Skip Links

Symantec, McAfee differ on Duqu threat

Security firms disagree on inten of Trojan Symantec calls precurser to next Stuxnet

By Jaikumar Vijayan, Computerworld
October 19, 2011 04:20 PM ET

Computerworld - Two top security vendors appear to have come to slightly different conclusions about the specific dangers posed by a newly discovered Trojan program called Duqu .

Symantec and McAfee Tuesday both released detailed analyses of the Duqu Trojan after obtaining a sample of the malware from an unidentified source.

Symantec released a 60-page report that called Duqu a precursor to the next Stuxnet worm that is being used largely to steal information from makers of industrial control systems.

On the other hand, rival McAfee's analysis said that Duqu is primarily used to target Certificate Authorities (CA) in parts of Asia, Europe and Africa.

The security vendors had different accounts of a code signing certificate associated with Duqu, which appears to have been originally issued to a Symantec customer.

McAfee suggested that the certificate used by Duqu had been forged in a direct attack at a CA, while Symantec said that the certificate appeared to have been stolen.

A Symantec spokesman this afternoon said the company has seen no evidence that Duqu specifically targets certificate authorities.

"Up to this point the threat's primary purpose seems to have been to gather intelligence data and assets from very specific entities in order to more easily conduct a future attack against another third party," the company said. "At this time, what we know as fact is that at least one of these entities is a Europe-based industrial control systems manufacturer."

In an e-mail to Computerworld, Adam Wosotowsky, senior research analyst at McAfee Labs said that while Duqu appears to be a "reconnaissance agent," its true purpose in unknown. "But the assumption was made that it was looking for keys that would allow it to infiltrate secure networks more successfully," he said.

In its report, Symantec said Duqu was most likely created by the authors of last year's Stuxnet worm and is being used specifically to steal critical information from makers of industrial control systems.

Symantec said it received a sample of the new malware on October 14 from what it described as "research lab with strong international connections." Symantec has so far analyzed two variants of Duqu and recovered additional variants from an organization in Europe that it didn't identify.

Symantec said that it believes that Duqu is being used to steal information that can be used to develop the next Stuxnet. Symantec noted that the new Trojan uses the same code as Stuxnet and mimics many of the same behaviors exhibited by its predecessor.

Unlike Stuxnet, Duqu is not targeted at industrial control systems specifically, Symantec noted.

However, in a blog post somewhat dramatically titled "The Day of the Golden Jackal - The Next Tale in the Stuxnet Files: Duqu" two security researchers from McAfee said the Trojan was primarily targeting "CAs in regions occupied by "Canis Aureus," or "the Golden Jackal."

An accompanying map showed that region to be parts of Asia, the Middle East and Africa.

Like Symantec, McAfee too said that it had received a sample of the new malware from what it described as an "independent team of researchers." And like Symantec, McAfee noted that Duqu is closely related to the original Stuxnet worm and said "the code, delivered via exploitation, installs drivers and encrypted DLLs that function very similarly to the original Stuxnet code."

Originally published on Click here to read the original story.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News