Duqu – Cyber weapons factory still operating … it’s just the beginning

Pierluigi Paganini March 29, 2012

We all remember the decision of the Western states to prohibit the sale of anti-virus systems to Tehran, a sanction intended to thwart the development of Iran’s nuclear program. A predictable decision that has not created any problem for the state, which seems to have developed a new antivirus program to immunize its systems against the notorious Stuxnet virus.
The security application will be distributed for free during the next weeks; some experts even believe that some instances of the malware may still be present in the systems of the Natanz nuclear site in Iran.

If Stuxnet seems to be beaten, the main concerns actually relate to all the malware derived from it and developed using the same platforms and techniques. Extremely important is the conception of the virus as an open project: a modular system for which a development platform was designed, used to assemble the deadly cyber weapons in relation to the final targets. In fact, a platform behind Stuxnet has been discovered, called the “Tilded Platform“, also used for the development of the Duqu malware, which makes possible the development of a set of reusable tools. It is a true innovation that makes possible the composition of ever new and enhanced agents, with modules developed to fulfill specific functions against clearly defined targets.

Duqu is quite different from its relative: it has a modular structure like Stuxnet, but it is not equipped with modules for attacking SCADA systems. It is only able to steal information from the host system. Experts suppose that a team of specialists with high technical skills has been engaged to design this innovative cyber weapon.

The last sightings of the Duqu malware date back to last year, when its creators tried to delete any evidence of their operations by wiping all the information on the servers used in the past years.

During the last weeks a new instance of Duqu has been isolated, in a variant designed to evade the detection mechanisms of antivirus products and other security systems. Vikram Thakur, principal security response manager at Symantec, announced that a new Duqu driver has been identified; recall that this module is used for loading the malware’s encrypted body stored on the system. The driver is called mcd9x86.sys and it was compiled on Feb. 23.

The source code appears to have been reshuffled and compiled with a different set of options, and it also contains a different subroutine for decrypting the configuration block and loading the malware’s body. A similar operation had already been observed in October 2011. Of course the references to the C&C server have also changed, because all the old structures were shut down on Oct. 20, 2011.

Unfortunately the addresses of this server are not known, because the principal security firms don’t have the full Duqu body but only the loader, in the form of the driver; the loader does not contact the C&C directly, it only loads the main body, which is stored in encrypted form.
There were virtually no traces of Duqu since then. But several days ago Symantec’s researchers announced that they had found a new “in-the-wild” driver that is very similar to the known Duqu drivers. Previous modifications of Duqu drivers were compiled on Nov 3 2010 and Oct 17 2011, and the new driver was compiled on Feb 23 2012.

The fact that the new driver was found in Iran confirms that behind the development of the malware there are governments interested in disturbing the nuclear program of the country.

According to Symantec, the number of incidents related to Duqu is at least 21, most of them located in Iran. One of the main problems in the analysis of the agent is that the majority of the infected machines did not contain the main Duqu modules but only the files created by these components, with names starting with “~DQ”, “~DF”, “~DO”.

The purpose of the agent was gathering information related to control systems used in different industries in Iran, and information about the trade relationships of particular organizations.
Very interesting is the list of known modifications of Duqu provided by Alexander Gostev, expert at Kaspersky Lab.

The following table contains information about all the components of Duqu we know about. The files marked with green are known. The files marked with red are missing; they were not found on infected machines, however, we know the names and sizes of some of the missing files indirectly.


As an exercise I tried to graph the data supplied by the leading teams involved in research on the malware; does the fact that the majority of instances have been identified in Sudan and Iran suggest something to you? Do you still have doubts about who may have developed this powerful family of cyber weapons?


According to Gostev, the Duqu driver was probably modified to avoid detection by security software and by other applications able to discover the agent, like the open-source Duqu Detection Toolkit. The tool has been developed by the Laboratory of Cryptography and System Security (CrySys) in Budapest and was updated just two weeks ago.

Stand-alone forensic tools such as the one CrySys developed are fundamental for the analysis of the Duqu malware, because they can provide a precious series of data about the infection of the victim system and about the mode used during the attack, such as the identification of the data stolen from the computer, stored in files with names ending in “DQ” and “DF.”
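The two artifact types the article names (the “~DQ”/“~DF”/“~DO” files left on infected machines, and the mcd9x86.sys driver name) lend themselves to a simple triage sweep of a disk image or mounted volume. The script below is an added example written for this post; it is not the CrySys toolkit nor any code from Symantec or Kaspersky. It only uses the naming pattern and driver name quoted above; the directory layout and file names it builds are constructed for the demo, and the labels (`duqu-temp-artifact`, `known-driver-name`) are my own.

```python
import os
import tempfile

# Filename prefixes that the article says the Duqu components leave behind on
# infected machines (the "~DQ", "~DF", "~DO" files).
DUQU_TEMP_PREFIXES = ("~DQ", "~DF", "~DO")

# Driver file name reported for the February 2012 variant. A name match is only
# a triage signal: renaming a file is trivial, so a real investigation confirms
# with hashes and content, which this demo deliberately does not invent.
KNOWN_DRIVER_NAMES = {"mcd9x86.sys"}


def classify_name(filename):
    """Return a label for a filename worth a second look, or None.

    Windows filenames are case-insensitive, so the comparison is case-folded.
    """
    folded = filename.lower()
    if folded in KNOWN_DRIVER_NAMES:
        return "known-driver-name"
    if folded.startswith(tuple(p.lower() for p in DUQU_TEMP_PREFIXES)):
        return "duqu-temp-artifact"
    return None


def scan_tree(root):
    """Walk `root` and return sorted (path, label) pairs for every hit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            label = classify_name(name)
            if label is not None:
                hits.append((os.path.join(dirpath, name), label))
    return sorted(hits)


def summarize(hits):
    """Count hits per label so a responder sees at a glance what was found."""
    counts = {}
    for _path, label in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_sample_tree():
    """Create a constructed directory tree for the demo and return its root.

    Every file here is made up for this example; only the naming pattern and
    the driver name come from the article. Contents are placeholder bytes.
    """
    root = tempfile.mkdtemp(prefix="duqu-triage-demo-")
    layout = {
        "Temp/~DQ1F3A.tmp": b"constructed sample",
        "Temp/~df4b2c.tmp": b"constructed sample (lower case name)",
        "Temp/~DO0001.tmp": b"constructed sample",
        "Temp/report.docx": b"benign",
        "System32/drivers/MCD9X86.SYS": b"constructed sample, not a real driver",
        "System32/drivers/ndis.sys": b"benign",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    found = scan_tree(demo_root)
    for path, label in found:
        print(f"{label:22} {path}")
    print(summarize(found))
```

Point it at a mounted evidence volume instead of the constructed tree to get a list of candidate paths. Short prefixes like these can collide with legitimate temporary files, so a hit is a starting point for hash and content verification, not a verdict.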

Costin Raiu, director of the global research and analysis team for Kaspersky Lab has declared:

“The toolkit released by CrySys Lab is top class,”

“Of course, all of this can be done ‘manually,’ but these tools make it much easier to spot anomalies in Duqu-infected computers.”

There are 7 different versions of the main Duqu module (the PNF DLL) in the list, set up to interact with five 1st-tier C&C servers that have been shut down by Kaspersky Lab and Symantec. Really interesting is the effort spent on encryption and obfuscation techniques, which proves the will of the malware’s creators to conduct an undercover operation, a typical advantage of the adoption of cyber weapons.

What should we expect from the future?

The authors of Duqu are back after 4 months of silence, and this confirms that malware such as Stuxnet and Duqu are children of an ambitious and complex project that aims to provide an “evolutionary” threat. Prepare to deal with new modules and new features designed to attack specific targets.

In a previous article of mine on the topic I wrote:

Let me raise serious doubts on the immediate effectiveness of preventive measures against this new generation of cyber weapons because the industry in general is still too vulnerable. Possible evolutions of malware could cause serious damage to infrastructures that use the systems in question.
The only way to emerge unscathed from this awkward situation is a close collaboration between industry, producers of control systems and governments, hoping that security will become a requirement in the design phase.

Nothing has changed yet! Much money has been invested in the malware’s development, and the consequence is that the operations will continue for a long time.

We will witness the birth of new versions of the existing agents, equipped with more sophisticated modules that include new features and are also able to avoid antivirus detection. We will also face the development of new malware based on the same platform.

Let us prepare for the worst … errors are not allowed!

Pierluigi Paganini
