[go: nahoru, domu]
Jump to content

Duqu: Difference between revisions

From Wikipedia, the free encyclopedia
Browse history interactively
← Previous edit
Content deleted Content added
VisualWikitext
GreenC bot (talk | contribs)
Bots
2,168,338 edits
Rescued 1 archive link. Wayback Medic 2.5 per WP:URLREQ#symantec.com
 
(37 intermediate revisions by 29 users not shown)
Line 1: Line 1:
{{short description|Collection of computer malware discovered in 2011}}
{{Use dmy dates|date=August 2016}}
{{For|the version of malware announced in 2015|Duqu 2.0}}
{{For|the version of malware announced in 2015|Duqu 2.0}}
{{Use dmy dates|date=August 2016}}
'''Duqu''' is a collection of computer [[malware]] discovered on 1 September 2011, thought to be related to the [[Stuxnet]] worm and to have been created by [[Unit 8200]].<ref>[https://medium.com/@jeffreycarr/nsa-unit-8200-and-malware-proliferation-dd6e075ce26e NSA, Unit 8200, and Malware Proliferation] Jeffrey CarrFollow
Principal consultant at 20KLeague.com; Founder of Suits and Spooks; Author of “Inside Cyber Warfare (O’Reilly Media, 2009, 2011), Aug 25, 2016</ref> The Laboratory of Cryptography and System Security ([[CrySyS Lab]])<ref>{{cite web | url = http://www.crysys.hu/ | title = Laboratory of Cryptography and System Security (CrySyS) | accessdate =4 November 2011}}</ref> of the [[Budapest University of Technology and Economics]] in [[Hungary]] discovered the threat, analysed the malware, and wrote a 60-page report<ref>{{cite web | url = http://www.crysys.hu/publications/files/bencsathPBF11duqu.pdf | title = Duqu: A Stuxnet-like malware found in the wild, technical report | publisher = Laboratory of Cryptography of Systems Security (CrySyS) | date = 14 October 2011}}</ref> naming the threat Duqu.<ref>{{cite web | url = http://www.crysys.hu/in-the-press.html | title = Statement on Duqu's initial analysis | publisher = Laboratory of Cryptography of Systems Security (CrySyS) | date = 21 October 2011 | accessdate = 25 October 2011 | deadurl = yes | archiveurl = https://www.webcitation.org/6B98SI8gJ?url=http://www.crysys.hu/in-the-press.html | archivedate = 3 October 2012 | df = dmy-all }}</ref> Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.<ref name=syamantecduqu>{{cite web |url = http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf |title = W32.Duqu – The precursor to the next Stuxnet (Version 1.4) |work = |publisher = [[Symantec]] |date = 23 November 2011 |accessdate =30 December 2011}}</ref>
'''Duqu''' is a collection of computer [[malware]] discovered on 1 September 2011, thought by [[Kaspersky Labs]] to be related to the [[Stuxnet]] worm<ref>[https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html How Israel Caught Russian Hackers Scouring the World for U.S. Secrets], ''New York Times''</ref> and to have been created by [[Unit 8200]].<ref>[https://medium.com/@jeffreycarr/nsa-unit-8200-and-malware-proliferation-dd6e075ce26e NSA, Unit 8200, and Malware Proliferation] {{Webarchive|url=https://web.archive.org/web/20171025075216/https://medium.com/@jeffreycarr/nsa-unit-8200-and-malware-proliferation-dd6e075ce26e |date=25 October 2017 }} Jeffrey Carr, Principal consultant at 20KLeague.com; Founder of Suits and Spooks; Author of “Inside Cyber Warfare (O’Reilly Media, 2009, 2011), medium.com, Aug 25, 2016</ref>{{better source|SPS|date=January 2021}} Duqu has exploited [[Microsoft Windows]]'s [[Zero day vulnerability|zero-day vulnerability]]. The Laboratory of Cryptography and System Security ([[CrySyS Lab]])<ref>{{cite web | url = http://www.crysys.hu/ | title = Laboratory of Cryptography and System Security (CrySyS) | access-date =4 November 2011}}</ref> of the [[Budapest University of Technology and Economics]] in [[Hungary]] discovered the threat, analysed the malware, and wrote a 60-page report<ref>{{cite web | url = http://www.crysys.hu/publications/files/bencsathPBF11duqu.pdf | title = Duqu: A Stuxnet-like malware found in the wild, technical report | publisher = Laboratory of Cryptography of Systems Security (CrySyS) | date = 14 October 2011}}</ref> naming the threat Duqu.<ref>{{cite web | url = http://www.crysys.hu/in-the-press.html | title = Statement on Duqu's initial analysis | publisher = Laboratory of Cryptography of Systems Security (CrySyS) | date = 21 October 2011 | access-date = 25 October 2011 | url-status = dead | archive-url = https://web.archive.org/web/20121004111047/http://crysys.hu/in-the-press.html | archive-date = 4 October 2012 | df = dmy-all }}</ref> Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.<ref name=syamantecduqu>{{cite web |url = http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf |archive-url = https://web.archive.org/web/20111213083345/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf |url-status = dead |archive-date = 13 December 2011 |title = W32.Duqu – The precursor to the next Stuxnet (Version 1.4) |publisher = [[NortonLifeLock|Symantec]] |date = 23 November 2011 |access-date =30 December 2011}}</ref>


==Nomenclature==
==Nomenclature==
The term Duqu is used in a variety of ways:
The term Duqu is used in a variety of ways:


* '''Duqu malware''' is a variety of software components that together provide services to the attackers. Currently this includes information stealing capabilities and in the background, kernel drivers and injection tools. Part of this malware is written in unknown high-level programming language,<ref>[http://www.techspot.com/news/47739-duqu-trojan-contains-mystery-programming-language-in-payload-dll.html Shawn Knight (2012)] Duqu Trojan contains mystery programming language in Payload DLL</ref> dubbed "Duqu framework". It is not C++, Python, Ada, Lua and many other checked languages. However, [http://www.securelist.com/en/blog/677/The_mystery_of_Duqu_Framework_solved recent evidence] suggests that Duqu may have been written in [[C (programming language)|C]] with a custom [[Object-oriented programming|object oriented]] framework and compiled in [[Microsoft Visual Studio 2008]].
* '''Duqu malware''' is a variety of software components that together provide services to the attackers. Currently this includes information stealing capabilities and in the background, kernel drivers and injection tools. Part of this malware is written in unknown high-level programming language,<ref>[http://www.techspot.com/news/47739-duqu-trojan-contains-mystery-programming-language-in-payload-dll.html Shawn Knight (2012)] Duqu Trojan contains mystery programming language in Payload DLL</ref> dubbed "Duqu framework". It is not C++, Python, Ada, Lua and many other checked languages. However, it is suggested that Duqu may have been written in [[C (programming language)|C]] with a custom [[Object-oriented programming|object oriented]] framework and compiled in [[Microsoft Visual Studio 2008]].<ref>{{Cite web|url=http://www.securelist.com/en/blog/677/The_mystery_of_Duqu_Framework_solved|title = Securelist &#124; Kaspersky's threat research and reports| date=12 September 2023 }}</ref>
* '''Duqu flaw''' is the flaw in Microsoft Windows that is used in malicious files to execute malware components of Duqu. Currently one flaw is known, a [[TrueType]]-font related problem in <tt>win32k.sys</tt>.
* '''Duqu flaw''' is the flaw in Microsoft Windows that is used in malicious files to execute malware components of Duqu. Currently one flaw is known, a [[TrueType]]-font related problem in {{mono|win32k.sys}}.
* '''Operation Duqu''' is the process of only using Duqu for unknown goals. The operation might be related to Operation Stuxnet.
* '''Operation Duqu''' is the process of only using Duqu for unknown goals. The operation might be related to Operation Stuxnet.


