Cyberattacks October 2011 – Malware Duqu
Duqu is a Trojan that installs a backdoor which records keystrokes and collects other system information. Symantec reported that the attackers behind Duqu are searching for information assets that could be useful for launching future attacks.
Analysis & Impacts:
Duqu is a sophisticated Trojan that appears to have been written by the same people behind the Stuxnet worm, since the two share significant similarities in their code. The difference is one of purpose: Stuxnet was created to sabotage Industrial Control Systems (ICS), whereas Duqu's main purpose is to act as a backdoor into the system and collect private information. Unlike Stuxnet, Duqu does not appear to replicate on its own.
Duqu uses HTTP and HTTPS to communicate with a Command & Control (C&C) server at 22.214.171.124, hiding its traffic by making it look like normal web browsing. Stolen information is encrypted with AES and appended to a JPG file named 'dsc00001.jpg', which is then sent back to the C&C server.
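Because the disguised upload is a real-looking image with ciphertext appended after it, one practical network-side check is to split any JPG seen on the wire at its End-Of-Image marker and look at what follows. The script below is an added example written for this page; it is not code from the original article or from any vendor's Duqu analysis. The detection heuristic (bytes past EOI, a 7.0 bits-per-byte entropy threshold, 16-byte alignment as a weak AES hint), the constructed sample payloads and the SHA-256 counter stream standing in for AES ciphertext are all assumptions made here so that it runs offline.

```python
"""Flag Duqu-style C&C payloads: a JPEG with encrypted data appended after EOI.

Added example, not code from the original page or from any Duqu analysis.
The heuristic and the sample payloads are constructed here; the trailer uses a
SHA-256 counter stream as a stand-in for AES ciphertext (assumption).
"""
import hashlib
import math
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers with no length field: SOI, EOI, TEM (0x01) and RST0-7.
STANDALONE = {SOI, EOI, 0x01, *range(0xD0, 0xD8)}


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG marker structure and return the offset just past EOI.

    Length-prefixed segments (e.g. an Exif APP1 carrying a thumbnail JPEG with
    its own EOI) are skipped by length, and entropy-coded scan data is skipped
    until the next real marker, so a naive search for the first FF D9 cannot
    be fooled into stopping early.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte preceding a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len          # seg_len counts its own two bytes
        if marker == SOS:
            # In scan data an FF byte is always followed by 00 (stuffing) or RSTn.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in range(0xD0, 0xD8):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, low for padding or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def analyze_payload(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Split a JPEG payload into image and trailer and score the trailer."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    entropy = shannon_entropy(trailer)
    return {
        "image_bytes": end,
        "trailer_bytes": len(trailer),
        "trailer_entropy": round(entropy, 2),
        # AES-CBC/ECB ciphertext is always a whole number of 16-byte blocks.
        "aes_block_aligned": len(trailer) > 0 and len(trailer) % 16 == 0,
        "suspicious": len(trailer) > 0 and entropy >= entropy_threshold,
    }


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed, structurally valid marker sequence (not a viewable image).

    It contains an Exif thumbnail with its own EOI, a byte-stuffed FF 00 and an
    RST0 marker inside the scan, all of which a naive FF D9 search mishandles.
    """
    thumb = b"\xff\xd8" + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\xd9"
    app1 = _segment(0xE1, b"Exif\x00\x00" + thumb)
    sof0 = _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\xab\xff\x00\xcd\xff\xd0\xef"
    return b"\xff\xd8" + app1 + sof0 + sos + scan + b"\xff\xd9"


def fake_ciphertext(n_blocks: int, key: bytes = b"constructed-key") -> bytes:
    """Stand-in for AES output: a SHA-256 counter stream (deterministic, high
    entropy). Not real encryption; used only so the example needs no crypto lib."""
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()[:16]
                    for i in range(n_blocks))


def demo() -> tuple:
    """Return (benign, disguised) analyses for the two constructed payloads."""
    image = build_sample_jpeg()
    return analyze_payload(image), analyze_payload(image + fake_ciphertext(64))


if __name__ == "__main__":
    for label, result in zip(("benign", "disguised"), demo()):
        print(label, result)
```

The check is generic rather than Duqu-specific: it catches any tool that hides data behind a valid image. Some cameras and editors do append metadata after EOI, so in a proxy or IDS pipeline the entropy score should be combined with the destination address, the fixed file name and the size of the trailer before raising an alert.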
A detailed analysis of Duqu's components follows:
- Duqu consists of a driver file, a DLL that contains other embedded files, and a configuration file.
- These files must be installed by a separate executable (the installer).
- The installer registers the driver file as a service so that it starts at system power-on.
- The driver then injects the main DLL into services.exe. From there, the main DLL extracts the other embedded components and injects them into other processes.
- One variant's driver file was signed with a valid digital certificate, set to expire on August 2, 2012, that belonged to a company in Taipei, Taiwan. The certificate was revoked on October 14, 2011. A valid signature alone therefore does not establish that a driver is trustworthy; the signer's identity and the certificate's revocation status need to be checked as well.
- Duqu automatically removes itself from the system after 36 days. However, additional downloaded components may extend this period.
Recommendations:
- Ensure antivirus software is up to date, since several antivirus vendors already detect this malware and block it immediately.
- Educate users to take extra caution with email: verify a message's authenticity before clicking a link that redirects to a website or before downloading an attachment.