Cyber Warning: Duqu’s Back

Friday, March 30, 2012 @ 01:03 PM gHale

Duqu is definitely back.

After a sabbatical, the Duqu makers recompiled one of the Trojan’s components in late February, said Liam O Murchu, manager of operations at Symantec’s security response team.

The system driver, installed by the malware’s dropper agent, is responsible for decrypting the rest of the already-downloaded package, then loading those pieces into the PC’s memory.

Symantec has captured a single sample of the driver, compiled Feb. 23, 2012. Before that, the last time Duqu updated the driver was Oct. 17, 2011.

Symantec characterized Duqu as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that sabotaged Iran’s nuclear fuel enrichment program by crippling critical gas centrifuges. Symantec was the first to extensively analyze the Trojan last year.

O Murchu said the functionality of the new driver was “more or less the same” as earlier versions, including the one spotted last October and another from late 2010 that later surfaced. “The functionality hasn’t changed,” said O Murchu.

While O Murchu was hesitant to speculate on why Duqu returned to action or why it took a five-month break, security researchers at Moscow-based Kaspersky Lab were not as reluctant.

Alexander Gostev, who leads Kaspersky’s global research and analysis team, said Tuesday that Duqu’s creators probably modified it to slip past security software and Duqu-sniffing programs like the open-source Duqu Detection Toolkit.

The Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics created the detection tool last November. CrySys earned the credit for finding Duqu.

CrySys updated its Duqu toolkit two weeks ago after Symantec passed along its sample of the malware’s new system driver.

The Duqu system driver sample was found in Iran, where the majority of publicly known attacks have taken place, Gostev said.

Duqu’s Iran focus has been one reason experts have suspected it is a successor to Stuxnet. By Kaspersky’s count, there have been 21 known Duqu infections, with 52% of them traced to Iranian victims.

The low number of infections is one of the biggest hurdles security researchers face when they try to piece together the Duqu puzzle.