Category: White Papers

Oct 26 2011

Duqu Trojan – FAQs

Duqu TrojanAn emerging malware threat identified as the Duqu trojan has received a great deal of attention because it is similar to the infamous Stuxnet worm of 2010.

What is Duqu?
The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.

Duqu Vs Stuxnet

Attribute Duqu Stuxnet
Infection Methods Unknown USB (Universal Serial Bus)
PDF (Portable Document Format)
Dropper Characteristics Installs signed kernel drivers
to decrypt and load DLL files
Installs signed kernel drivers
to decrypt and load DLL files
Zero-days Used None yet identified Four
Command and Control HTTP, HTTPS, Custom HTTP
Self Propagation None yet identified P2P (Peer to Peer) using RPCs
(Remote Procedure Call)
Network Shares
WinCC Databases (Siemens)
Data Exfiltration Add-on, keystroke logger for
user and system info stealing
Built-in, used for versioning
and updates of the malware
Date triggers to infect or exit Uninstalls self after 36 days Hard coded, must be in the following range:
19790509 => 20120624
Interaction with Control Systems None Highly sophisticated interaction
with Siemens SCADA control systems

The facts observed through software analysis are inconclusive in terms of proving a direct relationship between Duqu and Stuxnet at any other level.

Does Duqu target industrial control systems?
Unlike Stuxnet, Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs). Duqu’s primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization.

Is there any evidence in the code indicating specific targets?
Duqu facilitates an adversary’s ability to gather intelligence from an infected computer and the network. Any specific market segments, technologies, organizations or countries that are targeted by the Duqu malware have not yet identified.

What are indicators of a Duqu infection?
The Duqu trojan attempts to use the network to communicate with a remote command and control (C2) server to receive instructions and to exfiltrate data. Analysis of Duqu revealed that it uses the 206.183.111.97 IP address as its C2 server. This IP address is located in India and has been shut down by the hosting provider. Also, Duqu may attempt to resolve the kasperskychk.dyndns.org domain name. The resulting IP address is not used for communications, so this lookup may serve as a simple Internet connectivity check. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.

The byproducts in Table 2 have been collected from multiple Duqu variants and would not be present on a single infected computer.

Name File Size MD5
jminet7.sys 24,960 bytes 0eecd17c6c215b358b7b872b74bfd80
netp191.pnf 232,448 bytes b4ac366e24204d821376653279cbad8
netp192.pnf 6,750 bytes 94c4ef91dfcd0c53a96fdc387f9f9c3
cmi4432.sys 29,568 bytes 4541e850a228eb69fd0f0e924624b24
cmi4432.pnf 192,512 bytes 0a566b1616c8afeef214372b1a0580c
cmi4464.pnf 6,750 bytes e8d6b4dadb96ddb58775e6c85b10b6c
<unknown>
(sometimes referred to as keylogger.exe)
85,504 bytes 9749d38ae9b9ddd81b50aad679ee87e
nfred965.sy 24,960 bytes c9a31ea148232b201fe7cb7db5c75f5
nred961.sys unknown f60968908f03372d586e71d87fe795c
adpu321.sy 24,960 bytes 3d83b077d32c422d6c7016b5083b9fc
iaStor451.sys 24,960 bytes bdb562994724a35a1ec5b9e85b8e054f

The name “Duqu” was assigned to this malware because the keylogger program creates temporary files that begin with the prefix “~DQ”. A computer infected with Duqu may have files beginning with “~DQ” in Windows temporary directories.

How do Duqu infections occur?
The mechanism by which Duqu infections occur is unknown. Current analysis of Duqu has not revealed any ability to infect additional systems like the Stuxnet worm could.

Is antivirus and antimalware protection sufficient for detecting Duqu?
Since its discovery, security vendors have worked to improve their ability to detect Duqu. However, the author may simply release newer variants that are no longer detected by antivirus and antimalware products.

Sep 25 2011

Doppelganger Domain Attack

Doppelganger Domain AttackDomain typo-squatting is commonly used to spread malware to users whom accidentally misspell a legitimate domain in their web browser. A new type of domain typo-squatting takes advantage of an omission instead of a misspelling.

A Doppelganger Domain is a domain spelled identical to a legitimate fully qualified domain name (FQDN) but missing the dot between host/subdomain and domain, to be used for malicious purposes. Doppelganger Domains have a potent impact via email as attackers could gather information such as trade secrets, user names and passwords, and other employee information.

Each company in the Fortune 500 was profiled for susceptibility to Doppelganger Domains and 151 companies (or 30%) were found to be susceptible. In large corporations, email usage is extremely high and the likelihood of some email being mis-sent is high which could result in data leakage.

Security researcher Peter Kim and Garrett Gee who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

WhitePaper : Doppelganger.Domains.pdf

Sep 05 2009

How I cross-site scripted Twitter in 15 minutes

How I cross-site scripted Twitter in 15 minutes, and why you shouldn’t store important data on 37signals’ applications
“Today the Ruby on Rails security team released a patch for a cross-site scripting issue which affected multiple high-profile applications, including Twitter and Basecamp. If you’re concerned about the issue and would like to see the patch, please read the advisory from the Rails security team. In this post, I discuss the overall process of finding the issue, and the reason why I’d suggest that no important information be stored on the 37signals applications (Basecamp, Highrise, Backpack, and Campfire).

After seeing a bug in Unicode handling in an unrelated program a few weeks ago, I suddenly had an idea: “I wonder if there are any web applications which have Unicode handling problems that might be security issues?”

My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?”
- Brian Mastenbrook

Source: Brian Mastenbrook