What Is Duqu Up To?

As researchers debate a possible Duqu-Stuxnet connection and study a new zero-day exploit used in the Duqu attack, there is still no word on the malware's actual targets or its mission.
But Alex Gostev, chief malware analyst at Kaspersky Lab, says the new zero-day finding helps "reinforce" the theory that Stuxnet and Duqu come from the same attackers. Gostev says the zero-day flaw used with Duqu is similar to one his team found in Stuxnet, specifically MS10-073, a win32k.sys privilege-escalation flaw that Stuxnet exploited.

"The detection of the dropper and the route used to penetrate the system (a targeted attack against a specific victim conducted via email) proves our theory that the Duqu attacks are directed against a very small number of victims and in each case, they can employ unique sets of files. To infect other computers in the network, Duqu seems to be using scheduled jobs, a technique that we’ve also seen in Stuxnet and is a preferred choice of APTs," Gostev wrote today in a blog post. "These, together with other previously known details reinforce the theory that Stuxnet and Duqu were created by the same people."

Researchers at McAfee concur that the zero-day exploit matches some of the characteristics of Stuxnet. The kernel driver loaded after exploitation is time-stamped February 21, 2008, and is unsigned, according to Peter Szor and Guilherme Venere of McAfee.

"We have already seen several indications that this threat was related to Stuxnet in some form. When comparing the code of the first Duqu samples we received with older Stuxnet variants, we noticed several similarities, and even exact matches for some important functions such as the DLL-injection routine, decryption of strings and external modules, and management of tables for indirect API calls, among others. Due to the 2008 timeframe for the driver code in question, we have yet another clue, beside the zero-day exploit, that this code is likely based on the same base as Stuxnet, which reused old driver code in several cases while creating new exploits," they said in a post today.

Meanwhile, Symantec says it has confirmed six possible victim organizations in eight different countries, and that a second command-and-control server, located in Belgium, has been identified and shut down. The first one, in India, was shut down earlier this week.
