12 March 2012

Et Tu, Duqu?

Duqu, a trojan of unknown purpose spread by tainted Microsoft Word files, is supposedly the follow-up to the Stuxnet worm, the self-replicating USB-stick-distributed malware that wrecked 400 uranium centrifuges with overspeed commands at Iran's Natanz nuclear fuel enrichment facility in 2010. Duqu is a remote access trojan (a RAT) and is waiting on instructions from a remote commander to activate it and tell it which files to steal, corrupt or run.

Stuxnet and Duqu are thought to have come from the same programming teams because they share whole chunks of code.... In a section of the malware called 'payload dll', and sandwiched between regular C++ code, there's a mysterious section written in an unknown programming language. "It's definitely not C++, Objective C, Java, Python, Ada, Lua or many other languages we have checked," says Soumenov. If it is a customised language that might very well need the support and resources of a nation state's security apparatus.

One of the strongest hints in the comments thread suggests that the language may be a variant of the AI programming language LISP, while another says the code looks like it might hail from a version of C++ for old IBM System/38 (from 1978) computers. They suggest the IBM-alike code may give Duqu a robust TCP/IP internet connection for receiving its malicious commands. _NewScientist
Duqu Spread

Here are a few conclusions that experts have arrived at regarding Duqu (excerpted and edited):
  • It is obvious that every single Duqu incident is unique with its own unique files using different names and checksums;
  • Duqu is used for targeted attacks with carefully selected victims (The term APT has been used to describe this, but I don’t like this expression and prefer not to use it);
  • We know that there are at least 13 different driver files (and we have only 6 of them);
  • We haven’t found any ‘keylogger’ module usage. Either it has never been used in this particular set of incidents, or it has been encrypted, or it has been deleted from the systems;
  • Analysis of driver igdkmd16b.sys shows that there is a new encryption key, which means that existing detection methods of known PNF files (main DLL) are useless. It is obvious that the DLL is differently encoded in every single attack. Existing detection methods from the majority of AV vendors are able to successfully detect Duqu drivers. But it is almost 100% certain that the main DLL component (PNF) will go undetected.
  • Duqu is a multifunctional framework which is able to work with any number of any modules. Duqu is highly customizable and universal;
  • The main library (PNF) is able (export 5) to fully reconfigure and reinstall the package. It is able to install drivers and create additional components, record everything in the registry, etc. It means that if there is a connection to the active C&C and commands, then Duqu’s infrastructure on a particular system might be changed completely;
The fact that part of Duqu is written in an unknown programming language suggests that the coders may just be getting started, and are conducting something of an experiment in advanced remote command and control of computing systems.

Duqu code is being shared among a large number of persons and institutions interested in computer security and hacking. Symantec is among the companies that are tracking Duqu:
Symantec Corp. (SYMC) is among the firms tracking Duqu. Interestingly, they make some statements about the worm's origin which seemingly exonerate the U.S. from Stuxnet suspicions. Symantec states that the Duqu authors must have either been given code by the Stuxnet authors, have stolen the code from the Stuxnet authors, or are themselves the Stuxnet authors.

Symantec's Kevin Haley comments to Reuters, "We believe it is the latter."

The sophistication of this worm suggests that if the U.S. didn't have a hand in crafting it, that China or Russia perhaps did. A command and control server was found to be hosted in Belgium, but it's rather unlikely that the attackers chose their home nation to host the attacking platform.

China -- a cyber-superpower and notorious aggressor -- is thought to maintain a repository of unpublished vulnerabilities on platforms such as Windows, Linux, and OS X, waiting to exploit them when the need arises.

Nine international organizations have found their systems compromised. The compromised nations in these victim organizations are:
Organization A - France, Netherlands, Switzerland, Ukraine
Organization B - India
Organization C - Iran
Organization D - Iran
Organization E - Sudan
Organization F - Vietnam
Other researchers report that systems in the United Kingdom, Austria, Hungary, and Indonesia were infected. _DailyTech
No one is coming forward to admit having composed Duqu or Stuxnet. It is not clear that the two worms were disseminated by the same entities, since Stuxnet appears to have been aimed at Iran's nuclear projects, while Duqu may well be a copycat which is evolving beyond the abilities of its predecessor.
