Duqu incidents detected in Iran and Sudan

Researchers say that each infection is unique

Security vendor Kaspersky Lab has identified infections with the new Duqu malware in Sudan and, more importantly, Iran, the main target of the Trojan's predecessor -- Stuxnet.

Duqu took the security industry by storm last week when the Hungarian research laboratory Crysys shared its analysis of the new threat with the world's top antivirus vendors.

Believed to be closely related to the Stuxnet industrial sabotage worm, from which it borrows code and functionality, Duqu is a flexible malware delivery framework used for data exfiltration.

The main Trojan module has three components: a kernel driver, which injects a rogue library (DLL) into system processes; the DLL itself, which handles communication with the command-and-control server and other system operations, like writing registry entries or executing files; and a configuration file.

The secondary module is a keylogger with information-stealing capabilities, which was discovered together with the original Duqu version. It's not known with certainty when the malware appeared in the wild, but the first sample was submitted to the VirusTotal service on Sept. 9 from someone in Hungary.

Since then Kaspersky Lab has identified multiple variants, some of which were created on Oct. 17, and were found on computers in Sudan and Iran. "We know that there are at least 13 different driver files (and we have only six of them)," the Kaspersky researchers said.

Each of the four incidents detected in Iran are interesting in their own way, aside from the fact that they occurred in a country widely believed to have been Stuxnet's primary target.

One incident involved two infected computers located on the same network, with one containing two separate Duqu drivers. In a separate case, the network where the infected computers resided recently registered two attacks that targeted a vulnerability exploited by both Stuxnet and the Conficker worm.

It's worth pointing out that researchers still don't know how Duqu reaches the targeted systems, so these network attacks might serve as an indication of how the infection happens.

"Duqu is used for targeted attacks with carefully selected victims," Kaspersky's researchers said. However, so far there is no indication that any of the victims are linked to Iran's nuclear program, like in Stuxnet's case; Certificate Authorities (CAs), like in other Iranian attacks; or even specific industries, as suggested by other reports.

Another interesting discovery is that each Duqu infection is unique and results in components with different names and checksums. "Analysis of driver igdkmd16b.sys shows that there is a new encryption key, which means that existing detection methods of known PNF files (main DLL) are useless. It is obvious that the DLL is differently encoded in every single attack," the antivirus vendor's researchers said.

Because Duqu's architecture is very flexible, it can update itself, change command-and-control (C&C) servers and install other components at any time. In fact, Kaspersky didn't find the original keylogger module on any of the infected systems in Sudan or Iran, meaning that it was either encoded differently or replaced with another one.

"We cannot rule out that the known C&C in India was used only in the first known incident [...] and that there are unique C&Cs for every single target, including targets found by us," Kaspersky's researchers also noted.

They also believe that the people behind Duqu are reacting to the situation and are not going to stop. As the hunt for new information continues, we'll likely see more developments in the days to come.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securitykaspersky lab

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?