
What Does Duqu Actually Do?

There’s been a lot of chatter this week about Duqu and what it’s actually aimed at accomplishing. I started off with Darren’s link in the show notes to a Network World article titled “Symantec, McAfee differ on Duqu threat”. After spending some time reading through different articles I focused on three, by Symantec, McAfee and Kaspersky, that had very different takes on Duqu. The links for each are below. There is some agreement on the characteristics of Duqu, but a lot less on what it is aimed at doing.
First, here’s what Symantec, McAfee and Kaspersky agreed on.
Duqu is Stuxnet related. Symantec stated that the authors had access to the Stuxnet source code. McAfee said that it was the Stuxnet team because it attacked small certificate authorities in the “Canis Aureus” region. Oh, and the code of Duqu was Stuxnet related. (Their order, not mine.) Kaspersky simply stated that the code and functionality were similar and left it at that.
One of the Duqu files was a signed driver purporting to be from C-Media Electronics. McAfee called this a “stolen digital certificate”. VeriSign revoked the certificate for this driver on October 14, 2011. The other drivers were not signed.
Symantec and McAfee agree that remote access and key logging are two of its capabilities. Kaspersky only mentioned the keylogger.
But then we get to what it’s actually for…

Fox News decided it was the “hydrogen bomb of cyberwarfare”. How’s that for a purpose?

Symantec states that Duqu’s purpose is to “gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party.” The main payload is a general-purpose remote access tool.
McAfee also says that it is aimed at espionage and “targeted attacks against sites such as Certificate Authorities (CAs).” At the end of their article they issued a warning specific to CAs to check their systems carefully.
Kaspersky took a different approach and didn’t guess at Duqu’s purpose. Instead they gave information about the four Duqu drivers that they have, stated that they only had one confirmed infection (as of Oct 20, 2011) and said they were continuing to investigate.
Between the three articles there is information that could be used to look for signs of Duqu on your hosts: file names, driver names and versions; HTTP and HTTPS used for command-and-control communications; JPG files used as the data transfer method. The full paper from Symantec also includes registry paths that we could look for. However, these indicators come only from the files that have been discovered so far, so a host that shows none of them has not been proven clean. So while we have a bit of information to start checking our systems with, what Duqu does is still a bit of a debate.
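One of the few indicators above that doesn’t depend on a specific file name or registry path is the data transfer method: image files carrying something other than an image. The script below is an added example written for this post, not code from any of the three vendors, and it assumes the transferred data rides along after the JPEG End-Of-Image marker, which is one common way to hide a payload in an image file (the vendor papers describe JPGs as the carrier; the exact embedding is an assumption here). It walks the JPEG marker segments, finds the end of the image, and reports any trailing bytes. The sample images are constructed inline so the script runs offline; the file and directory names in the usage function are placeholders.

```python
"""
Flag JPEG files that carry extra data after the End-Of-Image (EOI) marker.
Added example for hunting image-based data transfer; not vendor code.
"""
import struct
from dataclasses import dataclass
from pathlib import Path

SOI = b"\xff\xd8"   # Start Of Image
EOI = b"\xff\xd9"   # End Of Image
SOS = 0xDA          # Start Of Scan: entropy-coded data follows


@dataclass
class JpegTrailer:
    path: str
    image_end: int     # offset just past the EOI marker
    trailing: bytes    # bytes found after EOI (empty if the file is clean)


def find_image_end(data: bytes) -> int:
    """Return the offset just past the EOI marker of the JPEG in `data`.

    Raises ValueError if the bytes are not a JPEG or no EOI is found.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    # Walk the marker segments up to SOS. Each has a 2-byte big-endian
    # length that includes the length field itself.
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                 # EOI before any scan data
            return pos + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # standalone markers
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == SOS:
            break
    else:
        raise ValueError("no SOS marker found")
    # Inside entropy-coded data an 0xFF byte is always stuffed as FF00 or is
    # a restart marker (FFD0-FFD7), so the first FFD9 really is the EOI.
    idx = data.find(EOI, pos)
    if idx == -1:
        raise ValueError("no EOI marker found")
    return idx + 2


def trailing_data(data: bytes) -> bytes:
    """Bytes after the image; anything here is not part of the picture."""
    return data[find_image_end(data):]


def scan_directory(root: str) -> list[JpegTrailer]:
    """Report every .jpg/.jpeg under `root` that has data after EOI."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.suffix.lower() not in (".jpg", ".jpeg") or not p.is_file():
            continue
        try:
            blob = p.read_bytes()
            extra = trailing_data(blob)
        except (OSError, ValueError):
            continue                       # unreadable or not really a JPEG
        if extra:
            hits.append(JpegTrailer(str(p), len(blob) - len(extra), extra))
    return hits


def minimal_jpeg() -> bytes:
    """Constructed sample: a structurally valid, minimal JPEG (not a real picture)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"         # entropy-coded bytes with FF00 stuffing
    return SOI + app0 + sos + scan + EOI


def smuggled_jpeg() -> bytes:
    """Constructed sample: the same image with a blob appended after EOI."""
    return minimal_jpeg() + b"\x00" * 4 + b"ENCRYPTED-BLOB"


if __name__ == "__main__":
    print("clean image trailing bytes:", len(trailing_data(minimal_jpeg())))
    print("smuggled image trailing bytes:", len(trailing_data(smuggled_jpeg())))
    for hit in scan_directory("C:/ProxyCache"):    # placeholder path
        print(hit.path, "has", len(hit.trailing), "bytes after EOI")
```

Point `scan_directory` at a proxy cache or a suspect host’s temp directories; the number of trailing bytes and their entropy tell you quickly whether an image is just an image. Legitimate files can have a few bytes of padding or a second embedded thumbnail after EOI, so treat a hit as something to look at, not as proof of infection.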
Symantec – W32.Duqu: The Precursor to the Next Stuxnet
Symantec – full paper on Duqu
McAfee – The Day of the Golden Jackal – The Next Tale in the Stuxnet Files: Duqu
Kaspersky – The Mystery of Duqu – Part One
Fox News – Stuxnet Clone ‘Duqu’: The Hydrogen Bomb of Cyberwarfare? Nothing like a little hyperventilation to make it interesting.

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRT54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles at a lottery company, a university, an ISP, as an independent penetration tester, and at security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly; he enjoys coding in Python and telling everyone he uses Linux.
