As reported previously, Symantec discovered the malware threat – which has strong similarities to the Stuxnet malware that hit the headlines this time last year. Several industry commentators have dubbed the malware – known as W32.Duqu by the IT security vendor – as the Son of Stuxnet.
As with the original Stuxnet code, Symantec has published an in-depth report on the malware, which bears a strong similarity to the original and may have been developed using the Stuxnet source code.
According to the report, Duqu – which comes in at 300 kilobytes of code versus the 500 kilobytes seen in Stuxnet – could be a precursor to the “next Stuxnet” and, while it is similar to the original malware, it appears to have a different purpose, namely the gathering of intelligence on industrial control systems.
Commenting on this research – and adding its own to the mix – Dell SecureWorks says that Duqu does share some similar code to Stuxnet, but also notes that this code has been observed in other unrelated threats.
The Duqu trojan, says Dell's security division, consists of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, a remote access trojan (RAT) that allows an adversary to gather information from a compromised computer and to download and run additional programs.
In addition to the RAT, another piece of malware was recovered with Duqu in one instance. This malware is an information stealer designed to log user keystrokes and other information about the infected system. This piece of malware is believed to be related due to programming similarities with the main Duqu executables.
Duqu and Stuxnet, says Dell, both use a kernel driver to decrypt and load encrypted dynamic link library (DLL) files. The kernel drivers serve as an “injection” engine to load these DLLs into a specific process. This technique is not, however, unique to either Duqu or Stuxnet and has been observed in other unrelated threats.
The kernel drivers for both Stuxnet and Duqu, meanwhile, use many similar techniques for encryption and stealth, such as a rootkit for hiding files. Again, says Dell, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats.
Unlike Stuxnet, however, Dell reports that Duqu does not contain specific code that pertains to supervisory control and data acquisition (SCADA) components such as programmable logic controllers (PLCs).
“Duqu's primary purpose is to provide an attacker with remote access to a compromised computer, including the ability to run arbitrary programs. It can theoretically be used to target any organization”, says the firm's report.
So what is the bottom line?
Dell SecureWorks says that, since its discovery, security vendors have worked to improve their ability to detect the malware, but it notes that the author may simply release newer variants that are no longer detected by anti-virus and anti-malware products.
Mitigations for Duqu, adds Dell, include admins deploying host-based protection measures – anti-virus and anti-malware – as part of a holistic security process that also covers network-based monitoring and controls, network segmentation and policies, and user access controls, all of which help reduce the threat from malware like Duqu.
One useful marker, says the report, is that a computer infected with Duqu may have files beginning with "~DQ" in its Windows temporary directories.
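The marker above is easy to hunt for during triage. The script below is an added example and is not code from the Symantec or Dell SecureWorks reports: it walks the usual Windows temporary directories (the current user's %TEMP%, %SystemRoot%\Temp and every profile's AppData\Local\Temp) and lists files whose names begin with "~DQ", with size and modification time for follow-up. A name prefix is a weak indicator on its own, so hits are leads for further analysis, not proof of infection.

```python
import ntpath
import os
from datetime import datetime, timezone

MARKER_PREFIX = "~DQ"  # file-name prefix reported for Duqu's temporary files


def is_marker_name(filename, prefix=MARKER_PREFIX):
    """True if a bare file name starts with the marker prefix.
    Windows file names are case-insensitive, so compare case-folded."""
    return filename.casefold().startswith(prefix.casefold())


def filter_marker_paths(paths, prefix=MARKER_PREFIX):
    """Pure helper: keep only the paths whose file name carries the marker.
    ntpath splits both '\\' and '/' so Windows paths work on any host."""
    return sorted(p for p in paths if is_marker_name(ntpath.basename(p), prefix))


def candidate_temp_dirs():
    """Windows temp locations worth checking: this user's, the system's and
    each profile under \\Users (the latter matter when run as an administrator)."""
    dirs = [os.environ.get("TEMP"), os.environ.get("TMP"),
            os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "Temp")]
    users = os.path.join(os.environ.get("SystemDrive", "C:") + os.sep, "Users")
    if os.path.isdir(users):
        for profile in os.listdir(users):
            dirs.append(os.path.join(users, profile, "AppData", "Local", "Temp"))
    # Drop unset or missing locations and de-duplicate (case-insensitively).
    return sorted({os.path.normcase(d) for d in dirs if d and os.path.isdir(d)})


def scan_temp_dirs(directories=None, prefix=MARKER_PREFIX):
    """Walk each directory recursively; return one triage record per marker file."""
    hits = []
    for top in (candidate_temp_dirs() if directories is None else directories):
        for root, _subdirs, files in os.walk(top):
            for name in files:
                if not is_marker_name(name, prefix):
                    continue
                path = os.path.join(root, name)
                try:
                    st = os.stat(path)
                except OSError:
                    continue  # file vanished or is locked; skip rather than abort
                modified = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
                hits.append({"path": path, "size": st.st_size, "modified": modified})
    return hits


if __name__ == "__main__":
    found = scan_temp_dirs()
    for hit in found:
        print(f"{hit['modified']}  {hit['size']:>10}  {hit['path']}")
    print(f"{len(found)} file(s) matching {MARKER_PREFIX}* in temp directories")
```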