Cyberwar could be a local government nightmare {writer: Piet Coetzer}

In the wake of a United Nations report published at the end of 2011, pointing out that Iran may be close to producing a nuclear weapon, news broke in January of an apparent second generation of the computer virus that badly disrupted work at an Iranian nuclear enrichment plant about a year ago.

While the prospect of cyberwar is a subject of concern for national governments, the instruments of such a war can be devastating for local government infrastructure and services.

New malware, based on the infamous Stuxnet – widely considered one of the world’s most sophisticated viruses – has been discovered by computer scientists.

In a highly detailed report, information and communication technology security company, Symantec, says the malware – christened Duqu because it creates files with the filename prefix “DQ” – was uncovered by a Europe-based research lab.

Iranian officials admitted they had uncovered evidence of the Duqu computer virus – labelled “Son of Stuxnet” by cyber experts – at the country’s nuclear sites, reported the state-controlled Islamic Republic News Agency.

“We are in the initial phase of fighting the Duqu virus,” Gholamreza Jalali was quoted as saying. “The final report, which says which organisations the virus has spread to and what its impacts are, has not been completed yet.”

Stuxnet was a highly sophisticated computer worm that was discovered last year and was thought to have successfully targeted and disrupted systems at a nuclear enrichment plant in Iran. At the time, United States officials said the worm’s unprecedented complexity and potential ability to physically sabotage industrial control systems – which run everything from water plants to the power grid in the US and in many countries around the world, notably in the function of local government – marked a new era in cyber warfare.

Though no group claimed responsibility for the Stuxnet worm, several cyber security experts have said it is likely a nation-state created it and that the US and Israel were on a short list of possible culprits.

The Duqu virus, using nearly identical parts of the Stuxnet cyber weapon, has been detected on computer systems in Europe as well, and is believed to be a precursor to a new Stuxnet-like attack, said a major US-based Symantec source.

The new threat is not designed to physically affect industrial systems such as Stuxnet was, but apparently is used only to gather information on potential targets that could be helpful in a future cyberattack, Symantec said in its report.

Duqu is designed to record key strokes and gather other system information at companies and institutions in the control system field and then send that information back to whomever planted the bug, Symantec explained.

If successful, the information gleaned from those entities through Duqu could be used in a future attack on any industrial or distribution control system in the world where the companies’ products are used – from a power plant in Europe to an oil rig in the Gulf of Mexico.

“Right now it’s in the reconnaissance stage, you could say,” Symantec senior director for Security Technology and Response, Gerry Egan, told ABC News. “(But) there’s a clear indication an attack is being planned.”

At least two other cyber security companies, F-Secure Security Labs and McAfee Labs, have analysed some Duqu code and both came to the conclusion that they were dealing with something originating from the same source as Stuxnet.

As with Stuxnet, Duqu fools Windows into allowing it to work, by exploiting a stolen digital certificate taken from a company with headquarters in Taipei, Taiwan. Symantec said that certificate has now been revoked.

Once Duqu has been planted, it immediately starts to communicate with a command-and-control server based in India. It pulls down additional code such as an infostealer, which can record keystrokes and collect other system information that it then sends back to the control server.

To avoid drawing attention to itself, Duqu’s traffic resembles normal Web traffic, passing as JPEG images. Bundled with the JPEG, however, is the stolen data in an encrypted format. Then after 36 days, if it has not been detected, Duqu will automatically remove itself from the system so that a compromised system may never know it had been attacked.

It is too early to tell whether or not we are seeing a next round of cyber warfare unfolding – but one may never know for sure.