2011 October

Update on W32.Duqu

Based on research being performed, here is what the community knows about Duqu:

  • There have only been a few infections to date
  • It does not self-propagate or spread like Stuxnet did, so the victims have to be selectively targeted
  • Unlike the initial perception, it does not seem to target control system equipment or vendors
  • The attackers are using Duqu to look for information, such as blueprints, design documents, and any information that can potentially be used to create a future attack on an industrial facility
  • Some of the executables used within the Duqu framework share code with Stuxnet and appear to have been compiled after Stuxnet was discovered
  • The malware is designed to self-destruct after 36 days
  • Duqu may have other variants that are not currently detectable by antivirus
  • Seems to leverage C&C servers based in India

Steps asset owners should consider to avoid infection:

  • update all AV signatures
  • tighten up host prevention strategies and consider application whitelisting technology
  • review all ports open on perimeter devices such as firewalls and reduce the attack surface by closing off unnecessary ports on network devices upstream of critical SCADA or DCS systems
  • isolate control system elements from the corporate IT networks as much as possible
  • operate at a higher threat level and review logs on an increased periodic basis
  • monitor sensitive SCADA and DCS hosts for new and unusual services that are not traditionally running on those devices
  • enable verbose logging on all host systems, and forward the logs to a centralized SEM or SIEM
  • monitor hosts for new files added to system directories such as system32 and system32\drivers
  • monitor outgoing traffic leaving the network to unknown destination IP addresses
  • place a sniffer on the external side of the firewall and record traffic for 24 hours, then parse the data and cross-check the IP addresses in the PCAP files to see if the traffic contains any IP addresses for known C&C servers and botnets
  • also monitor the dirty side of the firewall for spikes in traffic
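The last two steps (cross-checking a perimeter capture against a C&C list and watching outbound volume per destination) can be automated with nothing beyond the Python standard library. The following is an added example, not code from the original post: it parses a classic pcap file (Ethernet/IPv4 only), keeps just the flows leaving the plant network, and reports hits against an indicator list plus per-destination packet counts. The plant range (10.10.0.0/16), the indicator address and the capture itself are constructed placeholder values, not real Duqu indicators.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

PCAP_MAGIC = 0xA1B2C3D4  # little-endian classic pcap, microsecond timestamps


def build_pcap(packets):
    """Build a minimal pcap (constructed test data) from (src, dst, ts) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for src, dst, ts in packets:
        ip_hdr = (b"\x45\x00" + struct.pack(">H", 28) + b"\x00\x00\x40\x00\x40\x06\x00\x00"
                  + ip_address(src).packed + ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip_hdr + b"\x00" * 8  # MACs, EtherType, IP, payload
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_ipv4_packets(data):
    """Yield (timestamp, src, dst) for every IPv4-over-Ethernet packet in a pcap byte string."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue  # skip non-IPv4 frames and truncated captures
        yield ts, ip_address(frame[26:30]), ip_address(frame[30:34])


def review_capture(data, internal_nets, known_bad):
    """Return ([(ts, src, dst) hits on the indicator list], Counter of packets per outbound dst)."""
    nets = [ip_network(n) for n in internal_nets]
    bad = {ip_address(a) for a in known_bad}
    hits, per_dst = [], Counter()
    for ts, src, dst in iter_ipv4_packets(data):
        if not any(src in n for n in nets) or any(dst in n for n in nets):
            continue  # only flows leaving the plant network are of interest here
        per_dst[str(dst)] += 1
        if dst in bad:
            hits.append((ts, str(src), str(dst)))
    return hits, per_dst


# Constructed sample capture: two plant hosts talk to an indicator address (198.51.100.9).
SAMPLE_PCAP = build_pcap([("10.10.1.5", "203.0.113.7", 1), ("10.10.1.5", "198.51.100.9", 2),
                          ("10.10.1.6", "198.51.100.9", 3), ("203.0.113.7", "10.10.1.5", 4)])

if __name__ == "__main__":
    hits, per_dst = review_capture(SAMPLE_PCAP, ["10.10.0.0/16"], ["198.51.100.9"])
    for ts, src, dst in hits:
        print(f"t={ts}: {src} -> {dst} matches C&C indicator list")
    print("outbound packets per destination:", dict(per_dst))
```

Spikes toward a single destination show up in the per-destination counter; on a real 24-hour capture, sort it and review the top entries alongside the indicator hits.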

Hope this briefing provides helpful insight as to how Duqu works, and the mitigation efforts that can reduce the chance of getting infected.

thanks,
Jonathan