Wednesday, November 9, 2011

Duqu - the backdoor for a catastrophe

A new era of computer system attacks has come from the movies into our reality. As time passes, computers and technology evolve faster than almost anything else, with the possible exception of the excitement and ambition of virtual terrorists. Individual users' computers, servers, entire networks, or even large institutions no longer seem to be desirable enough targets. During summer 2011, Stuxnet amazed everyone with its impressively well-written code and alerted us all to the intentions behind this new era of attacks. Around October 14th 2011, not long after Stuxnet hit the security news, another similarly coded threat was discovered on a computer system located in Europe: Duqu. Because of the similarities in their code, researchers still do not know which malware came first, since Duqu appears to be the first stage, a reconnaissance phase, of a Stuxnet-style attack. Named after the filename prefix it creates, "~DQ", Duqu is still being researched and decoded by the major research labs around the world, and is directly linked to Stuxnet through both its similarities and its differences.
Even though researchers seem to agree that the same person or organization wrote both pieces of malware, Duqu differs from Stuxnet. About 50% of Duqu's code is exactly the same as code used in Stuxnet; however, the two have different purposes. According to Symantec, Duqu's purpose is to gather intelligence data and assets from entities in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility, a SCADA-type attack like the one intended by the code found in Stuxnet. Also, instead of a payload designed to sabotage an industrial control system, the Duqu payload has been replaced with general remote access capabilities.
Duqu has an unusual purpose compared to other information-gathering malware, and some clever characteristics. Duqu is a remote access Trojan (RAT) that does not self-replicate. Its main purpose is to open a backdoor and retrieve information from an infostealer program that can record keystrokes, enumerate the network and gather other system information. Using HTTP and HTTPS to communicate with the command-and-control server, the malware's C&C protocol primarily downloads or uploads what appear to be JPG files. Once the communication is established, it retrieves an encrypted and compressed local log file. Finally, it is configured to run for 36 days, after which it automatically removes itself from the system.
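Traffic that "appears to be JPG files" is a useful place for a defender to look: a real image parses as a well-formed JPEG marker chain and ends at an End-Of-Image marker, so a supposed image that fails to parse, or that carries data after EOI, deserves a second look. The following is an added example, not code from the original post or from any of the research labs cited; it walks the JPEG segment structure and reports trailing data. The byte strings it checks are constructed for illustration and make no claim about the actual format Duqu used.

```python
# Added example (not from the original post): a structural check for files that
# claim to be JPEGs. A defender reviewing "JPG" transfers to or from a suspect
# host can verify that each file actually parses as a JPEG and flag any bytes
# that follow the End-Of-Image marker. The sample inputs below are constructed
# byte strings, not real Duqu artifacts.
from typing import Any, Dict

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-RST7, SOI.
STANDALONE = {0x01, *range(0xD0, 0xD8), SOI}


def inspect_jpeg(data: bytes) -> Dict[str, Any]:
    """Walk the JPEG marker structure and report what was found.

    valid          - True if SOI, a well-formed segment chain and EOI were seen
    segments       - (marker, length) tuples in file order
    trailing_bytes - number of bytes after the EOI marker
    reason         - why parsing stopped, when valid is False
    """
    result: Dict[str, Any] = {"valid": False, "segments": [], "trailing_bytes": 0, "reason": None}
    n = len(data)
    if n < 4 or data[0] != 0xFF or data[1] != SOI:
        result["reason"] = "missing SOI marker"
        return result
    pos = 2
    while pos < n:
        if data[pos] != 0xFF:
            result["reason"] = f"expected marker at offset {pos}"
            return result
        while pos < n and data[pos] == 0xFF:  # skip fill bytes before a marker
            pos += 1
        if pos >= n:
            result["reason"] = "truncated marker"
            return result
        marker = data[pos]
        pos += 1
        if marker == EOI:
            result["valid"] = True
            result["trailing_bytes"] = n - pos
            return result
        if marker in STANDALONE:
            result["segments"].append((marker, 0))
            continue
        if pos + 2 > n:
            result["reason"] = f"truncated length field for marker 0x{marker:02X}"
            return result
        seg_len = int.from_bytes(data[pos:pos + 2], "big")  # length includes its own 2 bytes
        if seg_len < 2 or pos + seg_len > n:
            result["reason"] = f"bad length {seg_len} for marker 0x{marker:02X}"
            return result
        result["segments"].append((marker, seg_len))
        pos += seg_len
        if marker == SOS:
            # Entropy-coded data follows SOS: 0xFF00 is a stuffed byte and
            # 0xFFD0-0xFFD7 are restart markers; any other marker ends the scan.
            while pos < n:
                if data[pos] == 0xFF and pos + 1 < n:
                    nxt = data[pos + 1]
                    if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                        pos += 2
                        continue
                    if nxt == 0xFF:
                        pos += 1
                        continue
                    break
                pos += 1
    result["reason"] = "no EOI marker"
    return result


def classify(data: bytes, max_trailing: int = 0) -> str:
    """Label a supposed JPEG as 'ok', 'not-a-jpeg' or 'trailing-data'."""
    info = inspect_jpeg(data)
    if not info["valid"]:
        return "not-a-jpeg"
    if info["trailing_bytes"] > max_trailing:
        return "trailing-data"
    return "ok"


# Constructed minimal marker chain: SOI, APP0 (JFIF header), SOS with a few
# entropy bytes including one stuffed 0xFF00, then EOI. Not a decodable image.
MINIMAL_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)
TRAILER = b"constructed-hidden-payload"  # constructed stand-in for appended data
CARRIER = MINIMAL_JPEG + TRAILER         # a "JPG" that carries extra bytes after EOI

if __name__ == "__main__":
    for name, blob in [("clean", MINIMAL_JPEG), ("carrier", CARRIER), ("bogus", b"GIF89a...")]:
        info = inspect_jpeg(blob)
        print(f"{name:8s} {classify(blob):14s} trailing={info['trailing_bytes']} reason={info['reason']}")
```

Real images frequently end with a byte or two of padding after EOI, so `max_trailing` lets an analyst set a tolerance; anything well beyond that, or a file that never reaches EOI, is what a triage script should surface for manual review.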
According to the latest update on Duqu, an installer has recently been recovered. CrySyS, the research lab that initially discovered Duqu, was able to recover one of the many possible installers of the malware. The installer was embedded in a Microsoft Word document (.doc) and exploits a previously unknown kernel vulnerability that allows code execution. Once the file is opened, the malware installs the main Duqu binaries. Below is a schematic of how the Word document installs Duqu.
Although investigation and research by all the major AV companies and even Microsoft continue, nobody has been able to extract all the desired details from the code found in the Duqu variants. What they do know is that, if the same person or organization wrote both Duqu and Stuxnet, the programmers did not repeat the mistake of using a certificate stolen from a Taiwanese company, as they did with Stuxnet. With Duqu, they managed to use an untraceable digital certificate, making it even more mysterious. A greater and more serious suspicion, based on the complexity of both code bases, is that nation-states could be behind these attacks. So far, Duqu infections have been confirmed in six possible organizations in eight countries. Nobody yet knows who wrote Duqu, but what is at stake is a nation's ability and power to be aware of, and prepared to deal with, the consequences of a successful attack.
