Hackers may have spent years crafting Duqu

Gang customized attack files for each target, says Kaspersky Lab

The hacker group behind Duqu may have been working on its attack code for more than four years, new analysis of the Trojan revealed Friday.

Moscow-based Kaspersky Lab published some findings today from a recent rooting through Duqu samples provided by researchers in the Sudan, saying that one driver included with the attack payload was compiled in August 2007, extending the timeline of the gang's work.

"We can't be 100% sure [of that date], but all the compiled dates of other files seem to match to attacks," said Roel Schouwenberg, a senior researcher with Kaspersky, in an interview today. "So we're leaning towards that date as correct."

Schouwenberg added that the August 2007 driver was most likely created specifically for Duqu by the group responsible for the attacks, and was not an off-the-shelf file built by others, because the driver has not been spotted elsewhere.

Other researchers have found files amongst those used by Duqu that carry build dates of February 2008, but actual attacks have been tracked back only to April 2011.
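The build dates cited above come from the linker timestamp in each file's PE header, which is what lets researchers place a driver in August 2007 or February 2008 without any other evidence. The following is an added example, not code from the article or from Kaspersky, showing how a defender reads that field from a Windows executable and orders a set of samples into a build timeline; the sample headers it parses are constructed here and are not Duqu files.

```python
"""Read the compile timestamp from PE (EXE/DLL/SYS) headers and build a timeline.

Added example for this article; it is not Kaspersky's tooling. It parses
IMAGE_DOS_HEADER.e_lfanew, checks the "PE\0\0" signature, and decodes
IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch, set by the
linker). The PE headers below are constructed test data, not real malware.
"""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
COFF_TIMESTAMP_OFFSET = 8  # PE sig (4) + Machine (2) + NumberOfSections (2)


def is_pe(data: bytes) -> bool:
    """True if the bytes carry an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def pe_compile_timestamp(data: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp as a raw Unix timestamp."""
    if not is_pe(data):
        raise ValueError("not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + COFF_TIMESTAMP_OFFSET)
    return timestamp


def pe_compile_time_utc(data: bytes) -> str:
    """Same value rendered as an ISO 8601 UTC string for reports."""
    ts = pe_compile_timestamp(data)
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def timeline(samples: dict) -> list:
    """Order {name: bytes} oldest build first, as (name, iso_time) pairs.

    Caveat a practitioner applies: the field is attacker-controlled and can be
    zeroed or forged, so one early date is only a lead; it gains weight when,
    as the article notes, the other files' dates line up with known activity.
    """
    pairs = [(name, pe_compile_timestamp(blob)) for name, blob in samples.items()]
    pairs.sort(key=lambda p: p[1])
    return [(n, datetime.fromtimestamp(t, tz=timezone.utc).isoformat()) for n, t in pairs]


def build_minimal_pe(timestamp: int, machine: int = 0x8664) -> bytes:
    """Construct a header-only, non-runnable PE image carrying the given timestamp.

    Constructed sample data for demonstration; it has no sections or code.
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    dos += struct.pack("<I", e_lfanew)          # e_lfanew at offset 0x3C
    dos += b"\0" * (e_lfanew - len(dos))        # pad up to the PE signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0xF0, 0x0022)
    return bytes(dos) + PE_SIGNATURE + coff


if __name__ == "__main__":
    # Constructed corpus: two "drivers" a day apart, plus something that is not a PE.
    corpus = {
        "driver_b.sys": build_minimal_pe(1185926400 + 86400),  # 2007-08-02 UTC
        "driver_a.sys": build_minimal_pe(1185926400),          # 2007-08-01 UTC
    }
    for name, when in timeline(corpus):
        print(f"{when}  {name}")
    print("plain text is PE:", is_pe(b"not a pe file"))
```

On a real case the `bytes` passed in come from reading each sample file, and the timeline is then compared against the dates of observed attacks, which is exactly the cross-check Schouwenberg describes when he says the other files' compile dates "seem to match to attacks".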

That was also the month that the Sudan-provided samples indicated attacks took place against an unnamed target in that country, according to Kaspersky, which reported two separate attempts -- one on April 17, the second on April 21 -- to plant malware on Windows PCs.

The first attack failed because the email message carrying a malicious Word document was blocked by a spam filter; the second was successful.

Microsoft has confirmed that the Duqu campaign exploits a vulnerability in a Windows kernel-mode driver -- specifically "W32k.sys," and its TrueType font parsing engine -- to gain rights on the compromised PC sufficient to install the malware.

Although Microsoft has yet to patch the bug, it has urged customers to disable the font parser to protect themselves.

Kaspersky's other notable discovery was that each of the dozen Duqu attacks it knows of used a custom-created set of files compiled immediately before the malware was aimed at a target.

"The differences are pretty minor, but they are using unique files tailor-made for each operation," said Schouwenberg. "Each and every attack had its own command-and-control [C&C] server, with its location embedded in the files," he explained.

"That hints that they're very business oriented," Schouwenberg said. "They're very professional, very polished."

Although Kaspersky's newest analysis differs in some ways from that conducted by other security firms -- notably Symantec, which was the first to disclose Duqu's existence -- neither Schouwenberg nor a Symantec director saw a conflict.

"Each security firm has different clients, different contacts, and with the limited sharing of samples, we may have just found the earliest [Duqu code]," said Schouwenberg.

Symantec echoed that.

"There are multiple variants of Duqu and the samples Kaspersky have analyzed simply reflect this fact," said Eric Chien, technical director of Symantec's security response group, in an email reply to questions today. "Thus, we have no reason to believe there are conflicts between our analysis and the analysis published by Kaspersky. Their analysis is based on earlier versions, which would account for the earlier date."

Duqu has been characterized by Symantec and others as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that last year sabotaged Iran's nuclear program.

While some have disputed that, Kaspersky is firmly in the Stuxnet-connection camp.

"This new analysis has made us more confident that Duqu was created by the same people behind Stuxnet," said Schouwenberg.

There are certainly differences -- Stuxnet was an attack tool, Duqu seems designed to be part of an intelligence-gathering operation -- but Schouwenberg said there were even more similarities. One such similarity: a through-line from Stuxnet's infection process to Duqu's that, he said, showed the authors of the former learned important lessons that they then applied to the latter.

"They learned from Stuxnet, which was very 'noisy,'" said Schouwenberg, referring to the widespread infections of the worm that many believe was due to over-eager attackers who had been stymied in an earlier attempt to infiltrate Iran's nuclear facilities. Duqu takes a much more cautious approach: it exploits only one unpatched, or "zero-day," Windows vulnerability, not the unprecedented four used by the Stuxnet shotgun.

"Duqu is very sophisticated," said Schouwenberg. "Some mistakes were made in Stuxnet, but all those mistakes are gone now [in Duqu]."

More information about Duqu can be found on the website of U.S.-CERT, the cyber-defense agency that's part of the Department of Homeland Security, and in an updated report from Symantec (both available as PDF downloads).

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.
