New version of Duqu even smarter than the last; 'Son of Stuxnet' may be a monster, not a virus

Security wonks insist it's not a shape-changing SF alien, but it sure behaves like one

By Kevin Fogarty

A new version of the installer for the "Son of Stuxnet" virus Duqu is a rare value. Not only does it include what is currently the hottest malware on the market, it uses a previously unknown vulnerability in the Windows kernel that lets code supplied from outside run as though it had originated on the victim's own machine.

The variant was discovered by the CrySyS Lab at the Budapest University of Technology and Economics, which discovered the original version of Duqu – a virus that shares much of the same code that made Stuxnet so effective, but is designed as a remotely targeted spy rather than saboteur.

It is housed within a Word document that, when opened, uses the kernel flaw to install Duqu and launch an attack, though Symantec researchers found this variant was designed to be installed only during eight days in August.

Symantec also provided a schematic of the process Duqu follows to exploit the flaw and install itself.

The remote-execution flaw makes Duqu more dangerous and better able to penetrate secure facilities because it allows infected machines to communicate with each other rather than directly with a command controller outside the firewall.

Once installed in one machine, this version of Duqu spreads itself to other machines, using an encrypted file-sharing protocol to communicate with one machine that has a confirmed open link to the outside.

In that way it can spread across many servers within a secure environment without tripping alarms designed to be on the lookout for viruses phoning home from every machine they infect.

"Duqu creates a bridge between the network's internal servers and the C&C server. This allowed the attackers to access Duqu infections in secure zones with the help of computers outside the secure zone being used as proxies," according to Symantec's analysis.
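The bridging pattern described above leaves a network-level footprint that defenders can look for: several internal hosts that have no route to the internet talking over a file-sharing port to one internal host that does. The following Python script is an added example written for this article, not code from Symantec, Kaspersky, CrySyS or ITworld. It assumes a simple flow-log format (`timestamp src dst dst_port`), that SMB on TCP 445 is the file-sharing channel, RFC 1918 ranges as "internal", and a constructed "no direct egress" zone of 10.1.1.16/28; the log lines are constructed, not captured traffic.

```python
"""Flag the 'bridge' pattern: many internal hosts with no internet route
talking over a file-sharing port to one internal host that does reach out."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): which ranges count as internal, which
# zone is supposed to have no direct egress, and SMB/445 as the share port.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
NO_EGRESS_ZONE = ip_network("10.1.1.16/28")   # 10.1.1.16 - 10.1.1.31
SHARE_PORT = 445

# Constructed sample flow log: "timestamp src dst dst_port" per line.
SAMPLE_LOG = """\
2011-11-01T09:00:01 10.1.1.5 203.0.113.10 443
2011-11-01T09:00:07 10.1.1.5 203.0.113.10 443
2011-11-01T09:01:02 10.1.1.20 10.1.1.5 445
2011-11-01T09:01:09 10.1.1.21 10.1.1.5 445
2011-11-01T09:01:15 10.1.1.22 10.1.1.5 445
2011-11-01T09:02:00 10.1.1.30 10.1.1.7 445
2011-11-01T09:02:30 10.1.1.7 10.1.1.8 445
2011-11-01T09:03:00 10.1.1.8 198.51.100.4 80
"""


def parse_flows(text):
    """Turn the simple log format into (src, dst, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_bridge_candidates(flows, min_fan_in=2, share_port=SHARE_PORT):
    """Return internal hosts that both reach external addresses and receive
    share-port connections from at least `min_fan_in` other internal hosts.
    Peers that sit in the no-egress zone are listed separately, since those
    are the machines that should not need a path to the outside at all."""
    egress_hosts = set()            # internal hosts seen talking externally
    fan_in = defaultdict(set)       # dst -> internal sources on share_port
    for src, dst, port in flows:
        if is_internal(src) and not is_internal(dst):
            egress_hosts.add(src)
        elif is_internal(src) and is_internal(dst) and port == share_port:
            fan_in[dst].add(src)

    result = {}
    for host in egress_hosts:
        peers = fan_in.get(host, set())
        if len(peers) >= min_fan_in:
            result[host] = {
                "peers": sorted(peers),
                "from_no_egress_zone": sorted(
                    p for p in peers if ip_address(p) in NO_EGRESS_ZONE
                ),
            }
    return result


if __name__ == "__main__":
    for host, info in find_bridge_candidates(parse_flows(SAMPLE_LOG)).items():
        print(f"possible bridge {host}: {len(info['peers'])} share-port peers, "
              f"{len(info['from_no_egress_zone'])} from the no-egress zone")
```

On the sample log only 10.1.1.5 is reported: it is the one host that both reaches 203.0.113.10 and receives SMB connections from three hosts in the no-egress zone, whereas 10.1.1.7 never talks outside and 10.1.1.8 has only a single SMB peer. Ordinary file servers will also show high SMB fan-in, so in practice the `min_fan_in` threshold and an allow-list of known servers keep the noise down; the signal worth chasing is the combination of fan-in from a restricted zone with outbound traffic from the same host.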

So far, according to Kaspersky Labs, Duqu infections have been recorded only in Sudan and Iran, though there is no obvious connection to Iran's nuclear program, which Stuxnet was designed to attack.

Duqu is different from Stuxnet in that it is a framework within which a number of different drivers, modules and encryption methods can be used to attack weaknesses peculiar to a specific target.

It is highly customizable, can accept uploads from its command-and-control servers of new drivers or modules to overcome obstacles, and has full access to the infected machine's registry, so its structure on one system may be changed completely from the pattern on another, according to Kaspersky's report.

Original reports about the virus said it was set to end its own infection after 36 days; Kaspersky's results indicate even the length of time it infects a system is variable.

There is no truth to the report – according to the overly credible, obviously naive researchers at security companies – that Duqu can actually manifest itself outside the computer, attack and absorb the mass of warm-blooded organisms, then take on their shape and mimic them until it gets the chance to attack again.

Despite the huge number of Hollywood movies depicting this exact scenario – not to mention the 70-page scientific report disguised as a 1938 science-fiction-classic short story called Who Goes There by John W. Campbell – security researchers insist Duqu is simply a software construct of unusually clever design, apparently intended for industrial espionage.

That seems like a huge waste of something so creative, adaptable and diabolical, though – like using the power of invisibility to make sure your neighbors haven't torn the labels marked Do Not Remove On Pain of Law off their mattresses.

I expect, even if it won't end up eating anyone, that we can look forward to a lot more creative mayhem and destruction from whoever wrote and directs Duqu.

Unless it's the U.S. and Israeli governments, again, in which case it will stick with relatively dull things that bring limited confusion to the enemy, but only after extensive cost justification and IT-environmental impact statements.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
