Duqu Trojan a precursor to next Stuxnet, Symantec warns

New malware shares Stuxnet code, targets makers of industrial control systems

By , Computerworld |  Security, Duqu, Stuxnet

Duqu cannot replicate or propagate on its own, Haley said. It is configured to run for 36 days after which it removes itself from the infected machine.

Symantec has not yet figured how attackers have been infecting systems with the Trojan.

"We have not recovered the installer so we don't know yet how Duqu propagates," Haley said. "There's nothing in Duqu that says 'copy me to a USB' or 'look for a network share and take me there.' It just sits there and works as a remote access tool. We don't know how it gets there."

The new malware is named Duqu because it creates files with filenames having the prefix "DQ", Symantec said in a detailed description of the new Trojan.

The Trojan consists of three files -- a driver file, a dynamic link library and a configuration file. The files need to be installed by a separate executable which has not yet been recovered, Symantec said.

Besides the link between Duqu and Stuxnet, there is no other information on who might be behind the Trojan, Haley said.

A driver file on one of the variants was signed with a digital certificate that belongs to company headquartered in Taipei. The certificate, set to expire in August 2012, was revoked on October 14.

Duqu uses HTTP and HTTPS to communicate with a command & control server hosted in India, according to Symantec.

Attackers have been using the C&C server to download key loggers, network enumerators and other information stealing programs. The stolen information is stored on a "lightly encrypted' file and then uploaded back to the server.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Topic Center.


Originally published on Computerworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

Ask a Question
randomness