Duqu – Stuxnet part 2?

Duqu malware is making waves in the security world at the moment. It is an attack that uses a zero-day to exploit a vulnerability in the Windows kernel; more specifically, it targets the Win32k TrueType font parsing engine. The reason it is big news is that it is a highly sophisticated attack on specific organisations that steals digital certificates, keystrokes, and other system information. While the specific organisations that have been targeted haven’t been made public, they all dealt with highly sensitive things such as industrial control systems. The infection usually began with a .doc dropper file that was emailed and socially engineered to be something the targeted user would open.

So security experts have begun to conjecture that Duqu was developed and executed by the same people responsible for Stuxnet, because the two share a lot in common. Both exploited zero-days relating to the Windows kernel, both are signed using stolen certificates, and both have been highly sophisticated attacks directed at specific organisations. Not only does the profile of the attack match Stuxnet, so does the source code. Where Stuxnet and Duqu start to differ is that Stuxnet was created to act autonomously while Duqu relies on command and control servers. Stuxnet targeted industrial machines while Duqu is attacking computer systems.

There are many features that add to Duqu’s sophisticated nature and raise it above the level of ordinary malware. One is that it is able to communicate through Server Message Block (SMB), the protocol that allows networked resources to interact. This allowed Duqu to infect systems that weren’t connected to the internet but were on a network with devices that were. On top of that, it was able to receive and transmit messages from the C&C server by relaying the data through a computer connected to the internet and then over SMB to the device on the network that didn’t have internet access. Even the C&C servers themselves show a high level of dedication, because a unique C&C server was used for each individual attack. So far only two have been discovered, one in India and one in Belgium. To avoid detection on infected systems it uses 54×54 JPEG files as containers to store stolen data, so the network traffic wouldn’t show important data moving around, just JPEG files. After 30 days of running on the system Duqu deletes itself, hiding any way of detecting it had been there.
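As an added defensive example (not code from the original post, and not a description of how Duqu itself embedded data), the check below parses JPEG marker segments, reads the declared image dimensions, and reports any bytes that trail the end-of-image (EOI) marker, which is one tell for an image file being used as a container. The sample JPEG is constructed in code with dummy scan data so it runs offline.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOS, APP0, SOF0 = 0xDA, 0xE0, 0xC0
SOF_MARKERS = {0xC0, 0xC1, 0xC2}          # baseline, extended and progressive SOF

def _segment(marker, payload):
    # Marker byte pair, then a big-endian length that counts itself plus the payload.
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample(width, height, trailing=b""):
    """Constructed sample: valid JPEG marker layout with dummy scan data, no real image."""
    sof0 = bytes([8]) + struct.pack(">HH", height, width) + bytes([1, 1, 0x11, 0])
    return (SOI + _segment(APP0, b"JFIF\x00") + _segment(SOF0, sof0)
            + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x00" * 16
            + EOI + trailing)

def inspect_jpeg(data):
    """Return (width, height, trailing_bytes): declared size and byte count after EOI."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos, width, height = 2, None, None
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            break                                  # entropy-coded scan data follows
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS:                  # payload: precision, height, width
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
        pos += 2 + length
    # Inside scan data 0xFF is always escaped as FF00 or a restart marker, so the
    # first FFD9 after SOS is the real end of image.
    eoi = data.find(EOI, pos)
    if eoi < 0:
        raise ValueError("truncated JPEG (no EOI)")
    return width, height, len(data) - (eoi + 2)

def looks_like_container(data):
    """Heuristic: an image whose file carries payload bytes after the EOI marker."""
    return inspect_jpeg(data)[2] > 0

if __name__ == "__main__":
    bad = build_sample(54, 54, b"CONSTRUCTED-EXFIL-PAYLOAD")
    print(inspect_jpeg(bad), looks_like_container(bad))
```

Some legitimate files also carry trailing bytes (padding, multi-picture extensions), so treat a hit as a reason to inspect the file, not as proof on its own.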

So what I think most likely is that Duqu was created and used by the same people who did Stuxnet, and, given the level of sophistication and scale, it was most likely a state actor, probably a collaboration between the USA and Israel. As of right now Microsoft still hasn’t fixed the vulnerability that allows it. For most users this isn’t that big of a deal, because the exact method of the zero-day isn’t known, so Duqu is the only one using it. So unless you happen to be part of a large organization, the threat and danger from Duqu is minimal.

Further reading:


Facebook’s security woes: 600K accounts compromised per day

By Kara Reeder

November 2, 2011, 7:49 AM PDT

Takeaway: Kara Reeder reports on the latest security mishaps from the Facebook camp.

With more than 800 million active users, there’s no shortage of people looking for loopholes in the social network. The latest vulnerability has been discovered by Nathan Powers, who works for technology consultancy CDW. Powers has discovered a way for a user to send an executable file to another user who is not their friend. The risk, as Computerworld points out, is that “a hacker [could] send, for instance, a key logging program to another user in a kind of spear-phishing attack.”

Facebook’s Security Manager Ryan McGeehan is downplaying the flaw, noting that “an additional layer of social engineering” would be required for the scam to work.

Security issues are nothing new for Facebook. In fact, as msnbc.com reports, buried deep in a recent security announcement, Facebook revealed that 600,000 accounts are compromised every day. Of course, Facebook put a different spin on it, saying “only 0.06 percent of 1 billion logins per day are compromised.” Still, 600,000 a day is nothing to scoff at as hijacked Facebook accounts lay the foundation for a number of misbehaviors, including cyber bullying and scams designed to trick unsuspecting users into coughing up money.

Editor’s Note: Facebook has clarified what they mean by “compromised.” According to TechCrunch:

Facebook wants it known that these accounts weren’t hacked or compromised on Facebook itself, they are compromised off site, such as through phishing scams, for example.

Facebook blocks access to accounts when they have reason to believe someone other than the true owner is trying to access it. Here is Facebook’s original infographic (PDF), which includes the numbers cited (.06% of 1 billion logins per day).


I am astonished that Facebook downplays such a large number of compromised accounts. 600,000 accounts a day are compromised! I can’t even begin to wrap my head around that figure. Many of these users are not in the information technology field and most likely don’t have a healthy sense of skepticism when using a social networking site like Facebook. If attackers are able to compromise users’ accounts, they can harvest useful information that users post on Facebook assuming their information is safe and secure. They need a password to access their profile, so they assume no one else is able to access the profile without their knowledge. This is definitely not a safe assumption to make. The stat of 600,000 compromised accounts a day clearly proves that.

The discovery of the latest Facebook vulnerability was made by Nathan Powers of CDW. The vulnerability makes it possible for an attacker to send an executable file to another user they are not friends with. Programs like key loggers and botnets could be sent in attempts at a spear phishing attack. This presents a major security risk for the end users of Facebook. Their personal information, including passwords, PIN numbers, web surfing activity, and bank account numbers, to name a few, could now possibly be accessed remotely by another Facebook user. The victim would have no idea that this was happening until it was too late. The attacker could also make fraudulent entries on the victim’s Facebook profile and damage their reputation with friends, family and colleagues.

I myself am a Facebook user, but after reading this article I am going to have to think long and hard about whether continuing to do so is just too risky. It is wonderful that I am able to keep in touch with friends and family that live far away and see pictures of them, but is that really worth possibly exposing myself to an attacker looking to hack my account and cause havoc?

Real World Pen Testing

Want to get into pen testing? Knowing the following attack vectors is a good place to start. View the source for more detailed information on each category.

  • Information Gathering

    • Goal: Employee Information
  • Social Engineering

    • Goal: Gain Employee Credentials by directly asking for them
    • Goal: Enticing Users to a Website
  • Phishing

    • Goal: Internal Access via Employees

Preventing skimming

For those who don’t know, skimming is when a person records the information on a credit or debit card without the cardholder’s permission, and in most cases without them knowing. Skimming has been going on for a long time and continues to be a big issue. Just recently a German man was sentenced to three years in prison for bringing skimming equipment into the UK. SANS had an article about this in their NewsBites that read:

A German man has been sentenced to three years in prison for bringing card skimming technology into the UK. Thomas Beeckmann was arrested at Victoria Station in London in June; investigators say he was carrying sophisticated skimming equipment, some of which would allow users to retrieve data captured by skimmers through Bluetooth technology from a distance of 100 meters. Beeckmann’s sentence includes time for refusing to divulge his laptop encryption password to law enforcement officials as well as for possessing skimming equipment.

Law enforcement in the United States as well as other countries is continuously investigating skimming attacks. But the problem I have found is that even with investigations and prison sentences, skimming attacks are still too easy to perform with little risk of getting caught. Equipment to perform simple skimming attacks is very easy to come by: a simple search around the internet and you can find a place to purchase some equipment at not too high a price. Also, people don’t really watch out for skimming much, which makes it easy to get away with. If people don’t know it’s happening, they’re not going to report it to the police. An article at merchantequip.com said:

Skimming most commonly occurs in restaurants, where the card owner loses contact with the card and a purchase is made. It takes about two seconds to scan a card through a portable reader, and the reader records all of the information on the credit card. Portable card readers are small enough that someone could easily conceal one in the pocket, sleeve, and even in their hand.

Which raises the question: how many people even think about what’s happening to their card when they give it to the waiter or waitress at a restaurant?

What to do to prevent skimming? I doubt it will ever just stop happening, so the best thing to do is be aware of how it can happen and watch out for it. If you’re careful about how you use your card and who you give it to, there’s less chance your card’s information will be stolen.

Office printer sending malicious emails?

Printers are obviously an important part of most offices, and a lot of the time we don’t really think of a printer as more than a printer. Why would we consider it a security threat? It just prints paper. Well, the fact is there are many attacks that involve network printers, and some of the more recent printers are specifically a problem. Office printers are now being built with a scan-to-email feature: when a paper is scanned, a copy of it is delivered by email. Attackers are taking advantage of this by sending emails that look as if they are from the printer, containing an attachment the same way the real printers send the file. The difference is that these attackers are sending a ZIP file with an exe file inside. This is an example Symantec has on their website:

This exe is usually hidden behind an icon of a Word document or something similar, and when executed it installs malware on the system. The best way to prevent this is to try to filter out these emails and educate employees about the possible threat. When receiving a ZIP file as an attachment, no matter who the sender is, you should take caution.
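As an added example of the filtering step (my code, not Symantec’s or the original post’s), the Python check below inspects a ZIP attachment the way a mail gateway rule might: it flags any entry whose content starts with the Windows PE “MZ” header, whatever icon or document-style name it hides behind, and any entry whose extension is executable or is not a file type a scan-to-email printer would plausibly produce. The extension lists and the sample archives are assumptions constructed here.

```python
import io
import zipfile

# Assumed policy lists (not from the post): what a scan-to-email job plausibly
# attaches, and extensions Windows will run on double-click.
SCAN_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".tif", ".tiff", ".png"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"   # first two bytes of every Windows executable

def check_scan_attachment(zip_bytes):
    """Return reasons to quarantine the ZIP; an empty list means it looks like a real scan."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:            # content check beats any icon or name trick
                reasons.append(f"{name}: Windows executable (MZ header) inside the archive")
            elif ext in EXEC_EXTENSIONS:
                reasons.append(f"{name}: executable extension {ext}")
            elif ext not in SCAN_EXTENSIONS:
                reasons.append(f"{name}: {ext or 'no extension'} is not a scan file type")
    return reasons

def build_zip(entries):
    """Constructed in-memory ZIP so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a "scanned document" that is really a PE, and a plausible real scan.
MALICIOUS_ZIP = build_zip({"Scan_0412.doc.exe": PE_MAGIC + b"\x90" * 64})
BENIGN_ZIP = build_zip({"Scan_0412.pdf": b"%PDF-1.4 constructed placeholder"})

if __name__ == "__main__":
    print(check_scan_attachment(MALICIOUS_ZIP))   # one reason, the MZ header
    print(check_scan_attachment(BENIGN_ZIP))      # []
```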

More information can be found at: