Threat Management, Malware, Vulnerability Management

Duqu variant uncovered

The year's first variant of the notorius W32.Duqu trojan has been discovered by Symantec researchers.

Duqu, a sophisticated piece of malware, is a dropper program that exploits a vulnerability in the Windows kernel.

After the original zero-day exploit appeared in November, Symantec researcher Vikram Thakur wrote in a blog post: "The installer file is a Microsoft Word document that exploits a previously unknown kernel vulnerability that allows code execution. When the file is opened, malicious code executes and installs the main Duqu binaries."

Writing on the Symantec blog on March 20, researchers said they had uncovered a variant that consists solely of the loader file used to insert the threat when a computer is restarted. Presumably, the other segments of the overall attack code have already been implanted in encrypted form on the user's disk.

The Symantec researchers wrote that this new iteration alters the code slightly, disguising itself as a Microsoft Class driver, to evade detection by security products.

"A new instance of Duqu along with an updated encryption algorithim shows that the team is still very active," Robert M. Lee, a cyber space officer with the U.S. Air Force, told SCMagazine.com on Friday in an email. "There would be few reasons to continue to use Duqu, and update it, if there was not valuable information that the team still wanted access to."

Writing in SC Magazine in December 2011, Liam Ó Murchu, operations manager of security technology & response at Symantec, said he was certain Duqu was created using the same source code as Stuxnet, a worm that crippled two of Iran's nuclear facilities. In that instance, malware relayed instructions to the processing plants' physical machinery that literally made the equipment blow a gasket. Ó Murchu said roughly 50 percent of the code in Duqu is reused from Stuxnet.

But, while the underlying code bares obvious similarities, not all are convinced that the motives are similar. According to a Dell SecureWorks research note, Duqu does not contain any code specifically designed to infiltrate industrial control systems.

"Both Duqu and Stuxnet are highly complex programs with multiple components," they wrote. "All of the similarities from a software point of view are in the 'injection' component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship."

Lee agreed that the motive differs. "While Stuxnet was able to target and physically damage centrifuges, Duqu is merely an information-gathering tool," he wrote to SCMagazine.com. "Basing Stuxnet and Duqu off of a common platform allows them to be quickly updated and remain effective against a variety of targets through the use of different modules of code, encryption updates and stealth measures."

Lee added that if there were to be a third cyber weapon based off of the common code in Duqu and Stuxnet, which Kaspersky has labeled Tilded platform, it would be advantageous for the team to take lessons learned from Stuxnet and information stolen by Duqu to create it.

Some security experts claim that Stuxnet was discovered earlier than the team creating it had anticipated and, therefore, it wasn't a complete success, Lee wrote.  "However, Stuxnet was one of at least two pieces of malware based off of the Tilded platform. It was very much a proof-of-concept attack for this type of cyber weapon creation, development and employment process to whatever nation-state that used it."

The continued use of Duqu and the active team apparently behind it shows that the proof-of-concept was a success, Lee wrote. "I would not be surprised if there was a third type of cyber weapon based off of Tilded, and I would be very surprised if there were not nation-state-made cyber weapons utilizing a platform approach being developed currently."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.