19 Oct 2011
LAS VEGAS: McAfee is shedding light on a recently discovered malware attack that could be connected to the Stuxnet malware.
Known as "Duqu", the malware has been found to be targeting industrial control systems in Southeast Asia and Northern Africa.
According to McAfee researchers, the Duqu infection has been spread using rogue security certificates. They believe the malware's creators were able to compromise the systems of a certificate authority (CA) firm and then generate certificates for use in the attacks.
VeriSign has since invalidated the certificates used in the attacks, and the malware's command and control servers have been blacklisted by McAfee.
Dave Marcus, McAfee Labs head of research and communications, told reporters that while there is no proof Duqu is connected to Stuxnet, the two infections share a number of traits.
Much like Stuxnet, the Duqu malware makes use of multiple encryption keys and rootkit functionality, as well as similar coding techniques. Additionally, the compromised certificate authority and the Duqu-infected systems are in the same region as those hit by Stuxnet.
Marcus noted that the compromise of the certificate authority was a key component of the attack. He said that when a CA is compromised and rogue certificates issued, the entire system is undermined.
He suggested CAs need to do more to test their systems and protect themselves from attacks.
"I think you are talking about an area that they may not have fully understood before," Marcus said.
"They need to get together as a group and say our industry is being targeted, what can we do as a group?"
Meanwhile, Marcus suggested that the rest of the industry adjust its perception of targeted attacks. He noted that while Duqu appeared to be a sophisticated attack, many targeted operations rely on relatively simple techniques to infect systems and steal data.
"Just because you are a script kiddie infecting machines for fun does not mean you are not using sophisticated techniques," Marcus explained.
"On the other side, just because you are engaging in nation state attacks does not mean you are using Stuxnet every time."
Script Kiddies or Software Engineers
Script kiddies are not the only creators of malicious software who reuse code and concepts. Stuxnet supplied a toolkit of both, just waiting for Son of Stuxnet to be created. The sophisticated software engineers who gave us the Stuxnet missile now, if we are to believe the forensic analysis so far, have given us a software reconnaissance drone. This time the target seems consistent with the Stuxnet scenario and the mission limited. Next time the toolkit might be used by more nefarious forces, and the target could be the U.S. or Israeli power grids or gas pipelines anywhere. --Prof. Larry Constantine (Lior Samson, author of WEB GAMES, a novel about cyber-terrorism)
Posted by: Larry Constantine 20 Oct 2011
CA was NOT compromised in this attack
The certificate used predated Duqu by 2 years. McAfee is dead wrong about a CA having been compromised in this instance. The certificate was stolen directly from the legitimate party to whom it had been issued.
Posted by: CA Insider 20 Oct 2011