An emerging malware threat identified as the Duqu trojan has received a great deal of attention because it is similar to the infamous Stuxnet worm of 2010.
What is Duqu?
The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.
Duqu Vs Stuxnet
| Attribute | Duqu | Stuxnet |
|---|---|---|
| Infection Methods | Unknown | USB (Universal Serial Bus) PDF (Portable Document Format) |
| Dropper Characteristics | Installs signed kernel drivers to decrypt and load DLL files |
Installs signed kernel drivers to decrypt and load DLL files |
| Zero-days Used | None yet identified | Four |
| Command and Control | HTTP, HTTPS, Custom | HTTP |
| Self Propagation | None yet identified | P2P (Peer to Peer) using RPCs (Remote Procedure Call) Network Shares WinCC Databases (Siemens) |
| Data Exfiltration | Add-on, keystroke logger for user and system info stealing |
Built-in, used for versioning and updates of the malware |
| Date triggers to infect or exit | Uninstalls self after 36 days | Hard coded, must be in the following range: 19790509 => 20120624 |
| Interaction with Control Systems | None | Highly sophisticated interaction with Siemens SCADA control systems |
The facts observed through software analysis are inconclusive in terms of proving a direct relationship between Duqu and Stuxnet at any other level.
Does Duqu target industrial control systems?
Unlike Stuxnet, Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs). Duqu’s primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization.
Is there any evidence in the code indicating specific targets?
Duqu facilitates an adversary’s ability to gather intelligence from an infected computer and the network. Any specific market segments, technologies, organizations or countries that are targeted by the Duqu malware have not yet identified.
What are indicators of a Duqu infection?
The Duqu trojan attempts to use the network to communicate with a remote command and control (C2) server to receive instructions and to exfiltrate data. Analysis of Duqu revealed that it uses the 206.183.111.97 IP address as its C2 server. This IP address is located in India and has been shut down by the hosting provider. Also, Duqu may attempt to resolve the kasperskychk.dyndns.org domain name. The resulting IP address is not used for communications, so this lookup may serve as a simple Internet connectivity check. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.
The byproducts in Table 2 have been collected from multiple Duqu variants and would not be present on a single infected computer.
| Name | File Size | MD5 |
|---|---|---|
| jminet7.sys | 24,960 bytes | 0eecd17c6c215b358b7b872b74bfd80 |
| netp191.pnf | 232,448 bytes | b4ac366e24204d821376653279cbad8 |
| netp192.pnf | 6,750 bytes | 94c4ef91dfcd0c53a96fdc387f9f9c3 |
| cmi4432.sys | 29,568 bytes | 4541e850a228eb69fd0f0e924624b24 |
| cmi4432.pnf | 192,512 bytes | 0a566b1616c8afeef214372b1a0580c |
| cmi4464.pnf | 6,750 bytes | e8d6b4dadb96ddb58775e6c85b10b6c |
| <unknown> (sometimes referred to as keylogger.exe) |
85,504 bytes | 9749d38ae9b9ddd81b50aad679ee87e |
| nfred965.sy | 24,960 bytes | c9a31ea148232b201fe7cb7db5c75f5 |
| nred961.sys | unknown | f60968908f03372d586e71d87fe795c |
| adpu321.sy | 24,960 bytes | 3d83b077d32c422d6c7016b5083b9fc |
| iaStor451.sys | 24,960 bytes | bdb562994724a35a1ec5b9e85b8e054f |
The name “Duqu” was assigned to this malware because the keylogger program creates temporary files that begin with the prefix “~DQ”. A computer infected with Duqu may have files beginning with “~DQ” in Windows temporary directories.
How do Duqu infections occur?
The mechanism by which Duqu infections occur is unknown. Current analysis of Duqu has not revealed any ability to infect additional systems like the Stuxnet worm could.
Is antivirus and antimalware protection sufficient for detecting Duqu?
Since its discovery, security vendors have worked to improve their ability to detect Duqu. However, the author may simply release newer variants that are no longer detected by antivirus and antimalware products.