Duqu – Cyber weapons factory still operating … it’s just the beginning

Pierluigi Paganini March 29, 2012

We all remember the decision of the Western states to prohibit the sale of anti-virus products to Tehran, a sanction intended to hinder the development of Iran's nuclear program. It was a predictable decision, and it does not seem to have created any problem for the Iranian state, which appears to have developed its own antivirus program to immunize systems against the notorious Stuxnet virus.
The security application will be distributed for free in the coming weeks; some experts even believe that instances of the malware may still be present in the systems of the Natanz nuclear site in Iran.

Even if Stuxnet seems to have been beaten, the main concern today is the malware derived from it, developed with the same platform and techniques. Extremely important is the conception of the virus as an open project: a modular system built on a development platform used to assemble cyber weapons according to the final targets. It has in fact been discovered that a platform called the "Tilded Platform" lies behind Stuxnet, that it was also used to develop the Duqu malware, and that it makes possible the development of a set of reusable tools. It is a true innovation that makes possible the composition of ever new and enhanced agents from modules developed to fulfill specific functions against clearly defined targets.

Duqu is quite different from its relative: it has a modular structure like Stuxnet, but it is not equipped with modules for attacking SCADA systems. It is only able to steal information from the host system. Experts suppose that a team of specialists with high technical skills was engaged to design this innovative cyber weapon.

The last sightings of Duqu date back to last year, when its creators tried to delete any evidence of their operations by wiping all the information on the servers they had used in the previous years.

In recent weeks a new instance of Duqu has been isolated, a variant designed to evade the detection mechanisms of antivirus products and other security systems. Vikram Thakur, principal security response manager at Symantec, announced that a new Duqu driver has been identified; recall that this module is used to load the malware's encrypted body stored on the system. The driver is called mcd9x86.sys and it was compiled on Feb. 23.

The source code appears to have been reshuffled and compiled with a different set of options, and it also contains a different subroutine for decrypting the configuration block and loading the malware's body. A similar operation was already observed in October 2011. Of course the references to the C&C server have also changed, because all the old infrastructure was shut down on Oct. 20, 2011.

Unfortunately the addresses of this server are not known, because the principal security firms do not have the full Duqu body but only the loader in the form of the driver; the loader does not contact the C&C directly, it only loads the main body, which is stored in encrypted form.
There were virtually no traces of Duqu since then. But several days ago Symantec's researchers announced that they had found a new "in-the-wild" driver that is very similar to the known Duqu drivers. Previous modifications of the Duqu drivers were compiled on Nov 3 2010 and Oct 17 2011, and the new driver was compiled on Feb 23 2012.

The fact that the new driver was found in Iran confirms that behind the development of the malware there are governments interested in disrupting the nuclear program of the country.

According to Symantec, the number of incidents related to Duqu is at least 21, most of them located in Iran. One of the main problems in the analysis of the agent is that the majority of the infected machines did not contain the main Duqu modules but only the files created by these components, with names starting with "~DQ", "~DF", "~DO".

The purpose of the agent was gathering information related to control systems used in different industries in Iran, and information about the trade relationships of particular organizations.
Very interesting is the list of known modifications of Duqu provided by Alexander Gostev, an expert at Kaspersky Lab.

The following table contains information about all the components of Duqu we know about. The files marked in green are known. The files marked in red are missing: they were not found on infected machines, but we know the names and sizes of some of the missing files indirectly.

[Table image not reproduced: list of known Duqu components, from Kaspersky Lab]

As an exercise I tried to graph the data supplied by the leading teams involved in research on this malware. Does the fact that the majority of instances have been identified in Sudan and Iran suggest something to you? Do you still have doubts about who may have developed this powerful family of cyber weapons?

[Chart image not reproduced: distribution of identified Duqu instances by country]

According to Gostev, the Duqu driver was probably modified to avoid detection by security software and by other applications able to discover the agent, such as the open-source Duqu Detection Toolkit. The tool was developed by the Laboratory of Cryptography and System Security (CrySyS) in Budapest and updated just two weeks ago.

Stand-alone forensic tools such as the one CrySyS developed are fundamental for the analysis of Duqu, because they can provide a precious set of data about the infection of the victim system and about the mode of the attack, such as the identification of data stolen from the computer and stored in files ending in "DQ" and "DF".
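As an added example (not code from the article, Symantec, Kaspersky Lab or the CrySyS toolkit), the following Python script performs the simplest kind of triage the two passages above describe: it walks a directory tree, flags files whose names carry the "~DQ", "~DF" or "~DO" prefixes reported on infected machines or the loader driver name mcd9x86.sys, and hashes each hit for later correlation. The directory layout, file contents and classification labels are constructed for the demonstration and are not real artefacts.

```python
import os
import hashlib
import tempfile
from pathlib import Path

# Name patterns the article reports on infected machines: temporary files
# whose names start with ~DQ, ~DF or ~DO, and the loader driver mcd9x86.sys.
# Everything else in this script is an assumption made for the example.
ARTEFACT_PREFIXES = ("~DQ", "~DF", "~DO")
KNOWN_DRIVER_NAMES = {"mcd9x86.sys"}

def classify(name):
    """Return a reason if the file name matches a Duqu artefact pattern, else None."""
    if name.lower() in KNOWN_DRIVER_NAMES:
        return "known Duqu loader driver name"
    for prefix in ARTEFACT_PREFIXES:
        if name.upper().startswith(prefix):
            return "temporary file with Duqu prefix " + prefix
    return None

def scan(root):
    """Walk root; return sorted (path, reason, size, sha256) tuples, one per hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            reason = classify(fname)
            if reason is not None:
                p = Path(dirpath) / fname
                digest = hashlib.sha256(p.read_bytes()).hexdigest()  # for later correlation
                hits.append((str(p), reason, p.stat().st_size, digest))
    return sorted(hits)

def demo():
    """Build a constructed directory tree (sample data, not real artefacts) and scan it."""
    root = Path(tempfile.mkdtemp(prefix="duqu_demo_"))
    (root / "Temp").mkdir()
    (root / "drivers").mkdir()
    (root / "Temp" / "~DQ1.tmp").write_bytes(b"constructed sample blob")
    (root / "Temp" / "~DF3A2.tmp").write_bytes(b"constructed sample")
    (root / "Temp" / "~DO5.tmp").write_bytes(b"x")
    (root / "Temp" / "report.docx").write_bytes(b"benign, must not be flagged")
    (root / "drivers" / "mcd9x86.sys").write_bytes(b"constructed sample driver")
    (root / "drivers" / "ntfs.sys").write_bytes(b"benign driver, must not be flagged")
    return scan(root)

if __name__ == "__main__":
    for path, reason, size, digest in demo():
        print(f"{reason:36} {size:5d} {digest[:16]}  {path}")
```

Name-based matching is only a first pass: a recompiled variant can use different names, so each hit is a lead to hash and hand to a full forensic tool, not a verdict.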

Costin Raiu, director of the global research and analysis team at Kaspersky Lab, declared:

“The toolkit released by CrySyS Lab is top class.”

“Of course, all of this can be done ‘manually,’ but these tools make it much easier to spot anomalies in Duqu-infected computers.”

There are 7 different versions of the main Duqu module (the PNF DLL) in the list, set up to interact with five first-tier C&C servers that have been shut down by Kaspersky Lab and Symantec. Really interesting is the effort spent on encryption and obfuscation techniques, which proves the will of the malware's creators to conduct a covert operation, a typical advantage of the adoption of cyber weapons.

What do we expect from the future?

The authors of Duqu are back after 4 months of silence, and this confirms that malware such as Stuxnet and Duqu are children of an ambitious and complex project that aims to provide an "evolutionary" threat. Prepare to deal with new modules and new features designed to attack specific targets.

In a previous article of mine on the topic I wrote:

Let me raise serious doubts about the immediate effectiveness of preventive measures against this new generation of cyber weapons, because the industry in general is still too vulnerable. Possible evolutions of the malware could cause serious damage to infrastructures that use the systems in question.
The only way to emerge unscathed from this awkward situation is close collaboration between industry, producers of control systems and governments, hoping that security will become a requirement in the design phase.

Nothing has changed yet! Much money has been invested in the development of this malware, and the consequence is that the operations will continue for a long time.

We will witness the birth of new versions of the existing agents, equipped with more sophisticated modules that include new features and that are also able to avoid antivirus detection. We will also face the development of new malware based on the same platform.

Let us prepare for the worst … errors are not allowed!

Pierluigi Paganini

