Duqu

Duqu is a collection of computer Malware discovered on 1 September 2011, thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS Lab)^[1] of the Budapest University of Technology and Economics in Hungary discovered the threat, analysed the malware, and wrote a 60-page report^[2] naming the threat Duqu.^[3] Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.^[4]

Nomenclature

The term Duqu is used in a variety of ways:

Duqu malware is a variety of software components that together provide services to the attackers. Currently this includes information stealing capabilities and in the background, kernel drivers and injection tools. Part of this malware is written in unknown high level programming language,^[5] dubbed "Duqu framework". It is not C++, Python, Ada, Lua and many other checked languages. However, recent evidence suggests that Duqu may have been written in C with a custom object oriented framework and compiled in Microsoft Visual Studio 2008.
Duqu flaw is the flaw in Microsoft Windows that is used in malicious files to execute malware components of Duqu. Currently one flaw is known, a TrueType-font related problem in win32k.sys.
Operation Duqu is the process of only using Duqu for unknown goals. The operation might be related to Operation Stuxnet.

Relationship to Stuxnet

Symantec, based on the CrySyS report, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix.^[4]^[6] Symantec believes that Duqu was created by the same authors as Stuxnet, or that the authors had access to the source code of Stuxnet. The worm, like Stuxnet, has a valid, but abused digital signature, and collects information to prepare for future attacks.^[4]^[7] Mikko Hyppönen, Chief Research Officer for F-Secure, said that Duqu's kernel driver, JMINET7.SYS, was so similar to Stuxnet's MRXCLS.SYS that F-Secure's back-end system thought it was Stuxnet. Hyppönen further said that the key used to make Duqu's own digital signature (only observed in one case) was stolen from C-Media, located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011 according to Symantec.^[6]

Another source, Dell SecureWorks, reports that Duqu may not be related to Stuxnet.^[8] However, there is considerable and growing evidence that Duqu is closely related to Stuxnet.

Experts compared the similarities and found three of interest:

The installer exploits zero-day Windows kernel vulnerabilities.
Components are signed with stolen digital keys.
Duqu and Stuxnet are both highly targeted and related to the nuclear program of Iran.

Microsoft Word zero-day exploit

Like Stuxnet, Duqu attacks Microsoft Windows systems using a zero-day vulnerability. The first-known installer (AKA dropper) file recovered and disclosed by CrySyS Lab uses a Microsoft Word document that exploits the Win32k TrueType font parsing engine and allows execution.^[9] The Duqu dropper relates to font embedding, and thus relates to the workaround to restrict access to T2EMBED.DLL, which is a TrueType font parsing engine if the patch released by Microsoft in December, 2011 is not yet installed.^[10] Microsoft identifier for the threat is MS11-087 (first advisory issued on 13 November 2011).^[11]

Purpose

Duqu looks for information that could be useful in attacking industrial control systems. Its purpose is not to be destructive, the known components are trying to gather information.^[12] However, based on the modular structure of Duqu, special payload could be used to attack any type of computer system by any means and thus cyber-physical attacks based on Duqu might be possible. However, use on personal computer systems has been found to delete all recent information entered on the system, and in some cases total deletion of the computer's hard drive. Internal communications of Duqu are analysed by Symantec,^[4] but the actual and exact method how it replicates inside an attacked network is not yet fully known. According to McAfee, one of Duqu's actions is to steal digital certificates (and corresponding private keys, as used in public-key cryptography) from attacked computers to help future viruses appear as secure software.^[13] Duqu uses a 54×54 pixel jpeg file and encrypted dummy files as containers to smuggle data to its command and control center. Security experts are still analyzing the code to determine what information the communications contain. Initial research indicates that the original malware sample automatically removes itself after 36 days (the malware stores this setting in configuration files), which would limit its detection.^[6]

Key points are:

Executables developed after Stuxnet using the Stuxnet source code that have been discovered.
The executables are designed to capture information such as keystrokes and system information.
Current analysis shows no code related to industrial control systems, exploits, or self-replication.
The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
The exfiltrated data may be used to enable a future Stuxnet-like attack or might already have been used as basis for the Stuxnet attack.

