Stuxnet II: Electric Duqu
October 18, 2011 1:14 PM

A year after the infrastructure-attacking Stuxnet worm was discovered in Iran, a new piece of malware using some of the same techniques (but apparently with different goals) has been found infecting systems in Europe. The new malware, dubbed “Duqu” [dü-kyü], appears to have been written by someone with direct access to the Stuxnet source code.
posted by gemmy (49 comments total) 27 users marked this as a favorite
 
> Instead, it appears to be a precursor to a Stuxnet-like attack, designed to conduct reconnaissance on an unknown industrial control system and gather intelligence that can later be used to conduct a targeted attack.

I hear this spoken by the plumbing guy in Gilliam's Brazil. Then it makes sense.
posted by stonepharisee at 1:27 PM on October 18, 2011 [7 favorites]


loquacious, please come and help me understand this.
posted by theodolite at 1:31 PM on October 18, 2011 [1 favorite]


I have always found it fascinating that STUK happens to be the initials of Finland's Radiation and Nuclear Safety Authority - and so I always tend to read the name stuxnet as something related somehow.
posted by infini at 1:38 PM on October 18, 2011


How do we know it was the Stuxnet team? To start with, the attacks are targeting CAs in regions occupied by “Canis Aureus”, the Golden Jackal,

So we've moved from living in a Gibson-esque cyberpunk world to a Tom Clancy styled spy thriller? I'm oddly okay with that.
posted by quin at 1:44 PM on October 18, 2011 [2 favorites]


Stuxnet and this Duqu are the first pieces of malware that evoke the same feeling in me as real life biological viruses. Other malware that erases drives, or mucks up your browser, or ropes your computer into a botnet... suddenly all that just seems like petty vandalism. But this is a whole new level of malware. Maybe it's because I work in a lab that studies influenza, but there are so many viruses out there that are so incredibly elegant in their design that you can't help but marvel at them, even if they are incredibly pathogenic. (Gratuitous example: measles virus contains a stretch of its genome that, depending on if the ribosome slips one nucleotide or not, two entirely different proteins can be made from the same RNA. That's analogous to starting reading this sentence as "Hat's..." instead of "That's..." and having it mean something completely intelligible and different!) Stuxnet seems like it's marked the maturing of "cyberwar" into a real division of war. And while that's a Bad Thing, I can't help but admire the design of these things.
posted by Osrinith at 1:44 PM on October 18, 2011 [14 favorites]


So we've moved from living in a Gibson-esque cyberpunk world to a Tom Clancy styled spy thriller? I'm oddly okay with that.

Call me when we get to Blandings.
posted by villanelles at dawn at 1:46 PM on October 18, 2011


Well, I'm not loquacious, but stuxnet was especially notable because it had used a bunch of programming tricks that had never been seen before in malware. It used several (3, IIRC) vulnerabilities that were unknown before its release, and it hid itself in memory rather than the hard drive using some fairly sophisticated tricks to help evade virus scanner software.

Symantec researchers theorized that stuxnet was designed to foil Iran's nuclear weapons program by causing machinery in the facility to break down (it ingeniously looked for the hardware signature of the specific centrifuges that Iran had purchased and then altered their code so they would spin at improper frequencies, causing them to fail prematurely). A lot of people have theorized that stuxnet was written by a State wanting to stop Iran's enrichment program.

So, duqu, the new virus, is using a lot of the same tricks stuxnet uses, but it doesn't appear to be doing anything other than gathering information on... something in Europe. Presumably, the writers will use the gathered information to launch another stuxnet-like attack on their targets.

Pretty cool stuff.
posted by zug at 1:47 PM on October 18, 2011


I'm not sure that sabotaging uranium centrifuges for a nuclear weapons program really counts as "infrastructure attacking".
posted by happyroach at 1:51 PM on October 18, 2011


To start with, the attacks are targeting CAs in regions occupied by “Canis Aureus”, the Golden Jackal

I don't get the reference; do the McAfee authors think that this is an inside joke by the virus authors? Or are they just being clever because they've been up all night studying this thing?
posted by RobotVoodooPower at 1:51 PM on October 18, 2011


To start with, the attacks are targeting CAs in regions occupied by “Canis Aureus”, the Golden Jackal

a kind of Roman coin, featuring a dog

posted by Chrischris at 2:03 PM on October 18, 2011 [1 favorite]


F-Secure seems to think that Duqu must have been authored by the Stuxnet team because the Stuxnet source code has never been released. This is probably showing my ignorance, but is the source code of a virus, even as complex a virus as Stuxnet, impossible to back into?
posted by rtimmel at 2:09 PM on October 18, 2011


This story is fascinating. And important. See also: U.S. Debated Cyberwarfare in Attack Plan on Libya.

I've skimmed the original Symantec Duqu paper and I'm still missing something. How do they know this was written by someone with access to the Stuxnet source code and not merely a modified version of the Stuxnet binary? I'm guessing it has something to do with Stuxnet being self-signed, but I'm not sure.
posted by Nelson at 2:11 PM on October 18, 2011


Blandings? Ballard.
posted by seanmpuckett at 2:12 PM on October 18, 2011


I'm not sure that sabotaging uranium centrifuges for a nuclear weapons program really counts as "infrastructure attacking".

It was actually a bit broader than that, in that it targeted Siemens industrial software used to control manufacturing infrastructure - things like motors, conveyor belts, pumps, alarm systems, and door access controls in factories.

One of the oddest things about the Duqu malware is that it is configured to run for 36 days, then it removes itself from the infected machine. Nobody seems to know the significance of the 36 days, which just makes it kind of weird.

("Golden Jackal" might be a McAfee name for a specific geographic region, given the map at the end of the article.)
posted by gemmy at 2:17 PM on October 18, 2011


It'd be pretty ironic if the Iranians modified Stuxnet into Duqu to return the favor.
posted by c13 at 2:31 PM on October 18, 2011


happyroach: I'm not sure that sabotaging uranium centrifuges for a nuclear weapons program really counts as "infrastructure attacking".

How so? This is an exploit of core industrial production, not your typical exploit of intelligence systems, consumer or "back office" business systems... I'm not sure I follow your logic.
posted by Lleyam at 2:37 PM on October 18, 2011


Call me when we get to Blandings.

Lord Ahmadinejad has a prize winning uranium purification plant and is paranoid that his neighbour, Sir Gregory Netanyahu, is plotting to sabotage it before the next county fair. Meanwhile Hashemi 'Raffish' Rafsanjani is writing his memoirs, to the dismay of the now respectable people that he ran with as a young rake decades ago.

Barack Obama arrives, disguised as an expert on memorial brasses, hoping to convince his old chums Hamid and Asif to bury the proverbial hatchet. When Asif's estranged cousin Indira shows up, he's sure that she's after Hamid and plots to foil her.

Barack has a plan to solve it all that's just crazy enough to work, all he needs to do is get the co-operation of County social terror, crazy old Lord Saud. Unfortunately the plan goes awry...
posted by atrazine at 2:40 PM on October 18, 2011 [8 favorites]


Why couldn't China have engineered a virus to shut down Iran's nuclear capabilities? They don't want a nuclear Iran, either, I don't think.
posted by empath at 2:58 PM on October 18, 2011


empath wrote: Why couldn't China have engineered a virus to shut down Iran's nuclear capabilities? They don't want a nuclear Iran, either, I don't think

Or India, for that matter. The list isn't that short, although it would have to be someone who could have discovered what particular equipment Iran was using, so some sort of intelligence apparatus would be necessary.
posted by wierdo at 3:23 PM on October 18, 2011


I'm not sure that sabotaging uranium centrifuges for a nuclear weapons program really counts as "infrastructure attacking".

It was for a nuclear power plant program. Electricity is as "infrastructure" as it gets. The dual-purpose theory may have motivated the attack, and may or may not hold water, but it can't be said that those centrifuges were not being used to produce fuel for the nation.
posted by -harlequin- at 3:36 PM on October 18, 2011 [3 favorites]


yeah, seconding the paging of loquacious.
posted by lazaruslong at 3:36 PM on October 18, 2011


Or India, for that matter.

You really think that India has:
1) A black-hat technical team capable of pulling this shit out
2) Have a political/ executive leadership that has enough strategic imagination to develop such a team
3) Any inclination whatsoever to attack _Iran's_ centrifuges by stealth

... when we couldn't even prevent a black-hat intrusion by the Chinese for months? Let me put it this way: to imagine how we can pull this off is currently beyond the ability of even our dystopian cyberpunk authors. I really wish it weren't so, but it's important to acknowledge facts: we're currently being walloped and our asses turned into skimmed milk as far as information security is concerned.

I don't know who wrote this, but I'm fairly certain it isn't India.
posted by the cydonian at 4:01 PM on October 18, 2011 [1 favorite]


This is probably showing my ignorance, but is the source code of a virus, even one as complex of a virus as Stuxnet, impossible to back into?

Nothing's impossible. Stuxnet was ostensibly comprised of components written in multiple languages, for whatever that's worth. And then you have the digital certificate issue to deal with, pre-redeployment. Still, once you've reached the level of resources and will that a nation-state has, it seems like reverse-engineering such a beast is only a matter of time and effort.
posted by Brak at 4:09 PM on October 18, 2011


Nelson: How do they know this was written by someone with access to the Stuxnet source code and not merely a modified version of the Stuxnet binary?

At a guess, I suspect what they're seeing doesn't look like a modified binary.

If all you have is binary code, you can "decompile" it and get something vaguely approximating the original source code, but it won't usually recompile into the exact same thing again, especially if the original binary was run through a mechanical optimization pass. The decompiled-recompiled code will usually still WORK the same, though the regenerated source may need fixes, but the final machine code will almost always look different.

And if people are modifying the binary code directly, it probably looks different again... making room for new code in a program usually requires that you increase the size of the binary and move other code. And moving assembly code around in a program is quite painful, requiring lots of modification of OTHER code to jump to the new, correct targets. So, usually, modifications to assembly code will involve replacing an existing instruction with a jump to new code. The new code, added onto the end, will then do whatever the original instruction was, plus whatever new functions it adds, and then return to the instruction following. It's basically a minimum-impact shim, replacing that single instruction without modifying the rest of the code. This has a very, very clear fingerprint; code that was modified in this way is obvious to someone who can read assembly.

Further, hand-written assembly doesn't really look like compiler output. Compiler output is typically rather odd, especially after optimization. It tends to take advantage of weird little quirks and unusual features of the x86 instruction set that human writers don't typically use, but it uses them in predictable ways. Human-written assembly code will have novel approaches that you don't see in compiler output.

I believe they're probably seeing what they'd expect to see if someone with access to the original source started with that code, modified it, recompiled it, and put it into the wild. It probably doesn't have the unusual structure of a modified binary.

That's not a certain form of analysis by any means, but making it look like you had the original source code would just about require reconstruction OF that source code. Making a compiled version look modified is easy -- you just have to modify it. But making a modified version look like a standard compiled program is HARD. It can obviously be done, and in spycraft, the false-flag benefits might be worth the engineering time, but an organization that would realize the need for this, and that had the resources and expertise available to do it, would be wizardly enough to create something like Stuxnet from scratch anyway.

So, you can still be pretty sure that it's a program funded by a government. You just can't tell which government. Occam's Razor would suggest that it's the same entity that wrote Stuxnet, but when you're dealing with intelligent entities that are trying to fool you, that's a dangerous tool.
posted by Malor at 5:12 PM on October 18, 2011 [15 favorites]


Respectfully, Malor, it sounds like you're guessing. I see the technical point you're making but I'm less certain it'd be hard to make it look like you had source code access. Anyway, I'm hoping there's no need to guess: Symantec has published a lot of research into Duqu. I'm just missing the part where they state their evidence it comes from the source. Did I miss it in the reporting, or is it not there?

The reason I care is the real story here isn't that there's a Stuxnet variant, it's that there's a Stuxnet variant attacking a target in Europe. It's one thing for the US and Israel to cooperate to take out Iranian nuclear facilities; it's another thing entirely for them to be spying on, say, German industrial companies.

Symantec's cagey on who the victims of Duqu are, they just say "The threat was recovered from an organization based in Europe ... Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party." My initial reaction was that someone was using Stuxnet tech to spy on Western European manufacturing companies. Reading this again, though, maybe it's just someone is using Stuxnet (née Duqu) to collect some intelligence on industrial control systems from, say, Siemens in Germany. Not to attack Germany, but to be prepared to attack Iran or Pakistan or North Korea the next time they use industrial systems bought from Germany.
posted by Nelson at 7:57 PM on October 18, 2011 [1 favorite]


Obviously Malor is guessing, but it's an educated guess and I concur with it. It's certainly not impossible that someone made it look as though Duqu is derived from the Stuxnet's source code - but it's a lot of effort, and it seems a bit pointless given that we don't actually know who wrote the original source. It's the computing equivalent of disguising yourself to look like someone else who is both unknown and who is himself wearing a disguise. Yes, there are scenarios in which this would make sense, but the ones I can think of are quite contrived.
posted by Joe in Australia at 11:01 PM on October 18, 2011 [2 favorites]


It's the computing equivalent of disguising yourself to look like someone else who is both unknown and who is himself wearing a disguise.

That spy is not one of ours!
posted by Mitrovarr at 12:27 AM on October 19, 2011


Nelson: of course I'm guessing. Everyone is.

It's one thing for the US and Israel to cooperate to take out Iranian nuclear facilities; it's another thing entirely for them to be spying on, say, German industrial companies.

And why is that, exactly? All that spy apparatus and secrecy that we've built up gets used on everyone. Just because people think they're our friends doesn't make them immune to being spied on or even sabotaged. There's some evidence, for example, that our spy arms have provided intelligence to American corporations to improve their chances of winning bids.

I agree with you that we shouldn't be doing it, but I think it's unrealistic to expect it to be used with discrimination, since it's all shrouded in so much secrecy. Thus, I tend to think we shouldn't be doing ANY of it.

And now that that front has been well and truly opened, we're probably more vulnerable than anyone else, since our networks are the largest and oldest.
posted by Malor at 3:02 AM on October 19, 2011


Respectfully, Malor, it sounds like you're guessing.

Malor makes a bunch of correct points. There are risks in assuming the same source will result in the same machine code output, because it depends on the compiler settings. However, for most code when you're shipping binaries, you set it very generically because you don't really know what the CPU is at the user end. If you compile targeted to an Intel Sandy Bridge CPU, you can get much better performance, and anybody with an older CPU can't run it. If you compile to i386 or x86-64, it won't run as fast, but it'll run across vastly more machines.

Given that this is a penetration attempt, and you want it spread wide, you want to compile it as generic as possible, so if you used the same compiler and it's mostly the same source, I'd expect large parts of the binary to be identical.

I disagree with his leap to "it must be government" -- but it does really look like whoever made DuQu has the Stuxnet source. This doesn't mean that the *original* creators of Stuxnet created DuQu.

Because, after all, just because they're writing trojans doesn't mean they're immune to trojans.
posted by eriko at 4:29 AM on October 19, 2011 [1 favorite]


Windows is simply not viable.

For years I and others have been saying that the viruses that people actually get, that spend their money on long distance calls, delete all their files and jam their networks, are the kind, this-is-a-warning type of viruses. These viruses, once installed, have the opportunity to do vast amounts of damage, but they merely delete your files, forcing you to restore backups or learn the importance of backups.

Nobody paid attention. Now Iran has paid the price, and others will too.
posted by CautionToTheWind at 4:33 AM on October 19, 2011


Gratuitous example: measles virus contains a stretch of its genome that, depending on if the ribosome slips one nucleotide or not, two entirely different proteins can be made from the same RNA. That's analogous to starting reading this sentence as "Hat's..." instead of "That's..." and having it mean something completely intelligible and different!

Yes indeed, a very intelligent designer.
posted by mattoxic at 5:10 AM on October 19, 2011

I don't know who wrote this, but I'm fairly certain it isn't India.

Do you think they are all too busy serving in a corner store or something?
posted by mattoxic at 5:18 AM on October 19, 2011 [1 favorite]


I more or less agree with Malor. Completely reverse-engineering the original Stuxnet would be incredibly expensive; if you read carefully, even the major security companies and academic researchers have only scratched the surface of exactly how it works.

It's far more likely that the original authors made a second release than that someone spent the millions of dollars to completely reverse engineer the first release, and make a new one that is almost-but-not-quite the same.

Reverse engineering obscured binaries is tough work. I know a very smart guy who spent two years working full time on understanding Skype at the machine-code level, and really didn't get all that far. Sometimes security through obscurity works!
posted by miyabo at 6:42 AM on October 19, 2011


IF stuxnet targeted Iranian centrifuges (pretty well accepted) and IF Duqu is part of the same operation (this is likely but not certain) THEN Duqu may be an attempt to attack enrichment infrastructure Iran cannot make themselves and must outsource to another country.

Is this the preliminary for an attack on Iran's suppliers of essential enrichment tech?

AQ Khan and Pakistan's military kleptocrats have never really paid much of a price for being the nuclear provider to the "Axis of Evil."
posted by warbaby at 7:00 AM on October 19, 2011


I disagree with his leap to "it must be government"

Well, if you accept that the original Stuxnet was of government origin, then it seems equally likely that this also is. From what I've read, it has to either be someone with the same source code (implying a government), or else an organization with the resources to decompile a binary, and then fix the source well enough that the subsequent generated binaries look the same. That is not, to my understanding, easy to do at all. And it strikes me that pretty much only a government would A) even think of that as a goal, and B) then be willing to spend the money doing it.

I suppose it could be entirely accidental, that it decompiled well enough to look the same when recompiled again. That's not impossible, but my limited experience with disassemblers/decompilers is that they simply don't generate very good code. It takes a lot of fixing to work again, and it never truly looks like the original.

To be sure, think we'd probably need to ask someone with very serious compiler and decompiler experience, and I'm not sure we have anyone like that on tap at MeFi.
posted by Malor at 7:03 AM on October 19, 2011


/sure, think/sure, I think/
posted by Malor at 7:03 AM on October 19, 2011


Nelson: "How do they know this was written by someone with access to the Stuxnet source code and not merely a modified version of the Stuxnet binary?"

I'm guessing because the changes were global rather than localized. I.e., they didn't just change a string, but added and removed variables which changed offsets all over the program and they didn't just pad it with noops.
posted by pwnguin at 7:04 AM on October 19, 2011
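An added example, not from the thread or from any Symantec or McAfee analysis, that illustrates the point eriko and pwnguin are making above: two builds from mostly the same source share large identical regions, but an offset-by-offset comparison only sees them when nothing has shifted, whereas a content-defined comparison re-synchronises after an insertion. It uses constructed random byte blobs as stand-ins for binaries; the chunk sizes and hash mask are arbitrary choices.

```python
"""Offset-based vs content-defined similarity of two builds of a program.

Constructed example: the 'binaries' are seeded random bytes, not real code.
A local in-place patch leaves absolute offsets intact; an insertion shifts
every byte after it, which is the effect pwnguin describes for added or
removed variables. Real binary-diffing tools work on disassembled
functions and basic blocks; this byte-level version only shows the idea.
"""
import hashlib
import random
from typing import List, Set, Tuple

CHUNK = 64    # block size for the naive fixed-offset comparison
WINDOW = 16   # rolling window for the content-defined comparison
MASK = 0x1F   # roughly 1 in 32 windows becomes a chunk boundary


def fixed_chunks(data: bytes) -> List[bytes]:
    """Hash fixed-size blocks at fixed offsets (position-dependent)."""
    return [hashlib.sha256(data[i:i + CHUNK]).digest()
            for i in range(0, len(data), CHUNK)]


def content_chunks(data: bytes) -> Set[bytes]:
    """Content-defined chunking: a boundary is placed wherever the hash of
    the preceding WINDOW bytes has its low bits clear, so boundaries follow
    the content and move together with it when bytes are inserted."""
    chunks: Set[bytes] = set()
    start = 0
    for i in range(WINDOW, len(data)):
        window_hash = hashlib.blake2b(data[i - WINDOW:i], digest_size=4).digest()
        if int.from_bytes(window_hash, "big") & MASK == 0:
            chunks.add(hashlib.sha256(data[start:i]).digest())
            start = i
    chunks.add(hashlib.sha256(data[start:]).digest())
    return chunks


def positional_match(a: bytes, b: bytes) -> float:
    """Fraction of fixed-offset blocks that are byte-identical in a and b."""
    ca, cb = fixed_chunks(a), fixed_chunks(b)
    same = sum(1 for x, y in zip(ca, cb) if x == y)
    return same / max(len(ca), len(cb))


def content_similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two content-defined chunk sets."""
    sa, sb = content_chunks(a), content_chunks(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 1.0


def build_samples() -> Tuple[bytes, bytes, bytes]:
    """Return (base, patched, recompiled) constructed stand-in binaries."""
    rng = random.Random(1234)
    base = bytes(rng.getrandbits(8) for _ in range(16_384))
    # In-place binary patch: 40 bytes overwritten, nothing else moves.
    patched = base[:5000] + b"\x90" * 40 + base[5040:]
    # Stand-in for a rebuild with extra data: 24 bytes inserted early on,
    # so every later byte lands at a different absolute offset.
    inserted = bytes(rng.getrandbits(8) for _ in range(24))
    recompiled = base[:1200] + inserted + base[1200:]
    return base, patched, recompiled


if __name__ == "__main__":
    base, patched, recompiled = build_samples()
    for name, other in (("patched", patched), ("recompiled", recompiled)):
        print(f"{name:10s} positional={positional_match(base, other):.3f} "
              f"content={content_similarity(base, other):.3f}")
```

The positional score collapses for the shifted build while the content-defined score stays high for both, which is why "large parts identical" has to be judged by matching code regions rather than comparing bytes at the same offsets.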


I don't know who wrote this, but I'm fairly certain it isn't India.

Do you think they are all too busy serving in a corner store or something?
posted by mattoxic


No, the cydonian is making an intelligent observation based on his particular experience as a former technical specialist from India who works extensively with and/or knows the Indian tech situation perhaps better than you or I (and puts on an excellent dinner along with Mrs The Cy)
posted by infini at 9:49 AM on October 19, 2011


Respectfully, Malor, it sounds like you're guessing. I see the technical point you're making but I'm less certain it'd be hard to make it look like you had source code access.

Malor's guess sounds very solid. I spent a decade or so writing compilers for a living, and have spent the majority of my career dinking around in low-level systems code. I've spent countless hours reading disassemblies, in several different processor architectures, and many many years ago dabbled in software cracking. It is easy to tell when an executable has been patched, and easy to tell whether it was generated by a compiler or written by hand. It is often possible to tell which specific compiler produced the code. I won't say that it is impossible to patch an existing binary in such a way that it appears to have been compiled from source, but I believe that it would be very difficult, for even a skilled attacker. It would be a very different project from a normal crack attempt.
posted by Mars Saxman at 12:41 PM on October 19, 2011 [2 favorites]


I haven't been following this one at all, so I'm no help, here, and I don't really have the time to parse it. Back then I didn't have my head full of secret project, but right now I do.

But I agree with Malor. Odd things are afoot. At a quick glance from what I've read it seems likely that they had access to the original source code for Stuxnet, which is more than a little alarming.

I was originally only apprised of Stuxnet because it was really different and interesting, and as others have commented it really is what could arguably be called the first true "weapons grade" virus. And as we talked about in the Stuxnet thread (and elsewhere on the web) one of the really alarming things about Stuxnet is how it obviously could be re-purposed and re-engineered into entirely different kinds of attack vectors and payloads.

And, well, I guess we're seeing that happen now.

Outside of governments - and this is totally wild conjecture - another random conspiracy idea I had about the source/authors of Stuxnet is it might actually be a criminal syndicate with waaaay too much money and time on their hands, and some really nefarious goals in mind. But maybe I read too many cyberpunk novels.

Hell, maybe they read too many cyberpunk novels. Maybe one of the new mega-rich capitalist-industrial-criminal combines out of Russia or China or something has set up an exploratory side business backed by real "fuck off" money to make some really scary criminal tools with the idea of shopping them around like a modern arms dealer to the highest bidders.

It's not like there's never been any money in that particular banana stand or anything.
posted by loquacious at 2:34 PM on October 19, 2011 [2 favorites]


Well, it's not like there aren't a bunch of precedents for state funded scary tech weapons getting loose as the result of criminals, corruption, fanatics and just plain Gen. Jack D. Ripper craziness.

Some examples: the Pakistani nuclear proliferation, various drug operations (there are lots of these tainted with corrupt government involvement), the Karnal Bunt outbreak in the 1990's was strongly suspected to be the result of Russian mafia getting access to Soviet bioweapons stocks and using it to manipulate commodity prices, not to mention the anthrax attacks of 2001. All these were "insider" situations where state security apparatus gets turned to criminal or terrorist purposes by a few operators working well inside the security perimeter.

There's always blowback from so-called "deniable" offensive operations. Always.

The list of nations wishing the Iranian nuke program ill is very long and the list of well-wishers is short: Russia, North Korea and Pakistan. The two closest nations with means, motive and opportunity are the Israelis and the Saudis. It seems to me unlikely, as some have suggested, that two or three nations are cooperating in the Stuxnet attacks. Unlikely because of the increased security risk. However, the source code getting loose is exactly one of those security risks.
posted by warbaby at 8:47 PM on October 19, 2011


Respectfully, I'm still looking for a basic answer here. Every report on this says "Symantec says this is based on someone with Stuxnet source code". Where does Symantec say that and on the basis of what evidence? Because I'm not seeing it in their analytic paper. Both Symantec's and "the research lab"'s analysis documents in great detail the structural similarity of Duqu and Stuxnet, but it's hard to tell from just reading their analysis whether Duqu is actually the same source or simply written by someone who studied Stuxnet and copied many of its techniques.

I totally agree with the intuition that patching compiled code is hard and leaves obvious fingerprints. Except that I've also learned my intuition about what tricks it's possible to apply to code is often wrong. Also the conclusion here is quite extraordinary: that US/Israel are spying on European industrial companies. Which is certainly possible but surprising given that they must have known they'd be caught at doing it.

Again, simple factual question: why does Symantec say with certainty that Duqu is built by someone with access to Stuxnet source? Or are they just guessing too? I fully believe that Duqu could be written by an Israeli/US cooperative, just like Stuxnet, I'm just trying to understand the quality of evidence supporting that conclusion.
posted by Nelson at 9:18 PM on October 19, 2011


Nelson, like we said, making it look like you have access to the source when you don't can be done, but it's very difficult, and of fairly dubious value.

why does Symantec say with certainty that Duqu is built by someone with access to Stuxnet source? Or are they just guessing too?

Yes, they are just guessing too. But it's a very educated guess. It would, I imagine, be admissible as expert opinion in court.
posted by Malor at 2:16 PM on October 20, 2011


Also the conclusion here is quite extraordinary: that US/Israel are spying on European industrial companies. Which is certainly possible but surprising given that they must have known they'd be caught at doing it.

Nations spying on private industrial concerns for various reasons isn't exactly new. Also, the trick isn't so much avoiding getting caught, as having deniability. As long as they can't absolutely prove who did it, the U.S. and Israel can publicly deny any involvement. Just like how the Kremlin is shocked, shocked I say, that someone is doing DoS attacks against Livejournal.
posted by happyroach at 2:33 PM on October 20, 2011

Dell SecureWorks explains why Duqu may seem to be related to Stuxnet, but argues that "supporting evidence is circumstantial at best and insufficient to confirm a direct relationship."
posted by gemmy at 1:53 PM on October 26, 2011 [1 favorite]


Thank you, gemmy, that's exactly the sort of analysis I was looking for. They never talk about "compiled from the same source," which is a curious omission given that it's the only evidence Symantec mentioned (but did not describe).

One of the oddest things about Duqu so far is no one knows how it spreads.
posted by Nelson at 6:38 AM on October 27, 2011

