Keeping Tabs on Duqu

By now you may have already heard about W32.Duqu (Duqu). If not, Duqu is a family of Remote Access Trojans (RATs) that was first publicly discussed on 9/8/2011 and later publicized by a number of anti-virus vendors on 10/18/2011. Duqu is notable in that it appears to share a substantial amount of code with the Stuxnet worm.

There is much to talk about in regard to Duqu, but for now I’ll leave you with some initial thoughts. If you want to know more, be sure to attend Monday’s (10/24/2011) McAfee and National Electric Sector Cybersecurity Organization Webinar.

By 10/19/2011, at least three variants had been identified. Whether or not Duqu has any relation to Stuxnet is largely irrelevant from an asset owner’s perspective. Additionally, if the targets were Certificate Authorities, there similarly isn’t much to do from an asset owner’s perspective beyond monitoring for news of certificates to revoke as they become known. If the targets were ICS manufacturers, however, the data stolen from them could include customer design information, application/firmware source code, support staff login credentials, or other information sensitive to asset owner operations. Beyond knowing which vendors were attacked and what data may have been stolen, there is not much to do in the way of a specific response to this incident. That said, it serves as a great example of just how important supply chain security is.

Before you engage in a business relationship with a vendor/manufacturer, make sure your expectations around security related to your systems and data are clearly spelled out in contract language. Additionally, verify and validate vendor commitments in response to those expectations as part of Factory Acceptance Tests (FAT) and/or Site Acceptance Tests (SAT) or other contract audit functions.