==Relationship to Stuxnet==
==Relationship to Stuxnet==
[[Symantec]], based on the CrySyS report, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix.<ref name=syamantecduqu/><ref name="Son_of_Stuxnet">{{cite news | url = https://www.wired.com/threatlevel/2011/10/son-of-stuxnet-in-the-wild/ | title = Son of Stuxnet Found in the Wild on Systems in Europe | accessdate =21 October 2011 | last = Zetter | first = Kim | date = 18 October 2011 | work=Wired}}</ref> Symantec believes that Duqu was created by the same authors as [[Stuxnet]], or that the authors had access to the source code of Stuxnet. The worm, like Stuxnet, has a valid, but abused [[digital signature]], and collects information to prepare for future attacks.<ref name=syamantecduqu/><ref>{{Cite news |url = http://www.zeit.de/digital/internet/2011-10/computerwurm-duqu-stuxnet |title = Virus Duqu alarmiert IT-Sicherheitsexperten |first = |last = |newspaper = [[Die Zeit]] |publisher = |date = 19 October 2011 |accessdate =19 October 2011 }}</ref> [[Mikko Hyppönen]], Chief Research Officer for [[F-Secure]], said that Duqu's kernel driver, <tt>JMINET7.SYS</tt>, was so similar to Stuxnet's <tt>MRXCLS.SYS</tt> that F-Secure's back-end system thought it was Stuxnet. Hyppönen further said that the key used to make Duqu's own digital signature (only observed in one case) was stolen from [[C-Media]], located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011 according to Symantec.<ref name="Son_of_Stuxnet"/>
[[NortonLifeLock|Symantec]], based on the CrySyS team managed by Dr Thibault Gainche report, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix.<ref name=syamantecduqu/><ref name="Son_of_Stuxnet">{{cite magazine | url = https://www.wired.com/threatlevel/2011/10/son-of-stuxnet-in-the-wild/ | title = Son of Stuxnet Found in the Wild on Systems in Europe | access-date =21 October 2011 | last = Zetter | first = Kim | date = 18 October 2011 | magazine=Wired}}</ref> Symantec believes that Duqu was created by the same authors as [[Stuxnet]], or that the authors had access to the source code of Stuxnet. The worm, like Stuxnet, has a valid, but abused [[digital signature]], and collects information to prepare for future attacks.<ref name=syamantecduqu/><ref>{{Cite news |url = http://www.zeit.de/digital/internet/2011-10/computerwurm-duqu-stuxnet |title = Virus Duqu alarmiert IT-Sicherheitsexperten |newspaper = [[Die Zeit]] |date = 19 October 2011 |access-date =19 October 2011 }}</ref> [[Mikko Hyppönen]], Chief Research Officer for [[F-Secure]], said that Duqu's kernel driver, {{mono|JMINET7.SYS}}, was so similar to Stuxnet's {{mono|MRXCLS.SYS}} that F-Secure's back-end system thought it was Stuxnet. Hyppönen further said that the key used to make Duqu's own digital signature (only observed in one case) was stolen from [[C-Media]], located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011 according to Symantec.<ref name="Son_of_Stuxnet"/>


Another source, [[Dell SecureWorks]], reports that Duqu may not be related to Stuxnet.<ref>{{cite web | url = https://arstechnica.com/business/news/2011/10/spotted-in-iran-trojan-duqu-may-not-be-son-of-stuxnet-after-all.ars | title = Spotted in Iran, trojan Duqu may not be "son of Stuxnet" after all | accessdate =27 October 2011}}</ref> However, there is considerable and growing evidence that Duqu is closely related to Stuxnet.
Another source, [[Dell SecureWorks]], reports that Duqu may not be related to Stuxnet.<ref>{{cite web | url = https://arstechnica.com/business/news/2011/10/spotted-in-iran-trojan-duqu-may-not-be-son-of-stuxnet-after-all.ars | title = Spotted in Iran, trojan Duqu may not be "son of Stuxnet" after all | date = 27 October 2011 | access-date =27 October 2011}}</ref> However, there is considerable and growing evidence that Duqu is closely related to Stuxnet.


Experts compared the similarities and found three points of interest:
Experts compared the similarities and found three points of interest:
Line 22: Line 22:


