What Is Duqu Up To?

Even as new clues have been uncovered about Duqu over the past few days -- most notably a new zero-day attack that spreads via a Microsoft Word document -- researchers remain at odds over whether this latest highly targeted threat with several parallels to Stuxnet is actually related to Stuxnet.

The discovery revealed yesterday of a zero-day exploit used in the Duqu attack -- specifically, a Word file containing malware that exploits a previously unknown flaw in Windows that was sent to one of the Duqu victim organizations -- still doesn't provide much more information on what specifically Duqu is up to, or who specifically should be worried about it.

Duqu, which originally was found in some unnamed European organizations and appeared to be attacking industrial control-system vendors and certificate authorities (CAs), was thought to be the first stage of a next-generation Stuxnet-type attack. Unlike Stuxnet, which was specifically targeting Iran's nuclear facilities, Duqu is about cyberespionage and not aimed at process control systems. Some commonalities between the two threats have researchers debating whether Duqu is a spinoff of Stuxnet's source code, or whether the same players are behind it as were with Stuxnet.

Researchers from Symantec, McAfee, and F-Secure all say whoever wrote the backdoor had their hands on Stuxnet source code. About half of the code in Duqu is the same as the code used in Stuxnet, according to Symantec.

Meantime, neither Microsoft nor Symantec, which is studying the zero-day exploit, has shared the dropper with other AV firms. Microsoft says it's working on a fix, although experts don't expect it to come in next week's Patch Tuesday release.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," says Jerry Bryant, group manager for response communications in Microsoft Trustworthy Computing.

Still missing is an in-depth analysis of the dropper, which could lead to the true motive behind the attack and would help organizations potentially in the bull's eye to prepare and be on the lookout for Duqu infections. "I don't expect to find any additional zero-days, but if we do find them, we could perhaps have a better clue about the motive," says Roel Schouwenberg, senior researcher at Kaspersky Lab, who notes that there might not be just one dropper. "Then again, these files seem to be created on a per-incident basis. So the insight that one dropper gives us may not be fully applicable to the other targets."

Schouwenberg says with details on the dropper and exploit not yet being shared among security firms, and no names being named as victims, the model for fighting this threat is "broken."

"While I can definitely appreciate the need for anonymity of the target company, it shows we're dealing with a broken model. It's quite likely the Duqu operation is ongoing, and getting out better protection as soon as possible is obviously important," he says. "Hopefully, one of the main takeaways for the industry will be to work on a more intelligent system that enables us to more easily share certain information when the victim's anonymity is a key concern."

Some researchers say the zero-day provides yet another reason to believe a Stuxnet-Duqu connection due to similarities in the Duqu's exploit and that of Stuxnet's.

But other researchers say confirming a definite connection between the two attacks is premature. Tom Parker, chief technology officer at FusionX, says while they authors of the two threats are likely related somehow, there's still much we don't know about Duqu. "It's incorrect to assume with absolute certainty that they are the one and the same. All of the technical likenesses that have been referenced by Symantec could possibly be forged -- whether that's likely is a different question -- however, Symantec are speaking in absolute terms, which I think is wrong," Parker says.

"If you recall with Stuxnet, it took months to really figure out what its true purpose was," he says.

Parker's doubts echo those of Secureworks, whose researchers also aren't sold on a Duqu-Stuxnet connection. "The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level," they wrote last week.

Next page: 'Reinforcing' a Stuxnet connection