SCADA Security

<Embarrassing Update: Duqu not Duku, no excuse, corrected throughout blog>

The newly discovered Duqu malware and its relationship with Stuxnet and ICS was the big news yesterday. The ICS-CERT Alert is actually concise and informative. It points out that the Duqu does not attack and ICS components or processes, but it also repeats Symantec’s claim that Duqu is “an information gathering threat targeting specific organizations, including industrial control system manufacturers”.

I’m wary about the relevance of this claim but not the accuracy. If Duqu generically targeted GE, Siemens and Hitachi, it would be a leap to say they wanted ICS information. Also given the vulnerabilities in so many of the systems an attacker would be much better off targeting ICS users to gain their credentials that would allow access from the corporate network to the ICS, a la what the Social Engineering ICS S4 presentation is doing.

If Duqu is trying to exploit customer support systems at a place like GE, who requires a remote monitoring connection to their systems in plants, then it would be highly relevant. So the claim may have merit, but we need more info.

The coverage and analysis of Duqu also points out how complex Stuxnet was. To an anti-malware organization like Symantec, Duqu appears like Stuxnet because the way it infects the PC is similar.

We have confirmed Duqu is a threat nearly identical to Stuxnet, but with a completely different purpose.

To most in the ICS community it appears nothing like Stuxnet because it is not attacking a PLC or process in any way. It is another remote access trojan that is a concern, like many other attack vectors, for an adversary trying to find a way into a SCADA or DCS control center through the corporate network.

The most interesting part of the Symantec document is “the analysis report from the research lab that first discovered the W32.Duqu samples”. They have a chart that compares the PC malware in Stuxnet and Duqu, and the following in the introduction:

we reveal the existence of and report about a malware found in the wild
that shows striking similarities to Stuxnet, including its modular structure, injection mechanisms, and a driver that is digitally signed with a compromised key. We named the malware “Duqu” as it’s key logger creates temporary files with names starting with “~DQ…”.

I have some feelers out with malware guru’s asking for an analysis of this chart. Back when Stuxnet was being analyzed many malware analysts were underwhelmed by the PC portion of Stuxnet. It lacked both common and sophisticated features of high end malware.

So is PC malware that looks like Stuxnet really a concern? If the author is the same as Stuxnet as Symantec contends, then it is likely this is highly targeted and aimed at something a large percentage of the world would want dealt with.

Ralph Langner has been leading the charge, and many including me are following, of emphasizing the danger of an attacker learning from or copying the PLC attacks and methodology from Stuxnet. Duqu is not this. Pending more information, I’m a skeptic on whether this is an ICS story in even a small way.

Duqu is another perfect opportunity for ICS-CERT to finally shine. They should get their hands on Duqu, analyze it, and tell the community what, if any, impact Duqu could have on ICS. What ICS vendors is it targeting? Is it targeting specific information at those ICS vendors? How would this information put an owner/operator at risk? What is their assessment of Symantec’s claim that the author had Stuxnet source code? This is a much better use of their ICS security expertise than rewriting already public information on freeware HMI exploits.

Image by goosmurf