March 21, 2012, 2:02 PM — Just as Kaspersky Labs solved the previous big mystery about the industrial espionage software known as Duqu, Symantec caught an update that uses new techniques to penetrate its targets and accomplish the same mission as before.
The update makes itself look legitimate using a valid security certificate rather than the stolen one the previous version used, and uses a new algorithm to decrypt, unpack and load the body of the virus once the stealth version lodges itself in a new machine.
The new encryption algorithm makes the Duqu loader module harder to identify, as does its use of a Microsoft security certificate it uses to pose as a Microsoft "High changer class driver FileVersion 2.1.0.14" that uses the file name "mcd9x86.sys," according to Symantec.
Unfortunately, Symantec caught only the driver file, not the shell code, installation code, main drivers and configuration file. The fragment verifies that a new version with significant new capabilities is loose in the wild, but doesn't provide any information on the names or locations of the command-and-control servers that give the malware its orders and send it new configuration or installation modules to match conditions the loader finds.
Symantec and Kaspersky researchers were able to find C&C servers for the previous versions of Duqu; they were shut down in October, 2011.
Duqu is a new piece of software apparently developed using the same development tools as Stuxnet – a Trojan Horse designed specifically to infect and sabotage sensitive equipment used in nuclear-fuel-refinement facilities in Iran.
While similar in many ways, Duqu's purpose is not sabotage but espionage. The C&C servers that supply its orders can direct Duqu much more precisely at picked targets than is usual for viruses, and alter it so gather different types of information.
The first versions were found last October in corporate systems in Iran and Sudan, though not in organizations linked by a single industry or that are all involved in nuclear development.
Why is Duqu unique?
Duqu differs from most malware in the flexibility of its modular design, which makes it more a malware framework than a simple virus or Trojan.
PCWorld
