Super-spy malware Duqu is back with new tricks, new hints at who wrote it

Duqu authors are professional, 'old school,' and may have worked on civil engineering projects

Just as Kaspersky Labs solved the previous big mystery about the industrial espionage software known as Duqu, Symantec caught an update that uses new techniques to penetrate its targets and accomplish the same mission as before.

The update makes itself look legitimate using a valid security certificate rather than the stolen one the previous version used, and uses a new algorithm to decrypt, unpack and load the body of the virus once the stealth version lodges itself in a new machine.

The new encryption algorithm makes the Duqu loader module harder to identify, as does its use of a Microsoft security certificate it uses to pose as a Microsoft "High changer class driver FileVersion 2.1.0.14" that uses the file name "mcd9x86.sys," according to Symantec.

Unfortunately, Symantec caught only the driver file, not the shell code, installation code, main drivers and configuration file. The fragment verifies that a new version with significant new capabilities is loose in the wild, but doesn't provide any information on the names or locations of the command-and-control servers that give the malware its orders and send it new configuration or installation modules to match conditions the loader finds.

Symantec and Kaspersky researchers were able to find C&C servers for the previous versions of Duqu; they were shut down in October, 2011.

Duqu is a new piece of software apparently developed using the same development tools as Stuxnet – a Trojan Horse designed specifically to infect and sabotage sensitive equipment used in nuclear-fuel-refinement facilities in Iran.

While similar in many ways, Duqu's purpose is not sabotage but espionage. The C&C servers that supply its orders can direct Duqu much more precisely at picked targets than is usual for viruses, and alter it so gather different types of information.

The first versions were found last October in corporate systems in Iran and Sudan, though not in organizations linked by a single industry or that are all involved in nuclear development.

Why is Duqu unique?

Duqu differs from most malware in the flexibility of its modular design, which makes it more a malware framework than a simple virus or Trojan.

The main Trojan module includes a kernel driver responsible for penetrating a machine's security, a DLL library that communicates with C&C servers, configures other modules and runs executable code, and a configuration file with instructions on how to do all that.

There is also a keylogger designed to capture data from the initial victim as well as any Duqu seeks out on an infected network.

Duqu is hard to identify because its configuration changes drastically from one infection to another. When it was first discovered there were at least 13 driver files that could use different methods and signatures to penetrate new systems. Each installation used different checksums and file names.

It's not clear from either the victims or Duqu's methods who its specific targets are or what information its authors are after.

Symantec's Duqu whitepaper has the specifics on the structure and capabilities of previous Duqu versions (PDF).

Wasn't Duqu busted already?

It's a little surprising that Duqu's authors are charging ahead with the same virus and apparently the same goals, despite wide public recognition of both the virus and its intentions, according to Vikram Thakur, principal security response manager at Symantec.

"Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active," Symantec's blog reads.

"I think when you invest as much money as invested into Duqu and Stuxnet to create this flexible framework, it's impossible to simply throw it away and start from zero," according to Costin Raiu, director of Kaspersky Lab's global research and analysis team.

Previous Duqu version partially written using mysterious variant of C.

On Monday Kaspersky announced it had cracked the mystery of the code previous versions of Duqu used to communicate with C&C servers, which looked as if it had been programmed using an unknown new language.

The code turned out to be an unusual use of the C programming language, compiled using the Microsoft Visual Studio Compiler 2008.

Using feedback from discussions on Reddit, Sourceforge and other public-discussion forums, Kaspersky researchers concluded the Duqu code was most similar to the kind of work done by experienced "old school" programmers whose goal was to build an app that would run flawlessly on as many platforms as possible and respond intelligently to specific conditions it found there.

The command-and-control code may have been reused from a previously existing project and/or be built into the object-oriented programming framework set up to allow many programmers to work on the Duqu project simultaneously.

Overall it looked like the work of a professional team of developers, possibly with experience building software for complex civil engineering projects, not contemporary malware.

"All the conclusions indicate a rather professional team of developers, which appear to be reusing older code written by top “old school” developers," according to Kaspersky's analysis. "Such techniques are normally seen in professional software and almost never in today’s malware. Once again, these indicate that Duqu, just like Stuxnet, is a 'one of a kind' piece of malware which stands out like a gem from the large mass of “dumb” malicious program we normally see."

What to expect from Duqu

For all the detail from Symantec and Kaspersky, we still don't know much about the identity or intentions of Duqu developers.

We know it's designed to be used as something closer to fire-and-forget industrial espionage software than the large-scale cyberespionage projects attributed to the Chinese military, which depend on spear phishing emails to get a toehold in an organization, and malware to get permanent access.

That approach has been wildly successful, but requires far more manpower than the heavily automated Duqu.

As with previous versions of the malware "gem," there is no clear indication who the authors' targets may be or what specific information it seeks.

Most infections have been in Iran in countries friendly to it.

The only conclusion Symantec or Kaspersky researchers came to is that Duqu is still uniquely effective, uniquely changeable and under constant development to make it harder to identify, harder to stop and more effective when it does infect a new installation.

As with Stuxnet, Israel and the U.S. are the primary suspects, but so far there is no incontrovertible evidence indicating even a connection with Stuxnet, let alone a common ownership or set of targets.

Welcome to the new world of cyberwar.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies