Everything that you need to know about Duqu:
Duqu was reported to antivirus vendors around the 14th of October, 2011, but it has been in the wild since November of 2010. Since then, variants (updated copies with additional features or upgrades to the code) have been released.
It has been billed as the next Stuxnet, the son of Stuxnet, or a Stuxnet clone. In reality, Duqu is more like a payload of Stuxnet than the entire attack campaign, because it is a backdoor package dropped via other means. Stuxnet was considered so advanced in large part because of the number of unpatched exploits it used to ensure successful infection.
Let's take a look at the similarities:
- Duqu uses code segments that can be identical to or very close to those used in the Stuxnet payload.
- Both Stuxnet and Duqu use signed code in order to appear to antivirus, Windows, and users as legitimate code.
- Duqu registers a remote procedure call (RPC) server in a very similar fashion to Stuxnet.
- Duqu carries the same list of antivirus products, in the same order, as Stuxnet, with one additional product.
- Duqu checks for running processes in a manner similar to Stuxnet.
- Both Stuxnet and Duqu use “import by hash” techniques instead of directly importing function names.
These are code-level similarities, which means that Stuxnet and Duqu appear to share a common resource base, code base, and methodology for loading and running executables. Essentially, the ways Duqu and Stuxnet install and launch themselves are similar enough to warrant worry either that Duqu comes from the same perpetrator as Stuxnet, or that its authors have access to the Stuxnet source code.
There are plenty of significant differences, however, namely that Duqu only performs information gathering. In comparison, Stuxnet destroyed industrial equipment, disabled safety systems, and was overtly malicious. Duqu's most significant malicious payload is its spying capability.
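The "import by hash" technique mentioned above leaves an analyst with a list of hash values instead of API names. The usual way to recover them is to hash every export name of the likely DLLs and build a lookup table. The example below is an added illustration, not code from the original post or from Duqu; the ROR-13 hash routine and the small export list are constructed stand-ins, not Duqu's actual algorithm or a real DLL's export table.

```python
"""Resolve hashed API imports back to (dll, api) names, the analyst's
side of the "import by hash" technique shared by Stuxnet and Duqu.
The hash below is a constructed ROR-13 style example; it is NOT Duqu's
real routine. The export list is a constructed sample, not real DLL data."""


def ror13_hash(name: str) -> int:
    """Constructed example hash: 32-bit rotate-right-13 then add each byte."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + ch) & 0xFFFFFFFF
    return h


# Constructed sample of export names. In a real workflow an analyst would
# pull the full export table of each DLL with a PE parser such as pefile.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["CreateProcessW", "LoadLibraryA", "GetProcAddress", "VirtualAlloc"],
    "user32.dll": ["GetForegroundWindow", "GetWindowTextW", "EnumWindows"],
}


def build_hash_table(exports: dict) -> dict:
    """Precompute hash -> (dll, api) for every export name we know about."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table[ror13_hash(name)] = (dll, name)
    return table


def resolve_hashes(hashes, table: dict) -> dict:
    """Map each hash found in a sample to (dll, api), or None if unknown."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed "hashes pulled from a sample": two resolvable, one unknown.
    found = [ror13_hash("GetWindowTextW"), ror13_hash("VirtualAlloc"), 0xDEADBEEF]
    for h, api in resolve_hashes(found, table).items():
        print(f"0x{h:08x} -> {api}")
```

Unresolved hashes usually mean the export table of another DLL is needed, or that the sample uses a different hash routine than the one assumed.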
Duqu infections currently have the following functionalities:
- View processes, accounts, and domain information
- View drive names/information
- Ability to take screenshots
- View network and network setup
- Keylogger
- Window name enumeration
- Share enumeration
- File exploration on all drives
Duqu sends this information to a command-and-control server currently located in India, the IP address of which is hard-coded into the Duqu payloads. Interestingly enough, Duqu is also set to destroy itself after 36 days of infection, a probable reason why it has been able to live so long in the wild without detection.
Targets:
Duqu appears to be mostly targeting industrial control systems and certificate authorities (CAs), probably to gain information to be used in further exploits. CA compromises are also lucrative because of their use in malware. Duqu itself is a sterling example of the use of compromised CA material: it uses a stolen certificate to sign itself as legitimate software, fooling the operating system, antivirus, and user alike with the ruse.
Infection Methods:
At first, Duqu was largely reported to have come from the same people who created Stuxnet. This simply doesn't have to be the case: the techniques could have been copied or even stolen wholesale by the malware authors. Duqu also behaves differently and uses different infection methods. Whereas Stuxnet was focused on remote exploitation and exploitation to spread itself, Duqu's exploit of choice (MS11-087, which has since been patched) is a trojan-horse method that requires a user to open an infected Microsoft Word document.
What Can We Learn From This?
Don't trust the initial reports. Be wary, but try not to buy into the paranoia: it's important to have measured and rational reactions to security threats so your customers and users don't come to view you as the "boy who cried wolf". The sad thing about Duqu is that it would be very hard to detect without antivirus signatures. Being signed, silent, patient, and self-deleting, it is a threat that is difficult to detect or defend against unless you have the proper security infrastructure (intrusion detection system, VLANs, exfiltration-filtering firewalls, data loss prevention, etc.). Use this as justification for increased security expenditure if your environment isn't up to spec.