by Kim Zetter
Then he examined the six kernel hooks the new code used—specific functions on the machine that the malware hooked or hijacked to pull off its attack—and compared them to the functions hooked by other known malicious attacks. He found some that hooked two or three of the same functions, but none that hooked all six. He sifted through the Stuxnet literature to examine what Stuxnet hooked, and there it was—the digital weapon hooked all six of the same functions. There was no doubt in his mind now that the two attacks were related.
It didn’t mean the codes were written by the same people, but it was clear the creators of the new code had developed their attack from the same source code and framework that had been used to develop Stuxnet. Stuxnet had sabotaged Iran’s uranium enrichment program but who knew what this new attack was doing and how many systems it had infected?
Bencsáth dashed off an e-mail to Bartos telling him what he’d found. Until now they’d been working at a leisurely pace, looking at the code whenever they had time. But now he realized they needed to determine what the attack was doing quickly and get the information out to the public before anyone could stop them. After Symantec had published its research on Stuxnet, there were some who wondered why the US government had never tried to thwart them. Bencsáth worried that this time someone would try to intervene.
The next day he told his colleagues, Levente Buttyán and Gábor Pék, about the attack. The three of them knew they weren’t equipped to do a thorough analysis of the files on their own—none of them had ever done malware analysis like this before and had little experience using the debugging tools needed to reverse-engineer it. But they knew they had to do enough analysis to convince other, more experienced, researchers to look at it. The CrySyS Lab, like VirusBlokAda, was hardly a familiar name in the computer security world, and they needed solid evidence to connect the attack to Stuxnet or no one else would agree to examine it.
They set a deadline ten days away and decided to focus only on the parts of the attack that were similar to Stuxnet. But to their surprise, there were more similarities than they expected. At the end of the ten days, they had a sixty-page report. Bartos gave Bencsáth permission to share it with Symantec, but only on condition that if they went public with the report, the CrySyS Lab would not be named in it. Bartos worried that if anyone knew the lab was in Hungary, it wouldn’t take long to identify the victim.
They sent the report to the government CERT, to Chien and his team at Symantec, and to a few others—Péter Szor, a Hungarian researcher at McAfee; someone at VeriSign, because VeriSign would need to revoke the digital certificate the malware used; and to a researcher at Microsoft.5 Bencsáth’s heart was pounding as he clicked Send to e-mail the report. “I was really excited,” he says. “You throw down something from the hill, and you don’t know what type of avalanche there will be [as a result].”
WHEN CHIEN AWOKE on October 14, a Friday, he immediately reached for his BlackBerry to check his e-mail. The subject line of one message caught his eye. It read simply, “important malware,” and came with an attachment. It had been sent by two computer scientists at an obscure university lab in Hungary, who wrote in stilted English that they’d discovered a new attack that bore “strong similarities” to Stuxnet. They dubbed it “Duqu” (dew queue)—because temporary files the malware created on infected machines all had names that began with ~DQ—and were certain it would “open a new chapter in the story of Stuxnet.”
“As we don’t really have experience with this sort of incidents yet [sic], we are uncertain about the next steps that we should make,” they wrote. “We are ready to collaborate with others, including you, by providing access to the malware and participating in its further analysis.”
Chien forwarded the e-mail to the rest of the incident-response team at Symantec and sent a text message to O’Murchu telling him to read it as soon as he woke up. Then he headed to the office feeling cautiously excited.
Over the past year, Chien had grown wary of people contacting him with false alarms about new Stuxnet sightings. Working for an antivirus firm, he was already used to friends and neighbors appealing to his expertise whenever they thought their computers were infected with a virus. But after his team’s work on Stuxnet got widely publicized, random strangers began contacting him too, insisting that the government was spying on them with Stuxnet. One guy even sent an envelope stuffed with fifty pages of printed-out screenshots and network traffic logs that he’d highlighted in yellow. On one, he’d circled the URL of a website he’d visited that contained the letters “en/us”—proof that the US government was watching his computer, he said.6 Another correspondent, a female cookbook author, sent Chien a few e-mails via Hushmail—an anonymous encrypted e-mail service used by activists and criminals to hide their identity. When Chien ignored the e-mails, she tracked down his phone number and left a message. She, too, was certain someone was spying on her with Stuxnet, she said, because every time she went to the library and inserted a USB flash drive into a computer there, her home computer later got infected with a virus from the same USB flash drive.
Despite Chien’s cynicism about every new Stuxnet claim that crossed his desk, he only had to read the first two pages of the report from Hungary before he knew that this one was different. “This is Stuxnet,” he said with certainty.
Despite their lack of experience analyzing malicious code, the Hungarians had produced an impressive report, although they apologized that “many questions and issues remain unanswered or unaddressed.” They had included snippets of decompiled code showing Duqu’s likeness to Stuxnet and produced a side-by-side checklist highlighting more than a dozen ways the two attacks were the same or similar. There was no attack against PLCs in this code—in fact, there was no real payload at all, unless you considered the keylogger a payload. But the fingerprints of Stuxnet’s creators were all over it. Duqu was either written by the same team that was behind Stuxnet or, at the very least, by people with access to the same source code and tools.
