Duqu … Do we really know the enemy?

Pierluigi Paganini November 18, 2011

In recent months we have read many reports analysing this famous malware, along with different assumptions about its genesis. Who designed the malicious agent? For what purpose? Which features of Duqu do we know? How can we protect our infrastructure from this threat? Let’s approach the questions step by step, starting with its origin, which has been much discussed.

Comparing Stuxnet to Duqu

Many researchers indicate that Stuxnet is the progenitor of Duqu. Both attack Windows systems through a then-zero-day DLL vulnerability, but Stuxnet went on to infect a PLC on Siemens PCS 7 systems, and its main purpose was to compromise nuclear power systems in Iran; Duqu seems to be oriented to espionage and nothing more. Of course, the Industrial Control Systems community has been deeply impacted.

According to Kaspersky and Symantec (the first firm to discover the malware), Duqu and Stuxnet share the same pieces of source code. Is the same mind behind both projects? F-Secure’s Mikko Hypponen has informed the community that they appear to have been authored by somebody with access to common source code. Stuxnet needed to disseminate itself without any external support, using numerous zero-day exploits; Duqu, meanwhile, once it has infected its target, contacts a remote command and control server and downloads an agent that is able to steal and collect data from the target. This infostealer is actually the component from which Duqu gets its name, because it prepends “DQ” to the log files related to stolen data. At present we have found only 2 servers, located in Belgium and India, and they have been isolated. Another similarity is the country where the malware has been located, Iran, which raises the suspicion of possible government sponsorship. Duqu is considered the first known modular plugin rootkit, one that allows the attackers to change functionality and command and control servers quickly. To sum up: Stuxnet was created to destroy, Duqu to spy … at least for now, considering its modular structure!

The origin

To confirm this there is further evidence: the drivers used by Duqu seem to originate from a Taiwanese hardware company called JMicron, exactly the same company that owns the stolen certificate used to sign Stuxnet drivers. Remember that a driver signed by a well-known company is given a considerable level of trust.

Researcher John Langill is sure that the decompiled Stuxnet code was leaked by the Anonymous group after the HB Gary Federal attack in February, another fact that is particularly troubling for obvious reasons. All the researchers are convinced that behind the development of both pieces of malware there is a highly skilled team that has worked with specific commitment; they may have been working on the code for more than four years. Kaspersky Lab has published the results of an analysis provided by researchers in the Sudan, which demonstrate that one driver included with the attack payload was compiled in August 2007, placing the work in time. Other files related to Duqu have been found with a build date of February 2008, but the attacks have been tracked back only to April 2011.
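Build dates like these are typically read from the TimeDateStamp field that the linker writes into a file's PE header. The Python below is an added example, not code from the original article or from any of the vendors named; the header bytes and day-of-month values are constructed, and `build_sample` and `gap_days` are hypothetical helper names.

```python
import struct
from datetime import datetime, timezone

UTC = timezone.utc

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image (EXE, DLL, .sys) as UTC."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature.
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header after the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    return datetime.fromtimestamp(stamp, tz=UTC)

def build_sample(compiled: datetime) -> bytes:
    """Constructed header-only stub for the demo (hypothetical helper, not a real driver)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, int(compiled.timestamp()), 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff

def gap_days(data: bytes, first_seen: datetime) -> int:
    """Days between the embedded build date and the first observed use."""
    return (first_seen - pe_compile_time(data)).days

if __name__ == "__main__":
    # Month and year from the article; the day of month is a constructed placeholder.
    sample = build_sample(datetime(2007, 8, 1, tzinfo=UTC))
    first_attack = datetime(2011, 4, 1, tzinfo=UTC)
    print(pe_compile_time(sample).date(), gap_days(sample, first_attack))
    # The linker sets this field and anyone can rewrite it, so treat it as
    # corroborating evidence next to signing dates and first-seen telemetry.
```
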

 

The attack

But how was the first attack conducted? The mail system was used: according to CrySyS Lab, the attack was in fact carried out via e-mail in April 2011. The attack took place on a pre-selected target. For obvious reasons, we can’t reveal the name of the company that was targeted in incident No. #1. As with the incident investigated by CrySyS Lab, the attack was launched via e-mail two times, but only the second one was successful. Both times the e-mail was sent from an IP address based in Seoul, South Korea. After the victim opened the file the exploit started: it became active, residing in memory, but did nothing! This period of inactivity is estimated at around ten minutes, after which the exploit waited for the user’s activity to stop (no keyboard or mouse activity). Only then did the dropper kick into action.

The following is an interesting picture showing the time sequence of the attack (as reported in The Duqu Saga Continues: Enter Mr. B. Jason and TV’s Dexter):

 

After infecting the system and establishing the link with the control server, the Duqu malware installed extra modules such as a keylogger and infected neighboring computers. In this way it is able to collect information about the system, search for files, steal passwords and so on.

Considerations

We have said that Duqu may have been produced by a highly skilled team. This might lead one to suppose that it has been produced by professionals with government support. Reading the considerations of NSS researchers Mohamed Saher and Matthew Molinyawe, reported below, it is clear that it is illogical for the malware to have been developed only for information-stealing purposes; considering the nature of the instances of the malware analyzed, there is a serious possibility that the development of Duqu is a work in progress and that we will soon observe new variants of the main agent.

“Given the complexity of the system (solid driver code plus impressive system architecture) it is not possible for this to have been written by a single person, nor by a team of part-time amateurs. The implication is that, given the requirement for multiple man-years of effort, that this has been produced by a disciplined, well-funded team of competent coders,” wrote Saher and Molinyawe.

“There is no possible explanation for the production of such a sophisticated and elegant system merely to steal the information that has been targeted so far. Why go to all this trouble to deploy a simple key-logger? Given that there are additional drivers waiting to be discovered, we can liken Duqu to a sophisticated rocket launcher – we have yet to see the real ammunition appear,” Saher and Molinyawe contend. (http://www.isssource.com/duqu-from-well-funded-coders/)

What is the impact of Duqu on ordinary people?

Several removal tools have been released in recent weeks, but the threat is really high. Reverse engineering the patch released by Microsoft could allow criminals to discover the vulnerability used by the exploit, which means that any Windows computer that isn’t updated could be attacked. Let me say that the impact could be on a large scale.

Links:

http://www.symantec.com/security_response/writeup.jsp?docid=2011-101814-1119-99

https://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter

http://www.f-secure.com/weblog/archives/00002264.html


