Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


7 Facts On Duqu Malware Attacks

Research into Duqu malware finds a component compiled in 2007, but identified successful attacks that occurred as recent as April 2011.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
New information continues to emerge about the Duqu malware that was designed to steal information relating to industrial control systems.

The latest analysis of the Duqu malware has found that one of the components used in the attack was compiled in 2007. But Duqu was used in a targeted attack as recently as April 2011, pointing to a possible four-year attack campaign by Duqu's authors, whose identities and affiliations remain unknown.

What is known, however, is that to date, Duqu infected organizations in at least eight countries--including Iran--in part by using a still-unpatched Windows zero-day vulnerability. Furthermore, as researchers continue to study Duqu variants, these findings have emerged:

1. Duqu was a boutique exploit.

To date, researchers have discovered "12 unique sets of Duqu files," said Alexander Gostev, chief security expert at Kaspersky Lab and author of a recent Duqu report. That's significant, since "for every victim, a separate set of attack files was created," he said via email.

2. Duqu relates to Stars.

According to a Duqu timeline assembled by Kaspersky Lab, Duqu appeared at the same time as the Stars virus hit Iran. "At that time Iranian specialists didn't share samples of the discovered virus with any of the antivirus companies, and this, it has to be said, was a serious mistake, which gave rise to all subsequent events in this saga," said Gostev. "Most probably, the Iranians found a keylogger module that had been loaded onto a system and which contained a photo of the NGC 6745 galaxy. This could explain the title 'Stars' given to it."

[ Security clearly can be improved. Read DARPA Seeks New Methods For Biometric Authentication. ]

3. Attackers covered their tracks.

Pointing to the difficulty of tracing attacks back to the actual people who launched them, Gostev said that the Duqu exploits, which used malicious .doc files attached to emails, "took place from anonymous mailboxes, probably via compromised computers." In the case of one particular attack, dubbed "variant F" by Kaspersky, attackers used a computer--again, likely compromised--in South Korea to send attack emails on April 17, 2011, followed by another attack four days later. The first attack ended up in a junk mail folder. "The second attack turned out successful: the addressee opened the attached .doc file that contained the vulnerability exploit and Trojan installer," said Gostev.

4. Exploit used Dexter font.

How did Duqu attack? For the Duqu-F variant at least, "the vulnerability exploit was contained in the font called 'Dexter Regular,' said Gostev. But that attack code was only a dropper or installer program, which then downloaded further attack code onto the targeted PC. "After penetration into a system the attackers installed extra modules and infected neighboring computers," he said.

5. Duqu used a ruse.

Interestingly, after infecting a PC, Duqu did nothing--at least initially--except residing in memory and staying put even if the .doc file was closed. "This period of inactivity lasted around 10 minutes, after which the exploit waited for the user's activity to stop--no keyboard or mouse activity. Only then did the dropper kick into action," said Gostev.

6. Attackers used disposable control servers.

Each Duqu variant had its own, separate control server, which provides further evidence that it was a highly targeted attack. Having a disposable infrastructure, furthermore, helped ensure that the discovery of one Duqu variant or attack wouldn't give away any of the others. Unlike Shady RAT's masterminds, the Duqu attackers also appear to have left the control servers active only for as long as they were required. Indeed, for a control server used to launch the Duqu-F attack, "we think that it is not functioning now and all critical information on it has already been deleted by the attackers," said Gostev. Kaspersky likewise found an identical data-wipe after researching another Duqu variant.

7. Duqu contained communication backups.

Duqu can connect not just to command-and-control (C&C) servers, but also function as a server itself. "There are two lists of C&C servers, one can contain domain names, IP addresses, or names of network shares, and the other contains IP addresses in binary format and is used to connect using Windows HTTP (winhttp) services," according to a report published by Kasperksy Lab expert Igor Soumenkov. "Although the configuration blocks we have found so far are similar and are set up to connect to its C&C using HTTP and HTTPS, the payload .dll [file] is able to connect to a network share and even become a server." In other words, while Duqu may have only attacked a handful of organizations, it was engineered to succeed.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-13
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
PUBLISHED: 2019-12-13
samurai 0.7 has a heap-based buffer overflow in canonpath in util.c via a crafted build file.
PUBLISHED: 2019-12-13
Yabasic 2.86.2 has a heap-based buffer overflow in myformat in function.c via a crafted BASIC source file.
PUBLISHED: 2019-12-13
E5572-855 with versions earlier than has an improper authentication vulnerability. The device does not perform a sufficient authentication when doing certain operations, successful exploit could allow an attacker to cause the device to reboot after launch a man in the middle att...
PUBLISHED: 2019-12-13
Huawei smartphones HUAWEI Y9 2019 and Honor View 20 have a denial of service vulnerability. Due to insufficient input validation of specific value when parsing the messages, an attacker may send specially crafted TD-SCDMA messages from a rogue base station to the affected devices to exploit this vul...