Command and control servers

Some of the command and control servers of Duqu have been analysed. It seems that the people running the attack had a predilection for CentOS 5.x servers, leading some researchers to believe that they had a zero-day exploit for it. Servers are scattered in many different countries, including Germany, Belgium, Philippines, India and China. Kaspersky has published multiple blogposts on the command and control servers.^[14]

References

↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ ^4.0 ^4.1 ^4.2 ^4.3 Lua error in package.lua at line 80: module 'strict' not found.
↑ Shawn Knight (2012) Duqu Trojan contains mystery programming language in Payload DLL
↑ ^6.0 ^6.1 ^6.2 Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.
↑ Lua error in package.lua at line 80: module 'strict' not found.

[1] Lua error in package.lua at line 80: module 'strict' not found.

[2] Lua error in package.lua at line 80: module 'strict' not found.

[3] Lua error in package.lua at line 80: module 'strict' not found.

[syamantecduqu-4] 4.0 ^4.1 ^4.2 ^4.3 Lua error in package.lua at line 80: module 'strict' not found.

[5] Shawn Knight (2012) Duqu Trojan contains mystery programming language in Payload DLL

[Son_of_Stuxnet-6] 6.0 ^6.1 ^6.2 Lua error in package.lua at line 80: module 'strict' not found.

[7] Lua error in package.lua at line 80: module 'strict' not found.

[8] Lua error in package.lua at line 80: module 'strict' not found.

[9] Lua error in package.lua at line 80: module 'strict' not found.

[10] Lua error in package.lua at line 80: module 'strict' not found.

[11] Lua error in package.lua at line 80: module 'strict' not found.

[12] Lua error in package.lua at line 80: module 'strict' not found.

[13] Lua error in package.lua at line 80: module 'strict' not found.

[14] Lua error in package.lua at line 80: module 'strict' not found.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

v t e Hacking in the 2010s
Major incidents	Operation Aurora (2010) Australian cyberattacks (2010) Operation Payback (2010) HBGary Federal (2011) DigiNotar (2011) Operation Tunisia (2011) 2011 PlayStation Network outage (2011) Operation AntiSec (2011) Stratfor email leak (2012–13) LinkedIn hack (2012) South Korea cyberattack (2013) Snapchat hack (2013) Operation Tovar (2014) iCloud leaks of celebrity photos (2014) Sony Pictures Entertainment hack (2014) Office of Personnel Management data breach (2015) Hacking Team (2015) Ashley Madison data breach (2015) VTech data breach (2015) Bangladesh Bank heist (2016) Commission on Elections data breach (2016)
Groups	Anonymous associated events CyberBerkut Bureau 121 Derp GNAA Goatse Security Hacking Team Iranian Cyber Army Lizard Squad LulzRaft LulzSec NullCrew PayPal 14 PLA Unit 61398 RedHack Syrian Electronic Army TeaMp0isoN Tailored Access Operations UGNazi Yemen Cyber Army
Individuals	George Hotz Guccifer Hector Monsegur Jeremy Hammond Junaid Hussain Kristoffer von Hassel Mustafa Al-Bassam Ryan Ackroyd Topiary The Jester weev
Vulnerabilities discovered	Heartbleed (2014) Shellshock (2014) POODLE (2014) JASBUG (2015) Stagefright (2015) DROWN (2016) Badlock (2016)
Malware	Careto / The Mask CryptoLocker Dexter Duqu FinFisher Flame Gameover ZeuS Mahdi Metulji botnet NSA ANT catalog R2D2 (trojan) Shamoon Stars virus Stuxnet

Duqu

Contents

Nomenclature

Relationship to Stuxnet

Microsoft Word zero-day exploit

Purpose

Command and control servers

See also

References

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools