Remaining vigilant to cyber attack

27 March 2012

In April 2011, not even a year after the discovery of Stuxnet, the Hungarian Laboratory of Cryptography and System Security (CrySyS) identified a new malware which has been named Duqu because it creates files with the field ending ‘-DQ’. Professor Dr. Peter Fröhlich, director R&D networking & Controls at Belden EMEA, explains more.

Unlike Stuxnet, Duqu is more of a spy than a saboteur, but there does seem to be some relationship. Duqu opens a backdoor that enables attackers to load other programs onto the system. One infection route is that of e-mailed Word documents containing a ‘zero-day’ exploit. The term ‘exploit’ refers to a vulnerability in the code, i.e. a programming error or a state that is not covered by an error handling routine, enabling – for example – an internal buffer overrun that overwrites other areas of memory. Such vulnerability is exploited when it can be used, for example, to disable existing safety barriers or smuggle clandestine instructions into a program. The zero-day exploit used by Duqu exploits a vulnerability in the handling of embedded fonts in documents. More information about this is available from Microsoft. (

This type of malware is controlled by one or more command & control servers (C&Cs). Duqu disguises its C&C servers by not allowing a newly infected computer to communicate with them directly, but instead only indirectly via other already infected computers. According to the detailed report and the analyses carried out by computer security software company Symantec, Duqu has been traced back to C&C servers in India, Belgium and Vietnam. To avoid drawing attention to itself, Duqu also deactivates itself after 30 days. It has this in common with Stuxnet: not attracting attention is the most important thing. This calls for extremely high-grade coding.

As for other ‘relations’, there seem to be very similar attack mechanisms in Windows kernel drivers that introduce and spread the malicious code, including joint certificates for signing drivers. At present it cannot be proved or disproved that common sources are actually being used, but the architecture is certainly very similar. The ‘payload’, on the other hand - the code that is executed once the infection has taken hold - is very different.

Through the backdoor
Duqu installs a backdoor on the infected computer that can be used to load and execute other programs on the system. On October 18, 2011, it loaded a program onto infected systems that systematically gathers information and passes this to the C&C server: the list of running processes, drive names and sharing options, screenshots, network data such as routes, etc. A similar program found on a Duqu-infected computer was also able to log keystrokes. Information gleaned in this way might actually be used to prepare and mount targeted attacks in the same way as Stuxnet.

Duqu does not appear to constitute a direct threat to machines, installations, automation systems and other industrial or embedded computers. Alongside Microsoft there are now a number of vendors engaged in detecting, analysing and combating the infection of PCs. There are also established processes for recognising and eradicating vulnerabilities. Those responsible for operating PCs need to exercise a degree of caution and perform regular updates, operate virus scanners and firewalls and deal conscientiously with their configuration and maintenance.

In general, manufacturers of automation products and embedded computers do recognise their responsibility and are working to increase the robustness of their products and their immunity to computer attacks. However, users are only slowly beginning to recognise the risks and this is where the first steps need to be taken. Although existing security functions may be far from adequate, all too often not even they are used. All network components should be properly configured and then monitored, for best results using a flexible and powerful network management tool that can also be used to document changes and faults. Once these initial steps have been taken, the next step is to set up a firewall to curb the penetration and particularly the dissemination of malware. This involves monitoring not only gateways from the outside, but particularly all access to the internet or other networks, in other words using firewalls to create a horizontal segmentation.

Here, firewalls separate the individual network segments. They operate like the bulkheads on a ship: if malware does gain entrance anywhere it should not be permitted to leave that segment. This concept is called ‘defense in depth’, and is specified in more detail by the ISA-99 and IEC62443 standards.

Industrial applications generally have the advantage that the protocols used are well known and rarely change. This enables firewalls to be geared specifically to these protocols, and they can do this particularly well if they are able to carry out deep packet inspection. That means that they can view the contents of the data packets and are even familiar with their structure, particularly for industrial protocols.

The threat to industrial systems from computer malware is real and should be taken seriously. It is important to systematically plan and implement robust architectures, and maintain a healthy degree of risk awareness vigilance.

Contact Details and Archive...

Print this page | E-mail this page