus, whose genesis I think it is now well known to leading research groups. Probably the main reason is the important role of the Government who has created this virus and the political and economic power it has.

Nobody sees, nobody hears, nobody talks about it!

Pierluigi Paganini

References

http://www.reuters.com/article/2011/12/02/us-cybersecurity-iran-idUSTRE7B10AP20111202

https://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers

http://www.reuters.com/article/2011/12/02/us-cyberattack-iran-idUSTRE7B10AV20111202

https://infosecisland.com/blogview/18229-Duqu-May-Actually-Be-An-Advanced-Cyber-Weapon.html

http://searchsecurity.techtarget.com/news/2240111909/Trojan-attackers-cleaned-their-tracks-well-analysis-finds