Chien e-mailed Bencsáth to let him know they’d received the report, then waited anxiously for O’Murchu to arrive, feeling a mix of emotions. They had long hoped that they or someone else would uncover additional clues to help them resolve their remaining questions about Stuxnet. And Duqu looked like it might provide some of the answers they were seeking. But their analysis of Stuxnet had required months of work, including nights and weekends, and he feared the new code might exact the same amount of time and energy.
O’MURCHU WAS STILL half-asleep when he saw Chien’s text message that morning, but his grogginess quickly dispersed when he opened the attachment and read the report. There was nothing like staring down the barrel of a suspected cyberweapon to clear the fog in your mind. “I’ve got to get to the office,” he told his girlfriend as he threw on some clothes and dashed out the door.
As he drove to work, he tried to wrap his mind around what he’d just seen and couldn’t believe the Stuxnet gang was still active. After all the media attention and finger pointing at Israel and the United States, he thought for sure the attackers would have lain low for a while to let things cool off. At the very least he thought they would have altered their methods and code a little to make sure that any attack they unleashed hereafter couldn’t be traced back to them if found. But judging by the report from Hungary, it appeared they hadn’t bothered to alter their signature moves at all. They really had balls, he thought. They were determined to do whatever they had to do and didn’t care who knew it was them. Either that, or they were already so invested in using the Duqu code that they were loath to replace it even after Stuxnet had been caught.
When O’Murchu got to the office, Chien and their colleagues were already buzzing about the new attack. They contacted Falliere, who had by now relocated from Paris to the States and was now working out of Symantec’s office in Northern California. They downloaded the binary files for Duqu that the Hungarians had sent and worked on the code throughout the day and the weekend. They were happy to discover that Duqu was much smaller than Stuxnet had been and consisted of just a few files that were fairly easy to decipher. By Monday, they knew pretty much everything there was to know about the code.
Duqu was essentially a remote-access Trojan, or RAT, which operated as a simple back door to give the attackers a persistent foothold on infected machines. Once the back door was installed, however, Duqu contacted a command-and-control server, from which the attackers could download additional modules to give their attack code more functionality, such as the keystroke logger/infostealer the Hungarians had found on one of their systems.
As for Duqu’s intent, it was pretty clear it wasn’t a saboteur like Stuxnet, but an espionage tool. Whereas Stuxnet was a black ops mission bent on destruction, Duqu appeared to be the forward scout, sent out to collect intelligence for future assaults. Symantec suspected it was the precursor to another Stuxnet-like attack. Duqu’s life-span was limited, however; a kill date in the code forced it to self-destruct after thirty-six days, deleting all traces of itself from an infected machine.7
All of this seemed fairly straightforward, but as they examined Duqu’s files, they stumbled across a surprise that seemed to connect it to another mystery attack that had been puzzling them for months. Six months earlier, officials in Iran had announced that computers there had been struck by a second digital attack in the wake of Stuxnet. The announcement came months after Iranian officials had finally acknowledged that computers controlling centrifuges in Iran had been attacked. Although the Iranians had never identified the specific virus that struck the centrifuges, they gave this new attack the name “Stars.” Gholam-Reza Jalali, commander of Iran’s Civil Defense Organization, didn’t say why they called it Stars, nor did he provide much information about the attack other than to say it was aimed at stealing data. He also said it was likely “to be mistaken [on computers] for executable files of the government,” suggesting the malware may have arrived in a phishing attack, with a malicious file attached that masqueraded as a document from a government source.8
Symantec and other security researchers didn’t know what to make of the report at the time, since Iran didn’t release any samples of the malware for outside researchers to examine. The fact that no one else in the world had reported infections from “Stars” led some researchers to dismiss the report, believing that Iran had either fabricated the story to accuse the West of launching more cyberattacks or had simply mistaken a run-of-the-mill virus for a nation-state attack.
But something they found in Duqu suggested it might be Stars. When Duqu’s attackers sent their keylogger to infected machines, they embedded it in a .JPEG file—an ordinary image file—to slip it through firewalls unnoticed. The content of most of the image in that file had been deleted so the keylogger code could be tucked inside. As a result, only an inch or so of the image appeared on-screen when O’Murchu opened the file—it consisted of just a few words of white text printed on a dark background. The words were cut off so only their top half was visible, but it was still possible to make them out: “Interacting Galaxy System NGC 6745.” A Google search on the words revealed the entire picture—a March 1996 image produced from the Hubble Space Telescope. The striking image depicted a thick cluster of luminous blue and white stars enveloped in a gossamer veil of golden matter and gases—the aftermath, a caption revealed, of two galaxies “colliding” after a small galaxy of stars grazed the top of a larger one. Was it possible that Duqu was the mysterious “Stars” that struck Iran?9 It seemed to Symantec and the CrySyS Lab that it was.
