There’s been a lot of chatter this week about Duqu and what it’s actually aimed at accomplishing. I started off with Darren’s link in the show notes to a Network World article titled “Symantec, McAfee differ on Duqu threat“. After spending some time reading through different articles I focused on three by Symantec, McAfee and Kaspersky that had very different takes on Duqu. The links for each are below. It seems that there is some agreement on characteristics of Duqu, but a lot less on what it is aimed at doing.
First, here’s what Symantec, McAfee and Kaspersky agreed on.
Duqu is Stuxnet related. Symantec stated that the authors had access to the Stuxnet source code. McAfee said that it was the Stuxnet team because it attacked small certificate authorities in the “Canis Aureus” region. Oh, and the code of Duqu was Stuxnet related. (Their order, not mine.) Kaspersky simply stated that the code and functionality was similar and let it go at that.
One of the Duqu files were signed drivers purporting to be C-Media Electronics. McAfee called these “stolen digital certificates”. VeriSign revoked the certificate for this driver on October 14, 2011. Other drivers were note signed.
Symantec and McAfee agree remote access and key logging are two of its capabilities. Kaspersky only mentioned the keylogger.
But then we get to what its actually for…
Symantec states that Duqu’s purpose is “gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.” The main payload is for general remote access.
McAfee also says that it is aimed at espionage and “targeted attacks against sites such as Certificate Authorities (CAs).” At the end of their article they issued a warning specific to CAs to carefully check their systems.
Kaspersky took a different approach and didn’t take a guess Duqu’s purpose. Instead they gave information about the four Duqu drivers that they have, stated that they only had one confirmed infection (as of Oct 20, 2011) and they were continuing to investigate.
Between the three articles there is information that could be used to look for signs of Duqu on your hosts. File names, driver names and versions. HTTP and HTTPS used for communications. JPG files used as the data transfer method. The full paper from Symantec also includes registry paths that we could look for. However, these are only from the files that they have discovered so far. So while we have a bit of information to start checking our systems with, what it does is still a bit of a debate.
Links:
Symantec – W32.Duqu: The Precursor to the Next Stuxnet
Symantec’s full paper on Duqu
McAffee – The Day of the Golden Jackal – The Next Tale in the Stuxnet Files: Duqu
Kaspersky – The Mystery of Duqu – Part One
Fox News – Stuxnet Clone ‘Duqu’: The Hydrogen Bomb of Cyberwarfare? Nothing like a little hyperventilation to make it interesting.