What Is Duqu Up To?

Even as new clues have been uncovered about Duqu over the past few days -- most notably a new zero-day attack that spreads via a Microsoft Word document -- researchers remain at odds over whether this latest highly targeted threat with several parallels to Stuxnet is actually related to Stuxnet.

The discovery revealed yesterday of a zero-day exploit used in the Duqu attack -- specifically, a Word file containing malware that exploits a previously unknown flaw in Windows that was sent to one of the Duqu victim organizations -- still doesn't provide much more information on what specifically Duqu is up to, or who specifically should be worried about it.

Duqu, which originally was found in some unnamed European organizations and appeared to be attacking industrial control-system vendors and certificate authorities (CAs), was thought to be the first stage of a next-generation Stuxnet-type attack. Unlike Stuxnet, which was specifically targeting Iran's nuclear facilities, Duqu is about cyberespionage and not aimed at process control systems. Some commonalities between the two threats have researchers debating whether Duqu is a spinoff of Stuxnet's source code, or whether the same players are behind it as were with Stuxnet.

Researchers from Symantec, McAfee, and F-Secure all say whoever wrote the backdoor had their hands on Stuxnet source code. About half of the code in Duqu is the same as the code used in Stuxnet, according to Symantec.

Meantime, neither Microsoft nor Symantec, which is studying the zero-day exploit, has shared the dropper with other AV firms. Microsoft says it's working on a fix, although experts don't expect it to come in next week's Patch Tuesday release.

"Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process," says Jerry Bryant, group manager for response communications in Microsoft Trustworthy Computing.

Still missing is an in-depth analysis of the dropper, which could lead to the true motive behind the attack and would help organizations potentially in the bull's eye to prepare and be on the lookout for Duqu infections. "I don't expect to find any additional zero-days, but if we do find them, we could perhaps have a better clue about the motive," says Roel Schouwenberg, senior researcher at Kaspersky Lab, who notes that there might not be just one dropper. "Then again, these files seem to be created on a per-incident basis. So the insight that one dropper gives us may not be fully applicable to the other targets."

Schouwenberg says with details on the dropper and exploit not yet being shared among security firms, and no names being named as victims, the model for fighting this threat is "broken."

"While I can definitely appreciate the need for anonymity of the target company, it shows we're dealing with a broken model. It's quite likely the Duqu operation is ongoing, and getting out better protection as soon as possible is obviously important," he says. "Hopefully, one of the main takeaways for the industry will be to work on a more intelligent system that enables us to more easily share certain information when the victim's anonymity is a key concern."

Some researchers say the zero-day provides yet another reason to believe a Stuxnet-Duqu connection due to similarities in the Duqu's exploit and that of Stuxnet's.

But other researchers say confirming a definite connection between the two attacks is premature. Tom Parker, chief technology officer at FusionX, says while they authors of the two threats are likely related somehow, there's still much we don't know about Duqu. "It's incorrect to assume with absolute certainty that they are the one and the same. All of the technical likenesses that have been referenced by Symantec could possibly be forged -- whether that's likely is a different question -- however, Symantec are speaking in absolute terms, which I think is wrong," Parker says.

"If you recall with Stuxnet, it took months to really figure out what its true purpose was," he says.

Parker's doubts echo those of Secureworks, whose researchers also aren't sold on a Duqu-Stuxnet connection. "The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level," they wrote last week.

Next page: 'Reinforcing' a Stuxnet connection But Alex Gostev, chief malware analyst at Kaspersky Lab, says the new zero-day finding helps "reinforce" the theory that Stuxnet and Duqu are from the same attackers. Gostev says the zero-day flaw used with Duqu is similar to one his team found with Stuxnet, specifically MS10-073.

"The detection of the dropper and the route used to penetrate the system (a targeted attack against a specific victim conducted via email) proves our theory that the Duqu attacks are directed against a very small number of victims and in each case, they can employ unique sets of files. To infect other computers in the network, Duqu seems to be using scheduled jobs, a technique that we’ve also seen in Stuxnet and is a preferred choice of APTs," Gostev wrote today in a blog post. "These, together with other previously known details reinforce the theory that Stuxnet and Duqu were created by the same people."

Researchers at McAfee concur that the zero-day matches some of the characteristics of Stuxnet. The kernel driver loaded after exploitation is time-stamped February 21, 2008, and is unsigned, according to Peter Szor and Guilherme Venere of McAfee.

"We have already seen several indications that this threat was related to Stuxnet in some form. When comparing the code of the first Duqu samples we received with older Stuxnet variants, we noticed several similarities, and even exact matches for some important functions such as the DLL-injection routine, decryption of strings and external modules, and management of tables for indirect API calls, among others. Due to the 2008 timeframe for the driver code in question, we have yet another clue, beside the zero-day exploit, that this code is likely based on the same base as Stuxnet, which reused old driver code in several cases while creating new exploits," they said in a post today.

Meanwhile, Symantec says it has confirmed six possible victim organizations in eight different countries, and that a second command-and-control server -- found in Belgium -- has been found and shuttered. The first one, in India, was shut down earlier this week.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.