Kaspersky Lab Identifies New Version of Duqu Worm

Telecoms, electronics and the information security sectors are being warned of potential threat from a new version of the Duqu worm, the existence of which has been confirmed by a successful attack on Kaspersky Lab.

Technical analysis carried out by the security firm has indicated a new round of attacks from an updated version of the 2011 Duqu malware, which it called Duqu 2.0.

Kaspersky has confirmed that an attack took place, taking advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. It added that analysis of the attack has revealed that the main goal of the attackers was to spy on the company’s technologies, ongoing research and internal processes.

Kaspersky assured that no interference with processes or systems was detected and has released details of the attack in a technical paper.

The attack has also been recognised by fellow security provider Symantec which says that that it has also found evidence that Duqu has been used in a number of different attack campaigns against a limited number of selected targets including a European telecoms operator, a North African telecoms operator and a South East Asian electronic equipment manufacturer.

Infections were also found on computers located in the US, UK, Sweden, India and Hong Kong.  Symantec believes these may have been stepping stone type attacks to infiltrate another organization and eavesdrop on their network.

Talking to Infosecurity Magazine, Tod Beardsley, engineering manager at security data and analytics technology provider Rapid7 said that it was Duqu 2.0 represented both the state of the art and the minimum bar for cyber operations. “Duqu 2.0 is precisely where we should expect any serious national cyber offensive capability to be. If you cannot defend against a Duqu 2.0 style long term campaign, you better not have any data or resources that a national offensive cyber organization will care to compromise,” he added.

“Kaspersky has a reputation for being one of the most capable detection and defense organizations in the world, and the fact that [it was] compromised is a sobering reminder that the gap between offense and defense is, today, massively lopsided in favor of the attacker. I’m very happy to see that Kaspersky is publishing their findings in depth…these detection techniques are what CISOs at critical infrastructure networks need to defend and remediate against similar attacks.”

What’s Hot on Infosecurity Magazine?