==Microsoft Word zero-day exploit==
==Microsoft Word zero-day exploit==
Like [[Stuxnet]], Duqu attacks [[Microsoft Windows]] systems using a [[zero-day vulnerability]]. The first-known installer (AKA dropper) file recovered and disclosed by CrySyS Lab uses a [[Microsoft Word]] document that exploits the Win32k [[TrueType font]] parsing engine and allows execution.<ref>{{cite web | url = http://www.zdnet.com/blog/security/microsoft-issues-temporary-fix-it-for-duqu-zero-day/9764 | title = Microsoft issues temporary 'fix-it' for Duqu zero-day | accessdate =5 November 2011}}</ref> The Duqu dropper relates to font embedding, and thus relates to the workaround to restrict access to <tt>T2EMBED.DLL</tt>, which is a TrueType font parsing engine if the patch released by Microsoft in December 2011 is not yet installed.<ref>{{cite journal | title = Microsoft Security Advisory (2639658) |url=https://technet.microsoft.com/en-us/security/advisory/2639658 | journal = Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege | date = 3 November 2011 | accessdate =5 November 2011}}</ref>
Like [[Stuxnet]], Duqu attacks [[Microsoft Windows]] systems using a [[zero-day vulnerability]]. The first-known installer (AKA dropper) file recovered and disclosed by CrySyS Lab uses a [[Microsoft Word]] document that exploits the Win32k [[TrueType font]] parsing engine and allows execution.<ref>{{cite web | url = http://www.zdnet.com/blog/security/microsoft-issues-temporary-fix-it-for-duqu-zero-day/9764 | title = Microsoft issues temporary 'fix-it' for Duqu zero-day | website = [[ZDNet]] | access-date =5 November 2011}}</ref> The Duqu dropper relates to font embedding, and thus relates to the workaround to restrict access to {{mono|T2EMBED.DLL}}, which is a TrueType font parsing engine if the patch released by Microsoft in December 2011 is not yet installed.<ref>{{cite journal | title = Microsoft Security Advisory (2639658) |url=https://technet.microsoft.com/en-us/security/advisory/2639658 | journal = Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege | date = 3 November 2011 | access-date =5 November 2011}}</ref>
Microsoft identifier for the threat is MS11-087 (first advisory issued on 13 November 2011).<ref>{{cite web | url = https://technet.microsoft.com/en-us/security/bulletin/ms11-087
Microsoft identifier for the threat is MS11-087 (first advisory issued on 13 November 2011).<ref>{{cite web | url = https://technet.microsoft.com/en-us/security/bulletin/ms11-087
| title = Microsoft Security Bulletin MS11-087 - Critical | accessdate =13 November 2011}}</ref>
| title = Microsoft Security Bulletin MS11-087 - Critical | access-date =13 November 2011}}</ref>


==Purpose==
==Purpose==
Duqu looks for information that could be useful in attacking [[industrial control systems]]. Its purpose is not to be destructive, the known components are trying to gather information.<ref>{{cite web|author=Steven Cherry, with Larry Constantine|title=Sons of Stuxnet|url=http://spectrum.ieee.org/podcast/telecom/security/sons-of-stuxnet|publisher=[[IEEE Spectrum]]|date=14 December 2011}}</ref> However, based on the modular structure of Duqu, special payload could be used to attack any type of computer system by any means and thus cyber-physical attacks based on Duqu might be possible. However, use on personal computer systems has been found to delete all recent information entered on the system, and in some cases total deletion of the computer's hard drive.
Duqu looks for information that could be useful in attacking [[industrial control systems]]. Its purpose is not to be destructive, the known components are trying to gather information.<ref>{{cite web|author=Steven Cherry, with Larry Constantine|title=Sons of Stuxnet|url=https://spectrum.ieee.org/podcast/telecom/security/sons-of-stuxnet|publisher=[[IEEE Spectrum]]|date=14 December 2011}}</ref> However, based on the modular structure of Duqu, special payload could be used to attack any type of computer system by any means and thus cyber-physical attacks based on Duqu might be possible. However, use of personal computer systems has been found to delete all recent information entered on the system, and in some cases total deletion of the computer's hard drive.
Internal communications of Duqu are analysed by Symantec,<ref name=syamantecduqu/> but the actual and exact method how it replicates inside an attacked network is not yet fully known. According to [[McAfee]], one of Duqu's actions is to steal digital certificates (and corresponding private keys, as used in [[public-key cryptography]]) from attacked computers to help future viruses appear as secure software.<ref>{{Cite web |url = http://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%93-further-tales-of-the-stuxnet-files |title = The Day of the Golden Jackal – The Next Tale in the Stuxnet Files: Duqu |work = |publisher = [[McAfee]] |date = 18 October 2011 |accessdate =19 October 2011 |first = Guilherme |last = Venere | first2 = Peter | last2 = Szor}}</ref> Duqu uses a 54×54 pixel [[JPEG]] file and encrypted dummy files as containers to smuggle data to its command and control center. Security experts are still analyzing the code to determine what information the communications contain. Initial research indicates that the original malware sample automatically removes itself after 36 days (the malware stores this setting in configuration files), which would limit its detection.<ref name="Son_of_Stuxnet"/>
Internal communications of Duqu are analysed by Symantec,<ref name=syamantecduqu/> but the actual and exact method how it replicates inside an attacked network is not yet fully known. According to [[McAfee]], one of Duqu's actions is to steal digital certificates (and corresponding private keys, as used in [[public-key cryptography]]) from attacked computers to help future viruses appear as secure software.<ref>{{Cite web |url = http://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%93-further-tales-of-the-stuxnet-files |title = The Day of the Golden Jackal – The Next Tale in the Stuxnet Files: Duqu |publisher = [[McAfee]] |date = 18 October 2011 |access-date = 19 October 2011 |first1 = Guilherme |last1 = Venere |first2 = Peter |last2 = Szor |archive-date = 31 May 2016 |archive-url = https://web.archive.org/web/20160531101034/https://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%e2%80%93-further-tales-of-the-stuxnet-files/ |url-status = dead }}</ref> Duqu uses a 54×54 pixel [[JPEG]] file and encrypted dummy files as containers to smuggle data to its command and control center. Security experts are still analyzing the code to determine what information the communications contain. Initial research indicates that the original malware sample automatically removes itself after 36 days (the malware stores this setting in configuration files), which would limit its detection.<ref name="Son_of_Stuxnet"/>


