According to analyses by Symantec, CrySyS and Kaspersky Lab, Duqu is a sophisticated, autonomic attack framework: it can expand and load the parts of itself that fit a particular set of conditions, find the best service or process to attach itself to, and phone home for additional drivers or other modules that help it adapt its attack even more drastically.
Duqu: Well-mannered malware
It doesn't just try to copy itself as many times as it can, take up as much space as possible and spread mindlessly as fast as it can in any direction.
It attacks only companies or facilities at which it has been aimed.
It establishes itself in a way that is far more akin to infiltration than virus infection.
It copies itself onto other machines selectively and, apparently, evaluates how secure each new machine is in order to install and establish itself in a way that is as covert as possible.
It even creates local-area and wide-area networks among its spawn to keep from being too indiscreet or promiscuous in the way it communicates with the command-and-control servers that control it. In that respect it behaves much more like a botnet than like a typical virus, even one with keyloggers or other data-stealing functions that have to send stolen data back home.
By default, like most malware, Duqu is designed to use the local network to talk to its command-and-control servers directly. Infecting 100 machines in a secure facility and letting them all try to phone home separately is like a burglar jumping up and down in front of a motion detector to see how hard it is to set off the intruder alert.
Duqu uses a peer-to-peer communications protocol to pass messages hand to hand from infected machines in a secure zone to infected machines in a less secure area of the network, where one machine phoning command-and-control for instructions would be a lot less conspicuous.
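The relay pattern just described leaves a footprint a defender can look for: a host in a less-secure zone that accepts connections from several secure-zone hosts and also talks to the Internet on their behalf. The following is an added example (it is not code from the original article or from any of the analyses it cites) that runs that heuristic over a few constructed connection-log lines; the zone layout, log format and thresholds are assumptions for the example, and it also flags the noisier pattern of secure-zone hosts going straight out to the Internet.

```python
"""Two detections for the command-and-control relay pattern described above,
run over constructed connection-log lines (not real traffic):

  1. secure-zone hosts that connect to external addresses directly
     (the conspicuous "everyone phones home" pattern), and
  2. hosts in a less-secure zone that both accept connections from several
     secure-zone hosts and make outbound Internet connections themselves
     (a candidate peer-to-peer relay).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical zone layout for the example; a real deployment would take
# this from its own network inventory.
ZONES = {
    "secure": ip_network("10.10.0.0/16"),
    "office": ip_network("10.20.0.0/16"),
}
# Anything outside the known zones and outside private address space
# is treated as external (Internet).
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed sample log: "<unix_ts> <src_ip> <dst_ip> <dst_port> <bytes>".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here
# to stand in for Internet addresses.
SAMPLE_LOG = """\
1319500001 10.10.3.4 10.20.7.9 445 1200
1319500002 10.10.3.5 10.20.7.9 445 980
1319500003 10.10.3.6 10.20.7.9 445 1500
1319500004 10.20.7.9 203.0.113.10 443 4200
1319500005 10.20.7.9 203.0.113.10 443 3800
1319500006 10.20.1.1 198.51.100.20 443 300
1319500007 10.10.3.4 10.10.3.8 80 600
1319500008 10.10.9.9 203.0.113.77 80 700
"""


def zone_of(ip):
    """Map an address to a zone name, 'internal-unknown', or 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    if any(addr in net for net in PRIVATE):
        return "internal-unknown"
    return "external"


def parse_log(text):
    """Parse the whitespace-separated sample format into dicts."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        conns.append({"ts": int(ts), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return conns


def find_direct_external(conns, secure_zone="secure"):
    """Secure-zone hosts that reach external addresses without a relay."""
    return sorted({c["src"] for c in conns
                   if zone_of(c["src"]) == secure_zone
                   and zone_of(c["dst"]) == "external"})


def find_relay_candidates(conns, secure_zone="secure", min_peers=2):
    """Hosts outside the secure zone that fan in from >= min_peers secure
    hosts and also connect outbound to the Internet."""
    inbound = defaultdict(set)   # host -> secure-zone sources seen
    outbound = defaultdict(set)  # host -> external destinations seen
    for c in conns:
        src_zone, dst_zone = zone_of(c["src"]), zone_of(c["dst"])
        if src_zone == secure_zone and dst_zone not in (secure_zone, "external"):
            inbound[c["dst"]].add(c["src"])
        if dst_zone == "external":
            outbound[c["src"]].add(c["dst"])
    findings = []
    for host, peers in inbound.items():
        if len(peers) >= min_peers and host in outbound:
            findings.append({"relay": host,
                             "secure_peers": sorted(peers),
                             "external": sorted(outbound[host])})
    return sorted(findings, key=lambda f: f["relay"])


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    print("secure hosts talking to the Internet directly:",
          find_direct_external(conns))
    for f in find_relay_candidates(conns):
        print(f"relay candidate {f['relay']}: fan-in from {f['secure_peers']}, "
              f"outbound to {f['external']}")
```

On the sample data the three secure-zone hosts funnelling into 10.20.7.9, which then talks to 203.0.113.10, produce one relay candidate, while 10.10.9.9 is reported for phoning out directly. Legitimate proxies, jump hosts and update servers match the same shape, so in practice the relay list is compared against an allowlist of known intermediaries and the remainder is what warrants a look.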
Even its installation procedure is as intricate as that of most commercial software.
The entire installation process is quite involved. During the process seven different files are decrypted, at least three processes are injected into, and ntdll.dll is hooked multiple times to allow dynamic loading of decrypted components into memory. In fact, during the entire process every part of Duqu resides decrypted only in memory.
Source: Symantec, "Duqu: the precursor to the next Stuxnet" (flowchart of the Duqu installation procedure).