Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:04 PM
Connect Directly

What Is Duqu Up To?

As researchers debate over a possible Duqu-Stuxnet connection and study a new zero-day exploit used in the Duqu attack, still no word on the actual targets or its mission

Even as new clues have been uncovered about Duqu over the past few days -- most notably a new zero-day attack that spreads via a Microsoft Word document -- researchers remain at odds over whether this latest highly targeted threat with several parallels to Stuxnet is actually related to Stuxnet.

The discovery revealed yesterday of a zero-day exploit used in the Duqu attack -- specifically, a Word file containing malware that exploits a previously unknown flaw in Windows that was sent to one of the Duqu victim organizations -- still doesn't provide much more information on what specifically Duqu is up to, or who specifically should be worried about it.

Duqu, which originally was found in some unnamed European organizations and appeared to be attacking industrial control-system vendors and certificate authorities (CAs), was thought to be the first stage of a next-generation Stuxnet-type attack. Unlike Stuxnet, which was specifically targeting Iran's nuclear facilities, Duqu is about cyberespionage and not aimed at process control systems. Some commonalities between the two threats have researchers debating whether Duqu is a spinoff of Stuxnet's source code, or whether the same players are behind it as were with Stuxnet.

Researchers from Symantec, McAfee, and F-Secure all say whoever wrote the backdoor had their hands on Stuxnet source code. About half of the code in Duqu is the same as the code used in Stuxnet, according to Symantec.

Meantime, neither Microsoft nor Symantec, which is studying the zero-day exploit, has shared the dropper with other AV firms. Microsoft says it's working on a fix, although experts don't expect it to come in next week's Patch Tuesday release.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," says Jerry Bryant, group manager for response communications in Microsoft Trustworthy Computing.

Still missing is an in-depth analysis of the dropper, which could lead to the true motive behind the attack and would help organizations potentially in the bull's eye to prepare and be on the lookout for Duqu infections. "I don't expect to find any additional zero-days, but if we do find them, we could perhaps have a better clue about the motive," says Roel Schouwenberg, senior researcher at Kaspersky Lab, who notes that there might not be just one dropper. "Then again, these files seem to be created on a per-incident basis. So the insight that one dropper gives us may not be fully applicable to the other targets."

Schouwenberg says with details on the dropper and exploit not yet being shared among security firms, and no names being named as victims, the model for fighting this threat is "broken."

"While I can definitely appreciate the need for anonymity of the target company, it shows we're dealing with a broken model. It's quite likely the Duqu operation is ongoing, and getting out better protection as soon as possible is obviously important," he says. "Hopefully, one of the main takeaways for the industry will be to work on a more intelligent system that enables us to more easily share certain information when the victim's anonymity is a key concern."

Some researchers say the zero-day provides yet another reason to believe a Stuxnet-Duqu connection due to similarities in the Duqu's exploit and that of Stuxnet's.

But other researchers say confirming a definite connection between the two attacks is premature. Tom Parker, chief technology officer at FusionX, says while they authors of the two threats are likely related somehow, there's still much we don't know about Duqu. "It's incorrect to assume with absolute certainty that they are the one and the same. All of the technical likenesses that have been referenced by Symantec could possibly be forged -- whether that's likely is a different question -- however, Symantec are speaking in absolute terms, which I think is wrong," Parker says.

"If you recall with Stuxnet, it took months to really figure out what its true purpose was," he says.

Parker's doubts echo those of Secureworks, whose researchers also aren't sold on a Duqu-Stuxnet connection. "The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level," they wrote last week.

Next page: 'Reinforcing' a Stuxnet connection Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-20
The Transaction Insight reporting component of TIBCO Software Inc.'s TIBCO Foresight Archive and Retrieval System, TIBCO Foresight Archive and Retrieval System Healthcare Edition, TIBCO Foresight Operational Monitor, TIBCO Foresight Operational Monitor Healthcare Edition, TIBCO Foresight Transaction...
PUBLISHED: 2020-10-20
The Boxstarter installer before version 2.13.0 configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking ...
PUBLISHED: 2020-10-20
In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
PUBLISHED: 2020-10-20
DomainMOD before 4.14.0 uses MD5 without a salt for password storage.
PUBLISHED: 2020-10-20
Netwrix Account Lockout Examiner before 5.1 allows remote attackers to capture the Net-NTLMv1/v2 authentication challenge hash of the Domain Administrator (that is configured within the product in its installation state) by generating a single Kerberos Pre-Authentication Failed (ID 4771) event on a ...