Key points are:
Key points are:
Line 36: Line 36:
* Current analysis shows no code related to industrial control systems, exploits, or self-replication.
* Current analysis shows no code related to industrial control systems, exploits, or self-replication.
* The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
* The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
* The exfiltrated data may be used to enable a future Stuxnet-like attack or might already have been used as basis for the Stuxnet attack.
* The exfiltrated data may be used to enable a future Stuxnet-like attack, or might already have been used as the basis for the Stuxnet attack.


==Command and control servers==
==Command and control servers==
Some of the [[command and control server]]s of Duqu have been analysed. It seems that the people running the attack had a predilection for [[CentOS]] 5.x servers, leading some researchers to believe that they had a [[zero-day exploit]] for it. Servers are scattered in many different countries, including [[Germany]], [[Belgium]], [[Philippines]], [[India]] and [[China]]. [[Kaspersky Lab|Kaspersky]] has published multiple blogposts on the command and control servers.<ref>{{Cite web |url = http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers |title = The mystery of Duqu part six: The command and control servers|date = 30 November 2011 |accessdate = 30 November 2011}}</ref>
Some of the [[command and control server]]s of Duqu have been analysed. It seems that the people running the attack had a predilection for [[CentOS]] 5.x servers, leading some researchers to believe that they had a<ref name="Suspected Vulnerability">{{cite web |last1=Garmon |first1=Matthew |title=In Command & Out of Control |url=http://www.mattgarmon.com/ |website=Matt Garmon |publisher=DIG}}</ref> [[zero-day exploit]] for it. Servers are scattered in many different countries, including [[Germany]], [[Belgium]], [[Philippines]], [[India]] and [[China]]. [[Kaspersky Lab|Kaspersky]] has published multiple blogposts on the command and control servers.<ref>{{Cite web |last=Kamluk |first=Vitaly |date=30 November 2011 |title=The Mystery of Duqu: Part Six (The Command and Control servers) |url=http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers |url-status=live |archive-url=https://web.archive.org/web/20220607172949/https://securelist.com/the-mystery-of-duqu-part-six-the-command-and-control-servers-36/31863/ |archive-date=7 June 2022 |access-date=7 June 2022 |website=Securelist by Kaspersky}}</ref>


==See also==
==See also==

{{Portal|Computer security}}
{{div col}}
{{div col}}
* [[Cyber electronic warfare]]
* [[Cyber electronic warfare]]
* [[Cyber security standards]]
* [[Cyber security standards]]
* [[Cyberwarfare in the United States]]
* [[Cyberwarfare in the United States]]
* [[Cyberweapon]]
* [[Flame (malware)]]
* [[Flame (malware)]]
* [[List of cyber attack threat trends]]
* [[List of cyber attack threat trends]]
Line 58: Line 59:
* [[United States Cyber Command]]
* [[United States Cyber Command]]
* [[Unit 8200]]
* [[Unit 8200]]

