Stuxnet & Duqu, update on cyber weapons usage

Pierluigi Paganini April 19, 2012

We all know about the malware Stuxnet and Duqu, unanimously considered the first examples of cyber weapons developed by a government to silently attack critical enemy infrastructure. We have written a lot on the topic and have followed with attention the excellent analyses made by experts of the sector such as Ralph Langner and the researchers of the security firms Kaspersky and Symantec; in recent days new updates have been published on the web regarding the two agents, trying to explain their status and the way they were spread behind enemy lines.

Let’s start with the update on the Stuxnet virus that was implanted to damage Iran’s nuclear program. The news of these days is that the operation was conducted by Israeli agents with the collaboration of Iranian spies, who used a corrupt “memory stick.32” to sabotage the nuclear plant of Natanz by infecting machines there, according to the declarations of former and serving U.S. intelligence officials.

In the continuing battle to hold off the Iranian nuclear program, Iranian proxies have also been active in assassinating Iran’s nuclear scientists, these sources said. Key figures of the operations seem to be groups of Iranian dissidents, also involved in the assassination of Iran’s nuclear scientists. Of course, the choice of a human vector to spread the malware aims at a more efficient diffusion of the virus, avoiding its discovery before it reaches the target.

“They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility. ‘Iranian double agents’ would have helped to target the most vulnerable spots in the system.”

Iran’s intelligence suspected the infiltration of spies inside its plants and arrested an unspecified number of people accused of having supported the operations related to the diffusion of the Stuxnet virus.

Who are the Iranian spies that have supported the Israeli operations?

Former and senior U.S. officials believe the Iranian supporters belonged to the Mujahedeen-e-Khalq (People’s Mujahedin of Iran, also known as MEK, PMOI or MKO).

The group is an Iranian exile organization that advocates the overthrow of the Islamic Republic of Iran; it was founded on September 5, 1965 by a group of leftist Iranian university students as an Islamic and Marxist political mass movement. MEK was originally devoted to armed struggle against the Shah of Iran, capitalism, and Western imperialism; during the Iran-Iraq War, the group was given refuge by Saddam Hussein and mounted attacks on Iran from within Iraqi territory. MEK is considered the military wing of the National Council of Resistance of Iran (NCRI) and has targeted Iranian officials and government facilities in Iran and abroad.

The United States, Canada, Iraq and Iran consider the MEK a terrorist organization. On January 26, 2009, the Council of the European Union removed the MEK from the EU list of organizations it designates as terrorist, and the United States received its support for intelligence operations against Iran’s nuclear program in 2002 and 2008.

The report of  from says:

Former and senior U.S. officials believe nuclear spies belonged to the Mujahedeen-e-Khalq (MEK), which Israel uses to do targeted killings of Iranian nationals, they said. “The MEK is being used as the assassination arm of Israel’s Mossad intelligence service,” said Vince Cannistraro, former head of the CIA’s Counterterrorism. He said the MEK is in charge of executing “the motor attacks on Iranian targets chosen by Israel. They go to Israel for training, and Israel pays them.” Other former agency officials confirmed this.

We have always maintained that Israel has worked closely with the US government, and this is true in the specific campaign against the Iranian nuclear program, at least for the development of the cyber weapons; but since 2007 five Iranian nuclear scientists have been killed on Iranian territory, and American forces seem to be extraneous to those events: Israel has used as killers MEK spies well infiltrated in the local social context and with a deep knowledge of the activities performed inside Iran’s nuclear plants.

Stuxnet was first discovered by the Ukrainian firm VirusBlokAda, based in Minsk, which was contacted by an Iranian dealer having problems with several of its clients’ computers. Apparently, the computers were constantly shutting down and restarting, but the antivirus was not able to detect the agent because Stuxnet exploited zero-day vulnerabilities. Let’s also consider that the agent’s code was signed with digital certificates of Realtek Semiconductor and JMicron Technology Corp, giving it the appearance of legitimate software to Microsoft Windows.

Stuxnet was a perfect example of a cyber weapon developed to surgically select its targets while remaining undetected and avoiding the infection of non-target machines. With Stuxnet, in fact, a new concept of malware was introduced: a broad-spectrum deadly weapon capable of hitting, in a silent and surgical way, a high number of objectives located anywhere on the planet.

The researchers of the major antivirus companies have identified Stuxnet as the progenitor of another malware, Duqu, also classified as a cyber weapon developed on a government’s commission. Duqu is quite different from its relative: it has a modular structure like Stuxnet, but it isn’t equipped with modules for attacking SCADA systems. It is only able to steal information from the host system.

In March 2012 a new instance of Duqu was isolated, a variant designed to evade the detection mechanisms of antivirus products and other security systems: its source code appears to have been reshuffled and compiled with a different set of options, and it also contains a different subroutine for decrypting the configuration block and loading the malware’s body. A similar operation had already been observed in October 2011. Of course, the references to the C&C server have also changed, because all the old infrastructure was shut down on Oct. 20, 2011.

Duqu is therefore still operating: in the last week several new instances have appeared in the Philippines, where the Duqu malware is infecting several computers, spreading hidden in documents such as Microsoft Word files. According to Kaspersky Lab the emergency is high, because the malware may begin to affect newly industrialized countries in Asia, including the Philippines, one of the major IT outsourcing service providers.

“The spread of Duqu in the Philippines could have dire effects on its multibillion-dollar outsourcing business,”

Kaspersky Lab said in a statement.

Kaspersky’s director of global research & analysis, Costin Raiu, with his team, gathered evidence showing that behind Stuxnet and Duqu there is the same development team, which used a common platform to build the malware; but what is really interesting and new is that the researcher is convinced that the same framework has also been used to create at least three other pieces of malware.

We are dealing with an application that consists of several modules, each responsible for a specific function. The behavior of the malware produced is determined by the way in which these modules are made to interact within the same agent. We are facing a powerful weapon for the following reasons:

  • Mutable and non-deterministic behavior of the final agent, resulting from the modules used.
  • Possibility of developing additional modules designed for specific categories of targets.
  • Opportunities for collaboration among multiple groups of developers belonging to different organizations. With a common platform it will be possible in the future to create a real library of modules: functions that can be called, as in any other program, to infect specific objectives.

Costin Raiu said:

“It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,”

The statement is the perfect synthesis of the key concept behind the new cyber weapons: just as with Lego, you can build any “shape” of malware by assembling the individual components so as to attack a specific target. Researchers at Kaspersky have named the platform “Tilded” because many of the files in Duqu and Stuxnet have names beginning with the tilde symbol “~” and the letter “d.”
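As an added defender-side example (not code from the article, nor from Kaspersky), the naming convention just described turned into a triage check over a Windows file listing; the staging-folder list and the ranking weights are assumptions, and the sample paths are constructed, not real indicators.

```python
import re
from pathlib import PureWindowsPath

# Naming convention the article attributes to the "Tilded" platform: a leading
# tilde followed by "d" (case-insensitive); the page states only the prefix.
TILDED_NAME = re.compile(r"^~d", re.IGNORECASE)

# Folders where dropped components are usually staged (assumption; only ranks hits).
STAGING_DIRS = {"temp", "tmp", "inf"}

def tilded_score(path: str) -> int:
    """0 if the file name does not match the ~d convention; otherwise a triage
    weight: 1 for the name, +1 in a staging folder, +1 for a .tmp extension."""
    p = PureWindowsPath(path)
    if not TILDED_NAME.match(p.name):
        return 0  # Office temp forms "~$x.docx" and "~WRDnnnn.tmp" land here
    score = 1
    if p.parent.name.lower() in STAGING_DIRS:
        score += 1
    if p.suffix.lower() == ".tmp":
        score += 1
    return score

def triage(listing: str) -> list:
    """Rank the paths of a file listing (one per line) by tilded_score and drop
    non-matching names. A hit is a lead, not a verdict: Word also writes
    scratch files named ~DFxxxx.tmp, so hash and signer checks must follow."""
    hits = []
    for line in listing.splitlines():
        path = line.strip()
        s = tilded_score(path) if path else 0
        if s:
            hits.append((path, s))
    return sorted(hits, key=lambda h: (-h[1], h[0]))

# Constructed sample listing (not real indicators): ~d names mixed with
# ordinary files and the Office temp-file forms that must not be flagged.
SAMPLE_LISTING = r"""
C:\Windows\Temp\~dx7.tmp
C:\Windows\inf\~dq.sys
C:\Users\alice\Documents\~$budget.docx
C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp
C:\Program Files\Vendor\driver.sys
C:\Users\bob\Downloads\~dnote.tmp
"""

if __name__ == "__main__":
    for path, s in triage(SAMPLE_LISTING):
        print(s, path)
```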

Let’s also consider that in the past malware has already been used for sabotage and intelligence purposes: in the 1980s the United States had considerable success installing viruses inside the Soviet military-industrial structure, a process still continuing with China.

“We put in bugs inside the Soviet computers to feedback satellite information that had been ‘leeched’ off hard drives, in the Soviet Defense Ministry and others,” said a former U.S. intelligence official.

Also during Desert Storm, the CIA and the British Government Communications Headquarters (GCHQ) used malware agents to attack Iraq’s computers, deploying a Command & Control server in the enemy infrastructure. CIA operatives working in Jordan infiltrated bugs into hardware smuggled across the border and into Baghdad. On that occasion, the compromised devices weren’t used, because the US air strikes that had begun destroyed Saddam’s command and control network, including the buildings where the infected computer hardware was deployed.

What do we expect from the future?

For sure we will witness the birth of new versions of the existing agents, equipped with more sophisticated modules that include new features and are also able to avoid antivirus detection.

We will also face the development of new malware based on the same platform, and the creation of new sophisticated platforms used as malware factories.

The war has begun!

Pierluigi Paganini

(Security Affairs – Duqu, cyber espionage)