Duqu, Stuxnet and the World of Cyber Espionage
Is Duqu related to Stuxnet? Who is behind cyber espionage and why Adobe Reader is to blame for the whole thing.
In 2010, the Stuxnet malware gained global notoriety as a weapon of cyberwar against Iran. A new derivative of Stuxnet, dubbed "Duqu" is now making the rounds, though its purpose and target are not yet known.
In a keynote session at the SecTOR conference in Toronto this week, F-Secure security researcher Mikko Hypponen detailed his views on Duqu and the world of online espionage noting that it is very clear to him Duqu is not only based on Stuxnet, but was also written by the same people. According to Hypponen, the Stuxnet source code is not floating around the Internet and, as such, for a new piece of malware to be so closely related, it has to come from the same group.
As far as he can tell, Duqu collects information about network topology to help prepare for a future attack of some sort. There was likely a similar information gathering phase prior to the release of Stuxnet, as well.
He also noted that Duqu code is roughly half the size of Stuxnet and the address that an infected Duqu device calls home to is 220.127.116.11, which is an IP address somewhere in India.
"So who wrote Stuxnet and Duqu? We don't know," Hypponen said. "I think that Stuxnet was coming from the U.S. government in cooperation with Israel, but I can't prove that."
Hypponen also said that he was unaware of who the target is for duqu, though he suspects that it is related to a cyberwar activity. In the world of cyberwar and online espionage, China is often blamed when security researchers talk about targeted attacks. China always denies being the aggressor, but Hyponnen just might have a smoking gun. He showed a video from Chinese state television that aired two months ago as a propaganda piece about online espionage. In that report, an attack tool was shown, with a U.S. based IP address as the target.
In recent years, a massive revolution in how nation state espionage occurs has taken place. According to his research, much of that cyber-espionage comes from legitimate looking PDF documents that have been infected. It was an Adobe related exploit that led to the security breach at RSA earlier this year, for example. That attacker was likely going after U.S. defence contractor Lockeed Martin, which uses RSA security tokens. The exploit was a simple email that asked the recipient to open a file for review. The exploit was a Flash exploit inside of an Excel file.
"Why did they have Flash enabled inside of Excel, I don't know," Hypponen said.
Hypponen also specifically pointed out Adobe Reader as being a particularly popular route for cyber-espionage activities. All of the infected documents that he's come across leveraged vulnerabilities in Adobe Reader and not other PDF readers.
"Why is everyone running Adobe Reader?" Hypponen said. "There are many other choices. I don't like Adobe Reader much, I'm not sure if you can tell."
While Hypponen noted that most cyber-espionage type activities aren't likely to be a risk to regular users, he does offer a few simple suggestions for defense.
"Run a system that isn't being targeted and don't run Word, Excel and Powerpoint," Hypponen said. "Make your system different from what the attacker assumes you'll be running."