Having spent twelve years of my life in the antivirus and antimalware business, I'm relieved to now be working with an operating system that doesn't require me to put in the 20-hour days and the never-ending daily mobilization for Iwo Jima that was an everyday part of protecting "Windows world."
There are many times that I miss the action, but more than anything else I miss the fun and challenges of the detective work. The majority of malware that I analyzed for a living was mundane, boring, and often pure amateur hour.
Every now and then a new rogue malware came along that made the hunt interesting, and wrestling with those provided the rare sense of accomplishment that made the madness of being in the industry rewarding.
If I were offered a gig back in the antivirus business again, this one would probably be a more interesting ride than the three-hour tour on the Lulz boat.
Thanks to some of my colleagues at the Wilders Security Forums, I was made aware of an allegedly new variant or precursor of a new version of Stuxnet, known as "W32.Duqu", making the rounds, with writeups and reports on it hitting the blogs last Friday.
Curiously enough, however, Symantec notes that when they reviewed sample submissions of this new malware, they found previous samples dating back to September and possibly as far back as December of 2010. The rogue binaries are signed with private certificates that Symantec had issued to one of its customers in Taiwan. Symantec revoked the rogue certificate last Friday.
Speculation about Duqu is that it's a precursor to another attack against embedded systems, and has been gathering information already about industrial systems, particularly engineering data and other design information.
MSNBC, in an interview with Mikko Hypponen of F-Secure, goes into further detail, claiming that Duqu at this time has only created a backdoor into systems and is connecting to a C&C in India awaiting further instructions.
However, if this backdoor has been around for nearly a year now undetected, I for one would be concerned that it could have already done its intended job. Anyone in the antimalware business, as well as the people we monitor, knows that when you successfully land on a machine, you'd better get your business done right away, because it's only a matter of hours or days before your "RAT" gets detected. Or at least that's the way it used to be.
That a virus with samples in the hands of the antivirus companies is still operating nearly a year after the first samples of it were received should be of great concern, especially for something like Stuxnet.
Then again, we've got drones flying around infected with a cheesy little password stealer called "AGENT.KGB" which I detected in our BOClean product nearly five years ago, so anything's possible these days.
So for those of you who are responsible for infrastructure, please be on the lookout for W32.Duqu if you're running Windows. As for me, I'm going to go back to my browser now and continue arguing with trolls on the forums, since Duqu doesn't work on KNOS and therefore there's nothing for me to do about it here.
About the author: Kevin McAleavey is the architect of the KNOS secure operating system for client computers (http://www.knosproject.com) and has been in antimalware research and security product development since 1996.