Sunday, October 23, 2011

DuQu: A Malware Rashomon*

No self-respecting security blog can ignore [insert dramatic music] ...

DuQu: Son of Stuxnet
G.E.S. original art
A new Windows malware, named DuQu, is the subject of some interesting discussion in the anti-malware industry. The two industry giants, Symantec and McAfee, each analyzed the malware and reached slightly different conclusions.

Both agree that DuQu was developed by the same people who developed Stuxnet. Symantec claim that "DuQu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers" noting "that at least one of the entities [targeted by DuQu] is a Europe-based industrial control systems manufacturer".

McAfee think that DuQu has "a different goal - to be used for espionage and targeted attacks against sites such as Certificate Authorities (CAs)" and note that "the attacks are targeting CAs in regions occupied by Canis Aureus" - which is a peculiar and indirect way to say regions with large Muslim populations.

They're probably both right. DuQu is a Remote Access Trojan (RAT) that can be used against any target and is probably being used for both purposes. Symantec noticed that it was found at a European ICS manufacturer. McAfee noticed it at Middle Eastern CAs.

But is it in fact the "Son of Stuxnet"? How do we know that DuQu was developed by the same people who developed Stuxnet? Symantec and McAfee give two main reasons for this conclusion:
  1. Part of the DuQu code is very similar to the Stuxnet code and only someone with "access to the source code of Stuxnet" (Symantec) could produce this code.
  2. DuQu, just like Stuxnet, "utilizes 'stolen' digital certificates belonging to companies from Taiwan" (McAfee).
Neither of these arguments is very convincing.

Symantec and McAfee don't have access to the source code of Stuxnet or DuQu. All they can see are the compiled binaries, which seem to indicate a single source. Yet I have no doubt that if the experts at these companies were challenged to modify the Stuxnet binary to produce a variant that looked as if it had been compiled from the same source, they would have no problem doing so. So how can they be sure that the developers of DuQu didn't do exactly that?

In fact, for the first few years of my career as a software developer I wrote many binary patches of compiled code that would look like a compilation of modified source but were in fact modified binary code. Only someone with access to the original source code and build tools could prove that they weren't, and Symantec and McAfee don't have such access.
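To make the point concrete, here is an added Python example (mine, not anything from the Symantec or McAfee reports): a crude chunk-hash similarity score applied to a constructed pseudo-random "binary", a hand-patched copy of it, and an unrelated blob. The patched copy scores above 0.99 because the score is computed from bytes alone; nothing in it can say whether those bytes came from a rebuild of the original source or from a hex editor. The blobs, the chunk size and the patch offset are all assumptions made up for the example.

```python
import hashlib
import random


def chunk_hashes(blob: bytes, size: int = 16) -> set:
    """Fingerprint a blob as the set of hashes of its fixed-size chunks.

    A deliberately crude stand-in for the per-function or per-basic-block
    fingerprints a real binary-similarity tool would use; the point is only
    that any such score is computed from the bytes alone.
    """
    return {
        hashlib.sha256(blob[i:i + size]).hexdigest()
        for i in range(0, len(blob) - size + 1, size)
    }


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity |a & b| / |a | b|; 1.0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def similarity(blob_a: bytes, blob_b: bytes, size: int = 16) -> float:
    """Chunk-hash Jaccard similarity between two blobs."""
    return jaccard(chunk_hashes(blob_a, size), chunk_hashes(blob_b, size))


def binary_patch(blob: bytes, offset: int, new_bytes: bytes) -> bytes:
    """Overwrite a region in place, the way a hand patch to a compiled
    binary does (no relocation, no change of layout)."""
    if offset < 0 or offset + len(new_bytes) > len(blob):
        raise ValueError("patch does not fit inside the blob")
    return blob[:offset] + new_bytes + blob[offset + len(new_bytes):]


def make_blob(seed: int, length: int = 4096) -> bytes:
    """Constructed stand-in for a compiled binary: deterministic pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


# Constructed data for the example, not real malware samples.
ORIGINAL = make_blob(seed=1)
# One eight-byte region overwritten with x86 NOPs: a typical hand patch
# (offset and contents are assumptions, chosen to land inside one chunk).
PATCHED = binary_patch(ORIGINAL, offset=1024, new_bytes=b"\x90" * 8)
# A blob with nothing in common with ORIGINAL, as a baseline.
UNRELATED = make_blob(seed=2)


def scores() -> dict:
    """Similarity of ORIGINAL to itself, to its patched copy, and to UNRELATED."""
    return {
        "self": similarity(ORIGINAL, ORIGINAL),
        "patched": similarity(ORIGINAL, PATCHED),
        "unrelated": similarity(ORIGINAL, UNRELATED),
    }


if __name__ == "__main__":
    for name, score in scores().items():
        print(f"{name:>9}: {score:.3f}")
```

With 256 chunks of 16 bytes and a patch that touches exactly one of them, the patched copy shares 255 chunks with the original (255/257 ≈ 0.992), while the unrelated blob shares none. A real tool compares disassembled functions rather than raw chunks, but it has the same blind spot: a high score is evidence that the bytes are related, not evidence of who produced them or how.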

The fact that both DuQu and Stuxnet "utilize 'stolen' digital certificates belonging to companies from Taiwan" may indicate that for some reason it is easy to steal certificates from Taiwanese companies, or that there is a market for stolen Taiwanese certificates. In any case, this is definitely not conclusive evidence that they were written by the same people.

So why did Symantec and McAfee rush to connect DuQu to Stuxnet? Well how else would they have gotten so much mainstream press? Hell, if it wasn't for the Stuxnet connection even I wouldn't have written about it ;-}

*Rashomon [Wikipedia link]


  1. Thanks. You're quickly becoming a serious competitor to Schneier :)

  2. Thanks. A poor man's Schneier perhaps :)