The malware, which is turning out to be a family of malware, has a specific purpose: to disable Industrial Control Systems (ICS). The latest variant appears to be focused on gaining access to systems that support ICS in order to gather information. The malware's short lifespan probably means there is a specific target: it monitors for 36 days and then removes itself. Developing tools like this takes a lot of time and resources, which points to a nation state as the likely author.
It's been over a year since the original Stuxnet was discovered, and its author still hasn't been publicly identified. We may discover other variants over time but never find out who is responsible.
Duqu and Stuxnet have specific goals and a lot of time and development effort behind them. It is not easy to defend against a determined attacker with unlimited resources, but defense in depth is a relatively easy way to try. You may not be able to stop them, but with a mix of tools you can be alerted to odd behavior before too much information has leaked. For example, a web proxy gives control over which websites users can access. A firewall and IPS can block attacks in real time based on blacklists and signatures. Two-factor authentication is harder to compromise than passwords alone. Once public, malware like Duqu will be in all the major antivirus signature databases. Using all of these elements together increases the likelihood of catching malicious activity quickly.
Additionally, several companies sell data feeds that provide real-time lists of known bad hosts and domains. These lists can be compared against active network connections passing through a firewall or proxy server to alert analysts and system administrators to potential data exfiltration. A common example is known botnet Command and Control (C&C) servers: corporate hosts should never contact these C&C servers, so any connection to one is suspect. ScoutVision solves part of this problem by letting users take multiple data feeds, combine them, and quickly identify what impact those threats might have. It helps provide visibility into a variety of large data sets that would otherwise require manual analysis.
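The feed-versus-connection-log comparison described above, as an added Python example that is not part of the original post and not ScoutVision's code: it merges two constructed feeds (placeholder indicators, not real IoCs), normalizes them, and flags constructed proxy log entries whose destination matches a listed address, CIDR range, or domain/subdomain.

```python
import ipaddress
from collections import defaultdict
# Constructed feeds (placeholder indicators, not real IoCs): indicator -> tag; one address overlaps on purpose.
FEED_A = {"203.0.113.45": "botnet-c2", "Bad-Update.example.": "c2-domain"}
FEED_B = {"203.0.113.45": "malware-drop", "198.51.100.0/24": "sinkhole-range"}
# Constructed proxy/firewall log lines: "<timestamp> <src> -> <dst> <bytes_out>"
LOG_LINES = [
    "2011-10-18T09:00:01 10.0.0.12 -> 93.184.216.34 512",
    "2011-10-18T09:00:05 10.0.0.12 -> 203.0.113.45 204800",
    "2011-10-18T09:01:10 10.0.0.33 -> cdn.bad-update.example 1024",
    "2011-10-18T09:02:00 10.0.0.33 -> 198.51.100.77 96",
]

def normalize(indicator):
    # IPs/CIDRs become ip_network objects; domains are lower-cased, trailing dot removed.
    try:
        return ipaddress.ip_network(indicator, strict=False)
    except ValueError:
        return indicator.lower().rstrip(".")

def merge_feeds(*feeds):
    # Build {indicator: set of tags}; an indicator found in several feeds keeps every tag.
    merged = defaultdict(set)
    for feed in feeds:
        for indicator, tag in feed.items():
            merged[normalize(indicator)].add(tag)
    return merged

def match_destination(dst, indicators):
    # Tags for dst: address-in-network for IP indicators, exact/subdomain for domains.
    target = normalize(dst)  # a /32 (or /128) network for an IP, else a host string
    tags = set()
    for indicator, ind_tags in indicators.items():
        if isinstance(indicator, str) and isinstance(target, str):
            if target == indicator or target.endswith("." + indicator):
                tags |= ind_tags
        elif not isinstance(indicator, str) and not isinstance(target, str):
            if target.version == indicator.version and target.subnet_of(indicator):
                tags |= ind_tags
    return tags

def scan_logs(lines, indicators):
    # One alert per connection whose destination hits any combined indicator.
    alerts = []
    for line in lines:
        ts, src, _, dst, bytes_out = line.split()
        tags = match_destination(dst, indicators)
        if tags:
            alerts.append({"ts": ts, "src": src, "dst": dst, "bytes_out": int(bytes_out), "tags": sorted(tags)})
    return alerts
```

The indicator seen in both feeds comes back with both tags, which is the kind of cross-feed corroboration that helps an analyst prioritize which alert to look at first.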