


Maiffret: Duqu a bunch of hype

Nov 06, 2011

eEye chief researcher Marc Maiffret says far too much is being made of the Duqu threat.

In a blog post, he writes an analysis dripping with sarcasm, noting that “the world is indeed coming to an end” because Duqu is supposedly based on Stuxnet and has been called “The Hydrogen Bomb of Cyberwarfare.”

He writes:

The fuss is being made because some anonymous researchers sent a report to some anti-virus companies showing analysis of some new malware that shared similar characteristics to Stuxnet. This has of course led people to make all sorts of outlandish claims of what this means and how bad it all is.

The reality, however, is that while Duqu and Stuxnet might share characteristics within their code and how they embed into a system, it becomes apples and oranges to draw any more comparisons than that. What made Stuxnet revolutionary was not how it compromised systems using zeroday, or how it backdoored systems, but rather its unique ability to actually implant code into physical systems to cause actual damage in the real world outside of cyberspace.

It’s not that Duqu doesn’t deserve to be taken seriously in its own right. Researchers have backed off the Stuxnet link in recent days, but the vulnerabilities this malware exploits have been concerning enough for Microsoft to issue warnings.

It’s the hydrogen bomb analogy Maiffret finds tough to swallow.

The capabilities of Duqu, while maybe structured like Stuxnet, are not unique to Stuxnet or Duqu. In fact, a lot of the command and control functionality that is accessible by attackers leveraging Duqu is not much different than any of the functionality you get in common botnet malware. The ability to list processes, take screen shots, log keystrokes, load modules, grab system information, etc… is all functionality that a wide variety of malware backdoor programs have these days. One could argue that it is hard to actually write any modern piece of malware these days that does not include various functionality and characteristics from Duqu, Stuxnet, Aurora and so on and so forth.

This part I particularly agree with:

I am not typically a fan of anonymous research reports that are quickly regurgitated by large anti-virus companies to drive “sky is falling” headlines. What you end up getting is exactly what we have now… major news media outlets and security industry publications blowing everything out of proportion, using “what if” and “maybe” quotes. There is an utter lack of facts and scientific rigor in any discussions. There was one security publication that quoted a security company representative as saying “Duqu could be the precursor to another SCADA-type attack. Or the events could be entirely independent.” I understand that sound bites can be hard to say, but our industry is honestly becoming more and more hype-oriented by giving sloppy, fear mongering quotes with little to no factual information to back any of it up.

So now we have Maiffret’s opinion. I agree with him about all the FUD mongering and such, but I’ve stated my case in a couple of posts in recent weeks.

I want to know what the rest of you think. Use the comments section below and have at it!

–Bill Brenner
