The recently discovered Duqu Trojan has received considerable attention from the security research community. Here’s why.
What is Duqu?
It’s a Remote Access Trojan (RAT) designed to steal data from the computers it infects. It was discovered by the Laboratory of Cryptography and Systems Security (CrySyS) at Budapest University.
RATs are pretty common these days. Why is so much attention being paid to Duqu?
Duqu is believed to have been created by the same people who wrote Stuxnet, the worm that was used to disrupt operations at Iran’s Natanz nuclear facility last year. A lot of security analysts believe that it is a precursor to the next Stuxnet and poses a grave threat to the industrial control systems that manage equipment at critical infrastructure facilities such as power plants and water treatment facilities.
What exactly is the link between Stuxnet and Duqu?
Duqu and Stuxnet share a lot of common code and functions. While Stuxnet binaries have been floating around for some time, the actual source code itself has not been publicly available. The fact that Duqu contains Stuxnet code has led some to believe that Duqu’s authors either have direct access to Stuxnet code — or were the authors of Stuxnet. Duqu also uses an installation driver signed with a stolen or forged digital certificate belonging to a Taiwanese company called JMicron. Stuxnet used certificates belonging to the same company.
So, Duqu is targeted at industrial control systems then?
Sort of, but not quite in the same manner as Stuxnet. Duqu appears designed to steal information from vendors of industrial control systems. It is an intelligence-gathering agent. Stuxnet, on the other hand, was designed to cause actual physical damage to industrial control systems. Security vendor Symantec and others believe that Duqu is being used to steal information that can eventually be used to craft another Stuxnet.
How serious a threat does Duqu really pose?
That depends on whom you ask. Companies such as Symantec and Kaspersky have described Duqu as a highly sophisticated piece of malware likely created by a nation state for the specific purpose of going after industrial control systems. Those fears are likely to be fueled by news emerging from Iran that computers in the country have been targeted by Duqu.
But not everyone shares this opinion, right?
Correct. Some believe the fears are overstated. The U.S. ICS Computer Emergency Response Team initially issued a warning for critical infrastructure owners to be on the alert for Duqu. Later, however, it issued an update saying that neither industrial control systems (ICSs) nor vendors/manufacturers were targeted by Duqu.
How many systems has Duqu infected?
That remains unclear, but the actual number of companies that have been victimized by Duqu is thought to be small. Symantec claims it has found Duqu on computers belonging to at least six organizations in eight countries including France, India, Iran, Sudan and Vietnam. Duqu sightings have also been reported in Hungary, Indonesia and the U.K. Based on available estimates from security vendors, the number of infected systems appears to be less than 50, for now, at least.
How exactly does it infect systems?
Duqu infects systems in ways that are not entirely understood yet. In one instance, a Duqu installer took advantage of a zero-day kernel-level vulnerability in Microsoft’s Win32k TrueType font parsing engine to install the malware on a vulnerable computer. The malware was delivered via a malformed Word document that was sent to the target organization as an email attachment. Clicking on the document triggers the exploit.
Once installed, the malware communicates with a command-and-control server, which then instructs it to download additional data-stealing malware or to spread itself via network shares to other computers on the same network. Duqu is not designed to propagate on its own. It is also programmed to delete itself from an infected computer after 36 days.
Has Microsoft released a patch for the zero-day flaw Duqu exploits?
Not yet, but the company is working on a fix. Until a patch is available, companies can work around the threat by blocking access to T2EMBED.DLL, the dynamic link library associated with embedded font technology.
How does it pass along stolen data from a system?
Stolen data is encrypted and then sent out to the C&C servers as JPG image files.
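A defender-side check for the exfiltration format described above, added here as an example and not taken from the article or the CrySyS toolkit: it verifies that a file presented as JPG is a structurally complete JPEG and flags high-entropy bytes after the end-of-image marker. That the payload sits after the image (or replaces it) is an assumption, as are the function names, thresholds and constructed sample bytes.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_eoi(data: bytes) -> int:
    """Offset just past the JPEG EOI marker, or -1 if the structure is broken."""
    if data[:2] != b"\xff\xd8":                      # SOI must open the file
        return -1
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return -1
        marker = data[i + 1]
        seg_len = int.from_bytes(data[i + 2:i + 4], "big")
        if seg_len < 2:
            return -1
        i += 2 + seg_len                             # skip marker + segment
        if marker != 0xDA:                           # not SOS: next segment
            continue
        while i + 1 < len(data):                     # entropy-coded scan data
            if data[i] != 0xFF or data[i + 1] == 0xFF:
                i += 1                               # plain byte or fill byte
            elif data[i + 1] == 0xD9:
                return i + 2                         # EOI found
            elif data[i + 1] == 0x00 or 0xD0 <= data[i + 1] <= 0xD7:
                i += 2                               # stuffed 0xFF or RSTn
            else:
                break                                # another segment follows
    return -1

def inspect_jpeg(data: bytes, min_trailer=64, entropy_floor=7.0) -> dict:
    """Classify one outbound file that claims to be a JPEG."""
    end = find_eoi(data)
    trailer = data if end < 0 else data[end:]
    entropy = round(shannon_entropy(trailer), 2)
    if end < 0:
        verdict = "not-a-jpeg"
    elif len(trailer) >= min_trailer and entropy >= entropy_floor:
        verdict = "suspicious-trailer"
    else:
        verdict = "clean"
    return {"verdict": verdict, "trailing": len(trailer), "entropy": entropy}

# Constructed sample: SOI, APP0 (JFIF), SOS header, 5 scan bytes, EOI.
SAMPLE_JPEG = (b"\xff\xd8" b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" b"\x12\x34\xff\x00\x56\xff\xd9")
# Constructed stand-in for an encrypted payload: 2048 hash-derived bytes.
BLOB = b"".join(hashlib.sha256(bytes([k])).digest() for k in range(64))

if __name__ == "__main__":
    for name, body in [("image only", SAMPLE_JPEG), ("image + blob", SAMPLE_JPEG + BLOB)]:
        print(name, inspect_jpeg(body))
```

A hit is a lead for triage, not proof of infection: some cameras and editing tools also append data after the end-of-image marker.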
Who is behind Duqu?
That really is the big question. The level of sophistication evident in Duqu and the fact that it exploits a Windows kernel-level flaw suggest that its authors are either very well funded or very highly skilled, or both. Most people think it was created by a nation state; which one is anyone’s guess.
How do I know if my hardware is infected?
CrySyS has released a free, downloadable toolkit for finding Duqu infections on a system or an entire network. The tool is designed to look for suspicious files and certain known indicators of Duqu. For the most part though, Duqu is highly targeted at ICS vendors, so unless your company is one, you should be okay.