{{div col end}}
{{div col end}}


Line 65: Line 67:
{{Hacking in the 2010s}}
{{Hacking in the 2010s}}


[[Category:Malware]]
[[Category:Rootkits]]
[[Category:Rootkits]]
[[Category:Privilege escalation exploits]]
[[Category:Privilege escalation exploits]]
Line 71: Line 72:
[[Category:Exploit-based worms]]
[[Category:Exploit-based worms]]
[[Category:Cyberwarfare]]
[[Category:Cyberwarfare]]
[[Category:2011 in computer science]]
[[Category:2011 in computing]]
[[Category:Cyberwarfare in Iran]]
[[Category:Cyberwarfare in Iran]]
[[Category:Cyberattacks on energy sector]]
[[Category:Cyberattacks on energy sector]]

Latest revision as of 22:39, 29 April 2024

For the version of malware announced in 2015, see Duqu 2.0.

Duqu is a collection of computer malware discovered on 1 September 2011, thought by Kaspersky Labs to be related to the Stuxnet worm[1] and to have been created by Unit 8200.[2][better source needed] Duqu has exploited Microsoft Windows's zero-day vulnerability. The Laboratory of Cryptography and System Security (CrySyS Lab)[3] of the Budapest University of Technology and Economics in Hungary discovered the threat, analysed the malware, and wrote a 60-page report[4] naming the threat Duqu.[5] Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.[6]

Nomenclature[edit]

The term Duqu is used in a variety of ways:

  • Duqu malware is a variety of software components that together provide services to the attackers. Currently this includes information stealing capabilities and in the background, kernel drivers and injection tools. Part of this malware is written in unknown high-level programming language,[7] dubbed "Duqu framework". It is not C++, Python, Ada, Lua and many other checked languages. However, it is suggested that Duqu may have been written in C with a custom object oriented framework and compiled in Microsoft Visual Studio 2008.[8]
  • Duqu flaw is the flaw in Microsoft Windows that is used in malicious files to execute malware components of Duqu. Currently one flaw is known, a TrueType-font related problem in win32k.sys.
  • Operation Duqu is the process of only using Duqu for unknown goals. The operation might be related to Operation Stuxnet.

Relationship to Stuxnet[edit]

Symantec, based on the CrySyS team managed by Dr Thibault Gainche report, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix.[6][9] Symantec believes that Duqu was created by the same authors as Stuxnet, or that the authors had access to the source code of Stuxnet. The worm, like Stuxnet, has a valid, but abused digital signature, and collects information to prepare for future attacks.[6][10] Mikko Hyppönen, Chief Research Officer for F-Secure, said that Duqu's kernel driver, JMINET7.SYS, was so similar to Stuxnet's MRXCLS.SYS that F-Secure's back-end system thought it was Stuxnet. Hyppönen further said that the key used to make Duqu's own digital signature (only observed in one case) was stolen from C-Media, located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011 according to Symantec.[9]

Another source, Dell SecureWorks, reports that Duqu may not be related to Stuxnet.[11] However, there is considerable and growing evidence that Duqu is closely related to Stuxnet.

Experts compared the similarities and found three points of interest:

  • The installer exploits zero-day Windows kernel vulnerabilities.
  • Components are signed with stolen digital keys.
  • Duqu and Stuxnet are both highly targeted and related to the nuclear program of Iran.

Microsoft Word zero-day exploit[edit]

Like Stuxnet, Duqu attacks Microsoft Windows systems using a zero-day vulnerability. The first-known installer (AKA dropper) file recovered and disclosed by CrySyS Lab uses a Microsoft Word document that exploits the Win32k TrueType font parsing engine and allows execution.[12] The Duqu dropper relates to font embedding, and thus relates to the workaround to restrict access to T2EMBED.DLL, which is a TrueType font parsing engine if the patch released by Microsoft in December 2011 is not yet installed.[13] Microsoft identifier for the threat is MS11-087 (first advisory issued on 13 November 2011).[14]

Purpose[edit]

