Duqu Still at Work

Wednesday, March 21, 2012 @ 02:03 PM gHale

A newly compiled driver for Duqu was unearthed within the last couple of days, researchers said.

Duqu is unique because rather than writing one piece of malware and spreading it out to a large base, the malware masterminds had a small, specially selected group of targets, each of which got its own specifically crafted components and drivers. Researchers said the number of known victims of Duqu is less than 50.


“There are a number of different drivers and different modules which are responsible for extracting the Duqu components to disk. And basically, there are three files which get created on disk. There is one SYS driver file. There is a small PNF file, a configuration file. There is a big PNF file, so the extension is .PNF. And by the way, Stuxnet used the same extensions and this kind of similar mechanism to infect computers and install – basically, to install itself in computers,” said Costin Raiu, one of the researchers who did the initial analysis of Duqu at Kaspersky Lab.

Researchers spent a good chunk of time analyzing and poring over the drivers and the individual components of Duqu and think they have a pretty good handle on the way the malware works. But that doesn’t mean they fully understand it yet.

Another piece of the puzzle came together when researchers determined that the odd programming language used in one part of Duqu was heavily modified C combined with some object-oriented programming components.

On top of that, Symantec researchers found a newly compiled driver for Duqu, leading researchers to believe the attackers are still tweaking and modifying their original work.

“Found newly compiled #Duqu driver (Feb 2012) mcd9x86.sys, no new functionality, Stuxnet attackers very much still at it,” Symantec’s Security Response team said on Twitter Monday.

Early Tuesday, Raiu said that while the new driver doesn’t have any new functionality, there are indications that it is not merely new but built to evade existing detection techniques for Duqu.
