No quick patch to kill Duqu, turn back clock to when viruses weren't smarter than your apps

Most blame governments for Stuxnet; is Duqu the same or a huge step forward for digital crooks?

The headline on a story saying Microsoft isn't going to be able to patch the newly discovered hole exploited by the advanced and scary Duqu trojan also shows how freaked out people are by computer viruses (and that the people who write headlines on IT security stories sometimes don't read the stories themselves): ‘Next big cyber threat’ Duqu virus originated from OS bug: Microsoft.

First: No it didn't.

Duqu appears to have originated in the same super-secret lab hidden under the lake in a crater of an extinct volcano that also spewed out Stuxnet on its mission to infect the computers running equipment for Iran's nuclear fuel-development project and keep that from happening.

It didn't come from Windows (or Microsoft). Duqu probably came from the same people who wrote Stuxnet, or at least people with access to the Stuxnet source code, according to analyses by Symantec and the CrySyS Lab in Budapest, which discovered Duqu.

Duqu shares a lot of code with Stuxnet and shares Stuxnet's flair for elegant, creative ways to exploit a weakness or find a way around it. It also shows the same effort to keep the virus covert for as long as possible while it does its work, often in very subtle ways, the reports said.

Second: Duqu didn't become Duqu because of a Windows bug any more than Stuxnet became a threat to regional peace and security because someone forgot to apply the right patches to the Windows boxes Iran used to run its nuclear-fuel centrifuges.

Duqu is unusual among virii because it exploits a completely unknown flaw in Windows that allows it to execute code that decrypts, unzips and unfurls various components, which then sniff around their environment to see where they can best install the malicious core of the app, and erase themselves when they're done so it's harder to find them, according to Symantec's white paper that lays out most of Duqu's details.

Duqu is not able to penetrate Windows machines simply because of a flaw in Windows.

Duqu is designed like a weapon; it takes advantage of flaws or gaps where it finds them, but is not limited to following the path of least resistance.

According to analyses by Symantec, CrySyS and Kaspersky Lab, Duqu is a sophisticated, autonomous attack framework that can expand and load the parts of itself that fit a particular set of conditions, find the best service or process on which to attach them and phone home for additional drivers or other modules to help it adapt its attack even more drastically.

Duqu: Well-mannered malware

It doesn't just try to copy itself as many times as it can, take up as much space as possible and spread mindlessly as fast as it can in any direction.

It attacks only companies or facilities at which it has been aimed.

It establishes itself in a way that is far more akin to infiltration than virus infection.

It copies itself onto other machines selectively and, apparently, evaluates how secure each new machine is in order to install and establish itself in a way that is as covert as possible.

It even creates local-area and wide-area networks among its spawn so that it isn't too indiscreet or promiscuous in the way it communicates with the command-and-control servers that control it, a pattern much more like a botnet than like a typical virus, even one with keyloggers or other data-stealing functions that have to send stolen data back home.

By default, like most malware, Duqu is designed to use the local network to talk to its command-and-control servers directly. Infecting 100 machines in a secure facility and letting them all try to phone home separately is like a burglar jumping up and down in front of a motion detector to see how hard it is to turn on the intruder alert.

Duqu uses a peer-to-peer communications protocol to pass messages hand to hand from infected machines in a secure zone to infected machines in a less secure area of the network, where one machine phoning command-and-control for instructions would be a lot less conspicuous.
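One way a defender could look for that relay pattern in network flow logs, as an added example that is not code from the article or from any of the labs it cites: find internal hosts that receive lateral connections from several peers on an unexpected port and are, at the same time, the only ones of that group that talk to addresses outside the network. The sample flows, the port 4711, the internal address ranges, the list of expected lateral ports and the threshold of three peers are all constructed assumptions, not Duqu indicators.

```python
"""Added example: a flow-log heuristic for the peer-to-peer relay pattern
described in the article. Not code from the article or from Symantec, CrySyS
or Kaspersky; all addresses, ports and thresholds are constructed assumptions."""
import ipaddress
from collections import defaultdict

# Assumed internal address space (RFC 1918); a real deployment uses its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports on which host-to-host connections are expected and therefore ignored (assumption).
EXPECTED_LATERAL_PORTS = frozenset({53, 88, 135, 139, 389, 445})

# Constructed sample flows: one (src, dst, dst_port) tuple per observed connection.
SAMPLE_FLOWS = [
    ("10.0.1.11", "10.0.2.5", 4711),      # hosts in the "secure" zone all talk
    ("10.0.1.12", "10.0.2.5", 4711),      # to one peer on an odd port ...
    ("10.0.1.13", "10.0.2.5", 4711),
    ("10.0.1.2",  "10.0.2.5", 4711),
    ("10.0.2.5",  "203.0.113.9", 443),    # ... and only that peer leaves the network
    ("10.0.1.11", "10.0.1.2", 445),       # ordinary file-share traffic, ignored
    ("10.0.1.12", "10.0.1.2", 445),
    ("10.0.3.7",  "198.51.100.20", 443),  # a user browsing: goes external, but no fan-in
]


def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_relay_candidates(flows, min_peers=3):
    """Return {relay_host: {"peers": [...], "external": [...]}} for internal hosts
    that (a) receive connections from at least min_peers distinct internal hosts
    on a port not in EXPECTED_LATERAL_PORTS and (b) themselves initiate
    connections to addresses outside the internal ranges."""
    inbound = defaultdict(set)   # dst -> internal sources using unexpected ports
    outbound = defaultdict(set)  # src -> external destinations
    for src, dst, dport in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and dst_in and dport not in EXPECTED_LATERAL_PORTS:
            inbound[dst].add(src)
        elif src_in and not dst_in:
            outbound[src].add(dst)

    candidates = {}
    for host, peers in inbound.items():
        if len(peers) >= min_peers and host in outbound:
            candidates[host] = {
                "peers": sorted(peers, key=ipaddress.ip_address),
                "external": sorted(outbound[host], key=ipaddress.ip_address),
            }
    return candidates


if __name__ == "__main__":
    for host, info in find_relay_candidates(SAMPLE_FLOWS).items():
        print(f"possible relay {host}: {len(info['peers'])} internal peers, "
              f"external contacts {info['external']}")
        print("  peers worth examining:", ", ".join(info["peers"]))
```

The flagged host is a hunting lead, not a verdict: proxies, jump hosts and update servers produce the same shape, so the expected-port list and the peer threshold need tuning to the environment, and the list of peers is as interesting as the relay itself, since in the scenario the article describes those are the machines in the secure zone.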

Even its installation procedure is as intricate as that of most commercial software.

The entire installation process is quite involved. During the process seven different files are decrypted, at least three processes are injected into, and ntdll.dll is hooked multiple times to allow dynamic loading of decrypted components into memory. In fact, during the entire process every part of Duqu resides decrypted only in memory.

Only one unencrypted file, the load-point driver, is ever written to the disk during the entire process. Duqu was clearly designed to minimize detectable footprints left on the disk. – Symantec, "W32.Duqu: The precursor to the next Stuxnet" (PDF)

Not everyone believes in Son of Stuxnet

Not everyone is convinced Duqu is such a big deal. Taking advantage of a flaw in the Windows kernel is a "pretty common" technique for malware of all kinds, according to Andrew Storms, director of security operations at nCircle Security, as quoted in Infoworld.

Evidence that Stuxnet and Duqu are directly related is "circumstantial at best," Jon Ramsey, CTO of Dell SecureWorks, told Computerworld.

Both viruses are sophisticated in the way they work, but all the similarities are in one module from each – the kernel driver that allows it to inject itself into a specific Windows process, Ramsey said.

Other techniques used by both Stuxnet and Duqu, such as hiding encrypted DLLs in files with a .PNF extension (which Windows uses to store precompiled setup information), fake digital signatures and rootkits to hide files, are also used by many other malware writers for the same purposes, Ramsey said.

Having to use a crutch like that to get past routine security – and having to rely on Word documents for transport – may mean Duqu is not only not related to Stuxnet, but that it's a lot less sophisticated than many seem to think, Storms told Infoworld.

Maybe, but I doubt it.

Too smart to be 'just a virus'

Storms is right that a lot of viruses exploit Windows flaws.

Usually they exploit known flaws and count on users not having installed all the patches they should.

Most virus writers don't discover new flaws in the kernel and use them as an entry point for a colony of malware that communicates sotto voce among its members and hands responsibility for communicating with the home office to versions of itself living in Administration rather than R&D.

Most don't build in so much sophisticated programming that they're able to restructure themselves, change themselves and their environment by manipulating the Windows registry, and choose which Windows process to build themselves into so they can keep as close an eye as possible on everything going on within their own view while remaining invisible themselves.

Most virus writers who want their code to check in with them periodically let each bit of it phone home. They don't have many instances of their code designate a spokes-virus to do their talking for them.

That's a lot more subtle than most viruses. It is more akin to the way Stuxnet moved into the Windows-based SCADA machines in Iran but didn't just wreck the centrifuges. It slowed them down and changed the speed registers so the Iranian technicians didn't know right away that their bomb development had been Fubared and wouldn't guess their computers had been infected.

Duqu may not be the Son of Stuxnet.

Duqu may not be, as Symantec predicts, the precursor to a new, more powerful Stuxnet that will become an even fiercer saboteur.

But it's not a normal bit of malware. Its complexity and subtlety are much greater not only than those of most viruses, but greater than those of most malware carrying keyloggers or other data-stealing payloads.

On the other hand: The Obligatory Conspiracy Theory

It is that level of sophistication that leads some analysts to guess that only a national intelligence agency would have the resources, patience or desire to build a weapon like Duqu, let alone be big enough, and want specific information persistently enough, to justify developing and using a tool that is more a remote-access agent than a fire-and-forget attack mechanism.

Duqu wasn't designed to invade a facility and just steal or break whatever the virus could reach. It was designed to give a staff of snoops remote control over agents they could re-use, reconfigure and redirect during an intelligence operation with specific targets and time limits.

That sounds a lot like a national intelligence agency. Nothing else fits quite as easily.

It also sounds like what a sophisticated criminal organization might build that was interested in expanding beyond identity theft and fraud, or even beyond smash-and-grab raids for information it could resell as industrial espionage.

If that's the business you were going into, you'd want a tool that was effective enough to get the job done, subtle enough not to warn the victim you're coming or give too much evidence to the law that you'd been there, and that was changeable enough to adapt to the technical infrastructure of new victims and the differing requirements of clients wanting different types of information, for different reasons, from different types of targets.

If the analyses aren't overstating Duqu's sophistication, and the relationship to Stuxnet is real, it's still more likely Duqu was either written or inspired by a national intelligence agency.

But, given that all its targets and the intent of its users appear simply to be industrial espionage, at least right now, it's barely possible Duqu's main intent is both criminal and commercial. If so, it's also possible that the agency running it is either a very sophisticated criminal organization or a spinoff from an intelligence agency going into business for itself.

Gordon Gekko has taken control of your servers; please deposit $3M to continue computing

The real problem with Duqu isn't that it might be another example of what James Bond's gadget-meister Q might have done if he'd had software to play with instead of exploding pens.

The real difference both Stuxnet and Duqu bring to both international cyberwar and everyday corporate computing is that they advance the art of covert data-thieving intelligent agents by so far that they make every other bit of malware look like bent-nosed thugs looking for a car window to break so they can steal the stereo and GPS.

Stuxnet was more the kind of ninja cat burglar who infiltrates through secure skylights and has his way with your systems while dangling from a wire and risking capture at any second.

Duqu wears a suit, walks into your office in daylight and cons everyone in sight out of their watches, wallets and keys to the big old vault filled with filthy money it will take to the dry cleaners and bring right back before you even miss it. It's "Ocean's Eleven" compared to "The Fast and the Furious," "The Thomas Crown Affair" compared to "A Clockwork Orange."

Duqu sets a standard for technical complexity, sure. It also gives a virtuoso demonstration of just how far a bit of malicious software can go when it's designed, written and used as if it were a sophisticated data- and cash-extraction tool that runs a soft con rather than a smash-and-grab.

If it's a precursor to something even more sophisticated, most of the security industry can just quit now. The next step up in malware evolution wouldn't even have to con your business out of its money or data. It would just take what it wants, hand you junk in return and laugh publicly at how foolish you were to be seduced by something so smooth and smart you never knew you were one of a herd of sheep being called to the slaughter.

With just one more step up in sophistication, Stuxnet, Duqu and all their descendants won't even be viruses.

They'll be Wall Street.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
