2011-12-27

Duqu

The term Duqu

The term Duqu is used with several different meanings:

Relationship to Stuxnet

Symantec, building on the CrySyS Lab report, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix. Symantec believes that Duqu was created by the same authors as Stuxnet, or by authors who had access to the Stuxnet source code. Like Stuxnet, Duqu carries a kernel driver signed with a stolen code-signing certificate, and it collects information to prepare for future attacks. Mikko Hyppönen, Chief Research Officer of F-Secure, said that Duqu's kernel driver, JMINET7.SYS, was so similar to Stuxnet's MRXCLS.SYS that F-Secure's back-end system classified it as Stuxnet. Hyppönen added that the certificate used to sign Duqu was stolen from C-Media, located in Taipei, Taiwan. According to Symantec, the certificate was due to expire on 2 August 2012 but was revoked on 14 October 2011. Revocation only helps hosts that actually check certificate status at signature-verification time; a driver that is already installed and loaded is not affected by it.

Dell SecureWorks, by contrast, reports that Duqu may not be related to Stuxnet at all.

Experts who compared the two pieces of malware found three factors most intriguing:

1. The installer exploits a zero-day vulnerability in the Windows kernel.
2. Components are signed with stolen certificates.
3. Duqu is highly targeted, in a way that suggests advanced intelligence about its victims.

Microsoft Word zero-day exploit

Purpose

Duqu uses SMB as a peer-to-peer channel to move inside secured networks, from less secure segments into the secure zone. According to McAfee, one of Duqu's actions is to steal digital certificates from attacked computers so that future malware can appear to be legitimately signed software. Duqu uses a 54×54 pixel JPEG file (364.5 bytes) and encrypted dummy files as containers to smuggle data to its command and control servers. Security experts are still analyzing the code to determine what information the communications contain. Initial research indicates that the malware automatically removes itself after 36 days, which limits the window in which it can be detected.
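The image-as-container trick above suggests a simple forensic check: a JPEG that is structurally complete but has bytes after its End-Of-Image marker is carrying something that is not picture data. The following is an added example, not code from the original article or from any published Duqu analysis; the exact layout Duqu used is not described on this page, so the code assumes one common container layout (a valid JPEG with the smuggled bytes appended after EOI). The tiny 54×54 JPEG skeleton and the "encrypted" payload are constructed here purely for the demonstration.

```python
"""Flag JPEG files that carry extra data after the End-Of-Image marker.

Added example, not code from the original article or from any published Duqu
analysis. It assumes one common container layout: a small but well-formed JPEG
with the smuggled bytes appended after the EOI marker. The sample JPEG and
payload below are constructed for this demonstration (the SOF0/SOS segments are
syntactically valid, but the image is not meant to be decodable).
"""

SOI = b"\xff\xd8"
# SOFn frame-header markers; C4 (DHT), C8 (JPG) and CC (DAC) are not frame headers.
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def iter_segments(data: bytes):
    """Yield (marker, payload_offset, next_offset) for every JPEG segment.

    Walks the segment structure instead of searching for FF D9, because that
    byte pair can also occur inside entropy-coded data. After an SOS segment the
    entropy-coded bytes are skipped up to the next real marker (FF followed by
    anything other than 00 or an RSTn byte). Stops after EOI; raises ValueError
    if the input is not a well-formed JPEG.
    """
    if not data.startswith(SOI):
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                               # EOI: the image ends here
            yield marker, pos + 2, pos + 2
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # TEM / RSTn: no length field
            yield marker, pos + 2, pos + 2
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")   # includes the 2 length bytes
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        payload = pos + 4
        nxt = pos + 2 + seg_len
        if marker == 0xDA:                               # SOS: entropy-coded data follows
            while nxt + 1 < len(data):
                b0, b1 = data[nxt], data[nxt + 1]
                if b0 == 0xFF and b1 != 0x00 and not (0xD0 <= b1 <= 0xD7):
                    break
                nxt += 1
        yield marker, payload, nxt
        pos = nxt
    raise ValueError("no EOI marker found")


def analyse_jpeg(data: bytes) -> dict:
    """Return the image dimensions, where the JPEG really ends, and how much trails it."""
    width = height = None
    end = None
    for marker, payload, nxt in iter_segments(data):
        if marker in SOF_MARKERS:
            # SOFn payload: precision (1 byte), height (2), width (2), components ...
            height = int.from_bytes(data[payload + 1:payload + 3], "big")
            width = int.from_bytes(data[payload + 3:payload + 5], "big")
        if marker == 0xD9:
            end = nxt
    trailing = len(data) - end
    return {
        "width": width,
        "height": height,
        "image_bytes": end,
        "trailing_bytes": trailing,
        "suspicious": trailing > 0,
    }


def extract_trailing(data: bytes) -> bytes:
    """Return the bytes appended after EOI: the candidate smuggled payload."""
    return data[analyse_jpeg(data)["image_bytes"]:]


# Constructed 54x54 baseline JPEG skeleton: SOI, SOF0, SOS, a few entropy-coded
# bytes (including an FF 00 stuffed byte and an FF D0 restart marker), EOI.
CLEAN_JPEG = (
    SOI
    + b"\xff\xc0\x00\x0b\x08\x00\x36\x00\x36\x01\x01\x11\x00"   # SOF0: 8-bit, 54x54, 1 component
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"               # SOS: 1 component
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                       # entropy-coded data
    + b"\xff\xd9"                                               # EOI
)
# Constructed stand-in for an encrypted blob appended after the image.
CONSTRUCTED_PAYLOAD = bytes((i * 37 + 11) & 0xFF for i in range(300))
CONTAINER_JPEG = CLEAN_JPEG + CONSTRUCTED_PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("container", CONTAINER_JPEG)):
        print(name, analyse_jpeg(blob))
```

Walking the segments rather than calling `data.find(b"\xff\xd9")` matters: the first FF D9 in a file is not necessarily the EOI, and a scanner that trusts it will either miss appended data or mis-measure it. The dimension fields are worth keeping alongside the trailing-byte count, since a 54×54 image that is tens of kilobytes long is itself a signal even before the trailer is examined.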

Key points are:

Command and control servers

Some of Duqu's command and control servers have been analysed. The operators appear to have had a predilection for CentOS 5.x servers, leading some researchers to suspect that they held a zero-day exploit for that platform. On the other hand, SSH logs retrieved from compromised servers show multiple failed login attempts, suggesting instead that the root password was guessed by brute force. The servers were scattered across many countries, including Germany, Belgium and China.
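The brute-force hypothesis is the kind of claim that can be tested directly against an sshd log: a run of failed password attempts for one account from one source, followed by an accepted login from the same source, is the signature a responder looks for. The following detector is an added example, not code from the original article or from the server analyses it summarises. The log lines are constructed in the OpenSSH syslog format (the hostname, PIDs and documentation-range IP addresses are made up, and they are not the logs retrieved from any real Duqu server); because syslog timestamps carry no year, the parser assumes one.

```python
"""Spot SSH password brute-forcing, and a success that follows it, in sshd logs.

Added example, not code from the original article or from the Duqu C&C server
analyses it summarises. The log lines below are constructed in the OpenSSH
syslog format (hostname, PIDs and documentation-range IP addresses are made
up). Syslog timestamps carry no year, so an assumed year is used for parsing.
"""
import re
from collections import defaultdict
from datetime import datetime

ASSUMED_YEAR = 2011   # assumption: syslog lines have no year field

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str):
    """Return a dict for an sshd authentication event, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = re.sub(r"\s+", " ", m["ts"])          # "Oct  5" -> "Oct 5"
    return {
        "ts": datetime.strptime(f"{ASSUMED_YEAR} {ts_text}", "%Y %b %d %H:%M:%S"),
        "ts_text": ts_text,
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 300):
    """Return findings as (kind, source_ip, user, timestamp_text) tuples.

    'brute_force' fires once when a source reaches `threshold` failed logins
    inside the sliding window; 'brute_force_success' fires when an accepted
    login from that source arrives while the window still holds at least
    `threshold` failures, i.e. the password was most likely guessed.
    """
    failures = defaultdict(list)      # source ip -> timestamps of recent failures
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, now = ev["ip"], ev["ts"]
        recent = [t for t in failures[ip] if (now - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            recent.append(now)
            failures[ip] = recent
            if len(recent) == threshold:              # report once per burst, not per attempt
                findings.append(("brute_force", ip, ev["user"], ev["ts_text"]))
        else:
            failures[ip] = recent
            if len(recent) >= threshold:
                findings.append(("brute_force_success", ip, ev["user"], ev["ts_text"]))
    return findings


# Constructed sample: six root failures from one source in under a minute, an
# unrelated single failure, the guessed-password success, and a normal key login.
SAMPLE_AUTH_LOG = """\
Oct 18 03:14:01 cc-host sshd[2201]: Failed password for root from 203.0.113.5 port 51230 ssh2
Oct 18 03:14:03 cc-host sshd[2203]: Failed password for root from 203.0.113.5 port 51231 ssh2
Oct 18 03:14:04 cc-host sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Oct 18 03:14:06 cc-host sshd[2207]: Failed password for root from 203.0.113.5 port 51232 ssh2
Oct 18 03:14:08 cc-host sshd[2209]: Failed password for root from 203.0.113.5 port 51233 ssh2
Oct 18 03:14:11 cc-host sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct 18 03:14:13 cc-host sshd[2213]: Failed password for root from 203.0.113.5 port 51235 ssh2
Oct 18 03:14:15 cc-host sshd[2215]: Accepted password for root from 203.0.113.5 port 51236 ssh2
Oct 18 03:20:40 cc-host sshd[2290]: Accepted publickey for alice from 192.0.2.10 port 50100 ssh2
"""


def sample_findings():
    """Run the detector over the constructed sample log."""
    return detect_bruteforce(SAMPLE_AUTH_LOG.splitlines())


if __name__ == "__main__":
    for finding in sample_findings():
        print(*finding)
```

The success-after-failures rule is the one that separates "someone is knocking" from "someone is in": on a server where that fires for root, the subsequent commands in that session are the next thing to pull. A lone failure against an invalid user, as for `admin` above, stays below threshold and is deliberately not reported.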


Retrieved from : http://en.wikipedia.org/w/index.php?title=Duqu&oldid=463368262