Symantec wanted to go public with the news of Duqu, but before the researchers could do so, they worked with Bencsáth to scrub the sample files and CrySyS report of anything that might identify the victim or the lab.10 On October 18, the Symantec team published the anonymized CrySyS report, as well as their own analysis of Duqu, identifying the victim only as “an organization based in Europe” and the CrySyS Lab as a “research lab with strong international connections.”11
Within an hour after the announcement broke, Bencsáth got the first hit to his personal website from someone searching for the hashes he’d posted weeks earlier. Although he’d deleted them from his site, Google cache had preserved his post, and online security forums were buzzing with questions about the deleted message. The next day he got more than four hundred hits to his domain as word spread quickly that this strange Hungarian site about canned fish was somehow connected to Duqu. There was no contact information for Bencsáth on the site, but it didn’t take long for someone to look up the registration for the site’s domain and find his name. From there it took only a simple Google search to connect him to the CrySyS Lab.
It was futile to hide the lab’s identity at this point, so on October 21, Bencsáth published a brief statement on the lab’s website, acknowledging their role in discovering Duqu, and urged everyone to stop speculating about the victim’s identity. It was too late for this, however. Word was already spreading that Duqu’s victim was a certificate authority in Europe after Péter Szor, the McAfee researcher who had received Bencsáth’s original report, wrote a blog post titled “The Day of the Golden Jackal” saying that Duqu was targeting certificate authorities and advising CAs to check their systems to make sure they hadn’t been infected. Since the CrySyS Lab was in Hungary, people assumed the victim was too. And since there were only a few certificate authorities in that country—NetLock and Microsec e-Szigno being the primary ones—it didn’t take long for a few researchers to zero in on NetLock as the victim, though none of them went public with the news.12
The implications were alarming. Certificate authorities are at the core of the trust relationship that makes the internet function. They issue the certificates that governments, financial institutions, and companies use to sign their software and websites, providing users with assurance that they are downloading a legitimate program made by Microsoft or entering their account login credentials at a legitimate website operated by Bank of America or Gmail. Attacking such an authority would allow the attackers to issue themselves legitimate certificates in the name of any company and use them to sign malware. It went a step beyond Stuxnet’s tactic of compromising individual companies like RealTek, JMicron, and C-Media. If Duqu was the work of the United States or Israel, it meant that a NATO country or ally had compromised a fundamental part of the trusted infrastructure that made transactions on the internet possible, all for the sake of advancing a covert campaign. If the United States was behind the attack, it also meant that while one branch of the government was touting the importance of securing critical infrastructure at home and developing acceptable norms of behavior for the internet, another was busy compromising critical systems belonging to a NATO ally that were important for the security of the internet, and establishing questionable norms of behavior that others would copy. But because the identity of the victim was never disclosed at the time Duqu was exposed, the public was denied an opportunity to debate these issues.
Despite the omission of this important detail, when the news of Duqu broke, it elicited a far different response from the security community than Stuxnet had. Research teams that had sat on the bleachers while Symantec had worked for months to deconstruct Stuxnet’s payload quickly jumped on Duqu’s code to examine it—in part because it was less complex than Stuxnet and didn’t have a PLC payload, but also because they had seen what sitting on the sidelines got them. Stuxnet had signaled the dawn of a new era, and many researchers had chosen to sit it out.13
One security firm that was determined not to be left behind this time was Kaspersky Lab in Russia. The Kaspersky researchers hadn’t sat idly when Stuxnet was discovered; they had put in extensive work to deconstruct the Windows portion of the attack and had been the first private researchers to discover additional zero days in Stuxnet and report them to Microsoft. But beyond its menagerie of exploits, they hadn’t considered Stuxnet a particularly interesting threat. The unfamiliar PLC code was a barrier to examining the payload, and ultimately they had determined there was little to be gained from deciphering it. So once they’d completed their analysis of the missile portion, they had moved on. But they weren’t going to make that mistake again.
COSTIN RAIU, DIRECTOR of Kaspersky’s Global Research and Analysis Team, was in Beijing when news of Duqu broke, preparing to board an early-morning flight to Hong Kong for a meeting. His first thought was to call his colleagues back in Moscow, but they were still asleep. So before boarding his plane, he quickly downloaded the Duqu files Symantec made available to researchers and examined them during his flight.
As soon as he landed in Hong Kong, he contacted Alexander Gostev in Moscow, a young, highly skilled reverse-engineer and the company’s chief malware researcher. Symantec and the CrySyS Lab had examined the Duqu files thoroughly, but Raiu and Gostev suspected there was much more intelligence to be gleaned from the threat, and they were right.
It was clear to them immediately that Duqu was the work of master programmers. The code was remarkably different from other spyware that crossed their desks—Raiu likened it to the difference between Vincent Van Gogh’s Starry Night and an art-school student’s amateur rendition of a star-filled night. The master brushstrokes and genius in the code were evident to the practiced eye.
Raiu was a thirty-three-year-old Romanian who worked for Kaspersky out of a tiny office in Bucharest with one other researcher and a handful of marketing folks. He had dark, close-cropped, graying hair and a maturity and wisdom that belied his age. The latter made him a natural mentor to younger members of his research team. He also had a calm, Buddha-like demeanor that served him well under pressure when they were juggling multiple complex projects at a time. It was a quality that would prove invaluable over the many months that followed as his team’s research into the Stuxnet-Duqu gang intensified and they began to draw the attention of intelligence agencies.