Wednesday, October 26, 2011

SCADAhacker publishes Duqu Reference Page

Based on the success of the Stuxnet Resource Page on, today I launched a similar page consolidating the useful information and material relating to the new "Son of Stuxnet" malware known as "Duqu".

There are currently multiple researchers analyzing this relatively unknown piece of malware, and all of them appear to be coming up with different conclusions. I felt that it would be useful to share my bookmarks and some of the interesting references that I come across in performing my own open-source research and analysis.

Please bookmark your browser and visit this page often.

I am currently consolidating information.  If you have anything you would like to share, please pass it along.

SCADAhacker to Offer ICS / SCADA "Blue Team" Security Training and Awareness Course in 2012

Having been involved in the industry for several years, I have realize that there is a lack of specific training to address "how to secure" industrial control systems. There are several very good courses currently available, including those offered by InfoSec Institute (which I will teach until early 2012), Red Tiger Security, Digital Bond, SANS and Idaho National Labs. However, when reviewing the syllabi of these courses, I feel that they tend to focus too much on either (1) theoretical aspects of the problem, or (2) the "hacking" or "red team" side of ICS security.

Knowing this, and not trying to duplicate what is currently available, I have decided to launch my own course entitled "Understanding and Security Industrial Control Systems". This course will be primarily focused on "securing" or "blue teaming" the ICS and will involve several labs that reinforce the selection and implementation of security controls relating specifically to ICS.

Thursday, October 20, 2011

Duqu: ICS experts weigh in on protecting against zero-day threats - Oct. 25, 2011 Webcast

On October 18, 2011, ICS-CERT issued an advisory related to the discovery of new malware – W32.Duqu – targeting industrial control systems. One year after revelations of Stuxnet came to light, the emergence of Duqu points to the continued need for vigilance in protecting critical infrastructure.

What does Duqu – and future zero-day threats – mean to your organization? Join an interactive panel discussion with experts from Industrial Defender, Red Tiger Security and The SCADAhacker on Tuesday, October 25, 2011 at 11 am ET. In this session, you'll gain insight into how you can ready your organization to sustain security in the face of today's threat environment.

Does Anyone Want the Source Code to Stuxnet? Come and Get It!!! (update 1)

After reading report-after-report, blog-after-blog during the past 24 hours, I have decided that rather than comment to each of these individually to offer some additional information which should help set the record straight on who the author is ... or maybe better ... who it is NOT ... in this new variant to our old friend Stuxnet.

Gleg releases Ver 1.7 of the SCADA+ Exploit Pack for Immunity Canvas

On October 20, Gleg released version 1.7 of the SCADA+ Exploit Pack for the Immunity Canvas framework, though this time around, I do not see a lot of unique value in the code updates.

Wednesday, October 19, 2011

Microsoft and other AV Vendors offer signatures for W32.Duqu

As recently communicated via the SCADASec forum, Microsoft and others have made available anti-virus signature updates for the W32.Duqu trogan, covering at least three variants.  The links below are to the Microsoft Malware Protection Center, and provide some useful background information:
Interesting enough are the details contained in the Variant "C" summary which identifies the IP addressed used for the C&C server -, which is registered to WebWerks India Pvt. in Mumbai. This should not lead you to believe that the attackers originate within India, but rather that this site could be used as a proxy.

Bob Radvanovsky also provided a link which highlights the updates of a large number of AV vendors relating to Duqu. This list is available by clicking here.

Son of Stuxnet has Surfaced in Europe According to Symantec Report (update 1)

According to a blog posted by Symantec on October 18, and as reported by Homeland Security News Wire on October 19, a research lab with "strong international connections" alerted Symantec to sample code that appears to be very similar to Stuxnet. This new threat has been named "Duqu" (pronounced dyü-kyü) because it creats files with the prefix "~DQ".  (A copy of the complete Symantec report is available by clicking here).  Samples given to Symantec were obtained from systems located in Europe.

Tuesday, October 4, 2011

SCADAhacker to Speak at Information Security Trends Meeting in Columbia

I will be speaking on current issues facing industrial control system (ICS) cyber security issues at the Digiware Information Security Trends Meeting scheduled for October 12, 2011 at the Marriott Bogota, Columbia.

My talk will focus on the issues facing ICS/SCADA systems used to control a vast majority of a country's infrastructure, including electric generation (fossil, hydro, nuclear), water/wastewater treatment, energy distribution (pipelines), transportation (rail, traffic), process industries (pharma, oil, gas, refining), and discrete manufacturing.  One point of special attention will be on recent attacks and how to address the new "insider threats" where a malicious outside gains inside access via various tools and then "poses" as a valid user with appropriate credentials!  Identifying and stopping these attacks presents unique challenges that many are not completely aware.

I hope to provide live updates of the conference via my Twitter feed at @SCADAhacker.