Duqu incidents detected in Iran and Sudan

Researchers say that each infection is unique

Security vendor Kaspersky Lab has identified infections with the new Duqu malware in Sudan and, more importantly, Iran, the main target of the Trojan's predecessor -- Stuxnet.

Duqu took the security industry by storm last week when the Hungarian research laboratory Crysys shared its analysis of the new threat with the world's top antivirus vendors.

Believed to be closely related to the Stuxnet industrial sabotage worm, from which it borrows code and functionality, Duqu is a flexible malware delivery framework used for data exfiltration.

The main Trojan module has three components: a kernel driver, which injects a rogue library (DLL) into system processes; the DLL itself, which handles communication with the command-and-control server and other system operations, like writing registry entries or executing files; and a configuration file.

The secondary module is a keylogger with information-stealing capabilities, which was discovered together with the original Duqu version. It's not known with certainty when the malware appeared in the wild, but the first sample was submitted to the VirusTotal service on Sept. 9 from someone in Hungary.

Since then Kaspersky Lab has identified multiple variants, some of which were created on Oct. 17, and were found on computers in Sudan and Iran. "We know that there are at least 13 different driver files (and we have only six of them)," the Kaspersky researchers said.

Each of the four incidents detected in Iran is interesting in its own way, aside from the fact that they occurred in a country widely believed to have been Stuxnet's primary target.

One incident involved two infected computers located on the same network, with one containing two separate Duqu drivers. In a separate case, the network where the infected computers resided recently registered two attacks that targeted a vulnerability exploited by both Stuxnet and the Conficker worm.

It's worth pointing out that researchers still don't know how Duqu reaches the targeted systems, so these network attacks might serve as an indication of how the infection happens.

"Duqu is used for targeted attacks with carefully selected victims," Kaspersky's researchers said. However, so far there is no indication that any of the victims are linked to Iran's nuclear program, like in Stuxnet's case; Certificate Authorities (CAs), like in other Iranian attacks; or even specific industries, as suggested by other reports.

Another interesting discovery is that each Duqu infection is unique and results in components with different names and checksums. "Analysis of driver igdkmd16b.sys shows that there is a new encryption key, which means that existing detection methods of known PNF files (main DLL) are useless. It is obvious that the DLL is differently encoded in every single attack," the antivirus vendor's researchers said.
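The point Kaspersky makes here, that a per-attack re-encoding of the main DLL renders hash-based detection of known files useless, is easy to see in code. The following is an added illustration, not code from the article, from Kaspersky, or from Duqu itself: it uses a constructed stand-in payload and a toy repeating-key XOR encoding (an assumption chosen for clarity, not Duqu's actual encryption scheme) to show that two copies of the same payload encoded under different keys produce unrelated file hashes, and that a detector must compare the decoded content (or behaviour) rather than the on-disk hash. The known-plaintext key recovery relies only on the fact that a Windows DLL begins with the standard DOS header bytes.

```python
"""Added illustration (not from the article or Kaspersky): per-victim
re-encoding of the same payload defeats hash-based detection.

The payload, keys and XOR encoding below are constructed for the example;
they are not Duqu's real files, keys or encryption scheme.
"""
import hashlib
import itertools

# Constructed stand-in for a "main DLL" payload. The first four bytes are the
# standard DOS header of a Windows PE file ("MZ" followed by e_cblp = 0x90).
PE_HEADER_PREFIX = b"MZ\x90\x00"
PAYLOAD = PE_HEADER_PREFIX + b"EXAMPLE-MAIN-DLL-CONTENT" * 8


def sha256(data):
    """Hex SHA-256 of a byte string (the kind of hash an IoC list would carry)."""
    return hashlib.sha256(data).hexdigest()


def encode(payload, key):
    """Toy per-victim encoding: repeating-key XOR (an assumption, not Duqu's scheme).
    XOR is its own inverse, so the same function also decodes."""
    return bytes(b ^ k for b, k in zip(payload, itertools.cycle(key)))


def build_variants(payload, keys):
    """Produce one encoded copy of the payload per victim-specific key."""
    return [encode(payload, key) for key in keys]


def hash_blocklist_match(sample, blocklist):
    """The detection model the article calls useless here: exact file-hash match."""
    return sha256(sample) in blocklist


def recover_xor_key(sample, known_prefix, key_len):
    """Known-plaintext key recovery for repeating-key XOR: because every PE
    starts with the same header bytes, XORing the first key_len bytes of the
    encoded sample with those header bytes yields the key."""
    if len(known_prefix) < key_len:
        raise ValueError("known plaintext must be at least one key length long")
    return bytes(s ^ p for s, p in zip(sample[:key_len], known_prefix[:key_len]))


def detect_by_decoded_content(sample, known_payload_hash, key_len=4):
    """Content-based detection: recover the per-victim key, decode, and compare
    the hash of the decoded payload rather than the hash of the file on disk."""
    key = recover_xor_key(sample, PE_HEADER_PREFIX, key_len)
    return sha256(encode(sample, key)) == known_payload_hash


if __name__ == "__main__":
    # Two victims, two keys (constructed values).
    keys = [b"\x01\x02\x03\x04", b"\xaa\xbb\xcc\xdd"]
    victim_a, victim_b = build_variants(PAYLOAD, keys)

    # A blocklist built from the first incident's file hash misses the second.
    blocklist = {sha256(victim_a)}
    print("hash match, victim A:", hash_blocklist_match(victim_a, blocklist))
    print("hash match, victim B:", hash_blocklist_match(victim_b, blocklist))

    # Comparing decoded content catches both.
    known = sha256(PAYLOAD)
    print("decoded match, victim B:", detect_by_decoded_content(victim_b, known))
```

The same argument applies to any per-victim transformation, not just XOR: as long as the on-disk bytes differ per target, hash lists built from one incident do not transfer to the next, which is why the article's observation pushes detection toward the decoded DLL, the driver's injection behaviour, or the C&C traffic rather than file checksums.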

Because Duqu's architecture is very flexible, it can update itself, change command-and-control (C&C) servers and install other components at any time. In fact, Kaspersky didn't find the original keylogger module on any of the infected systems in Sudan or Iran, meaning that it was either encoded differently or replaced with another one.

"We cannot rule out that the known C&C in India was used only in the first known incident [...] and that there are unique C&Cs for every single target, including targets found by us," Kaspersky's researchers also noted.

They also believe that the people behind Duqu are reacting to the situation and are not going to stop. As the hunt for new information continues, we'll likely see more developments in the days to come.


Lucian Constantin

IDG News Service
