The Duqu malware that targeted industrial manufacturers around the world contains so many advanced
features that it could only have been developed by a team of highly skilled programmers who worked
full time, security researchers say.
The features include steganographic processes that encrypt stolen data and embed it into image
files before sending it to attacker-controlled servers, an
analysis by NSS researchers found. Using a custom protocol
to hide the proprietary information inside the innocuous-looking file, before it's sent to
command and control servers, is a centuries-old technique used to conceal the exchange of
sensitive communications.
Duqu is also the world's first known modular plugin rootkit, the researchers said. That allows
the attackers to add or remove functionality and change command and control servers quickly with
little effort. The conclusion the researchers draw from their analysis is that Duqu is the product
of a well organized team of highly motivated developers (can you spell...CIA/NSA?).
“Given the complexity of the system (solid driver code plus impressive system architecture)
it is not possible for this to have been written by a single person, nor by a team of part-time
amateurs,” NSS researchers Mohamed Saher and Matthew Molinyawe wrote. “The implication
is that, given the requirement for multiple man-years of effort, that this has been produced by a
disciplined, well-funded team of competent coders.”
The modular design means that there's a potentially large number of components that have yet to
be discovered. NSS has released a scanning tool, written in Python, that can detect all Duqu
drivers installed on an infected system. The tool doesn't generate false positives and has already
been used to spot two previously undetected Duqu drivers, the researchers said.
“We hope the research community can use this tool to discover new drivers and would ask that
any samples be provided to NSS researchers (anonymously if preferred) in order to aid us in
understanding more about the threat posed by Duqu,” they wrote.
The researchers echoed previous reports that Duqu contains many similarities to the Stuxnet worm
used to sabotage uranium enrichment plants in Iran. The NSS analysis said Duqu uses similar code
and techniques to those of Stuxnet, but they said there's not enough evidence to say Duqu is
derived from Stuxnet.
“Many researchers are claiming definitively that the Duqu authors had access to the
original Stuxnet source code,” they wrote. “This has not been proven. It is possible
for anyone to reverse engineer the original Stuxnet code to the point where it can be modified
and recompiled.”
If at the end of all of this you're left scratching your head, you're in good company. Duqu's
state-of-the-art design and its resemblance to Stuxnet makes the malware worth watching, but with
key questions still unanswered, it's too early to know exactly what to think.
“There is no possible explanation for the production of such a sophisticated and elegant
system merely to steal the information that has been targeted so far,” they wrote.
“Why go to all this trouble to deploy a simple key-logger? Given that there are additional
drivers waiting to be discovered, we can liken Duqu to a sophisticated rocket launcher – we have
yet to see the real ammunition appear.” ®
The creators of the Duqu malware that penetrated industrial manufacturers in at least eight
countries tailored each attack with exploit files, control servers, and booby-trapped Microsoft
Word documents that were different for each victim, according to research published on Friday.
What's more, two of the drivers this sophisticated, highly modular rootkit used in one attack
showed compilation dates of 2007 and 2008, Alexander Gostev, the Kaspersky Lab expert and author
of the report said. If the dates are genuine, they suggest the Duqu architects may have spent
the past four years developing the malware.
Like forensics investigators combing through a homicide scene for the tiniest scraps of evidence,
security researchers around the world are examining every email and computer file associated
with Duqu for clues about who created it and for what purpose. The aggregate picture of
Duqu that's emerging is that like Stuxnet before it, it was painstakingly developed by a
world-class team of disciplined and well-financed engineers.
The Duqu version examined in Friday's report (11/11/11) was recovered by the Sudan Computer
Emergency Response Team from an undisclosed company that the attackers targeted in advance.
Like attacks on other targets, it was launched using a booby-trapped Word document with content
that was tailored to the receiving organization and exploited a previously unknown vulnerability
in the kernel of all supported versions of Microsoft Windows.
The first attempt at infection in the incident studied by Kaspersky failed because the email
containing the Word document wound up in a spam folder. On May 21, four days after the first
email was sent, the attackers tried again with a slightly modified message. Both the subject
line and the title of the attached file referenced the targeted company specifically.
Interestingly, the DLL file that served as the trojan's main module was dated April 17, the
same day as the first attempt to infect the target.
When the recipient of the second email opened the Word document, a malicious payload immediately
hijacked the computer, but sat dormant for about 10 minutes, Gostev said. The exploit didn't
actually install the spy components until the end user went idle. The infected computer used a
command and control server researchers have never seen before. So far, investigators have
identified at least four such servers, and each one was used to send and receive data from only
one target.
In late May, a second computer in the attack examined by Kaspersky was infected over the targeted
company's local network. Gostev didn't say how the Duqu infection was able to spread. Separate
research from Symantec has suggested the malware is able to spread across networks through SMB
connections used to share files from machine to machine.
For all the skill and care the attackers took, they also showed an intriguing sense of humor.
The malicious shellcode for their exploit was embedded in a fictitious font called
“Dexter Regular,” and contained the line “Copyright (c) 2003 Showtime Inc.”
The hidden message is an obvious reference to the Dexter television series, which depicts a
ritualistic serial killer who works as a crime-scene investigator for the Miami Police Department.
“This is another prank pulled by the Duqu authors,” Gostev wrote. ®
The zero-day vulnerability exploit Duqu uses was recently discovered by researchers from the
Laboratory of Cryptography and System Security, or CrySyS. The security consultancy provided
bare-bones facts on its homepage, and researchers from Symantec elaborated on them. The Word
document was phrased in a way to “definitively target the intended receiving organization,”
Symantec researchers said.
Duqu generated intrigue almost immediately after its discovery was announced two weeks ago because,
according to CrySyS and Symantec, its source code was
directly derived from the Stuxnet worm used to sabotage Iran's nuclear program. Tuesday's
update begins to answer some of the key gaps contained in the initial reports, including how the
malware infected computer networks, whom it targeted, and exactly what it was programmed to do.
It also provides new details that reinforce claims that it's a highly sophisticated piece of
malware that was designed for a very specific purpose.
According to Symantec, the Duqu installer file is a Microsoft Word document that exploits a
previously unknown kernel vulnerability that allows code execution. Opening the file installs
the Duqu remote access trojan that conducts surveillance on the infected networks.
Microsoft researchers are working with partners to protect Windows users against the attack,
including through the release of a security update, the company said in a statement. There are
currently no workarounds users can follow to insulate themselves against the threat, other than
to follow standard safe practices, such as not opening suspicious files attached to emails.
Interestingly, the code contained in the Word document ensured that Duqu would be installed
during a single eight-day window in August, most likely in a bid to conceal the attack or to
minimize the damage it might cause. As previously reported, the main binaries of the trojan
were configured to run for 36 days and then automatically remove themselves from the infected system.
In at least one organization that was infected, evidence suggests Duqu was able to spread across
networks through SMB connections used to share files from machine to machine. Even when some of the
newly infected computers had no access to the internet, the malware on them was still able to
communicate with attacker-controlled servers by using file-sharing code to route the connection
through an infected computer that did have internet access.
“This allowed the attackers to access Duqu infections in secure zones with the help of
computers outside the secure zone being used as proxies,” Symantec researchers wrote.
The researchers also said Duqu appears to have infected six organizations in eight countries,
including France, Netherlands, Switzerland, Ukraine, India, Iran, Sudan, and Vietnam. It's
possible the number may be smaller. Some of the organizations were traceable only to the ISP they
used, so some of the six organizations counted in fact may not be separate.
Symantec researchers also discovered a second command and control server that some versions of
Duqu used to communicate with their operators. It was located in Belgium and used the IP address
77.241.93.160. Previously, Duqu was known to use only
a control server located in India. Both servers have been taken offline.
While CrySyS and Symantec researchers both say Duqu contains technical signatures proving it was
designed by the same developers who spawned Stuxnet, investigators from Dell SecureWorks disagree.
All of the perceived similarities are contained only in the component used to inject code into
the Windows kernel, they said in a report published last week. The actual payloads, they concluded,
are “significantly different and unrelated.”
Their ultimate conclusion: “The facts observed through software analysis are inconclusive
at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any
other level.”
Symantec has revised one key detail since publishing its findings last week. Previously, it said
Duqu infected organizations involved in the manufacture of industrial control systems, such as
those used in gasoline refineries, nuclear power plants, and other industrial facilities.
In an update, the researchers said that description, and the previous use of the term
SCADA (short for supervisory control and data acquisition), weren't technically accurate. The firm
now says Duqu targeted “industrial industry manufacturers.”
Researchers continue to search for files that might have been used to install Duqu on infected
machines, so it's possible the attackers may have exploited other zero-day vulnerabilities.
Stuxnet targeted at least four zero-day bugs. ®
FAQ
What is Duqu?
The Duqu trojan is composed of several malicious files that work together for a malicious purpose.
The first component is a Windows kernel driver that searches for and loads encrypted dynamic link
library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a
remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised
computer and to download and run additional programs.
In addition to the RAT, another piece of malware was recovered with Duqu in one instance. This
malware is an information stealer designed to log user keystrokes and other information about
the infected system. This piece of malware is believed to be related due to programming
similarities with the main Duqu executables.
What is the relationship to Stuxnet?
There has been much speculation that Duqu is a new version of Stuxnet or that it was written by
the same authors. There are several factors that could influence these speculations:
- Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (dynamic link library) files. The kernel drivers serve as an "injection" engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats.
- Encrypted DLL files are stored using the .PNF extension. This is normally the extension Microsoft Windows uses for precompiled setup information files. The commonality exists due to the kernel driver implementation being similar.
- The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files. Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats.
- Both Stuxnet and Duqu have variants where the kernel driver file is digitally signed using a software signing certificate. One variant of the Duqu kernel driver was signed by a certificate from C-Media Electronics Incorporation. An unsigned Duqu kernel driver claimed to be a driver from the JMicron Technology Company, which was the same company whose software signing certificate was used to sign one of the Stuxnet kernel driver files. The commonality of a software signing certificate is insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources. One would have to prove the sources are common to draw a definitive conclusion.
| Attribute | Duqu | Stuxnet |
|---|---|---|
| Infection methods | Unknown | USB (Universal Serial Bus); PDF (Portable Document Format) |
| Dropper characteristics | Installs signed kernel drivers to decrypt and load DLL files | Installs signed kernel drivers to decrypt and load DLL files |
| Zero-days used | None yet identified | Four |
| Command and control | HTTP, HTTPS, custom | HTTP |
| Self-propagation | None yet identified | P2P (peer to peer) using RPCs (remote procedure calls); network shares; WinCC databases (Siemens) |
| Data exfiltration | Add-on keystroke logger for user and system info stealing | Built-in, used for versioning and updates of the malware |
| Date triggers to infect or exit | Uninstalls self after 36 days | Hard-coded, must be in the range 19790509 => 20120624 |
| Interaction with control systems | None | Highly sophisticated interaction with Siemens SCADA control systems |

Table 1. Comparison of Duqu and Stuxnet.
Both Duqu and Stuxnet are highly complex programs with multiple components. All of the similarities from a software point of view are in the "injection" component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level.
Does Duqu target industrial control systems?
Unlike Stuxnet, Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs). Duqu's primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization.
Is there any evidence in the code indicating specific targets?
Duqu facilitates an adversary's ability to gather intelligence from an infected computer and the network. CTU malware analysts have not identified any specific market segments, technologies, organizations or countries that are targeted by the Duqu malware.
What are indicators of a Duqu infection?
The Duqu trojan attempts to use the network to communicate with a remote command and control
(C2) server to receive instructions and to exfiltrate data. Analysis of Duqu revealed that it uses
the 206.183.111.97 IP address as its C2 server. This IP address is located in India and has been
shut down by the hosting provider. Also, Duqu may attempt to resolve the kasperskychk.dyndns.org
domain name. The resulting IP address is not used for communications, so this lookup may serve as
a simple Internet connectivity check. Administrators should monitor their network for systems
attempting to resolve this domain or connect to the C2 IP address for possible infection.
Duqu uses multiple protocols to communicate with its C2 server, including standard HTTP on TCP
port 80 and a custom protocol on TCP port 443. Some of Duqu's communications that use TCP port 443
do not use the HTTPS protocol. Organizations may be able to monitor egress traffic through proxy
servers or web gateways and investigate network traffic that does not conform to the SSL
(Secure Sockets Layer) specification. Non-SSL traffic on port 443 is commonly observed with other
threats, and this behavior is not exclusive to Duqu.
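The three network checks described above (lookups of the connectivity-check domain, connections to the published C2 addresses, and port-443 sessions that are not actually SSL/TLS) can be expressed as a small log-processing script. The following is an added example, not tooling from NSS, Dell SecureWorks or Symantec; the log-line layout and the sample records are constructed for the example, and only the two C2 addresses and the dyndns domain come from the analyses quoted on this page.

```python
"""Network-side checks for the Duqu indicators described above.

Added example (not NSS, Dell SecureWorks or Symantec tooling). It walks
constructed sample records (DNS query lines, connection-log lines and the
first bytes of TCP/443 sessions) and reports:
  * lookups of the kasperskychk.dyndns.org connectivity-check domain
  * connections to the published C2 addresses
  * port-443 sessions whose first bytes are not an SSL/TLS record header
"""
import re

# Indicators as published on this page: the C2 addresses and the domain
# Duqu resolves as a connectivity check.
DUQU_C2_IPS = {"206.183.111.97", "77.241.93.160"}
DUQU_DOMAINS = {"kasperskychk.dyndns.org"}

# Log-line shapes are assumptions for this example; adapt the regexes to
# the DNS-resolver and proxy/firewall formats actually in use.
DNS_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")
CONN_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

# Constructed sample records, not real captures: (kind, line).
SAMPLE_LOG = [
    ("dns",  "2011-11-02T09:14:03Z client=10.1.4.22 query=www.example.com type=A"),
    ("dns",  "2011-11-02T09:14:09Z client=10.1.4.22 query=kasperskychk.dyndns.org type=A"),
    ("conn", "2011-11-02T09:15:01Z src=10.1.4.22 dst=93.184.216.34 dport=443 proto=tcp"),
    ("conn", "2011-11-02T09:15:07Z src=10.1.4.22 dst=206.183.111.97 dport=443 proto=tcp"),
    ("conn", "2011-11-02T09:16:30Z src=10.1.7.9 dst=77.241.93.160 dport=80 proto=tcp"),
]

# Constructed port-443 sessions: (src, dst, first payload bytes sent by the client).
SAMPLE_443_SESSIONS = [
    # TLS record header: handshake (0x16), version 3.1, then a ClientHello.
    ("10.1.4.22", "93.184.216.34", bytes.fromhex("160301004a01000046030311223344")),
    # Not SSL/TLS at all: a made-up framed binary protocol on port 443.
    ("10.1.4.22", "206.183.111.97", b"\x00\x00\x00\x1c\x01\x00\x00\x00cust"),
    # SSLv2-compatible ClientHello (length with high bit set, then type 0x01).
    ("10.1.7.9", "198.51.100.5", bytes.fromhex("803b01000200180000")),
]


def find_indicator_hits(records):
    """Return one dict per record that touches a published Duqu indicator."""
    hits = []
    for kind, line in records:
        if kind == "dns":
            m = DNS_RE.search(line)
            if not m:
                continue
            qname = m.group("query").lower().rstrip(".")
            if qname in DUQU_DOMAINS:
                hits.append({"host": m.group("client"), "indicator": qname,
                             "reason": "lookup of Duqu connectivity-check domain"})
        elif kind == "conn":
            m = CONN_RE.search(line)
            if not m:
                continue
            if m.group("dst") in DUQU_C2_IPS:
                hits.append({"host": m.group("src"), "indicator": m.group("dst"),
                             "reason": f"connection to Duqu C2 address on port {m.group('dport')}"})
    return hits


def looks_like_ssl_tls(first_bytes):
    """True when the client's first bytes form an SSL/TLS record header.

    TLS/SSL3: content type 0x16 (handshake), major version 0x03, minor 0-3.
    SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    followed by message type 0x01.
    """
    if len(first_bytes) < 3:
        return False
    if first_bytes[0] == 0x16 and first_bytes[1] == 0x03 and first_bytes[2] <= 0x03:
        return True
    return bool(first_bytes[0] & 0x80) and first_bytes[2] == 0x01


def find_non_ssl_443(sessions):
    """Return (src, dst) for port-443 sessions that do not start like SSL/TLS.

    The page notes this behaviour is seen with other threats too, so treat a
    hit as something to investigate, not as a Duqu verdict by itself.
    """
    return [(src, dst) for src, dst, first in sessions if not looks_like_ssl_tls(first)]


if __name__ == "__main__":
    for hit in find_indicator_hits(SAMPLE_LOG):
        print(f"[indicator] {hit['host']} -> {hit['indicator']}: {hit['reason']}")
    for src, dst in find_non_ssl_443(SAMPLE_443_SESSIONS):
        print(f"[non-ssl-443] {src} -> {dst}: investigate")
```

The SSL/TLS check deliberately accepts the old SSLv2-style ClientHello as well as SSL3/TLS record headers so that legacy-but-legitimate clients are not reported; only sessions whose first bytes match neither shape are surfaced, and those still need a human look because, as the FAQ says, non-SSL traffic on port 443 is common to many threats.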
The CTU research team is aware of the following files that may be installed by the Duqu trojan.
The byproducts in Table 2 have been collected from multiple Duqu variants and would not be present
on a single infected computer.
| Name | File size | MD5 |
|---|---|---|
| jminet7.sys | 24,960 bytes | 0eecd17c6c215b358b7b872b74bfd800 |
| netp191.pnf | 232,448 bytes | b4ac366e24204d821376653279cbad86 |
| netp192.pnf | 6,750 bytes | 94c4ef91dfcd0c53a96fdc387f9f9c35 |
| cmi4432.sys | 29,568 bytes | 4541e850a228eb69fd0f0e924624b245 |
| cmi4432.pnf | 192,512 bytes | 0a566b1616c8afeef214372b1a0580c7 |
| cmi4464.pnf | 6,750 bytes | e8d6b4dadb96ddb58775e6c85b10b6cc |
| <unknown> (sometimes referred to as keylogger.exe) | 85,504 bytes | 9749d38ae9b9ddd81b50aad679ee87ec |
| nfred965.sys | 24,960 bytes | c9a31ea148232b201fe7cb7db5c75f5e |
| nred961.sys | unknown | f60968908f03372d586e71d87fe795cd |
| adpu321.sys | 24,960 bytes | 3d83b077d32c422d6c7016b5083b9fc2 |
| iaStor451.sys | 24,960 bytes | bdb562994724a35a1ec5b9e85b8e054f |

Table 2. Byproducts of Duqu.
The name "Duqu" was assigned to this malware because the keylogger program creates temporary files that begin with the prefix "~DQ". A computer infected with Duqu may have files beginning with "~DQ" in Windows temporary directories.
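A host-side sweep for the two file indicators above (the Table 2 MD5 values and the "~DQ" prefix in temporary directories) is short enough to show in full. The script below is an added example, not the NSS driver scanner or any vendor's tool; the MD5 list is copied from Table 2, while the directory tree it runs against is constructed with tempfile, including a stand-in "driver" whose hash is added to the lookup table only so the match path can be exercised offline.

```python
"""Host-side sweep for the Duqu file byproducts in Table 2 and the "~DQ"
temporary-file prefix that gave the malware its name.

Added example, not the NSS driver scanner or any vendor's tool. It hashes
every file under the given roots and reports (a) MD5 matches against the
published byproduct list and (b) files whose name begins with "~DQ" inside
the directories designated as temporary. build_sample_tree() constructs a
throwaway tree so the sweep can be run offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 values and names as published in Table 2 on this page.
DUQU_BYPRODUCTS = {
    "0eecd17c6c215b358b7b872b74bfd800": "jminet7.sys",
    "b4ac366e24204d821376653279cbad86": "netp191.pnf",
    "94c4ef91dfcd0c53a96fdc387f9f9c35": "netp192.pnf",
    "4541e850a228eb69fd0f0e924624b245": "cmi4432.sys",
    "0a566b1616c8afeef214372b1a0580c7": "cmi4432.pnf",
    "e8d6b4dadb96ddb58775e6c85b10b6cc": "cmi4464.pnf",
    "9749d38ae9b9ddd81b50aad679ee87ec": "<unknown> (keylogger.exe)",
    "c9a31ea148232b201fe7cb7db5c75f5e": "nfred965.sys",
    "f60968908f03372d586e71d87fe795cd": "nred961.sys",
    "3d83b077d32c422d6c7016b5083b9fc2": "adpu321.sys",
    "bdb562994724a35a1ec5b9e85b8e054f": "iaStor451.sys",
}


def md5_of(path, chunk=1 << 16):
    """Stream a file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, temp_dirs, hash_db=DUQU_BYPRODUCTS):
    """Return a list of (path, reason) findings for the given roots.

    temp_dirs: directories in which a "~DQ"-prefixed name is suspicious
    (on a real host: the Windows temp directories); the prefix rule is
    deliberately not applied elsewhere to limit noise.
    """
    findings = []
    temp_dirs = [Path(t).resolve() for t in temp_dirs]
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            d = Path(dirpath).resolve()
            in_temp = any(d == t or t in d.parents for t in temp_dirs)
            for name in files:
                p = d / name
                if in_temp and name.upper().startswith("~DQ"):
                    findings.append((str(p), "~DQ-prefixed file in temporary directory"))
                try:
                    digest = md5_of(p)
                except OSError:
                    continue  # unreadable or vanished file; skip rather than abort the sweep
                if digest in hash_db:
                    findings.append((str(p), f"MD5 matches published Duqu byproduct {hash_db[digest]}"))
    return findings


def build_sample_tree():
    """Construct a throwaway directory tree (sample data, not a real host)."""
    root = Path(tempfile.mkdtemp(prefix="duqu-sweep-"))
    temp_dir = root / "Windows" / "Temp"
    temp_dir.mkdir(parents=True)
    (temp_dir / "~DQ1A2B.tmp").write_bytes(b"constructed stand-in for a keylogger temp file")
    (temp_dir / "report.txt").write_bytes(b"benign")
    drivers = root / "Windows" / "System32" / "drivers"
    drivers.mkdir(parents=True)
    fake_driver = b"CONSTRUCTED bytes standing in for a driver image"
    (drivers / "jminet7.sys").write_bytes(fake_driver)
    (root / "Users" / "alice").mkdir(parents=True)
    (root / "Users" / "alice" / "~DQnotes.txt").write_bytes(b"outside temp dirs, so not flagged")
    # The stand-in's hash is added only so the match path runs offline.
    hash_db = dict(DUQU_BYPRODUCTS)
    hash_db[hashlib.md5(fake_driver).hexdigest()] = "jminet7.sys (constructed stand-in)"
    return root, temp_dir, hash_db


def run_sample():
    root, temp_dir, hash_db = build_sample_tree()
    return sweep([root], [temp_dir], hash_db)


if __name__ == "__main__":
    for path, reason in run_sample():
        print(f"{path}: {reason}")
```

On a real host the roots would be the system drive and temp_dirs the Windows temp locations, and hash_db would be DUQU_BYPRODUCTS unchanged. Note the caveat from the text: the Table 2 files come from several variants and will not all be present on one machine, and a new variant will carry different hashes, so the "~DQ" rule and the network indicators are worth running alongside the hash match rather than relying on any one of them.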
How do Duqu infections occur?
The mechanism by which Duqu infections occur is unknown. Current analysis of Duqu has not revealed any ability to infect additional systems like the Stuxnet worm could. In addition, all of the Duqu files CTU researchers have analyzed would likely have been installed by an initial installer or "dropper" malware. None of the original installers have been recovered. The recovery of one of these installers may help provide clues to how Duqu infections occurred.
Is Duqu an advanced persistent threat (APT)?
Dell SecureWorks does not identify individual tools as APT. APT is a threat actor or actors targeting an organization for assets of interest. An APT involves planning by the adversary, teams with specialized roles, multiple tools, patience and persistence. While Duqu does provide capabilities used by other tools observed in APT-related intrusions, an assessment of the particular threat requires knowledge of the adversary, targeted organization and assets and the scope of attacks.
Is antivirus and antimalware protection sufficient for detecting Duqu?
Since its discovery, security vendors have worked to improve their ability to detect Duqu. However, the author may simply release newer variants that are no longer detected by antivirus and antimalware products.
What can I do to protect my organization from Duqu?
- Administrators should use host-based protection measures, including antivirus and antimalware, as part of a holistic security process that includes network-based monitoring and controls, network segmentation and policies, user access, and controls to help mitigate the threat of malware like Duqu.
- A computer infected with Duqu may have files beginning with "~DQ" in Windows temporary directories.
- Organizations may want to monitor egress traffic through proxy servers or web gateways and investigate network traffic that does not conform to the SSL (Secure Sockets Layer) specification. Non-SSL traffic on port 443 is commonly observed with other threats, and this behavior is not exclusive to Duqu.
- Administrators should monitor their network for systems attempting to resolve Duqu-related domains or connect to Duqu C2 IP addresses for possible infection.
In addition to the basic findings listed above, NSS Labs have also noted the following important points during their extended analysis:
- It is premature to describe DuQu as “Stuxnet 2.”
- The DuQu infrastructure is still active despite the deactivation of the CC server; new drivers have been discovered after the original CC server was deactivated, indicating that a second CC network is currently active.
- DuQu is the first known modular plugin rootkit.
- While the DuQu code is simple, the fault-tolerant architecture is impressive; the writers anticipated discovery and deactivation of the CC network and planned for it. Alternative infection and control methods have been incorporated, and the modular nature allows for expansion and the addition of new functionality at a later date.
- The techniques used for concealing data for exfiltration are good. NSS has developed additional tools to aid in detecting these files.
- Given the complexity of the system (solid driver code plus impressive system architecture) it is not possible for this to have been written by a single person, nor by a team of part-time amateurs. The implication is that, given the requirement for multiple man-years of effort, that this has been produced by a disciplined, well-funded team of competent coders.
- It is too early to attribute authorship.
- Many researchers are claiming definitively that the DuQu authors had access to the original Stuxnet source code. This has not been proven. It is possible for anyone to reverse engineer the original Stuxnet code to the point where it can be modified and recompiled.
- There is no possible explanation for the production of such a sophisticated and elegant system merely to steal the information that has been targeted so far. Why go to all this trouble to deploy a simple key-logger? Given that there are additional drivers waiting to be discovered, we can liken DuQu to a sophisticated rocket launcher – we have yet to see the real ammunition appear.
- The ultimate target is something far more valuable than personal information or credit card numbers. It is not likely that this has been developed with simple mercenary intentions – the target is much higher level.
- What we have seen so far is merely the first stage in a multi-stage attack - we have not heard the last of DuQu.