Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary, which participated in the discovery of Duqu in an international collaboration, analyzed the malware and wrote a 60-page report, naming the threat Duqu. Duqu got its name from the prefix “~DQ” it gives to the names of files it creates.
Relationship to Stuxnet
Symantec, based on the CrySyS report, continued the analysis of the threat, which it called “nearly identical to Stuxnet, but with a completely different purpose”, and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix. Symantec believes that Duqu was created by the same authors as Stuxnet, or that the authors had access to the source code of Stuxnet. The worm, like Stuxnet, has a forged digital certificate, and collects information to prepare for future attacks. Mikko Hypponen said that Duqu’s kernel driver, JMINET7.SYS, was so similar to Stuxnet’s MRXCLS.SYS that F-Secure’s back-end system thought it was Stuxnet. Hypponen further said that Duqu’s own digital certificate was stolen from C-Media, located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011 according to Symantec.
Another source, Dell SecureWorks, reports that Duqu may not be related to Stuxnet.
Microsoft Word zero-day exploit
Like Stuxnet, Duqu attacks Windows systems using a zero-day vulnerability. The installer file is a Microsoft Word document (.doc) that exploits the Win32k TrueType font parsing engine and allows code execution. Duqu targets one of the problems in T2EMBED.DLL, which is a TrueType font parsing engine. “Microsoft is collaborating with our partners to provide protections for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process”, Jerry Bryant, group manager of response communications in Microsoft’s Trustworthy Computing group, said in a statement on 3 November 2011. However, Microsoft did not include a patch for the vulnerability in the batch of patches issued on 8 November 2011.
Duqu uses the peer-to-peer SMB protocol to move in secure networks from less secure areas to the secure zone. According to McAfee, one of Duqu’s actions is to steal digital certificates from attacked computers to help future viruses appear as secure software. Duqu uses a 54×54 pixel JPEG file (364.5 bytes) and encrypted dummy files as containers to smuggle data to its command and control center. Security experts are still analyzing code to determine what information the communications contain. Initial research indicates that the virus automatically removes itself after 36 days, which would limit its detection.
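The JPEG-container channel above suggests a simple triage check a defender can run over captured uploads: parse the JPEG marker structure, read the image dimensions from the frame header, and count bytes appended after the End-Of-Image marker. The code below is an added illustration, not from the CrySyS or Symantec reports; the thresholds, the helper names and the sample bytes are assumptions constructed for the example.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOF_MARKERS = {0xC0, 0xC1, 0xC2}   # baseline / extended / progressive frame headers

def parse_jpeg(data):
    """Walk the marker segments; return (width, height, trailing_bytes) or None."""
    if not data.startswith(SOI):
        return None
    width = height = None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker in SOF_MARKERS and pos + 9 <= len(data):
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
        pos += 2 + length
        if marker == 0xDA:            # Start Of Scan: entropy-coded data follows
            break
    else:
        return None                   # ran out of segments without reaching SOS
    # Inside scan data every 0xFF is followed by 0x00 (stuffing) or an RSTn
    # marker, so the first 0xFF followed by anything else ends the image.
    while True:
        idx = data.find(b"\xff", pos)
        if idx < 0 or idx + 1 >= len(data):
            return None
        nxt = data[idx + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos = idx + 2
            continue
        if nxt == 0xD9:
            return width, height, len(data) - (idx + 2)
        return None                   # unexpected marker inside scan data

def looks_like_container(data, max_dim=64, max_true_size=1024):
    """Heuristic (assumed thresholds): a tiny image carrying appended data,
    or a tiny image whose file is far larger than its pixels justify."""
    parsed = parse_jpeg(data)
    if parsed is None or parsed[0] is None:
        return False
    width, height, trailing = parsed
    tiny = max(width, height) <= max_dim
    return tiny and (trailing > 0 or len(data) > max_true_size)

def build_test_jpeg(width=54, height=54, payload=b""):
    """Constructed minimal JPEG skeleton (not a decodable picture) for testing."""
    sof = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"    # includes one stuffed 0xFF 0x00 pair
    return SOI + sof + sos + scan + EOI + payload
```

Real Duqu samples encrypted the smuggled data, so the check looks only at structure and size, not at content; an image library that silently ignores trailing bytes would miss exactly this case.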
Key points are:
- Executables developed after Stuxnet using the Stuxnet source code have been discovered.
- The executables are designed to capture information such as keystrokes and system information.
- Current analysis shows no code related to industrial control systems, exploits, or self-replication.
- The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
- The exfiltrated data may be used to enable a future Stuxnet-like attack.