Analysis: The not-so-lost son of Stuxnet

Powered by SC Magazine
 

What Duqu means for the infosec scene.

When the Duqu trojan was discovered late last year, it was said to be a modified version of the well-publicised Stuxnet worm used to attack Iran's nuclear program.

Analysis by Budapest University of Technology and Economics in Hungary gave rise to the possibility that Duqu may have been developed either by the Stuxnet authors or by developers who had access to the source code.

But before we draw on the similarities or argue the differences between and Duqu and Stuxnet, it's important to first understand what's behind each of the malware programs and explore how they're infecting computers.

Stuxnet was designed to target certain industrial control systems developed by Siemens. The type of control systems that were targeted generated speculation that US and Israeli intelligence services worked together in an attempt to attack Iran's nuclear program.

Stuxnet's modular structure, exploitation of zero-day vulnerabilities, driver containing a valid digital certificate and injection mechanisms set it apart from “garden-variety” malware -- if there is such a thing.

Duqu seems to continue in the same vein, blending a wide variety of features such as anti-virus recognition, key logging, DLL injection, RPC communication and kernel rootkit technology.

Intent is everything

Stuxnet and Duqu's use of valid digital signatures is significant. Code signing is used to provide assurances as to the identity and integrity of the software's publisher in order to establish a high level of trust toward the software.

Duqu's driver, cm14432.sys, is signed by Taiwanese company C-Media Electronic, which suggests the company's private key has been compromised. Coupled with anti-virus recognition and rootkit technology, code signing significantly helps reduce the likelihood of being discovered.

However, despite sharing similarities in terms of code, structure and other technical elements, Stuxnet and Duqu have different objectives.

Rather than being used for potentially destructive purposes, Duqu is employed as a remote access trojan (RAT) to allow attackers to gain entry to compromised systems as a means of siphoning off sensitive information and gathering intelligence, potentially for use in future attacks.

To infiltrate systems, Duqu exploits a vulnerability in T2EMBED.DLL, the Win32k TrueType font parsing engine.

In this case, an exploit is launched via specially crafted font data within a Word document, allowing for the escalation of privilege and enabling the attacker to execute arbitrary code in kernel mode. Microsoft patched the vulnerability in December.

When installed, Duqu disguises itself as a device driver that loads when the system boots, upon which further components are injected into running programs. Once established on the target system, Duqu communicates with a command-and-control (C&C) server, allowing further information-harvesting programs to be installed.

Harvested information, such as stolen digital certificates, is recorded in encrypted logs for the attackers to smuggle out, back to the C&C server.

To propagate around the target network, Duqu makes attempts to take advantage of the P2P SMB protocol to move from system to system via local shares. In a twist, Duqu will run on the infected system for 36 days before deleting itself, in an effort to remain under the radar.

Protecting against Duqu

The malware was unearthed by CrySyS (Laboratory of Cryptography and Systems Security at Budapest University of Technology and Economics) which, in an effort to mitigate the threat, released the CrySyS Duqu Detector Toolkit that detects suspicious files which are likely to denote the presence of Duqu.

Duqu is a low-prevalence, highly targeted threat against specific organizations, and it is unlikely that home users will find themselves victim to this malware.

Instead, its discovery is likely to be of particular concern to corporations and other organizations that seek to protect themselves against sensitive and valuable data leaks.

However, while Duqu is still relatively new and details on the program continue to emerge daily, the fact is that it represents a significantly evolved threat that leverages myriad techniques to infect computers. The notion that Duqu evolved from the Stuxnet worm certainly gives it credibility and indicates a level of sophistication.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Analysis: The not-so-lost son of Stuxnet
 
 
 
Top Stories
Westpac committed to core banking plan
[Blog post] Now with leadership.
 
The True Cost of BYOD - 2014 survey
Twelve months on from our first study, is BYOD a better proposition?
 
Photos: Unboxing the Magnus supercomputer
Pawsey's biggest beast slots into place.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  29%
 
Application integration concerns
  3%
 
Security and compliance concerns
  27%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  4%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 1156

Vote