Hacker Group Spends Years Developing Sophisticated Duqu Trojan

The Duqu Trojan, which is also known as son of Stuxnet, was discovered just two months ago and is getting headlines for the sense of humor that its creators have revealed in the code. According to Kaspersky Lab, the hacker group behind the Duqu Trojan may have been working on the code for more than four years.

by / November 13, 2011

The new Duqu malware is a sophisticated Trojan that appears to be similar to the more well known Stuxnet code. Headlines over the weekend were telling stories about both the effects in Iran, as well as offering reports that the malware was now “under control.”

According to Kaspersky Lab, the hacker group behind the Duqu Trojan may have been working on the code for more than four years. The article describes the stages of attack and actions at each stage. Here’s an excerpt, but the entire article is worth reading:

“Our main achievement has been in the investigation of the incident deemed No.#1, described in my second post about Duqu. We managed to not only locate all the previously undiscovered files of this variant of Duqu, but also to find both the source of the infection and the file dropper that contains the vulnerability exploit in win32k.sys (CVE-2011-3402).

Comparing the data we uncovered with that obtained by other researchers and antivirus companies, we’ve elicited various common traits that have revealed the approximate timeline and overall methods used by Duqu’s authors.”

Computerworld ran this piece as their headline story, and summarized the malware’s history to date. Here’s part of that Computerworld article:

Microsoft has confirmed that the Duqu campaign exploits a vulnerability in a Windows kernel-mode driver -- specifically "W32k.sys," and its TrueType font parsing engine -- to gain rights on the compromised PC sufficient to install the malware.

Although Microsoft has yet to patch the bug, it has urged customers to disable the font parser to protect themselves.”

The Duqu Trojan, which is also known as “son of Stuxnet,” was discovered just two months ago and is getting headlines for the sense of humor that its creators have revealed in the code.

“According to Kaspersky's Alexander Gostev, the Duqu infection vector is customized for each target, and its code contains a joking reference to "Dexter," the long-running Showtime TV series about a morally ambiguous serial killer.”

MSNBC wrote, “Perhaps most ominously, there are enough differences among the known variants of Duqu to lead Gostev to suspect that the Trojan's creators are carefully tailoring the malware package for each specific target as needed, if the compilation dates on the main Trojan component are accurate….

… Such fine-tuning would make Duqu and its creators more sophisticated and persistent that the so-called "advanced persistent threat" attacks — widely assumed to be coming from China — that have penetrated Western companies over the past few years.

In those cases, spear-phishing emails also provide the infection vector, but the installed malware does not vary from one target to the next.”


Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso

Platforms & Programs