Duqu
Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary, which discovered the threat, analyzed the malware and wrote a 60-page report, naming the threat Duqu. Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.
The Duqu term
The Duqu term identifies several different meanings:
- Duqu malware is a variety of software components that together provide services to the attackers. Currently this includes information-stealing capabilities and, in the background, kernel drivers and injection tools.
- Duqu flaw is the flaw in Microsoft Windows that is used in malicious files to execute malware components of Duqu. Currently one flaw is known, a TTF-related problem in win32k.sys.
- Operation Duqu is the process of using Duqu for unknown goals. The operation might be related to Operation Stuxnet.
Relationship to Stuxnet
Symantec, based on the CrySyS report, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix. Symantec believes that Duqu was created by the same authors as Stuxnet, or that the authors had access to the source code of Stuxnet. The worm, like Stuxnet, has a forged digital certificate, and collects information to prepare for future attacks. Mikko Hyppönen, Chief Research Officer for F-Secure, said that Duqu's kernel driver, JMINET7.SYS, was so similar to Stuxnet's MRXCLS.SYS that F-Secure's back-end system thought it was Stuxnet. Hyppönen further said that Duqu's own digital certificate was stolen from C-Media, located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011 according to Symantec.
Another source, Dell SecureWorks, reports that Duqu may not be related to Stuxnet.
Experts compared the similarities and found three factors most intriguing:
1. The installer exploits zero-day Windows kernel vulnerability(ies).
2. Components are signed with stolen certificates.
3. Duqu is highly targeted in a way that suggests advanced intelligence.
Microsoft Word zero-day exploit
Like Stuxnet, Duqu attacks Windows systems using a zero-day vulnerability. The first-known installer (AKA dropper) file recovered and disclosed by CrySyS Lab uses a Microsoft Word document (.doc) that exploits the Win32k TrueType font parsing engine and allows execution. The Duqu dropper relates to font embedding, and thus relates to the workaround to restrict access to T2EMBED.DLL, which is a TrueType font parsing engine.
"Microsoft is collaborating with our partners to provide protection for a vulnerability used in targeted attempts to infect computers with the Duqu malware. We are working diligently to address this issue and will release a security update for customers through our security bulletin process", Jerry Bryant, group manager of response communications in Microsoft's Trustworthy Computing group said in a statement on 3 November 2011. However, Microsoft did not include a patch for the vulnerability in the batch of patches issued on 8 November 2011.
Purpose
Duqu uses the peer-to-peer SMB protocol to move in secure networks from less secure areas to the secure zone. According to McAfee, one of Duqu's actions is to steal digital certificates from attacked computers to help future viruses appear as secure software. Duqu uses a 54×54 pixel JPEG file (364.5 bytes) and encrypted dummy files as containers to smuggle data to its command and control center. Security experts are still analyzing code to determine what information the communications contain. Initial research indicates that the virus automatically removes itself after 36 days, which would limit its detection.
Key points are:
- Executables developed after Stuxnet using the Stuxnet source code have been discovered.
- The executables are designed to capture information such as keystrokes and system information.
- Current analysis shows no code related to industrial control systems, exploits, or self-replication.
- The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
- The exfiltrated data may be used to enable a future Stuxnet-like attack.
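One defensive check the JPEG-container detail above suggests, as an added example that is not code from the page or from any published Duqu analysis: walk a JPEG's marker segments and flag a small image that carries bytes after its End-Of-Image marker. The JPEG bytes below are constructed by hand and the 64-pixel "small image" threshold is an assumption.

```python
import struct

EOI, SOS = 0xD9, 0xDA
SOF_MARKERS = (0xC0, 0xC1, 0xC2)  # baseline, extended and progressive frame headers

def inspect_jpeg(data: bytes) -> dict:
    """Walk the marker segments; report frame size, EOI offset and bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos, width, height = 2, None, None
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return {"width": width, "height": height,
                    "eoi_offset": pos + 2, "trailing_bytes": len(data) - (pos + 2)}
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        if marker in SOF_MARKERS:
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows; skip to the next real marker,
            # ignoring FF00 byte stuffing and FFD0-FFD7 restart markers.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def is_suspicious_cover(data: bytes, max_px: int = 64) -> bool:
    """True for a tiny image (assumed threshold) with data appended after EOI."""
    info = inspect_jpeg(data)
    small = info["width"] is not None and max(info["width"], info["height"]) <= max_px
    return small and info["trailing_bytes"] > 0

# Constructed minimal JPEG skeleton (not a real Duqu artefact): SOI, SOF0 declaring
# a 54x54 single-component frame, SOS with a few entropy bytes, then EOI.
_SOF0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, 54, 54, 1) + b"\x01\x11\x00"
_SOS = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00" + b"\x12\x34\x56"
CLEAN_JPEG = b"\xff\xd8" + _SOF0 + _SOS + b"\xff\xd9"
STUFFED_JPEG = CLEAN_JPEG + b"payload-appended-after-EOI-marker"  # 33 constructed bytes
```

Real-world covers are larger and may legitimately carry trailing bytes (padding, metadata), so the trailing-bytes count is a triage signal to combine with size and destination, not a verdict on its own.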
Command and control servers
Some of the command and control servers of Duqu have been analysed. It seems that the people running the attack had a predilection for CentOS 5.x servers, leading some researchers to believe that they had a zero-day exploit for it. On the other hand, SSH logs retrieved from compromised servers show multiple failed login attempts, suggesting that the root password had been guessed by brute-force attack. Servers are scattered in many different countries, including Germany, Belgium and China.

See also
- Stars virus
- Cyber electronic warfare
- Cyber security standards
- Cyberwarfare in the United States
- List of cyber attack threat trends
- Operation Merlin
- Proactive Cyber Defence
- United States Cyber Command
- Moonlight Maze
- Titan Rain
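A detection a server operator could run for the pattern the command and control servers section describes (a burst of failed root logins followed by a success from the same source), as an added example that is not from the page or from any vendor's tooling. The log lines are constructed in OpenSSH's syslog format using RFC 5737 documentation addresses, and the threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Matches the "Failed password" / "Accepted password" lines sshd writes via syslog.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def find_guessed_logins(lines, min_failures=3):
    """Return (ip, user, failures) for each password success that followed
    at least min_failures failed password attempts from the same ip/user."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # key-based logins, disconnects, etc. are not scored
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= min_failures:
            hits.append((m["ip"], m["user"], failures[key]))
            failures[key] = 0  # a later session is judged on its own run of failures
    return hits

# Constructed sample auth log (CentOS-style); addresses are RFC 5737 documentation
# ranges, not real indicators.
SAMPLE_LOG = """\
Oct 17 03:11:02 host sshd[2310]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 17 03:11:05 host sshd[2310]: Failed password for root from 203.0.113.7 port 40122 ssh2
Oct 17 03:11:09 host sshd[2312]: Failed password for root from 203.0.113.7 port 40125 ssh2
Oct 17 03:11:12 host sshd[2312]: Failed password for root from 203.0.113.7 port 40125 ssh2
Oct 17 03:11:20 host sshd[2315]: Accepted password for root from 203.0.113.7 port 40130 ssh2
Oct 17 08:02:44 host sshd[2500]: Accepted publickey for admin from 198.51.100.4 port 51000 ssh2
Oct 17 09:15:01 host sshd[2610]: Failed password for invalid user oracle from 198.51.100.9 port 33001 ssh2
""".splitlines()
```

The mitigation the same finding points to is to disable password authentication for root (PermitRootLogin and PasswordAuthentication in sshd_config), so the pattern cannot occur at all.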