Duqu is precursor to next Stuxnet

Malware as invasive as Stuxnet created specifically to collate information on industrial targets
Kerry Butters

November 8, 2011
malware

A trojan discovered last month uses the same code as last year’s Stuxnet worm, and is thought to have been written by the same authors, according to a report by Symantec.

Duqu, however, is different in that it uses a zero-day exploit, thought to be carried out through a vulnerability in Word, to collect information on specific targets, rather than control them.

Stuxnet was discovered in June last year and was created in order to infiltrate and control specific targets, such as Iranian nuclear plants. The worm had the capability of taking control of engines in a nuclear control plant and making them spin faster so that they would fail – this could also be disguised as a genuine mechanical breakdown.

Whilst at the moment, it is not thought that Duqu has similar control capabilities, it is as invasive as Stuxnet and appears to have been created specifically to collate information on industrial targets.

This represents a risk to critical infrastructures should a more sustained attack be carried out in the future.

The Duqu worm infects a computer in the first instance through an exploit in a deliberately constructed Word document.

Once a computer is infected, the worm installs keyloggers and other software, and then proceeds to attempt to propagate over a network.

The keylogger and infostealers monitor user names and passwords, and uses these to identify other machines of interest on the network. It then stealthily infects these too.

At the moment, Duqu has been confirmed in eight countries around the world, with a further four suspected but not yet verified.

Symantec call the malware “the precursor to the next Stuxnet” as it is thought that it is collecting the information in order to carry out a more informed attack on industrial targets.

Duqu pretends to be a driver and uses a digital certificate to aid installation (which was revoked on October 14th 2011). It is thought that the keys required to make the certificate work were stolen from a company in Taiwan.

Once the malware has been installed, it downloads additional executables to the target machine, mostly infostealers which include keyloggers and software to report on system information.

In order to extract the information, the control and command function masks the outgoing information as a jpg in order to appear legitimate.

The malicious software runs on an infected machine for thirty days, after which it deactivates itself. However, Symantec have noted that some of the files downloaded to an infected machine instruct the malware to extend its lifetime.

Whilst they continue to point out that the payload of Duqu is radically different from that of Stuxnet, Symantec also say that there are too many similarities to assume that Duqu has been created by reverse engineering.

The authors of Duqu are therefore thought to have had at least access to the source code of Stuxnet, or are the same people as the worm creators.

Stuxnet and Duqu are both written using more than one coding language, a fact which is unusual in malware authoring.

Additionally, Duqu is as sophisticated as its predecessor and uses many of the same processes during infection.

However, the key difference is that its behaviour is more Trojan-like, rather than a worm like Stuxnet.

Specualtion abounds on the potential creators and future of Duqu. Some reports suggest that it could be international political espionage, whilst others feel it could be financially motivated.

Microsoft are working on a patch for affected Windows systems, the trojan attacks OS’ from XP through to Windows 7 and is capable of infecting both 32 and 64 bit operating systems.

The trojan can be cleaned using Bit Defender’s removal tool and it is advisable that users should employ an online document viewer such as Google Docs to read emailed docs rather than opening them locally.






 

Post a comment

Your email address will not be published. Required fields are marked *

Visited 1773 times, 1 so far today