Super-spy malware Duqu is back with new tricks, new hints at who wrote it

Duqu authors are professional, 'old school,' and may have worked on civil engineering projects


Just as Kaspersky Labs solved the previous big mystery about the industrial espionage software known as Duqu, Symantec caught an update that uses new techniques to penetrate its targets and accomplish the same mission as before.

The update makes itself look legitimate using a valid security certificate rather than the stolen one the previous version used, and uses a new algorithm to decrypt, unpack and load the body of the virus once the stealth version lodges itself in a new machine.

The new encryption algorithm makes the Duqu loader module harder to identify, as does its use of a Microsoft security certificate, which lets it pose as a Microsoft "High changer class driver FileVersion 2.1.0.14" under the file name "mcd9x86.sys," according to Symantec.
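A defender's first question after reading the paragraph above is whether any loaded driver on a host is presenting itself as Microsoft's without carrying a valid Microsoft signature. The PowerShell below is an added example written for this article, not code from Symantec or from the Duqu analysis: it inventories the system's drivers, checks each file's Authenticode signature, and flags mismatches between the version metadata a file claims and the certificate it is actually signed with. The `Test-DriverSignatures` function name and the "suspicious" rules are this example's own choices; the one page-specific value it uses is the reported file name `mcd9x86.sys`.

```powershell
# Added example (not from the article or Symantec): audit installed kernel
# drivers for a signed-driver masquerade. A driver whose version info says
# "Microsoft" but whose signature is missing, invalid, or from another signer
# is worth a closer look, as is the specific file name reported for Duqu.
function Test-DriverSignatures {
    param(
        # Constructed watch list: file names reported in the article.
        [string[]] $WatchNames = @('mcd9x86.sys')
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName }

    foreach ($d in $drivers) {
        # Win32_SystemDriver paths may use NT-style prefixes; normalise them.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $path
        $ver = (Get-Item -LiteralPath $path).VersionInfo

        $claimsMicrosoft   = $ver.CompanyName -match 'Microsoft'
        $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                             ($sig.SignerCertificate.Subject -match 'Microsoft')
        $fileName = [IO.Path]::GetFileName($path)

        $reasons = @()
        if ($sig.Status -ne 'Valid')                    { $reasons += "signature $($sig.Status)" }
        if ($claimsMicrosoft -and -not $signedByMicrosoft) { $reasons += 'claims Microsoft, not Microsoft-signed' }
        if ($WatchNames -contains $fileName)            { $reasons += 'name on watch list' }

        [pscustomobject]@{
            Driver      = $d.Name
            File        = $fileName
            State       = $d.State
            Company     = $ver.CompanyName
            Description = $ver.FileDescription
            Version     = $ver.FileVersion
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SigStatus   = $sig.Status
            Suspicious  = ($reasons.Count -gt 0)
            Reason      = ($reasons -join '; ')
        }
    }
}

# Usage: list only the drivers that tripped a rule.
Test-DriverSignatures | Where-Object Suspicious | Format-Table -AutoSize
```

The script must run in an elevated session to read every driver file, and a non-Microsoft signer on a vendor driver is normal; the signal is a file whose own metadata claims Microsoft while its certificate, or lack of one, says otherwise.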

Unfortunately, Symantec caught only the driver file, not the shell code, installation code, main drivers and configuration file. The fragment verifies that a new version with significant new capabilities is loose in the wild, but doesn't provide any information on the names or locations of the command-and-control servers that give the malware its orders and send it new configuration or installation modules to match conditions the loader finds.

Symantec and Kaspersky researchers were able to find C&C servers for the previous versions of Duqu; they were shut down in October 2011.

Duqu is a new piece of software apparently developed using the same development tools as Stuxnet – a Trojan Horse designed specifically to infect and sabotage sensitive equipment used in nuclear-fuel-refinement facilities in Iran.

While similar in many ways, Duqu's purpose is not sabotage but espionage. The C&C servers that supply its orders can direct Duqu much more precisely at picked targets than is usual for viruses, and alter it to gather different types of information.

The first versions were found last October in corporate systems in Iran and Sudan, though not in organizations linked by a single industry or that are all involved in nuclear development.

Why is Duqu unique?

Duqu differs from most malware in the flexibility of its modular design, which makes it more a malware framework than a simple virus or Trojan.

Photo Credit: PCWorld
