
7 Facts On Duqu Malware Attacks

Research into Duqu malware finds a component compiled in 2007, but has identified successful attacks that occurred as recently as April 2011.

New information continues to emerge about the Duqu malware that was designed to steal information relating to industrial control systems.

The latest analysis of the Duqu malware has found that one of the components used in the attack was compiled in 2007. But Duqu was used in a targeted attack as recently as April 2011, pointing to a possible four-year attack campaign by Duqu's authors, whose identities and affiliations remain unknown.

What is known, however, is that to date, Duqu infected organizations in at least eight countries--including Iran--in part by using a still-unpatched Windows zero-day vulnerability. Furthermore, as researchers continue to study Duqu variants, these findings have emerged:

1. Duqu was a boutique exploit.

To date, researchers have discovered "12 unique sets of Duqu files," said Alexander Gostev, chief security expert at Kaspersky Lab and author of a recent Duqu report. That's significant, since "for every victim, a separate set of attack files was created," he said via email.

2. Duqu relates to Stars.

According to a Duqu timeline assembled by Kaspersky Lab, Duqu appeared at the same time as the Stars virus hit Iran. "At that time Iranian specialists didn't share samples of the discovered virus with any of the antivirus companies, and this, it has to be said, was a serious mistake, which gave rise to all subsequent events in this saga," said Gostev. "Most probably, the Iranians found a keylogger module that had been loaded onto a system and which contained a photo of the NGC 6745 galaxy. This could explain the title 'Stars' given to it."

3. Attackers covered their tracks.

Pointing to the difficulty of tracing attacks back to the actual people who launched them, Gostev said that the Duqu exploits, which used malicious .doc files attached to emails, "took place from anonymous mailboxes, probably via compromised computers." In the case of one particular attack, dubbed "variant F" by Kaspersky, attackers used a computer--again, likely compromised--in South Korea to send attack emails on April 17, 2011, followed by another attack four days later. The first attack ended up in a junk mail folder. "The second attack turned out successful: the addressee opened the attached .doc file that contained the vulnerability exploit and Trojan installer," said Gostev.

4. Exploit used Dexter font.

How did Duqu attack? For the Duqu-F variant at least, "the vulnerability exploit was contained in the font called 'Dexter Regular,'" said Gostev. But that attack code was only a dropper or installer program, which then downloaded further attack code onto the targeted PC. "After penetration into a system the attackers installed extra modules and infected neighboring computers," he said.

5. Duqu used a ruse.

Interestingly, after infecting a PC, Duqu did nothing--at least initially--except reside in memory and stay put even if the .doc file was closed. "This period of inactivity lasted around 10 minutes, after which the exploit waited for the user's activity to stop--no keyboard or mouse activity. Only then did the dropper kick into action," said Gostev.

6. Attackers used disposable control servers.

Each Duqu variant had its own, separate control server, which provides further evidence that it was a highly targeted attack. Having a disposable infrastructure, furthermore, helped ensure that the discovery of one Duqu variant or attack wouldn't give away any of the others. Unlike Shady RAT's masterminds, the Duqu attackers also appear to have left the control servers active only for as long as they were required. Indeed, for a control server used to launch the Duqu-F attack, "we think that it is not functioning now and all critical information on it has already been deleted by the attackers," said Gostev. Kaspersky likewise found an identical data-wipe after researching another Duqu variant.

7. Duqu contained communication backups.

Duqu can connect not just to command-and-control (C&C) servers, but also function as a server itself. "There are two lists of C&C servers, one can contain domain names, IP addresses, or names of network shares, and the other contains IP addresses in binary format and is used to connect using Windows HTTP (winhttp) services," according to a report published by Kaspersky Lab expert Igor Soumenkov. "Although the configuration blocks we have found so far are similar and are set up to connect to its C&C using HTTP and HTTPS, the payload .dll [file] is able to connect to a network share and even become a server." In other words, while Duqu may have only attacked a handful of organizations, it was engineered to succeed.
