Duqu

Security experts are warning of a new malware threat that they say could be a precursor to the next Stuxnet.

The new threat, dubbed W32.Duqu, is a remote access Trojan (RAT) that appears to have been written by the authors of Stuxnet, or at least by someone who has access to Stuxnet source code, Symantec said in a report released today.

It was confirmed that Duqu is a threat nearly identical to Stuxnet, but with a completely different purpose. Duqu’s purpose is to steal data from manufacturers of industrial control systems that can then be used to craft attacks against entities using such systems.

Analysis shows that the Trojan is “highly targeted” at a limited number of organizations. Though Duqu uses a lot of the same code as Stuxnet, its payload is completely different.

While Stuxnet is designed to sabotage industrial control systems, Duqu is simply a Trojan with remote access capabilities that appears to have been created specifically to gather information about industrial control systems.

News of the new Trojan is sure to reinforce concerns about targeted cyberattacks against the industrial control systems used in critical infrastructures, such as power plants, water treatment facilities and chemical plants.

The Stuxnet worm, which some security researchers call the most sophisticated malware program ever written, has already affected industrial control systems in many countries.

The worm is noteworthy as the first piece of malware known to have crossed over into physical destruction of a resource.

Attackers have used Duqu to install keystroke loggers and network enumerators for stealing information that can be used in future attacks. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control system.

Duqu has already been used to carry out attacks against a handful of companies that manufacture industrial control systems.

In at least one case, the attackers were unsuccessful in their attempts to steal such data. But information is not yet available on all cases where Duqu has been used to launch an attack.

Attacks using Duqu and its variants may have been going on since December 2010, based on a review of file-compilation times. Duqu cannot replicate or propagate on its own, Haley said. It is configured to run for 36 days, after which it removes itself from the infected machine.

Note that Duqu’s propagation techniques are still unknown: there is nothing in Duqu that indicates it arrives via USB, or that instructs it to look for a network share and copy itself there. It simply sits on the infected machine and works as a remote access tool.

The new malware is named Duqu because it creates files with filenames having the prefix “DQ”.

The Trojan consists of three files — a driver file, a dynamic link library and a configuration file. The files need to be installed by a separate executable which has not yet been recovered.

Besides the link between Duqu and Stuxnet, there is no other information on who might be behind the Trojan.

Duqu uses HTTP and HTTPS to communicate with a command and control (C&C) server hosted somewhere in India.

Attackers have been using the C&C server to download keyloggers, network enumerators and other information-stealing programs. The stolen information is stored in a “lightly encrypted” file and then uploaded back to the server.

Reference: Symantec

That USB Flash Drive

The news today is chock full of stories about sensitive information being carried out of the institutional perimeter on ‘simple’ USB devices. These powerful portable drives rightfully worry IT as a means for devastating data loss at the hands of malicious insiders. But it’s pretty easy for organizations to get so wrapped up about what goes out on USB drives that they forget to protect against what comes into their environments via USB. And with attacks inflicting increasingly greater damage following uncontrolled connection, it’s time that organizations got serious about this threat.
After all, according to researchers, as many as one in four malware attacks is carried out through a USB device. In the past year, we’ve seen Stuxnet raise its ugly head and Conficker continue to circulate through the USB vector. And yet the number of USB devices in circulation continues to grow by billions each year.

In order to keep organizations secure from threats, IT departments must bring greater scrutiny and control over how the network is exposed to potentially infected portable payloads. But let’s get real: they can’t do so by gluing USB ports shut. Portable devices such as these are business tools that are here to stay. IT leaders who refuse to recognize that fact will be seen throughout their organizations as inhibitors to success. The key to USB security is balancing productivity with protection.

Early on, USB malware was exploratory and experimental. Most of all it was just, well, random. Hackers would find ways to get malware files onto drives–either online or even manually–and cross their fingers in hope that the intended victim clicked the files to initiate infection.

But as USB platforms evolved, so did the attack methods. Functionality enhancements opened up new possibilities for hackers. For example, Windows Autorun made it simpler for users to gain immediate access to the contents of their drives, but it also enabled hackers to write code that could start without user intervention. Newer platforms such as the U3 smart drive then made it possible to run applications directly from the drive, giving hackers another potentially untraceable attack vehicle.

This manipulation of Autorun is a common theme with many malware variants that plague IT environments today. Any USB device connected to an infected machine becomes infected and in turn infects any other machine to which it is connected; that machine then begins infecting other USB devices plugged into it. This is how the malware moves from machine to machine via USB devices: this “worm-like” propagation method copies the malware to all available drives, shares, removable media and peer-to-peer software application file folders.

This can greatly increase the exposure surface of an organization that may otherwise have its network security bases covered. In fact, Microsoft recently announced its finding that Windows XP users were 10 times more likely to get infected when faced with such an attack. In addition to propagating malware, USB drives have also proven to be exceptional hacking platforms for attackers with physical access to corporate machines. One of the many legitimate, useful features of USB drives is their ability to act as a “PC on a stick” through the use of certain platform and virtualization utilities. But again, this legitimate capability can also be turned to dark purposes: it makes it possible for malicious users to replicate their entire Windows hacking lab on a USB device and run it on virtually any PC with an available USB port. When the malicious user is done, she simply removes the USB device and leaves without a trace.

Balancing USB Usefulness with Protection

It is now difficult to return to the days of yore when IT administrators would simply glue USB ports shut and call their endpoints secure. USB devices are an everyday necessity whether you’re running a mom-and-pop business, a corporate office or a government department.

The truth is that portable devices have done great things for the business world, which leverages these devices for incredible productivity gains. A late 2010 survey found that all of nearly 230 workers surveyed own at least one USB flash drive and more than half own three to six of these devices.

Today’s workers can now use ultra-portable flash drives to easily transfer large amounts of data between locations. They can use these same devices to store important presentation information while on the road at conferences and sales meetings. And large organizations can quickly disseminate information to a large number of customers or employees by uploading data to USB devices and distributing them to the right people.

USB Security Best Practices

So what exactly does it take to change our trust models? It starts with smart policy development. Some key policies that organizations should consider to reduce their risks right off the bat include:

  • Ensuring common PC and laptop configurations have AutoRun features disabled, limiting the efficacy of USB malware that depends on this feature to run and to propagate.
  • Requiring timely installation of security updates in order to minimize the risk of USB-borne malware taking advantage of unpatched endpoint vulnerabilities.
  • Limiting access of USB and portable devices to registered devices only, enabling better control over who, when and how devices are being utilized.
  • Preventing the initiation of some or all executables from portable devices, blocking malware from running in the first place.
  • Requiring strong passwords (and not allowing the use of default passwords) throughout your infrastructure to prevent worms such as Stuxnet from working their way further into systems.
  • Requiring proper, up-to-date AV and firewall usage to prevent malware from gaining a foothold within the endpoint and spreading to other systems in the network.
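The first and fourth policies above (AutoRun disabled, no execution from removable disks) are backed by Windows registry policy values, so compliance can be audited and, where needed, enforced from a script. The following is an added example, not part of the original article or of any vendor product; it assumes it is run elevated on a domain or standalone Windows endpoint, and that the Removable Storage Access policy keys are the standard ones managed by Group Policy. With no switch it only reports; with -Enforce it sets the expected values.

```powershell
# Added example (not from the original article). Audits, and optionally enforces,
# the registry values behind "AutoRun disabled" and "no execution from removable
# disks", then inventories attached removable drives that carry an autorun.inf.
param([switch]$Enforce)

$checks = @(
    @{ Check    = 'AutoRun disabled for all drive types'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name     = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Check    = 'Execution from removable disks denied'
       # GUID is the "Removable Disks" class used by the Removable Storage Access policies
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
       Name     = 'Deny_Execute'; Expected = 1 }
)

function Test-PolicyValue {
    param($Check, $Path, $Name, $Expected)
    # Missing key or value reads as $null, which is reported as non-compliant
    $actual = (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($Enforce -and $actual -ne $Expected) {
        if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Expected -Type DWord
        $actual = $Expected
    }
    [pscustomobject]@{ Check = $Check; Actual = $actual; Compliant = ($actual -eq $Expected) }
}

# 1. Policy audit (and enforcement when -Enforce is given)
$checks | ForEach-Object { Test-PolicyValue @_ } | Format-Table -AutoSize

# 2. Inventory of currently attached removable drives (DriveType 2) and whether
#    each carries an autorun.inf, the file Autorun-abusing malware relies on
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    [pscustomobject]@{
        Drive         = $_.DeviceID
        VolumeName    = $_.VolumeName
        HasAutorunInf = Test-Path -LiteralPath (Join-Path $_.DeviceID 'autorun.inf')
    }
} | Format-Table -AutoSize
```

A drive reported with HasAutorunInf set to True is not proof of infection, but on an estate where AutoRun is disabled it is a useful trigger for pulling the file for review.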

While the first battle in the war against removable-media malware starts with the development of clear, in-depth policies regarding the use of removable devices and media, the ultimate fight still remains. None of those policies amount to much without solid enforcement. Unfortunately, most organizations have not yet gotten that message.

Putting Teeth In Policies

By enforcing usage policies for removable devices such as USB flash drives and other removable media such as CDs / DVDs, you can control the flow of inbound and outbound data from your endpoints.

Devices that are not authorized should simply not be allowed to execute. Ideally, organizations should look for tools and develop processes that enable them to quickly establish and enforce device control policies as simply and as methodically as possible. The idea is to enable users to continue to use approved devices without resorting to an outright blanket ban.

Policies should be manageable by user or user group as well as by computer, and organizations should look for capabilities that enable user groups to be immediately associated with devices “on-the-fly.” The goal is to dramatically simplify the management of endpoint device resources through improved tracking of who, when and how devices are being used. By validating removable devices as they are used within the enterprise, you can prevent malware from being introduced into the network. This includes assigning permissions for authorized removable devices and media to individual users or user groups and controlling the uploading of unknown or unwanted files from removable devices.

Organizations should also widen the lens a bit and think about more than just simple device control. Defense-in-depth should play a role in risk mitigation. For example, intelligent whitelisting technology can help prevent the initiation of risky applications running on the endpoints by controlling the trust factors that enable execution, such as code source, who authorized the application, whether it is running on other stable systems within the network and from where the application originated. And the use of encryption to augment defenses could make network assets less attractive to potential attackers.

Finally, organizations should consider revisiting end user training to ensure they’re covering the risks posed by USB devices. That one-time discussion on the first day at work has likely been long forgotten by most employees and is undoubtedly obsolete anyway.

After all, these workers really are your first, last and best defense against USB attacks. That’s why IT professionals need to remember that in order to win over the hearts and minds of these line-of-business users, they’ll need to institute policies and practices that don’t adversely affect these workers’ daily productivity. This means taking control of USB device usage without stooping to wholesale purchases of superglue.

By developing policies and implementing solutions that enable a more flexible but easily trackable environment, IT departments become partners in security and business success rather than technology mall cops to be disregarded at all costs. Enterprises with such forward-looking technology decision-makers will gain a decisive productivity advantage while protecting their organizational endpoints.

While we’ve focused much of our attention on the ubiquitous USB flash drive, organizations need to think about threats that extend from all forms of removable media in use today. These include CD, DVD and Blu-ray drives, FireWire, external hard disks, eSATA-connected devices and consumer products such as picture frames, MP3 players, digital cameras, etc.