Duqu is a collection of computer

malware Malware (a portmanteau of ''malicious software'')Tahir, R. (2018)A study on malware and malware detection techniques . ''International Journal of Education and Management Engineering'', ''8''(2), 20. is any software intentionally designed to caus ...

discovered on 1 September 2011, thought by

Kaspersky Labs Kaspersky Lab (; ) is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and ...

to be related to the

Stuxnet Stuxnet is a Malware, malicious computer worm first uncovered on June 17, 2010, and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsibl ...

worm and to have been created by

Unit 8200 Unit 8200 (, ''Yehida shmone matayim'' "Unit eight two-hundred") is an Israeli Intelligence Corps unit of the Israel Defense Forces responsible for clandestine operation, collecting signal intelligence (SIGINT) and code decryption, counteri ...

. The Laboratory of Cryptography and System Security (

CrySyS Lab CrySyS Lab () is part of the Department of Telecommunications at the Budapest University of Technology and Economics. The name is derived from "Laboratory of Cryptography and System Security", the full Hungarian name is . History CrySyS Lab. w ...

) of the

Budapest University of Technology and Economics The Budapest University of Technology and Economics ( or in short ), official abbreviation BME, is a public research university located in Budapest, Hungary. It is the most significant university of technology in the country and is considered ...

Hungary Hungary is a landlocked country in Central Europe. Spanning much of the Pannonian Basin, Carpathian Basin, it is bordered by Slovakia to the north, Ukraine to the northeast, Romania to the east and southeast, Serbia to the south, Croatia and ...

discovered the threat, analysed the malware, and wrote a 60-page report naming the threat Duqu. Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.

Nomenclature

The term Duqu is used in a variety of ways: * Duqu malware is a variety of software components that together provide services to the attackers. Currently this includes information stealing capabilities and in the background, kernel drivers and injection tools. Part of this malware is written in unknown high-level programming language, dubbed "Duqu framework". It is not C++, Python, Ada, Lua and many other checked languages. However, it is suggested that Duqu may have been written in C with a custom

object oriented Object-oriented programming (OOP) is a programming paradigm based on the concept of '' objects''. Objects can contain data (called fields, attributes or properties) and have actions they can perform (called procedures or methods and impleme ...

framework and compiled in Microsoft Visual Studio 2008. * Duqu flaw is the flaw in Microsoft Windows that is used in malicious files to execute malware components of Duqu. Currently one flaw is known, a

TrueType TrueType is an Computer font#Outline fonts, outline font standardization, standard developed by Apple Inc., Apple in the late 1980s as a competitor to Adobe Inc., Adobe's PostScript fonts#Type 1, Type 1 fonts used in PostScript. It has become the ...

-font related problem in . * Operation Duqu is the process of only using Duqu for unknown goals. The operation might be related to Operation Stuxnet.

Relationship to Stuxnet

Symantec Symantec may refer to: * Gen Digital, an American consumer software company formerly known as Symantec * Symantec Security, a brand of enterprise security software purchased by Broadcom Broadcom Inc. is an American multinational corporation, ...

, based on the CrySyS team managed by Dr Thibault Gainche report, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix. Symantec believes that Duqu was created by the same authors as

, or that the authors had access to the source code of Stuxnet. The worm, like Stuxnet, has a valid, but abused digital signature, and collects information to prepare for future attacks.

Mikko Hyppönen Mikko Hyppönen (; born 13 October 1969) is a Finnish computer security expert, speaker and author. He is known for the Hyppönen Law of IoT security, which states that whenever an appliance is described as being "smart", it is vulnerable. He wo ...

, Chief Research Officer for

F-Secure F-Secure Corporation is a global cyber security and privacy company, which has its headquarters in Helsinki, Finland. The company has offices in Denmark, Finland, France, Germany, India, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Swed ...

, said that Duqu's kernel driver, , was so similar to Stuxnet's that F-Secure's back-end system thought it was Stuxnet. Hyppönen further said that the key used to make Duqu's own digital signature (only observed in one case) was stolen from

C-Media C-Media Electronics, Inc. () is a Taiwan computer hardware company that manufactures processors for PC audio and USB storage, and wireless audio devices. Many of their PCI audio solutions can be found in the Xonar sound cards developed by A ...

, located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011 according to Symantec. Another source,

Dell SecureWorks Secureworks Inc. is an American cybersecurity company. The company has approximately 4,000 customers in more than 50 countries, ranging from Fortune 100 companies to mid-sized businesses in a variety of industries. It became part of Dell Techn ...

, reports that Duqu may not be related to Stuxnet. However, there is considerable and growing evidence that Duqu is closely related to Stuxnet. Experts compared the similarities and found three points of interest: * The installer exploits zero-day Windows kernel vulnerabilities. * Components are signed with stolen digital keys. * Duqu and Stuxnet are both highly targeted and related to the nuclear program of Iran.

