AV firms first received a sample of Duqu, an information-stealing trojan that shares much of its code with the notorious Stuxnet worm, on Sept. 1. Based on the dates the files were compiled, however, researchers believe that attacks using the malware may have been underway as early as last December.
Duqu has impacted roughly five Europe-based manufacturers of industrial control systems, researchers have said.
But it was able to go unnoticed for two major reasons: It was specifically crafted to evade detection and was only used against a handful of targets, experts said. Like Stuxnet, Duqu uses a driver file signed with a legitimate digital certificate, in this case issued by Taiwan-based C-Media Electronics. Drivers signed with a valid cert are generally trusted by the automated scanners most AV labs around the world use to detect malware, Mikko Hypponen, chief research officer at anti-virus firm F-Secure, told SCMagazineUS.com on Friday.
“It's embarrassing for us and the whole industry,” Hypponen said. “We should be doing better.”
Also helping it to evade detection for so long, Duqu was only unleashed against specific targets, Kurt Baumgartner, senior security researcher at Kaspersky Lab, told SCMagazineUS.com. And because it is not capable of self-replicating, it didn't propagate beyond the sites in which the purveyors were interested.
“If a tree falls in the woods does anyone hear it?” Baumgartner said. “When it showed up in the outside world, we were very immediate. We were very on top of detecting it.”
Still, the delay in detection proves that AV companies just aren't currently able to protect against attacks as advanced as Stuxnet and Duqu.
Stuxnet, which has been dubbed a cyber weapon meant to carry out industrial sabotage, spread for about a year before it was detected. Unlike other sophisticated pieces of malware, Stuxnet did not employ anti-debugging, obfuscation or encryption, features that would have tipped off AV companies that it was malicious, Hypponen said. Instead, it appeared to AV firms' automated scanners as a hardware installer, a type of program that easily passes as benign.
The problem lies in that AV companies are primarily using reactive technologies to detect malware and exploits, Chaouki Bekrar, CEO and head of research at French IT security research company Vupen, told SCMagazineUS.com Friday in an email.
“Unfortunately the approach followed by the AV industry was good 10 years ago, but these days it is a bit outdated and only useful to protect against certain malware or variants,” Bekrar said.
AV companies tend to “overestimate” how effective their technologies are, he added.
At this point, even if AV vendors add detection for Duqu to their products, the malware's creators can change it to dodge scanners, Bekrar said. In fact, since news about Duqu first broke, researchers have discovered new variants of the malware, indicating those behind the threat have not let up.
“We have been examining characteristics of the files we have collected and are seeing indications that the development and release of newer files is ongoing,” Kaspersky's Baumgartner said.
Though researchers are unsure of Duqu's ultimate intent, one of the theories is that it was meant to gather information for a future Stuxnet-like attack. This indicates that there may have been a similar information-gathering attack carried out before Stuxnet that was never caught, Hypponen said.
Going forward, AV companies cannot continue to blindly trust digitally signed components, especially considering the increase in attacks against CAs this year, he added.
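The signed-driver problem raised here and in the earlier paragraph on automated scanners, as an added Python example that is not from the article or from any AV vendor: the weak rule (valid signature plus no obfuscation means benign) beside a hardened triage rule that treats a signature as evidence of who signed, not of safety. The sample metadata, field names, vetted-signer list and prevalence thresholds are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """Metadata a scanning pipeline holds about one file (constructed fields)."""
    name: str
    is_driver: bool
    signature_valid: bool   # Authenticode chain verifies to a trusted root
    signer: str             # subject of the signing certificate
    cert_revoked: bool      # the issuing CA has since revoked the certificate
    prevalence: int         # machines on which this file hash has been observed
    obfuscated: bool        # packing, anti-debugging or encryption detected


# Signers whose driver releases this lab has explicitly vetted (assumed list).
VETTED_DRIVER_SIGNERS = {"Example Hardware Vendor Ltd."}


def legacy_triage(s: Sample) -> str:
    """The weak rule the article describes: a valid signature and no obfuscation
    look like an ordinary hardware installer, so the file is waved through."""
    if s.signature_valid and not s.obfuscated:
        return "benign"
    return "analyze"


def hardened_triage(s: Sample) -> str:
    """A signature proves who signed the file, not that the file is safe.
    Trust it only for vetted signers with unrevoked certificates and wide
    deployment; a rarely seen driver from anyone else goes to the top of
    the analysis queue, since targeted use is the Stuxnet/Duqu pattern."""
    if s.cert_revoked:
        return "analyze-high"
    if (s.signature_valid and s.signer in VETTED_DRIVER_SIGNERS
            and s.prevalence >= 1000):
        return "benign"
    if s.is_driver and s.prevalence < 10:
        return "analyze-high"
    return "analyze"


# Constructed samples modelled on the article's description.
DUQU_LIKE = Sample("rare driver (constructed)", True, True,
                   "C-Media Electronics", False, 5, False)
COMMON_DRIVER = Sample("vetted audio driver (constructed)", True, True,
                       "Example Hardware Vendor Ltd.", False, 250000, False)

if __name__ == "__main__":
    for s in (DUQU_LIKE, COMMON_DRIVER):
        print(f"{s.name}: legacy={legacy_triage(s)} hardened={hardened_triage(s)}")
```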
UPDATE: Additional analysis has revealed that no industrial control systems, vendors or manufacturers were targeted by Duqu, according to an alert issued Friday by the Industrial Control Systems – Cyber Emergency Response Team (ICS-CERT). Further, there is currently no evidence that Duqu poses a threat to industrial control systems at this time, though companies should remain on alert for this and other sophisticated malware, ICS-CERT said.