DUQU::Son of Stuxnet

4 12 2011

Duqu, a remote access trojan, was designed to steal critical data from infected PCs. The first signs of this trojan were detected and recorded by the Laboratory of Cryptography and Systems Security at Budapest University. A Kaspersky spokesperson said, "It is used for targeted attacks with carefully selected victims." [2] Considering that there are hundreds of other remote access trojans (RATs) in the market, what makes Duqu special is that it is believed to have been created by the same group of people who made Stuxnet. Also called the 'precursor to the next Stuxnet', it could prove to be quite a menace for industrial control systems. [1]

Duqu and Stuxnet have a lot in common, including some shared code and functions. Since Stuxnet's code was never publicly available, the creator of both is believed to be the same. Both also install a driver carrying a stolen, or in some cases forged, digital certificate issued to the same Taiwanese company, JMicron. [1]

Duqu's primary target is not yet entirely clear, because little documentation is available at this early stage. We do know that it affects industrial systems, just not in the same way as Stuxnet. Duqu appears to be more of an 'intelligence gathering agent' than a tool for causing actual damage to systems, as Stuxnet did. Symantec and other security companies believe that the data stolen by Duqu will eventually be used to craft another Stuxnet. [1]

Different companies have different opinions on the seriousness of the threat posed by Duqu. Symantec and Kaspersky consider it a highly sophisticated piece of software made only for stealing information that will later be used to exploit industrial control systems [1]. This belief is also fuelled by news that computers in Iran have been affected by Duqu [4]. Many people, however, believe the threat is highly overstated.

Duqu's modus operandi is not exactly understood. In one particular case, it took advantage of a kernel-level zero-day vulnerability in the Microsoft Win32k TrueType font parsing engine to install the malware. The malware was sent to the target as an infected email attachment. Once installed, the infected PC can connect to and share information with a command and control (C&C) server. This C&C server can instruct the PC to download other malware or spread it to other computers on the same network [1]. Each Duqu infection differs from the others: each produces files with different names and checksums [2]. Stolen data is sent out in encrypted form to the C&C servers as JPG files. Another feature of Duqu is that it is programmed to delete itself from an infected computer after 36 days [1].

Another major argument surfacing regarding Duqu is that it is not similar to Stuxnet. Dell very strongly suggests that this might be true. According to them there is not enough convincing evidence to claim that Stuxnet and Duqu are allied. Compromised digital certificates can be obtained from a number of sources and cannot exactly be considered proof. Although the injection components are similar, the ultimate payloads in the two cases differ. BitDefender's Bogdan Botezatu agrees that the rootkit driver used in both cases is similar, but that in no way means the same source code was used in both. He also reasons that, since Stuxnet's rootkit code has been reverse engineered, this could explain the similarities between the two rootkits. Reusing the same code, according to Mr. Botezatu, would not be a very smart proposition. [3]

Whether or not it is similar to Stuxnet, Duqu looks threatening enough to warrant more awareness of its far-reaching consequences.


[1] Jaikumar Vijayan, "FAQ: What's the big deal about Duqu?", 15 November 2011, http://www.computerworld.com/s/article/9221817/FAQ_What_s_the_big_deal_about_Duqu_/

[2] Lucian Constantin, "Duqu incidents detected in Iran and Sudan", 26 October 2011, http://www.networkworld.com/news/2011/102611-duqu-incidents-detected-in-iran-252435.html/

[3] Jon Brodkin, "Spotted in Iran, trojan Duqu may not be 'son of Stuxnet' after all", 26 October 2011, http://arstechnica.com/business/news/2011/10/spotted-in-iran-trojan-duqu-may-not-be-son-of-stuxnet-after-all.ars/

[4] John Leyden, "Iran wrestles Duqu malware infestation", 14 November 2011, http://www.theregister.co.uk/2011/11/14/duqu_malware_infestation/


Is Duqu Looking to Build Off of Stuxnet’s Success?

21 11 2011

In October of 2011, a laboratory notified the Symantec Corporation of a piece of malware that had some similarities to the Stuxnet worm that gained worldwide attention in 2010. Given the massive attention and allegations that the Stuxnet worm was a state funded operation, Symantec and other security experts began launching a full investigation into this new piece of malware. The malware was eventually given the name Duqu as a result of the software creating files with the prefix “~DQ” on an infected machine.

Before we delve into the details uncovered about the Duqu Trojan, let's take some time to refresh our memories on what Stuxnet was and how it operates. Stuxnet is a computer worm that was designed to infect Siemens industrial software to disrupt the centrifuges used to enrich uranium. Stuxnet would rapidly increase and decrease the speed of the nuclear centrifuges in order to cause mechanical failures in the industrial equipment. While Stuxnet was doing its work on the centrifuges it would also send false information back to the monitoring systems, so the human operators would have no idea that their equipment was about to fail. It should be noted that while there is no way to be 100% sure, it is widely accepted that Stuxnet was targeting nuclear centrifuges in Iran. The beauty of the Stuxnet worm was that while it infected Microsoft Windows computers it was not designed to negatively impact the client. Unless it was determined that the host was using a piece of Siemens equipment used in nuclear plants, Stuxnet remained relatively dormant. Furthermore (and even more staggering), Stuxnet's target was a closed system. The worm couldn't simply reach its target via a network connection. So it was sent out into the wild to infect as many Windows machines as possible, in the hope that it would land on a specific laptop that would occasionally be connected to a Siemens PLC, from where it could start working on the centrifuges.

Stuxnet used Adobe PDF files and removable media such as flash drives to infect clients, and once on a system it used peer-to-peer connections to propagate itself across a network. Stuxnet was able to exploit four different zero-day flaws in Windows to inject a driver into the operating system kernel. This technique is typical of rootkits: it lets the malicious software operate outside the realm of typical malware, enabling the rootkit to hide itself or resist removal by anti-virus software. A rather brilliant aspect of Stuxnet was its use of digital signatures. The Stuxnet software, in particular the kernel driver, was signed with a software signing certificate, which gave the software a degree of inherited credibility because of the trust chain behind signed code.

You may be thinking "Ok... well, why was Stuxnet so popular? The targets were such a small subset of the global computer world." That is exactly why it was such a hot topic in IT security circles. Stuxnet was the Wayne Gretzky of malware: it changed the way the game was played. Stuxnet was the first piece of malware to specifically target an industrial asset, and it therefore single-handedly changed the entire threat landscape for security professionals. Now your security stance needs to address industrial control systems as well as your computer systems. Another daunting thought is that the Stuxnet infection was so large that it could have done devastating damage to clients had they been the desired target.

Enter Duqu.

Duqu is a combination of malicious files that ultimately work together to exploit a specific target. Duqu, like Stuxnet, exploits a zero-day flaw in Microsoft Windows to inject a digitally signed kernel driver into the operating system. The malicious driver then launches a series of DLLs, which in turn load a Remote Access Trojan (RAT) onto the infected client. A remote access trojan is malicious software that allows the operator of Duqu to gather information about the client remotely. In addition to the trojan, Duqu also implements a key logger on the infected machine, which records the keystrokes entered on the client and then ships those logs off to the threat actor. Unlike Stuxnet, the actual infection method of Duqu is unknown, as the initial installer (or dropper) is removed from the client once it is infected. Also unlike Stuxnet, Duqu does not appear to be targeting industrial systems like PLCs. Instead, the end goal is to give the attacker remote access to a client machine in order to gain information. From that brief summary you can gather that, at face value, there appear to be some links between Duqu and Stuxnet. Both pieces of malware use a zero-day exploit to inject kernel drivers into the operating system as a rootkit, to hide files and possibly for persistence. Both also used digitally signed code.
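Two of the observable traces mentioned across these two posts are files created with the "~DQ" name prefix and stolen data leaving the host in encrypted form as JPG files. The triage helper below, an added example that is not code from either post or from any vendor report, walks a directory and flags both: a filename check for the prefix, and a JPEG marker walk that measures how much data sits after the image's end-of-image marker. That Duqu appended its payload after a real JPEG is an assumption made for this example (the posts only say the data travelled as JPG files), as is the 64-byte tail threshold; the sample JPEG bytes are constructed inline so the script runs offline.

```python
"""Host-triage checks for two Duqu indicators named on this page (added
example, not code from the posts or from any vendor report)."""
import os

SOI, EOI = 0xD8, 0xD9


def jpeg_end_offset(data: bytes):
    """Walk JPEG marker segments and return the offset just past the EOI
    marker, or None if the bytes are not a well-formed baseline JPEG."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None                      # a marker was expected here
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte preceding a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                         # standalone markers: TEM, RSTn, SOI
            continue
        if pos + 4 > n:
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                   # SOS: skip entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break                    # a real marker (EOI or another SOS)
                pos += 1
    return None


def jpeg_trailing_bytes(data: bytes) -> int:
    """Bytes that follow the JPEG end marker; -1 when the data is not a JPEG."""
    end = jpeg_end_offset(data)
    return -1 if end is None else len(data) - end


# Real photos often carry a few bytes of padding or editor junk after EOI;
# only a sizeable tail is worth an analyst's time. Threshold is an assumption.
TAIL_THRESHOLD = 64


def classify(name: str, data: bytes) -> list:
    """Return the indicator names that a (filename, contents) pair trips."""
    hits = []
    if os.path.basename(name).startswith("~DQ"):
        hits.append("duqu-name-prefix")
    if jpeg_trailing_bytes(data) >= TAIL_THRESHOLD:
        hits.append("jpeg-appended-data")
    return hits


def scan_tree(root: str) -> list:
    """Walk a directory and return [(path, [indicators])] for files that trip one."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                     # unreadable file: skip, keep going
            hits = classify(path, data)
            if hits:
                findings.append((path, hits))
    return findings


# Constructed samples: a minimal JPEG skeleton (APP0 + SOS header + a few
# entropy bytes with one stuffed FF 00) and the same bytes with a fake blob
# appended after EOI, standing in for an encrypted payload.
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56"
SAMPLE_CLEAN = b"\xff\xd8" + _APP0 + _SOS + b"\xff\xd9"
SAMPLE_APPENDED = SAMPLE_CLEAN + b"X" * 200

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, ", ".join(hits))
```

The marker walk matters more than a simple search for the last FF D9: embedded thumbnails contain their own end marker, and an appended blob may contain FF D9 by chance, so only following the segment lengths and the entropy-coded data gives a trustworthy end offset. Progressive JPEGs with several SOS segments are handled because the scan breaks out at any real marker and the outer loop then parses it.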

Here is a great table from Dell comparing some of the major aspects of Stuxnet and Duqu.

Credit: Dell Secure Works “Duqu Trojan Questions and Answers”

However, as I mentioned earlier, when Duqu was first reported many security professionals were quick to label it the "Son of Stuxnet". There was additional speculation that Duqu was written and launched by the creators of Stuxnet, or that it was the next evolution of the Stuxnet infection. Recently, however, there has been a shift in these speculations: the similarities, while present, don't necessarily provide enough evidence to say without a doubt that the two come from the same actors. Dell Secure Works has stated that "One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level" (http://www.secureworks.com/research/threats/duqu/). I should also mention that the Symantec Corporation has done extensive research into the Duqu Trojan, and they have stood by their initial assessment that Duqu is strongly related to Stuxnet and is likely the work of the same attackers.

In my opinion, I am more likely to side with Dell's conclusion. I feel that Stuxnet was so widely researched, and so much knowledge is available on the internet about the fundamental operations of Stuxnet, that it is within reason to think someone could have used some portions of Stuxnet to create Duqu without being involved in the Stuxnet operation. After all, Stuxnet has been completely reverse engineered and the source code is available for download. Whether or not it is related, Duqu appears to be a very specific attack, and if you are in the cross hairs, you should be paying attention.


Dell Secure Works Duqu Trojan Questions and Answers

What is Duqu Up to

Cyber Warfare: A different way to attack Iran’s reactors

Same authors created malware that infected nuclear facilities?

Spotted in Iran, Duqu may not be “son of Stuxnet” after all


Stuxnet Dossier