Security firms disagree over the significance of a Trojan horse that Symantec calls a "precursor to the next Stuxnet."
Two top security vendors seem to have reached somewhat different conclusions about the specific hazards of a newly discovered Trojan program called Duqu.
Symantec and McAfee both released detailed analyses of the Duqu Trojan on Tuesday, after each had been given a sample of the malware by an undisclosed source.
Symantec released a 60-page report that called Duqu a precursor to the next Stuxnet and said it is being used largely to steal information from the makers of industrial control systems.
Rival McAfee's analysis, on the other hand, said Duqu is being used primarily to target certificate authorities (CAs) in parts of Asia, Europe and Africa.
The two companies also gave different accounts of the code-signing certificate used by Duqu, which appears to have originally been issued to a Symantec customer.
Stolen or forged certificate in a CA attack?
McAfee suggested that the certificate used by Duqu was forged in a direct attack on a CA, while Symantec says the certificate was stolen.
A Symantec spokesman said this afternoon that the company has no evidence that Duqu specifically targets certificate authorities.
"Up to this point, the primary goal of the threat seems to have been collecting information and data assets from very specific entities to facilitate a future attack against a third party," the company said. "Right now what we know as fact is that at least one of these entities is a European-based industrial control systems manufacturer."
In an email to PC World, Adam Wosotowsky, a senior analyst at McAfee Labs, said that while Duqu appears to be a reconnaissance agent, "its true purpose is unknown. But the assumption is that it looks for keys that would make infiltrating secure networks more successful," he said.
In its report, Symantec says Duqu was probably created by the authors of last year's Stuxnet worm and is mainly being used to steal critical information from the creators of industrial control systems.
Duqu, the next Stuxnet
Symantec said it received a copy of the new malware on Oct. 14 from what it described as a "research lab with strong international connections." Symantec has so far investigated two variants of Duqu, plus additional variants recovered from an unidentified organization in Europe.
Symantec says it believes Duqu is being used to steal information that could be used to develop the next Stuxnet. It noted that the new Trojan shares code with Stuxnet and mimics many of the behaviors exhibited by its predecessor.
Unlike Stuxnet, Duqu does not target specific industrial controllers, Symantec said.
But in a somewhat dramatically titled blog post, "The Day of the Golden Jackal - The Next Tale in the Stuxnet Files: Duqu," two McAfee security researchers said the Trojan was primarily focused on CAs "in the regions occupied by Canis aureus, or the golden jackal."
An accompanying map showed that area spanning Asia, the Middle East and Africa.
Like Symantec, McAfee said it obtained a sample of the new malware from what it described as an "independent team of researchers." And, like Symantec, McAfee noted that Duqu is closely related to the original Stuxnet worm, saying its "code, by way of operation, installed drivers and encoded DLL files, functions much the same as the original Stuxnet code."
"In fact," the McAfee report added, "the new driver code used for the injection attack is very similar to Stuxnet, as are the encryption keys and techniques used in Stuxnet."
No risk found to Symantec systems
The McAfee blog gives a detailed description of the threat but makes no mention of industrial control systems. Instead, the blog closes with a warning for CAs to "carefully consider whether their systems have been compromised by this threat or something else."
The blog noted that McAfee Labs had identified an "expected variant" at another site, which it did not name.
McAfee researchers said the code-signing certificate used by Duqu belonged to a company called C-Media Electronics, based in Taipei. They added that it was "very likely" that the key was forged.
Symantec said it is aware that some of the malware files associated with Duqu were signed with private keys belonging to a code-signing certificate issued to a Symantec customer. The certificate was revoked on Oct. 14, the company said.
"Our investigation into the use of the key leads us to the conclusion that the private key used for signing Duqu was stolen and not fraudulently generated for this malware," Symantec said.
The company said that at no time were Symantec's root or intermediate CAs at risk. "Our investigation shows zero evidence of any risk to our systems," Symantec said.
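The stolen-key versus forged-certificate distinction matters to a verifier for a concrete reason: a file signed with a stolen private key passes ordinary chain validation exactly as the legitimate owner's files do, and only revocation (the step Symantec took on Oct. 14) can reject it afterwards. A certificate forged outside the trusted CA, by contrast, fails at the chain check. The toy PKI below, written for this article and not taken from Symantec's or McAfee's analyses, builds a CA, issues a code-signing certificate, and runs both scenarios through a verifier that checks issuer, key usage, signature and a CRL. The CA and customer names and the signed payload are constructed placeholders, and it uses the `cryptography` library's ECDSA and X.509 builders rather than Authenticode.

```python
"""Toy PKI: why a stolen-key signature validates until the certificate is revoked.
Added example for this article; all names and the payload are constructed placeholders."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

ONE_DAY = timedelta(days=1)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def build_ca(common_name):
    """Self-signed CA certificate and its private key (the verifier's trust anchor)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(common_name)).issuer_name(_name(common_name))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - ONE_DAY).not_valid_after(now + 3650 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_code_signing_cert(ca_key, ca_cert, subject_cn, subject_public_key):
    """CA issues an end-entity certificate whose extended key usage is code signing."""
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(ca_cert.subject)
            .public_key(subject_public_key).serial_number(x509.random_serial_number())
            .not_valid_before(now - ONE_DAY).not_valid_after(now + 365 * ONE_DAY)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CODE_SIGNING]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def build_crl(ca_key, ca_cert, revoked_certs):
    """CA publishes a signed CRL listing the serial numbers it has revoked."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now).next_update(now + 7 * ONE_DAY))
    for cert in revoked_certs:
        entry = (x509.RevokedCertificateBuilder().serial_number(cert.serial_number)
                 .revocation_date(now).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def sign_code(private_key, code):
    return private_key.sign(code, ec.ECDSA(hashes.SHA256()))


def verify_signed_code(code, signature, signer_cert, trusted_ca_cert, crl=None):
    """Verdict: 'untrusted issuer', 'not a code-signing cert', 'bad signature',
    'untrusted crl', 'revoked' or 'valid'."""
    # 1. Was the signer certificate really issued by the trusted CA?
    try:
        trusted_ca_cert.public_key().verify(signer_cert.signature, signer_cert.tbs_certificate_bytes,
                                            ec.ECDSA(signer_cert.signature_hash_algorithm))
    except InvalidSignature:
        return "untrusted issuer"
    # 2. Is the certificate allowed to sign code at all?
    try:
        eku = signer_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return "not a code-signing cert"
    if ExtendedKeyUsageOID.CODE_SIGNING not in eku:
        return "not a code-signing cert"
    # 3. Does the signature cover this exact code?
    try:
        signer_cert.public_key().verify(signature, code, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return "bad signature"
    # 4. Revocation: the only step that can distinguish a stolen key from its owner.
    if crl is not None:
        if not crl.is_signature_valid(trusted_ca_cert.public_key()):
            return "untrusted crl"
        if crl.get_revoked_certificate_by_serial_number(signer_cert.serial_number) is not None:
            return "revoked"
    return "valid"


def run_scenarios():
    """Constructed scenarios mirroring the two vendors' theories."""
    ca_key, ca_cert = build_ca("Example Trusted CA")            # placeholder CA
    customer_key = ec.generate_private_key(ec.SECP256R1())        # legitimate customer's key
    customer_cert = issue_code_signing_cert(ca_key, ca_cert, "Example Customer Ltd",
                                            customer_key.public_key())
    payload = b"constructed stand-in for a signed driver"         # not real malware
    # Theory A (Symantec): the customer's private key was stolen and used unchanged.
    stolen_sig = sign_code(customer_key, payload)
    before = verify_signed_code(payload, stolen_sig, customer_cert, ca_cert)
    crl = build_crl(ca_key, ca_cert, [customer_cert])             # CA revokes the certificate
    after = verify_signed_code(payload, stolen_sig, customer_cert, ca_cert, crl)
    # Theory B (McAfee): a certificate forged without the trusted CA's key.
    rogue_key, rogue_ca = build_ca("Example Trusted CA")          # same name, different key
    attacker_key = ec.generate_private_key(ec.SECP256R1())
    forged_cert = issue_code_signing_cert(rogue_key, rogue_ca, "Example Customer Ltd",
                                          attacker_key.public_key())
    forged = verify_signed_code(payload, sign_code(attacker_key, payload), forged_cert, ca_cert, crl)
    return {"stolen_key_before_revocation": before, "stolen_key_after_revocation": after,
            "forged_cert": forged}


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario}: {verdict}")
```

The stolen-key sample is reported "valid" right up until the CRL lists the certificate's serial number, which is why a verifier that skips revocation checks (or trusts a stale CRL) cannot tell the two theories apart. Note that the forged case here models a certificate the trusted CA never signed; a certificate issued by a CA whose own key was compromised would validate like the stolen-key case, which is the scenario McAfee's warning to CAs is about.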
Duqu erases itself after 36 days
Anup Ghosh, founder and CTO of security vendor Invincea, said Duqu is most notable in that it allegedly targets ICS suppliers.
"If it were found on a system at another company, it would look a lot like any other remote access Trojan," he said.
Apart from its reuse of Stuxnet code and the fact that it removes itself after 36 days, there is really not much to distinguish Duqu from other advanced persistent threats, Ghosh said. It can be used to steal data from any system, not just those of ICS suppliers, he said.
Ghosh added that Duqu appears to be very well-written code that was probably developed by a nation-state or a group with deep pockets.
The fact that Duqu is configured to remove itself from an infected system after 36 days is worth noting, he said.
"This is what you do when you are trying to be extremely stealthy. This is a smash-and-grab operation," he said.