DUQU Trojan On The Loose


On the 1st of September this year a new computer worm was discovered by the Laboratory of Cryptography and System Security of the Budapest University of Technology and Economics in Hungary. The worm was named DUQU because it creates files with the prefix "~DQ".

This malware is closely related to the Stuxnet Trojan, which targets Supervisory Control and Data Acquisition (SCADA) systems, and could be developed into a security attack. Symantec, the Mountain View, Calif.-based vendor, has sufficient reason to believe that someone who had access to the Stuxnet source code is responsible for the creation of this Trojan.


Mikko Hyppönen, Chief Research Officer for F-Secure, stated:

Duqu's kernel driver, JMINET7.SYS, was so similar to Stuxnet's MRXCLS.SYS that F-Secure's back-end system thought it was Stuxnet.
Stuxnet was created to disrupt industrial control systems, whereas Win32.Duqu, which is very similar to the original Stuxnet, gathers intelligence data and assets "in order to more easily conduct a future attack against another third party," Symantec said.

Symantec further stated in its report:
The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.
Kevin Haley, director of Symantec Security Technology and Response, stated:

Because of the amount of time and effort that went into creating the Stuxnet code, it’s not surprising that the people behind it would try to reuse it. Stuxnet was an incredibly complex piece of code and something you would want to get your money’s worth out of.
Haley has reported that researchers are still looking for answers as to how this malware acts and spreads. What is known is that it attacks Windows using a zero-day vulnerability (a flaw in an application that is unknown to the software developer, and therefore unpatched, at the time it is exploited). Once a machine is infected, DUQU installs a keylogger that records keystrokes and collects additional system information: it copies lists of running processes, account details and domain information. It can also take screenshots, record network information and enumerate files on all drives, including removable drives. According to McAfee, DUQU also steals digital certificates from attacked computers so that future malware can be signed to appear as trusted software. The extracted data is sent to a command-and-control (C&C) server, which has since been blacklisted by its ISP.

DUQU uses a simple peer-to-peer protocol to move within secure networks, and it removes itself from the system after 36 days, which indicates that it is built for a specific target rather than for indiscriminate spread.

Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing group, said in a statement on 3 November 2011:

Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process.
Microsoft did not include a patch for the vulnerability exploited by the malware in the batch of patches issued on 8 November 2011.

Iran has declared that it is actively, and successfully, fighting DUQU.
"We are in the initial phase of fighting the Duqu virus," Gholamreza Jalali, was quoted as saying. "The final report which says which organizations the virus has spread to and what its impacts are has not been completed yet.
"All the organizations and centers that could be susceptible to being contaminated are being controlled," he said, according to Reuters.