DUQU::Son of Stuxnet

4 12 2011

Duqu, a remote access trojan, was designed to steal critical data from infected PCs. The first signs of this trojan were detected and recorded by the Laboratory of Cryptography and Systems Security at Budapest University. A Kaspersky spokesperson said, "It is used for targeted attacks with carefully selected victims." [2] Considering that there are hundreds of other remote access trojans (RATs) in the wild, what makes Duqu special is that it is believed to have been created by the same group of people who made Stuxnet. Also called a 'precursor to the next Stuxnet', it could prove to be quite a menace to industrial control systems. [1]

Duqu and Stuxnet have a lot in common, including code and functions shared by both. Since Stuxnet's source code was never publicly available, the creator of both is believed to be the same. Both also install a driver signed with a stolen, or sometimes even forged, digital certificate issued by the same Taiwanese company, JMicron. [1]

Duqu's primary target is not yet entirely clear, because little documentation is available at this early stage. We do know that it affects industrial systems, just not in the same way as Stuxnet. Duqu appears to be more of an 'intelligence gathering agent' than a tool for causing actual damage to systems, as Stuxnet did. Symantec and other security companies believe that the data stolen by Duqu will eventually be used to craft another Stuxnet. [1]

Different companies hold different opinions on the seriousness of the threat posed by Duqu. Symantec and Kaspersky consider it a highly sophisticated piece of software made only for stealing information that will later be used to exploit industrial control systems [1]. This belief is also fuelled by news that computers in Iran are affected by Duqu [4]. Many people also believe that the threat is highly overstated.

Duqu's modus operandi is not fully understood. In one particular case, it took advantage of a kernel-level zero-day vulnerability in the Microsoft Win32k TrueType font parsing engine to install the malware. The malware was delivered to the target as an infected email attachment. Once installed, the infected PC can connect to and share information with a command and control (C&C) server. The C&C server can instruct the PC to download other malware or to spread it to other computers on the same network [1]. Each Duqu infection differs from the others: each produces files with different names and checksums [2]. Stolen data is sent to the C&C servers in encrypted form as JPG files. Another feature of Duqu is that it is programmed to delete itself from an infected computer after 36 days [1].
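A defender-side check prompted by the point about stolen data leaving as JPG files, added here as an example and not part of the original post: a heuristic that inspects a file claiming to be a JPEG for a missing image signature, a missing end-of-image marker, or a high-entropy block appended after the last end-of-image marker. The SOI/EOI marker bytes are real JPEG structure; the entropy threshold, the minimum trailer size and the sample files are constructed assumptions, not Duqu's actual format.

```python
import math
import random
from collections import Counter

JPEG_SOI = b"\xff\xd8\xff"  # every JPEG starts with the Start Of Image marker
JPEG_EOI = b"\xff\xd9"      # a well-formed JPEG ends at the End Of Image marker


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_jpeg(blob: bytes, threshold: float = 7.0, min_trailer: int = 64) -> dict:
    """Heuristic findings for a blob that claims to be a JPEG (assumed thresholds).

    no_soi / no_eoi: the JPEG signature or End Of Image marker is missing;
    trailer_*: data appended after the last EOI marker, and whether it looks random.
    """
    findings = {"no_soi": not blob.startswith(JPEG_SOI), "no_eoi": False,
                "trailer_bytes": 0, "trailer_entropy": 0.0,
                "trailer_high_entropy": False}
    # rfind: EXIF thumbnails embed their own EOI, so only the last one matters
    eoi = blob.rfind(JPEG_EOI)
    if eoi == -1:
        findings["no_eoi"] = True
        return findings
    trailer = blob[eoi + len(JPEG_EOI):]
    findings["trailer_bytes"] = len(trailer)
    findings["trailer_entropy"] = round(shannon_entropy(trailer), 2)
    findings["trailer_high_entropy"] = (len(trailer) >= min_trailer
                                        and findings["trailer_entropy"] >= threshold)
    return findings


def is_suspicious(blob: bytes) -> bool:
    f = inspect_jpeg(blob)
    return f["no_soi"] or f["no_eoi"] or f["trailer_high_entropy"]


# Constructed samples: a minimal JPEG-shaped stub, and the same stub with seeded
# pseudo-random bytes appended after EOI, standing in for an encrypted payload
# (0xff is mapped to 0xfe so the sample cannot contain a stray EOI marker).
CLEAN_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + JPEG_EOI
_rng = random.Random(2011)
EXFIL_JPEG = CLEAN_JPEG + bytes(min(_rng.getrandbits(8), 0xfe) for _ in range(1024))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("exfil", EXFIL_JPEG)):
        print(name, is_suspicious(blob), inspect_jpeg(blob))
```

A real scanner would walk the JPEG segment table rather than rely on the last EOI, and would treat this as one signal to correlate with the destination host and transfer frequency rather than a verdict on its own.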

Another major argument surfacing regarding Duqu is that it is not similar to Stuxnet at all. Dell strongly suggests that this might be true. According to them, there is not enough convincing evidence to claim that Stuxnet and Duqu are allied. Compromised digital certificates can be obtained from a number of sources and cannot be considered proof. Although the injection components used are similar, the ultimate payloads in the two cases differ. Bitdefender's Bogdan Botezatu agrees that the rootkit driver used in both cases is similar, but says that in no way proves the same source code was used in both. He also reasons that, because Stuxnet's rootkit code has been reverse engineered, this could account for the similarities between the two rootkits. Reusing the same code, according to Mr. Botezatu, would not be a very smart proposition. [3]

Whether or not it is similar to Stuxnet, Duqu looks threatening enough to warrant more awareness of its far-reaching consequences.


[1] Jaikumar Vijayan. "FAQ: What's the big deal about Duqu?" 15 November 2011. http://www.computerworld.com/s/article/9221817/FAQ_What_s_the_big_deal_about_Duqu_/

[2] Lucian Constantin. "Duqu incidents detected in Iran and Sudan" 26 October 2011. http://www.networkworld.com/news/2011/102611-duqu-incidents-detected-in-iran-252435.html/

[3] Jon Brodkin. "Spotted in Iran, trojan Duqu may not be 'son of Stuxnet' after all" 26 October 2011. http://arstechnica.com/business/news/2011/10/spotted-in-iran-trojan-duqu-may-not-be-son-of-stuxnet-after-all.ars/

[4] John Leyden. "Iran wrestles Duqu malware infestation" 14 November 2011. http://www.theregister.co.uk/2011/11/14/duqu_malware_infestation/