Microsoft Word zero-day exploit

, Duqu attacks

Microsoft Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

systems using a

zero-day vulnerability A zero-day (also known as a 0-day) is a vulnerability or security hole in a computer system unknown to its developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or z ...

. The first-known installer (AKA dropper) file recovered and disclosed by CrySyS Lab uses a

Microsoft Word Microsoft Word is a word processor program, word processing program developed by Microsoft. It was first released on October 25, 1983, under the name Multi-Tool Word for Xenix systems. Subsequent versions were later written for several other platf ...

document that exploits the Win32k

TrueType font TrueType is an outline font standard developed by Apple in the late 1980s as a competitor to Adobe's Type 1 fonts used in PostScript. It has become the most common format for fonts on the classic Mac OS, macOS, and Microsoft Windows operating syst ...

parsing engine and allows execution. The Duqu dropper relates to font embedding, and thus relates to the workaround to restrict access to , which is a TrueType font parsing engine if the patch released by Microsoft in December 2011 is not yet installed. Microsoft identifier for the threat is MS11-087 (first advisory issued on 13 November 2011).

Purpose

Duqu looks for information that could be useful in attacking

industrial control systems An industrial control system (ICS) is an electronic control system and associated instrumentation used for industrial process control. Control systems can range in size from a few modular panel-mounted controllers to large interconnected and int ...

. Its purpose is not to be destructive; the known components are trying to gather information. However, based on the modular structure of Duqu, special payload could be used to attack any type of computer system by any means and thus cyber-physical attacks based on Duqu might be possible. However, use of personal computer systems has been found to delete all recent information entered on the system, and in some cases total deletion of the computer's hard drive. Internal communications of Duqu are analysed by Symantec, but the actual and exact method how it replicates inside an attacked network is not yet fully known. According to

McAfee McAfee Corp. ( ), formerly known as McAfee Associates, Inc. from 1987 to 1997 and 2004 to 2014, Network Associates Inc. from 1997 to 2004, and Intel Security Group from 2014 to 2017, is an American proprietary software company focused on online ...

, one of Duqu's actions is to steal digital certificates (and corresponding private keys, as used in

public-key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...

) from attacked computers to help future viruses appear as secure software. Duqu uses a 54×54 pixel

JPEG JPEG ( , short for Joint Photographic Experts Group and sometimes retroactively referred to as JPEG 1) is a commonly used method of lossy compression for digital images, particularly for those images produced by digital photography. The degr ...

file and encrypted dummy files as containers to smuggle data to its command and control center. Security experts are still analyzing the code to determine what information the communications contain. Initial research indicates that the original malware sample automatically removes itself after 36 days (the malware stores this setting in configuration files), which would limit its detection. Key points are: * Executables developed after Stuxnet using the Stuxnet source code that have been discovered. * The executables are designed to capture information such as keystrokes and system information. * Current analysis shows no code related to industrial control systems, exploits, or self-replication. * The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems. * The exfiltrated data may be used to enable a future Stuxnet-like attack, or might already have been used as the basis for the Stuxnet attack.

Command and control servers

Some of the

command and control server A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its conne ...

s of Duqu have been analysed. It seems that the people running the attack had a predilection for

CentOS CentOS (, from Community Enterprise Operating System; also known as CentOS Linux) is a discontinued Linux distribution that provided a free and open-source community-supported computing platform, functionally compatible with its upstream (softw ...

5.x servers, leading some researchers to believe that they had a

zero-day exploit A zero-day (also known as a 0-day) is a vulnerability or security hole in a computer system unknown to its developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or z ...

for it. Servers are scattered in many different countries, including

Germany Germany, officially the Federal Republic of Germany, is a country in Central Europe. It lies between the Baltic Sea and the North Sea to the north and the Alps to the south. Its sixteen States of Germany, constituent states have a total popu ...

Belgium Belgium, officially the Kingdom of Belgium, is a country in Northwestern Europe. Situated in a coastal lowland region known as the Low Countries, it is bordered by the Netherlands to the north, Germany to the east, Luxembourg to the southeas ...

Philippines The Philippines, officially the Republic of the Philippines, is an Archipelagic state, archipelagic country in Southeast Asia. Located in the western Pacific Ocean, it consists of List of islands of the Philippines, 7,641 islands, with a tot ...

India India, officially the Republic of India, is a country in South Asia. It is the List of countries and dependencies by area, seventh-largest country by area; the List of countries by population (United Nations), most populous country since ...

and

China China, officially the People's Republic of China (PRC), is a country in East Asia. With population of China, a population exceeding 1.4 billion, it is the list of countries by population (United Nations), second-most populous country after ...

Kaspersky Kaspersky Lab (; ) is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and A ...

has published multiple blogposts on the command and control servers.

References