In the hands of enterprising security agencies, or criminals (the
two are functionally synonymous), Trojans are primarily deployed for
data theft, industrial or financial espionage, keystroke logging
(surveillance) or the capture of screenshots which may reveal
proprietary information.
"
The threat" Symantec avers, "was written by the same authors (or
those that have access to the Stuxnet source code) and appears to have
been created since the last Stuxnet file was recovered."
The malware, which began popping up on the networks of several European firms, captured lists of running processes, account and domain information, network drives, user keystrokes and screenshots from active sessions, and did so using a valid code-signing certificate, not a forged one, stolen from the Taipei-based firm C-Media.
Whereas Stuxnet, believed to be a co-production of U.S. and Israeli cyber-saboteurs, was a weaponized worm programmed to destroy Iran's civilian nuclear infrastructure by attacking the centrifuges that enrich uranium, Duqu is a stealthy bit of spy kit that filches data from manufacturers who produce systems that control oil pipelines, water systems and other critical infrastructure.
Sergey Golovanov, a malware expert at Kaspersky Lab, told Forbes that Duqu "is likely the brainchild of a government security apparatus. And it's that government's best work yet."
Speaking from Moscow, Golovanov told Forbes in a telephone interview that "right now we are pretty sure that it is the next generation of Stuxnet."
"We
are pretty sure that Duqu is a government cyber tool and are 70% sure
it is coming from the same source as Stuxnet," Golovanov said.
"The victims' computer systems were infected several days ago.
Whatever it is," Golovanov noted, "it is still in those systems, and
still scanning for information. But what exactly it is scanning for, we
don't know. It could be gathering internal information for encryption
devices. We only know that it is data mining right now, but we don't
know what kind of data and to what end it is collecting it."
Who, pray tell, would have "access to Stuxnet source code"?
While no government has claimed ownership of Stuxnet, IT experts told
Forbes "with 100% certainty it was a government agency who created it."
Suspects include cryptologists at the National Security Agency, or
as is more likely given the outsourcing of intelligence work by the
secret state, a combination of designers drawn from NSA, "black world"
privateers from large defense firms along with specialists from Israel's
cryptologic division, Unit 8200, operating from the Israeli nuclear weapons lab at the Dimona complex, as The New York Times disclosed.
Analyst George Smith noted:
"Stuxnet was widely distributed to many computer security experts. Many
of them do contract work for government agencies, labor that would
perhaps require a variety of security clearances and which would involve
doing what would be seen by others to be black hat in nature. When that
happened all bets were off."
Smith averred, "once a thing is in world circulation it is not protected or proprietary property."
While one cannot demonstrably prove that Duqu is the product of one or another secret state satrapy, one can reasonably inquire: who has the means, motive and opportunity for launching this particular bit of nastiness into the wild?
"Duqu's purpose," Symantec researchers inform us, "is to gather
intelligence data and assets from entities, such as industrial control
system manufacturers, in order to more easily conduct a future attack
against another third party."
In other words, while Stuxnet was programmed to destroy industrial
systems, Duqu is an espionage tool that will enable attackers "looking
for information such as design documents that could help them mount a
future attack on an industrial control facility."
Although it can be argued, as Smith does, that "source code for malware has never been secure," and "always becomes something coveted by many, often in direct proportion to its fame," it also can't be ruled out that military-intelligence agencies or corporate clones with more than a dog or two in the "cyberwar" hunt would be very interested in obtaining a Trojan that clips "industrial design" information from friend and foe alike.
Black Programs
The circulation of malicious code such as Duqu's is highly destabilizing.
Considering that the U.S. Defense Department now considers computer
sabotage originating in another country the equivalent to an act of war
for which a military response is appropriate, the world is on dangerous
new ground.
Ronald Deibert, the director of Citizen Lab, a University of Toronto think tank that researches cyberwarfare, censorship and espionage, told MIT's Technology Review that "in the context of the militarization of cyberspace, policymakers around the world should be concerned."
Indeed, given the fact that it is the United States that is now the
biggest proliferator in the so-called cyber "arms race," and that
billions of dollars are being spent by Washington to secure such
weapons, recent history is not encouraging.
With shades of 9/11, the anthrax mailings and the Iraq invasion as a
backdrop, one cannot rule out that a provocative act assigned to an
"official enemy" by ruling elites just might originate from
inside the U.S. security complex itself and serve as a convenient pretext for some future war.
A hint of what the Pentagon is up to came in the form of a controlled leak to The Washington Post.
Last spring, we were informed that "the Pentagon has developed a
list of cyber-weapons and -tools, including viruses that can sabotage an
adversary's critical networks, to streamline how the United States
engages in computer warfare."
The list of "approved weapons" or "fires" are indicative of the
military's intention to integrate "cyberwar" capabilities into its
overall military doctrine.
According to Ellen Nakashima, the
"classified list of capabilities has been in use for several months and
has been approved by other agencies, including the CIA."
The Post reported that the new "framework clarifies, for instance, that the military needs presidential authorization to penetrate a foreign computer network and leave a cyber-virus that can be activated later."
On the other hand, and here's where Duqu may enter the frame, the
"military does not need such approval, however, to penetrate foreign
networks for a variety of other activities. These include studying the
cyber-capabilities of adversaries or examining how power plants or other
networks operate."
Additionally, Nakashima wrote, Pentagon cyberwarriors "can also,
without presidential authorization, leave beacons to mark spots for
later targeting by viruses, the official said."
As part of Washington's ongoing commitment to the rule of law and human rights, as the recent due process-free drone assassination of American citizen Anwar Al-Awlaki, followed by that of his teenage son and the revenge killing of former Libyan leader Muammar Qaddafi by--surprise!--Al Qaeda-linked militias funded
by the CIA clearly demonstrate, the "use of any cyber-weapon would have
to be proportional to the threat, not inflict undue collateral damage
and avoid civilian casualties."
Try selling that to the more than 3,600 people killed or injured by CIA drone strikes, as Pakistan Body Count reported, since our Nobel laureate ascended to his Oval Office throne.
As George Mason University researchers Jerry Brito and Tate Watkins described in their recent paper,
Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy,
despite overheated "rhetoric of 'cyber doom' employed by proponents of
increased federal intervention," there is a lack of "clear evidence of a
serious threat that can be verified by the public."
However, as Brito and Watkins warned, "the United States may be
witnessing a bout of threat inflation similar to that seen in the run-up
to the Iraq War," one where "a cyber-industrial complex is emerging,
much like the military-industrial complex of the Cold War. This complex
may serve to not only supply cybersecurity solutions to the federal
government, but to drum up demand for them as well."
A "demand" which will inevitably feed the production, proliferation
and deployment of a host of viral attack tools (Stuxnet) and assorted
spybots (Duqu) that can and will be used by America's shadow warriors
and well-connected corporate spies seeking to get a leg-up on the
competition.
While evidence of "a serious threat" may be lacking, and while
proponents of increased "cybersecurity" spending advanced "no evidence
... that opponents have 'mapped vulnerabilities' and 'planned attacks',"
Brito and Watkins noted there is growing evidence these are precisely
the policies being pursued by Washington.
Why might that be the case?
As researcher Stephen Graham has pointed out in Cities Under Siege: The New Military Urbanism, the United States, a declining imperialist Empire possessing formidable military and technological capabilities, has embarked on a multibillion dollar program "to militarize the world's global electronic infrastructures" with a stated aim to "gain access to, and control over, any and all networked computers, anywhere on Earth."
Graham writes that "the sorts of on-the-ground realities that result
from attacks on ordinary civilian infrastructure are far from the
abstract niceties portrayed in military theory."
Indeed, as "the
experiences of Iraq and Gaza forcefully remind us," robotized drone
attacks and already-existent cyberwar capabilities buried in CIA and
Pentagon black programs demonstrate that "the euphemisms of theory
distract from the hard fact that targeting essential infrastructure in
highly urbanized societies kills the weak, the old and the ill just as
surely as carpet bombing."
A Glimpse Inside the Complex
In the wake of the HBGary hack by Anonymous earlier this year, the secrecy-shredding web site Public Intelligence released a 2009 Defense Department contract proposal from the firm.
Among other things, it revealed that the Pentagon is standing up
offensive programs that "examine the architecture, engineering,
functionality, interface and interoperability of Cyber Warfare systems,
services and capabilities at the tactical, operational and strategic
levels, to include all enabling technologies."
HBGary, and one can assume other juiced defense contractors, are
planning "operations and requirements analysis, concept formulation and
development, feasibility demonstrations and operational support."
"This will include," according to the leaked proposal, "efforts to
analyze and engineer operational, functional and system requirements in
order to establish national, theater and force level architecture and
engineering plans, interface and systems specifications and definitions,
implementation, including hardware acquisition for turnkey systems."
Indeed, the company will "perform analyses of existing and emerging
Operational and Functional Requirements at the force, theater, Combatant
Commands (COCOM) and national levels to support the formulation,
development and assessment of doctrine, strategy, plans, concepts of
operations, and tactics, techniques and procedures in order to provide
the full spectrum of Cyber Warfare and enabling capabilities to the
warfighter."
During the course of their analysis Symantec learned that Duqu "uses
HTTP and HTTPS to communicate with a command-and-control (C&C)
server that at the time of writing is still operational."
"The
attackers were able to download additional executables through the
C&C server, including an infostealer that can perform actions such
as enumerating the network, recording keystrokes, and gathering system
information. The information is logged to a lightly encrypted and
compressed local file, which then must be exfiltrated out."
To where, and more importantly by whom, that information was "exfiltrated" is of course the $64,000 question.
A working hypothesis may be provided by additional documents published by Public Intelligence.
According to a cyberwar proposal to the Pentagon by General Dynamics
and HBGary, "Project C" is described as a program for the development
"of a software application targeting the Windows XP Operating System
that, when executed, loads and enables a covert kernel-mode implant that
will exfiltrate a file from disk (or other remotely called commands)
over a connected serial port to a remote device."
We're informed that Project C's "primary objectives" were the design
of an implant "that is clearly able to exfiltrate an on-disk file,
opening of the CD tray, blinking of the keyboard lights, opening and
deleting a file, and a memory buffer exfiltration over a connected
serial line to a collection station."
"As part of the exploit delivery package," HBGary and General
Dynamics told their prospective customers, presumably the NSA, that "a
usermode trojan will assist in the loading of the implant, which will
clearly demonstrate the full capability of the implant."
Duqu, according to Symantec researchers, "uses a custom C&C
protocol, primarily downloading or uploading what appear to be JPG
files. However, in addition to transferring dummy JPG files, additional
data for exfiltration is encrypted and sent, and likewise received."
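The two Symantec passages above (the HTTP/HTTPS C&C channel, and the exfiltration data riding alongside "dummy JPG files") point at one structural check a network defender can actually run: a JPEG has a defined end-of-image marker, so anything an image transfer carries past that marker is not picture data. The Python below is an added example, not code from the page, from Symantec or from any Duqu sample. It walks the JPEG marker segments to locate the EOI marker, measures any trailing bytes and their entropy, and flags declared image/jpeg bodies that either carry a trailer or are not JPEGs at all. The marker skeleton and the appended blob are constructed for illustration; the page does not say how Duqu packed its data into the JPG carrier, so the check is deliberately generic rather than a Duqu signature.

```python
"""Added example: flag HTTP image bodies that carry data past the JPEG EOI marker.

Generic structural check, not Duqu's actual carrier format (the page does not
describe it). Sample inputs below are constructed, not captured traffic.
"""
import math
import struct
from collections import Counter

# Marker codes from ISO/IEC 10918-1 (the byte that follows 0xFF).
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))          # RST0..RST7: stand-alone, no length field
STANDALONE = RST | {0x01}             # TEM is stand-alone as well


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the EOI marker.

    Raises ValueError when the bytes are not a structurally sound JPEG.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("no SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte preceding a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            raise ValueError("bad segment length")
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows the SOS header. Inside it, 0xFF is always
            # followed by 0x00 (byte stuffing) or an RSTn marker, so the first 0xFF
            # followed by anything else is the next real marker (normally EOI).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in RST:
                    break
                pos += 1
    raise ValueError("no EOI marker")


def trailing_payload(data: bytes) -> bytes:
    """Bytes after the image proper; an empty result means a clean JPEG."""
    return data[jpeg_end_offset(data):]


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def inspect_image_transfer(content_type: str, body: bytes) -> dict:
    """Classify one HTTP body that the headers declare as image/jpeg.

    Suspicious: a declared JPEG that is malformed, or one with a trailer after EOI.
    Other content types are out of scope and come back unflagged.
    """
    result = {"is_jpeg": False, "trailer_len": 0, "trailer_entropy": 0.0,
              "suspicious": False, "reason": ""}
    if "image/jpeg" not in content_type.lower():
        return result
    try:
        end = jpeg_end_offset(body)
    except ValueError as exc:
        result.update(suspicious=True, reason=f"declared JPEG but malformed: {exc}")
        return result
    trailer = body[end:]
    result.update(is_jpeg=True, trailer_len=len(trailer),
                  trailer_entropy=round(shannon_entropy(trailer), 2))
    if trailer:
        result.update(suspicious=True,
                      reason=f"{len(trailer)} bytes after EOI, "
                             f"{result['trailer_entropy']} bits/byte")
    return result


def build_minimal_jpeg(scan: bytes = b"\x12\x34\xff\x00\x56") -> bytes:
    """Constructed marker skeleton: SOI, JFIF APP0, SOS header, scan bytes with a
    stuffed 0xFF00, EOI. Enough structure for the walker; not a viewable image."""
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_payload) + 2) + sos_payload
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    clean = build_minimal_jpeg()
    # Constructed stand-in for an encrypted exfil blob: every byte value equally
    # frequent, which is how a ciphertext trailer looks to an entropy check.
    blob = bytes(range(256)) * 2
    print(inspect_image_transfer("image/jpeg", clean))
    print(inspect_image_transfer("image/jpeg", clean + blob))
```

Two caveats for anyone wiring this into a proxy or IDS. Benign trailers exist (some cameras and editors append data past EOI), so alert on trailer size and entropy against a baseline of the site's normal image traffic rather than on the mere presence of a trailer. And because the trailer is encrypted, content inspection of it tells you nothing; the structural mismatch between "image/jpeg" and the bytes on the wire is the signal, which is exactly why a C&C channel that hides behind dummy images is worth checking at the container level rather than the payload level.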
While we don't know which firms were involved in the design of
Stuxnet and now, Duqu, we do know thanks to Anonymous that HBGary had a
Stuxnet copy, shared it amongst themselves and quite plausibly, given
what we've learned about Duqu, Stuxnet source code may have been related
to the above-mentioned "Project C."
Kevin Haley, Symantec's director of product management told
The Register that "the people behind Stuxnet are not done. They've continued to do different things. This was not a one-shot deal."