Duqu infections found in Iran

Elusive malware infections could be a precursor to another Stuxnet style attack
Kerry Butters

November 15, 2011

Iran says that it has the Duqu trojan under control, after the malware was found to have infected computers within the country.

Officials claim to have found a way to control the malware, which is similar to the Stuxnet worm that targeted nuclear plants last year.

Duqu has been found to have source code very similar to Stuxnet, and it is thought that the malware is currently gathering information using keyloggers and other methods to prepare for a more damaging attack.

Security experts at Sophos have found that the trojan is specific in its targets and the authors change the malicious code to suit different targets.

It arrives as a document attached to an email, and in one case Sophos found that the attacks were altered until they were successful. For example, emails containing the malicious code which ended up in the junk folder were altered for the next attack to make them more tempting to the recipient.

It has also been found that some systems were infected as long ago as April, with the malicious coders adding various updates and modules to the malware before it was discovered last month.

It is also thought that the authors may have been working on the project for four years as some components of the malware had a compilation date of August 31st 2007.

The sneaky software lies dormant following the initial infection, waiting until the computer operator stops using the machine before dropping its payload, thus helping it to avoid detection.

It is thought that the victims of Duqu attacks so far have been carefully selected targets. The fact that the attackers adapt the malware in each separate case makes it a difficult job for security researchers attempting to find a solution to the trojan, especially since the malware has a variety of drivers which it drops into an infected machine.

Sophos says that it has made some headway in discovering previously unknown components, which is helping it make at least some progress in getting to the bottom of the problem.

Whilst security companies have some idea where the control servers may be situated, the information is not yet being released due to the ongoing nature of the investigations.

However, it is possible that more than one C&C server is being used and that different servers are used for each separate attack.

Whilst it’s not known what the goals of the Duqu creators are at present, speculation exists that this is merely a precursor to another Stuxnet-type attack due to the nature of the information that the attackers are gathering.

It would seem then, that the race is on – can security specialists discover all of the various components in time to beat the malware authors to it, or is the changing nature of the trojan and the work that is being put into it going to win out?

It’s a tall order to find and disable a piece of malware that is constantly changing the game as it alters code to suit its target.
