Security researchers worldwide are on alert following the discovery of a new virus that may be an attempt to launch a cyber attack on power generation infrastructure. The new virus, named Duqu, shares some source code with the Stuxnet virus, which is believed to be responsible for temporarily shutting down Iran’s nuclear enrichment program. It is therefore believed that there is a connection between the makers of Stuxnet and Duqu, possibly that they are the same person.
Symantec first noticed the virus in October. On November 2nd, Microsoft acknowledged that Duqu exploits a previously unknown flaw in Windows and said it is working on a fix.
The sophistication of the Stuxnet virus, and the eventual target of its destruction, has led to widespread speculation that it was created not by run-of-the-mill hackers but by agents of some government intelligence agency. That makes the possibility that the same people are behind Duqu a matter of significant concern. According to Symantec, confirmed Duqu infections occurred in France, the Netherlands, Switzerland, the UK, Ukraine, Austria, Hungary, Iran, Sudan, Vietnam and Indonesia.

Six different organizations were sent e-mails with infected Microsoft Word documents. When the documents were opened, the previously unknown vulnerability allowed the virus code to be installed and to attempt to spread itself further through the local file server shares. In an interesting twist, if a computer infected through the local file servers did not have access to the internet, it would set up a peer-to-peer connection with any other computer on the local area network that did. The computer with the internet connection would then act as a relay for commands from the hackers’ command and control servers. This allows the hackers to reach systems that might be performing sensitive tasks. For example, a computer controlling a power plant would likely not be permitted access to the internet but might be connected to the local network for monitoring and reporting purposes. With the peer-to-peer relay system, that computer can still be commanded by the hackers.
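The relay behaviour described above leaves a trace in network telemetry that a defender can look for: an internal host that both talks to the internet and accepts connections from internal hosts that never reach the internet themselves. The script below is an added example, not code from the original article or from Symantec; it assumes RFC 1918 addressing for the internal network and runs over a handful of constructed flow records (timestamp, source, destination, destination port, bytes) rather than real captures. The port numbers and addresses are made up for the illustration.

```python
"""Flag internal hosts that may be relaying traffic for isolated peers.

A relay candidate is an internal host that (a) opens connections to
external addresses and (b) receives connections from internal hosts
that never contact external addresses themselves.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges; anything else is treated as external (assumption for this example).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records, one per line: timestamp src dst dport bytes.
# These are made-up values for the example, not captured telemetry.
SAMPLE_FLOWS = """\
2011-11-01T08:00:01 10.0.1.15 203.0.113.7 443 5120
2011-11-01T08:00:05 10.0.5.20 10.0.1.15 4455 812
2011-11-01T08:00:09 10.0.1.15 203.0.113.7 443 2048
2011-11-01T08:01:12 10.0.5.21 10.0.1.15 4455 640
2011-11-01T08:01:30 10.0.1.30 10.0.1.15 445 9000
2011-11-01T08:01:31 10.0.1.30 198.51.100.4 80 1200
2011-11-01T08:02:00 10.0.2.9 10.0.9.1 53 96
2011-11-01T08:02:01 10.0.2.9 198.51.100.4 80 3300
"""


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_relay_candidates(flows, known_gateways=frozenset()) -> dict:
    """Return {relay_host: [isolated peers that connected to it]}.

    known_gateways lets the analyst exclude sanctioned proxies and
    gateways, which would otherwise match the same pattern.
    """
    outbound = set()                    # internal hosts seen talking to the internet
    inbound_peers = defaultdict(set)    # internal dst -> internal srcs that connected to it
    internal_hosts = set()              # every internal host seen as a source
    for f in flows:
        if not is_internal(f["src"]):
            continue
        internal_hosts.add(f["src"])
        if is_internal(f["dst"]):
            inbound_peers[f["dst"]].add(f["src"])
        else:
            outbound.add(f["src"])

    isolated = internal_hosts - outbound   # hosts with no direct internet traffic
    candidates = {}
    for relay in outbound - set(known_gateways):
        iso = sorted(p for p in inbound_peers.get(relay, ()) if p in isolated)
        if iso:
            candidates[relay] = iso
    return candidates


if __name__ == "__main__":
    for relay, peers in find_relay_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible relay {relay} serving isolated hosts: {', '.join(peers)}")
```

On the sample data, 10.0.1.15 is flagged because it reaches 203.0.113.7 while also receiving connections from 10.0.5.20 and 10.0.5.21, neither of which has any external traffic; 10.0.1.30 connects to the same host but is not counted as an isolated peer because it has its own internet access. Legitimate proxies and internal file servers will match this pattern too, so in practice the result is a list to triage against the known gateway inventory rather than an alert on its own.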
The e-mail payload discovered so far limits installation to an eight-day window in August, but there may be other infection e-mails with other time windows.
For the typical user, this provides three reminders:
- Keep your software updated. Microsoft will certainly release a critical security patch, and it will be important to install it promptly. While it takes a great deal of genius to discover a previously unknown exploit, once it is discovered, being a copycat is easy.
- Never open an attachment unless you know the sender and are expecting the attachment. Remember that the ultimate target of this exploit wasn’t a computer. It was a person tricked into opening an unexpected Word document.
- Whenever possible, send e-mail attachments in an inert format such as PDF that is not expected to contain executable code. The less often people see attachments routinely sent in forms such as Word documents, the more suspicious it will seem when they do arrive.