Analysis: The not-so-lost son of Stuxnet

What Duqu means for the infosec scene.

When the Duqu trojan was discovered late last year, it was said to be a modified version of the well-publicised Stuxnet worm used to attack Iran's nuclear program.

Analysis by Budapest University of Technology and Economics in Hungary gave rise to the possibility that Duqu may have been developed either by the Stuxnet authors or by developers who had access to the source code.

But before we draw on the similarities or argue the differences between and Duqu and Stuxnet, it's important to first understand what's behind each of the malware programs and explore how they're infecting computers.

Stuxnet was designed to target certain industrial control systems developed by Siemens. The type of control systems that were targeted generated speculation that US and Israeli intelligence services worked together in an attempt to attack Iran's nuclear program.

Stuxnet's modular structure, exploitation of zero-day vulnerabilities, driver containing a valid digital certificate and injection mechanisms set it apart from “garden-variety” malware -- if there is such a thing.

Duqu seems to continue in the same vein, blending a wide variety of features such as anti-virus recognition, key logging, DLL injection, RPC communication and kernel rootkit technology.

Intent is everything

Stuxnet and Duqu's use of valid digital signatures is significant. Code signing is used to provide assurances as to the identity and integrity of the software's publisher in order to establish a high level of trust toward the software.

Duqu's driver, cm14432.sys, is signed by Taiwanese company C-Media Electronic, which suggests the company's private key has been compromised. Coupled with anti-virus recognition and rootkit technology, code signing significantly helps reduce the likelihood of being discovered.

However, despite sharing similarities in terms of code, structure and other technical elements, Stuxnet and Duqu have different objectives.

Rather than being used for potentially destructive purposes, Duqu is employed as a remote access trojan (RAT) to allow attackers to gain entry to compromised systems as a means of siphoning off sensitive information and gathering intelligence, potentially for use in future attacks.

To infiltrate systems, Duqu exploits a vulnerability in T2EMBED.DLL, the Win32k TrueType font parsing engine.

In this case, an exploit is launched via specially crafted font data within a Word document, allowing for the escalation of privilege and enabling the attacker to execute arbitrary code in kernel mode. Microsoft patched the vulnerability in December.

When installed, Duqu disguises itself as a device driver that loads when the system boots, upon which further components are injected into running programs. Once established on the target system, Duqu communicates with a command-and-control (C&C) server, allowing further information-harvesting programs to be installed.

Harvested information, such as stolen digital certificates, is recorded in encrypted logs for the attackers to smuggle out, back to the C&C server.

To propagate around the target network, Duqu makes attempts to take advantage of the P2P SMB protocol to move from system to system via local shares. In a twist, Duqu will run on the infected system for 36 days before deleting itself, in an effort to remain under the radar.

Protecting against Duqu

The malware was unearthed by CrySyS (Laboratory of Cryptography and Systems Security at Budapest University of Technology and Economics) which, in an effort to mitigate the threat, released the CrySyS Duqu Detector Toolkit that detects suspicious files which are likely to denote the presence of Duqu.

Duqu is a low-prevalence, highly targeted threat against specific organizations, and it is unlikely that home users will find themselves victim to this malware.

Instead, its discovery is likely to be of particular concern to corporations and other organizations that seek to protect themselves against sensitive and valuable data leaks.

However, while Duqu is still relatively new and details on the program continue to emerge daily, the fact is that it represents a significantly evolved threat that leverages myriad techniques to infect computers. The notion that Duqu evolved from the Stuxnet worm certainly gives it credibility and indicates a level of sophistication.

This article originally appeared at scmagazineus.com