The Mystery of the DuQu Virus

19 11 2011

By now we have all become familiar with Stuxnet, since it has effectively set the stage for the future of cyber attacks. The virus revealed to the world the importance of information security when, in 2010, it methodically infiltrated the controls of industrial facilities, as well as thousands of other computers. One thing we have noticed is that the worm seemed to be created with the intention of impairing a specific target, so normal computer users, like you and me, don’t have to worry. Analysis of the program code suggests there is a kill date, which means the virus will stop spreading by June 24, 2012.[1] Since the discovery of the worm back in 2010, theories have surfaced that the sophisticated code of Stuxnet could be used against others. And now it appears that those concerns have become a reality.

In mid-October this year, the Symantec Corporation announced that it had uncovered instances of malicious code infiltrating Windows-based operating systems. The true origin is unknown, but Symantec said it had been alerted to the existence of a new Trojan circulating in Europe. The lab responsible for first identifying the virus was Hungary’s Laboratory of Cryptography and System Security (CrySyS). Each organization published a report stating that certain elements of the new virus’s code closely resembled the Stuxnet code. If further investigation confirms what many have already concluded, hackers are now using Stuxnet-like code to promote their own agenda.[2]

This new worm is now being referred to as the “Duqu” virus, a reference to its trademark of creating files with the “~DQ” prefix. Microsoft has admitted that the sophisticated attack exploits vulnerabilities in Windows and, mainly, Microsoft Word. Specifically, the worm exploits a zero-day flaw in Microsoft Office’s TrueType font parsing engine, news which has called into question Microsoft’s ability to perform appropriate risk management for its products. It has been reported that an estimated nine organizations have officially been compromised. Some of those firms were located in France, the Netherlands, Switzerland, Ukraine, and India. Similar reports indicate Duqu has been able to spread to the United Kingdom, Austria, Hungary, and Indonesia.[3] Many more corporate entities may have been affected as well but have chosen to keep knowledge of the intrusions from the public.

Where observed in the field as an active attack, Duqu was initially sent in an e-mail: “if a recipient opened the (attached) Word document and infected the PC, the attacker could take control of the machine and reach into an organization’s network to propagate itself and hunt for data,”[4] according to Kevin Haley, Director of Symantec’s Security Response division. There has, however, been some debate over whether Duqu has actually propagated successfully or merely has the potential to do so in the future. Duqu is considered a blended threat, since it acts as both a worm and a Trojan horse. Like Stuxnet, the virus fools the infected PC with a counterfeit digital certificate, and it collects information, such as keystrokes and system data, in preparation for possible future attacks. It is important to note, however, that Duqu does not contain targeted programmable-logic code. Another characteristic of the virus is that it has a lifecycle of 36 days, after which it removes itself to avoid detection.
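As an added example (not code from the original post or from any of the cited reports), the following host-triage helper flags the two observable indicators described above: dropped files whose names start with “~DQ”, and documents that embed TrueType font data, the carrier described for the font-parsing flaw. The TrueType header check is an assumed generic heuristic rather than a Duqu signature, and every sample file is constructed in the block.

```python
import re
import struct

# "~DQ" is the dropped-file prefix the post describes; the TrueType header
# check is an assumed generic heuristic, not a published Duqu signature.
DQ_PREFIX = re.compile(r"^~DQ", re.IGNORECASE)
TTF_SCALERS = (b"\x00\x01\x00\x00", b"true")  # TrueType offset-table tags

def is_truetype_header(chunk):
    """Validate the 12-byte TrueType offset table, not just its 4-byte tag:
    searchRange, entrySelector and rangeShift all derive from numTables."""
    if len(chunk) < 12 or chunk[:4] not in TTF_SCALERS:
        return False
    n, search_range, entry_selector, range_shift = struct.unpack(">HHHH", chunk[4:12])
    p = 1 << max(n.bit_length() - 1, 0)  # largest power of two <= numTables
    return (1 <= n <= 64 and search_range == p * 16
            and entry_selector == p.bit_length() - 1
            and range_shift == n * 16 - search_range)

def embedded_font_offsets(data):
    # Offsets of every self-consistent TrueType header found inside the bytes.
    hits = []
    for tag in TTF_SCALERS:
        i = data.find(tag)
        while i != -1:
            if is_truetype_header(data[i:i + 12]):
                hits.append(i)
            i = data.find(tag, i + 1)
    return sorted(hits)

def triage(samples):
    # Map each file name to the indicators it triggers; clean files are omitted.
    findings = {}
    for name, data in samples.items():
        hits = ["~DQ file-name prefix"] if DQ_PREFIX.match(name.rsplit("/", 1)[-1]) else []
        offsets = embedded_font_offsets(data)
        if offsets:
            hits.append("embedded TrueType font at offset(s) %s" % offsets)
        if hits:
            findings[name] = hits
    return findings

# Constructed sample inputs (not real Duqu artefacts).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc container magic
GOOD_FONT = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 12, 128, 3, 64)
BAD_FONT = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 12, 999, 3, 64)
SAMPLES = {
    "invoice.doc": OLE_MAGIC + b"\x00" * 40 + GOOD_FONT + b"\x00" * 40,
    "~DQ7f3a.tmp": b"\x00" * 16,
    "notes.doc": OLE_MAGIC + BAD_FONT,  # tag present, fields inconsistent
}
```

Running triage(SAMPLES) flags invoice.doc and ~DQ7f3a.tmp only; notes.doc carries the 4-byte tag but fails the field-consistency check, which is what keeps the heuristic from firing on random document bytes.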

Does this Trojan horse affect individual users as well as high-profile corporations? Currently, the answer fortunately appears to be no, though there are an increasing number of harmful viruses that can operate undetected by average consumer security software.[5] In the case of the Duqu virus, so far the infection has targeted at most a few dozen devices, nowhere near the impact of the Stuxnet virus.[6] However, the observed capability of the Duqu virus opens the door to a new generation of viral attacks that could be used in many different contexts, against large corporations and banks or against individual users.

The potential threat is real and is being taken very seriously by government authorities, such as the US Department of Homeland Security, who are aggressively analyzing the virus to identify its source and objective. Currently there is a debate among information security researchers attempting to understand where the Duqu virus originated. Symantec has said it believes the Duqu program came from the same entity that launched Stuxnet, indirectly accusing the US.[7] Other security specialists disagree with the assertion that the US was involved, noting that the virus appears to be targeting allies of the US. Those who do not believe it was the US assume that whoever designed the Duqu code borrowed from the architecture of Stuxnet. Amid the uncertainty and difference of opinion, most analytical sources hint that the complexity of the virus suggests a government is likely assisting the hackers. Of course, more evidence must be collected before this can be confirmed.

Certain media outlets have described the Duqu virus as the “son” of the Stuxnet worm, which should be viewed as an indication that we are observing the early stages of hackers researching and developing high-tech cyber weapons that would target the control systems of critical infrastructure and/or steal sensitive and private information. This also means it will be increasingly difficult to identify and defend against these attacks. Most recently, authorities have traced the Duqu virus to a command and control server hosted by a Belgian web hosting company, the Combell Group.[8] It is doubtful that Belgium or Combell was responsible, mainly because it is not uncommon for hackers to lease servers for malicious purposes, often leaving the data center operator completely unaware of the activity, which is what happened in this particular instance.

The overall impact of Duqu on the information security sector is still not entirely evident, despite a few analytical reports having already been published. As malware, it could be that the actual purpose of the virus is simply to collect financial data illegally rather than to incite international cyber warfare.[9] Only time and further analysis will reveal the truth. But until then, governments, corporations, and the public at large should learn from this incident so that when, or if, a cyber superpower does attempt to target and infiltrate our systems, there are protective measures in place.


[1] Elinor Mills, “Stuxnet: Fact vs Theory,” CNET, http://news.cnet.com/8301-27080_3-20018530-245.html.

[3] Jason Mick, “Customers Are at High Risk after a Gaping Hole Was Found in MSO’s Security,” Daily Tech, November 2, 2011, http://www.dailytech.com/Nasty+Duqu+Worm+Exploits+Same+Microsoft+Office+Bug+as+Stuxnet/article23174.htm.

[4] Jim Finkle, “Microsoft Software Bug Linked to ‘Duqu’ Virus,” Reuters, November 01, 2011, http://www.reuters.com/article/2011/11/01/microsoft-cyberattack-idUSN1E7A01H620111101.

[5] Joseph Menn, “Threats Pile up in a Cyberwar That Never Ends,” The Globe and Mail, June 2, 2010, http://www.theglobeandmail.com/report-on-business/international-news/global-exchange/threats-pile-up-in-a-cyberwar-that-never-ends/article2044163/.

[6] Jim Finkle, “Duqu computer hackers shift to Belgium after India raid,” Reuters, October 28, 2011, http://www.reuters.com/article/2011/10/28/cybersecurity-india-idUSN1E79R1G020111028.

[7] Symantec Corp., “W32.Duqu: The Precursor to the Next Stuxnet,” October/November 2011.

[8] Jim Finkle, “Duqu computer hackers shift to Belgium after India raid,” Reuters, November 01, 2011, http://www.reuters.com/article/2011/11/03/cyberattack-belgium-idUSN1E7A10Q320111103.

[9] Lysa Myers, “The Security Industry That Cried Wolf,” SC Magazine US, November 4, 2011, http://www.scmagazineus.com/the-security-industry-that-cried-wolf/article/216088/?utm_source=dlvr.it.