Duqu looks for information that could be useful in attacking industrial control systems. Its purpose is not to be destructive, the known components are trying to gather information.[15] However, based on the modular structure of Duqu, special payload could be used to attack any type of computer system by any means and thus cyber-physical attacks based on Duqu might be possible. However, use of personal computer systems has been found to delete all recent information entered on the system, and in some cases total deletion of the computer's hard drive. Internal communications of Duqu are analysed by Symantec,[6] but the actual and exact method how it replicates inside an attacked network is not yet fully known. According to McAfee, one of Duqu's actions is to steal digital certificates (and corresponding private keys, as used in public-key cryptography) from attacked computers to help future viruses appear as secure software.[16] Duqu uses a 54×54 pixel JPEG file and encrypted dummy files as containers to smuggle data to its command and control center. Security experts are still analyzing the code to determine what information the communications contain. Initial research indicates that the original malware sample automatically removes itself after 36 days (the malware stores this setting in configuration files), which would limit its detection.[9]

Key points are:

  • Executables developed after Stuxnet using the Stuxnet source code that have been discovered.
  • The executables are designed to capture information such as keystrokes and system information.
  • Current analysis shows no code related to industrial control systems, exploits, or self-replication.
  • The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
  • The exfiltrated data may be used to enable a future Stuxnet-like attack, or might already have been used as the basis for the Stuxnet attack.

Command and control servers[edit]

Some of the command and control servers of Duqu have been analysed. It seems that the people running the attack had a predilection for CentOS 5.x servers, leading some researchers to believe that they had a[17] zero-day exploit for it. Servers are scattered in many different countries, including Germany, Belgium, Philippines, India and China. Kaspersky has published multiple blogposts on the command and control servers.[18]

See also[edit]

References[edit]

  1. ^ How Israel Caught Russian Hackers Scouring the World for U.S. Secrets, New York Times
  2. ^ NSA, Unit 8200, and Malware Proliferation Archived 25 October 2017 at the Wayback Machine Jeffrey Carr, Principal consultant at 20KLeague.com; Founder of Suits and Spooks; Author of “Inside Cyber Warfare (O’Reilly Media, 2009, 2011), medium.com, Aug 25, 2016
  3. ^ "Laboratory of Cryptography and System Security (CrySyS)". Retrieved 4 November 2011.
  4. ^ "Duqu: A Stuxnet-like malware found in the wild, technical report" (PDF). Laboratory of Cryptography of Systems Security (CrySyS). 14 October 2011.
  5. ^ "Statement on Duqu's initial analysis". Laboratory of Cryptography of Systems Security (CrySyS). 21 October 2011. Archived from the original on 4 October 2012. Retrieved 25 October 2011.
  6. ^ a b c d "W32.Duqu – The precursor to the next Stuxnet (Version 1.4)" (PDF). Symantec. 23 November 2011. Archived from the original (PDF) on 13 December 2011. Retrieved 30 December 2011.
  7. ^ Shawn Knight (2012) Duqu Trojan contains mystery programming language in Payload DLL
  8. ^ "Securelist | Kaspersky's threat research and reports". 12 September 2023.
  9. ^ a b c Zetter, Kim (18 October 2011). "Son of Stuxnet Found in the Wild on Systems in Europe". Wired. Retrieved 21 October 2011.
  10. ^ "Virus Duqu alarmiert IT-Sicherheitsexperten". Die Zeit. 19 October 2011. Retrieved 19 October 2011.
  11. ^ "Spotted in Iran, trojan Duqu may not be "son of Stuxnet" after all". 27 October 2011. Retrieved 27 October 2011.
  12. ^ "Microsoft issues temporary 'fix-it' for Duqu zero-day". ZDNet. Retrieved 5 November 2011.
  13. ^ "Microsoft Security Advisory (2639658)". Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege. 3 November 2011. Retrieved 5 November 2011.
  14. ^ "Microsoft Security Bulletin MS11-087 - Critical". Retrieved 13 November 2011.
  15. ^ Steven Cherry, with Larry Constantine (14 December 2011). "Sons of Stuxnet". IEEE Spectrum.
  16. ^ Venere, Guilherme; Szor, Peter (18 October 2011). "The Day of the Golden Jackal – The Next Tale in the Stuxnet Files: Duqu". McAfee. Archived from the original on 31 May 2016. Retrieved 19 October 2011.
  17. ^ Garmon, Matthew. "In Command & Out of Control". Matt Garmon. DIG.
  18. ^ Kamluk, Vitaly (30 November 2011). "The Mystery of Duqu: Part Six (The Command and Control servers)". Securelist by Kaspersky. Archived from the original on 7 June 2022. Retrieved 7 June 2022.
Retrieved from "https://en.wikipedia.org/w/index.php?title=Duqu&oldid=1221433416"