Stuxnet and Duqu are two pieces of malware that have earned a place in the malware hall of fame in recent years. Some of us may already have read about Stuxnet in the reading list; Duqu was covered by a blogger last year.
To recap, Stuxnet, dubbed the “hack of the century”, is a sophisticated computer worm that spreads via Windows and is known to target only Siemens industrial control software and equipment. Using kernel drivers signed with two stolen code-signing certificates, it installs itself in kernel mode and gains privileged execution. One of its most elegant tricks is an attack similar to a man-in-the-middle attack: it induces a malfunction in the controlled device while hiding that malfunction from the device's operator, who keeps seeing the normal readings the malware replays. By the time the operator realises something is wrong, it is too late. The centrifuges at Iran's nuclear enrichment facility have been among the victims: the malware altered the motor controls, ran the centrifuges at varying speeds and thereby wore them out, while the operator never saw the speed variations on the sensors. Stuxnet also propagates and updates itself across the local network over RPC, including a peer-to-peer mechanism for passing newer versions between infected machines.
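The operator deception described above is easier to reason about with a small model. The following is an added example written for this post, not Stuxnet's code and not Siemens' API: it models a PLC driving a motor, an interposing layer that first records a window of normal speed readings and then replays them to the HMI while it drives the PLC to a new setpoint, and a second check that compares the reported value against an independent channel the interposer cannot touch. All names, speeds and tolerances are assumptions chosen for illustration.

```python
"""Toy model of a Stuxnet-style replay attack on an operator's view of a PLC.

Added illustration, not Stuxnet's own code. Three parties are modelled:
a PLC (controller plus motor), an interposer sitting on the HMI-to-PLC
path, and two alarm functions: the HMI's own check, which only sees what
the interposer hands it, and an out-of-band check using a reading the
interposer cannot alter. Speeds and tolerances are made-up values.
"""
from collections import deque
from dataclasses import dataclass, field

NORMAL_RPM = 1000      # assumed nominal speed for this model
ALARM_TOLERANCE = 50   # HMI alarms if the reported speed drifts beyond +/- this


@dataclass
class Plc:
    """Controller plus motor: each tick the speed moves one step toward the setpoint."""
    setpoint: int = NORMAL_RPM
    rpm: int = NORMAL_RPM
    step_size: int = 100

    def tick(self):
        if self.rpm < self.setpoint:
            self.rpm = min(self.rpm + self.step_size, self.setpoint)
        elif self.rpm > self.setpoint:
            self.rpm = max(self.rpm - self.step_size, self.setpoint)

    def read_rpm(self):
        return self.rpm


@dataclass
class Interposer:
    """Sits between the HMI and the PLC. Before the attack it passes readings
    through and records a window of them; during the attack it pushes the PLC
    to a new setpoint and replays the recorded normal readings to the HMI."""
    plc: Plc
    window: int = 4
    recorded: deque = field(default_factory=deque)
    attacking: bool = False

    def read_rpm(self):
        if not self.attacking or not self.recorded:
            # learning phase (or nothing recorded yet): pass through and remember
            value = self.plc.read_rpm()
            self.recorded.append(value)
            if len(self.recorded) > self.window:
                self.recorded.popleft()
            return value
        # attack phase: hand the HMI an old normal value, cycling through the window
        value = self.recorded[0]
        self.recorded.rotate(-1)
        return value

    def start_attack(self, setpoint):
        self.attacking = True
        self.plc.setpoint = setpoint


def hmi_alarm(reported_rpm):
    """What the operator's console does: alarm only on the value it was given."""
    return abs(reported_rpm - NORMAL_RPM) > ALARM_TOLERANCE


def independent_check(reported_rpm, out_of_band_rpm, tolerance=ALARM_TOLERANCE):
    """Consistency check against a channel the interposer never touches
    (a separate sensor, a power meter, a vibration probe); assumed to exist."""
    return abs(reported_rpm - out_of_band_rpm) > tolerance


def simulate(ticks=8, attack_at=3, attack_setpoint=1400):
    """Run the model and return one record per tick."""
    plc = Plc()
    mitm = Interposer(plc)
    log = []
    for t in range(ticks):
        if t == attack_at:
            mitm.start_attack(attack_setpoint)
        plc.tick()
        reported = mitm.read_rpm()   # what the HMI sees
        actual = plc.read_rpm()      # what the motor is really doing
        log.append({
            "tick": t,
            "actual": actual,
            "reported": reported,
            "hmi_alarm": hmi_alarm(reported),
            "oob_alarm": independent_check(reported, actual),
        })
    return log


if __name__ == "__main__":
    for entry in simulate():
        print(entry)
```

Running it shows the HMI column sitting at the nominal speed for every tick while the actual speed climbs to the attacker's setpoint; the HMI alarm never fires, and only the out-of-band comparison trips from the first attack tick onward. That is the design lesson behind the story: an operator view that is fed entirely through a channel the attacker controls cannot be trusted to detect that attacker, so process-integrity monitoring needs at least one measurement path the controller software does not mediate.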
| Country | Share of Stuxnet-infected computers |
|---|---|
| Iran | 58.85% |
| Indonesia | 18.22% |
| India | 8.31% |
| Azerbaijan | 2.57% |
| United States | 1.56% |
| Pakistan | 1.28% |
| Others | 9.2% |
Duqu came after Stuxnet and is reported to be nearly identical to it in structure and code. Unlike Stuxnet, Duqu was designed to provide the attackers with services such as injection tools and information retrieval rather than to sabotage equipment. An attacker can also push a payload through Duqu that can then be used to attack any system. Like Stuxnet, Duqu exploits a zero-day vulnerability in Microsoft Windows. How Duqu spreads is still unknown. One of its notable traits is the use of a stolen digital certificate to sign its driver, so that its components, and any future payloads signed the same way, appear to be legitimately signed software.
Flame is a recent piece of malware announced on May 28th, 2012. One of its discoverers claims that Flame is the most complex malware ever found. Like Duqu, Flame is used primarily for espionage and can record a wide variety of information, including screenshots, network traffic and Skype conversations. It encrypts and compresses the data it collects so that only the attacker can read the stolen data. One of its capabilities is to turn the infected computer into a discoverable Bluetooth device and use it to gather information about nearby devices; the stolen data itself is sent to one of the many command-and-control servers spread across the world. Like Stuxnet and Duqu, Flame evades security software via rootkit functionality. Flame is currently being used to deliver various payloads and is still evolving; its full capabilities are yet to be seen.
References:
http://en.wikipedia.org/wiki/Stuxnet
http://en.wikipedia.org/wiki/Flame_%28malware%29
http://en.wikipedia.org/wiki/Duqu
http://en.wikipedia.org/wiki/Rootkit
http://www.pcworld.com/article/2009973/flame-malware-continues-to-burn.html