November 13, 2011 /
Hacker Group Spends Years Developing Sophisticated Duqu Trojan
The new Duqu malware is a sophisticated Trojan that appears to be similar to the more well known Stuxnet code. Headlines over the weekend were telling stories about both the effects in Iran, as well as offering reports that the malware was now “under control.”
According to Kaspersky Lab, the hacker group behind the Duqu Trojan may have been working on the code for more than four years. The article describes the stages of attack and actions at each stage. Here’s an excerpt, but the entire article is worth reading:
“Our main achievement has been in the investigation of the incident deemed No.#1, described in my second post about Duqu. We managed to not only locate all the previously undiscovered files of this variant of Duqu, but also to find both the source of the infection and the file dropper that contains the vulnerability exploit in win32k.sys (CVE-2011-3402).
Comparing the data we uncovered with that obtained by other researchers and antivirus companies, we’ve elicited various common traits that have revealed the approximate timeline and overall methods used by Duqu’s authors.”
Computerworld ran this piece as their headline story, and summarized the malware’s history to date. Here’s part of that Computerworld article:
“Microsoft has confirmed that the Duqu campaign exploits a vulnerability in a Windows kernel-mode driver -- specifically "W32k.sys," and its TrueType font parsing engine -- to gain rights on the compromised PC sufficient to install the malware.
Although Microsoft has yet to patch the bug, it has urged customers to disable the font parser to protect themselves.”
The Duqu Trojan, which is also known as “son of Stuxnet,” was discovered just two months ago and is getting headlines for the sense of humor that its creators have revealed in the code.
“According to Kaspersky's Alexander Gostev, the Duqu infection vector is customized for each target, and its code contains a joking reference to "Dexter," the long-running Showtime TV series about a morally ambiguous serial killer.”
MSNBC wrote, “Perhaps most ominously, there are enough differences among the known variants of Duqu to lead Gostev to suspect that the Trojan's creators are carefully tailoring the malware package for each specific target as needed, if the compilation dates on the main Trojan component are accurate….
… Such fine-tuning would make Duqu and its creators more sophisticated and persistent that the so-called "advanced persistent threat" attacks — widely assumed to be coming from China — that have penetrated Western companies over the past few years.
In those cases, spear-phishing emails also provide the infection vector, but the installed malware does not vary from one target to the next.”