Duqu: The next tale in the Stuxnet files
Stuxnet was possibly the most complex attack of this decade, and we expected that similar attacks would appear in the near future. One thing for sure is that the Stuxnet team is still active – as recent evidence has revealed.
McAfee Labs received a kit from an independent team of researchers that is closely related to the original Stuxnet worm, but with a different goal-to be used for espionage and targeted attacks against sites such as Certificate Authorities (CAs).
How do we know it was the Stuxnet team? To start with, the attacks are targeting CAs in regions occupied by “Canis Aureus,” the Golden Jackal, to execute professional targeted attacks, against sites such as CAs. The Stuxnet worm utilized two “stolen” digital certificates belonging to two companies from Taiwan that operated in the same business district.
Yet, the Stuxnet-related code, named Duqu, which McAfee Labs received as part of an on-going investigation, was signed with yet another key belonging to the company C-Media Electronics, in Taipei. It is highly likely that this key, just like the previous two known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack.
The threat that we call Duqu is based on Stuxnet and is very similar. Only a few sites so far are known to have been attacked by the code, and it does not have PLC functionality like Stuxnet. Instead, the code, delivered via exploitation, installs drivers and encrypted DLLs that function very similarly to the original Stuxnet code. In fact, the new driver’s code used for the injection attack is very similar to Stuxnet, as are several encryption keys and techniques that were used in Stuxnet.
Duqu is very time sensitive, and is controlled by an extended, encrypted configuration file. It communicates with a command server in India. This IP address has since been blacklisted at the ISP and no longer functions. Yet it was specially crafted to execute sophisticated attacks against key targets and has remote control functionality to install new code on the target. These include keyloggers, which can monitor all actions on systems: running processes, window messages, and so on. Furthermore, the keylogger component also contains functionality to hide files with a user-mode rootkit.
The file names of the SYS drivers can be cmi4432.sys and jminet7.sys. They relate to two groups of files that have similar functionality. A third file implements the keylogging functions.
McAfee detects the packages as PWS-Duqu, PWS-Duqu.dr, and PWS-Duqu!rootkit.
Both SYS files have almost the exact same code, with a few differences. The main difference is the fact that one of them is digitally signed with a certificate belonging to C-Media, while the other is not. Here is an example of the certificate that seemingly belongs to C-Media:
Since the discovery of this malware, the certificate above has been revoked by VeriSign as we can see in the image below:
The purpose of the SYS file seems to be only to decrypt and execute the primary payload DLL. Each SYS file works with a different set of files that in turn generate different DLLs. The graph below shows the connections found between the samples so far:
As we can see above, the method used by both SYS files is very similar. The PNF file is an encrypted DLL that is decrypted and injected into arbitrary system processes. This DLL in turn decrypts another DLL that contains the malicious code used to hide the presence of the malware in memory.
Both groups above also contain another module, sortXXXX.nls (where XXXX can be any hexadecimal character), shown in red above. It seems to be responsible for the malware’s malicious activities, such as command and control communications.
The keylogger module works a little differently from the SYS files, but it also uses a module with the same name as the other components. This file is hidden using the same method as the other modules. Although the files are different, both rootkits work more or less in the same way.
Another relationship among the keylogger and the other two modules is that each uses the same decryption key for the strings stored in its data section. The strings indicate these modules have the capability to disable security tools, targeting some specific antivirus products.
McAfee Labs advises Certificate Authorities to carefully verify if their systems might have been affected by this threat or any variations. As we publish this article, McAfee Labs has also identified a likely variation of this attack at another site.
Authors: Guilherme Venere and Peter Szor, McAfee.