Duqu developers still active, researchers say

Duqu, the infamous remote access Trojan first discovered in November 2011 and thought to have been created by the same authors as Stuxnet, is still getting modified by its developers and, obviously, used in attacks.

A newly found variant of the loader file used to load the rest of the Duqu payload has been forwarded to and analyzed by Symantec researchers, who discovered that this component was compiled on February 23, 2012.

The main changes in the loader are a new encryption algorithm used to encrypt the other components, the lack of a signature with a stolen certificate and, according to Kaspersky Lab’s Costin Raiu, changes that aim to foil its detection by the Duqu detector toolkit released by CrySyS Lab, the Budapest-based Laboratory of Cryptography and Systems Security who first spotted the malware.

“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active. Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011,” comment Symantec’s researchers.

Duqu is believed to have been created by the same authors as Stuxnet, or by developers that had access to its source code. It also seems to have been developed on the same platform.

But while Stuxnet’s primary purpose is though to be to disrupt operations at Iran’s Natanz nuclear facility, Duqu is geared towards compromising industrial control systems in order to gather information from them. Typical home and office computer users have nothing to fear from those two threats, as they are definitely written with bigger targets in mind.

This conclusion has also been recently validated when Kaspersky Lab experts asked and received help from outside malware experts and programmers in identifying the language in which Duqu’s C&C communications module was written.

With the help of a lot of comments and emails sent their way, the language was finally identified as a custom object-oriented C dialect (OO C) with special extensions compiled with the Microsoft Visual Studio Compiler 2008.

As the rest of the Duqu components were written in C++ and compiled with Microsoft’s Visual C++ 2008, the question that the discovery has raised is why weren’t all components written and compiled with it.

Two possible answers were given by the helpful programmers: the authors of the component wanted to be sure that it would work as it should (and C++ code, when compiled, is somewhat unpredictable) and that it would always compile with any compiler on any platform.

“If you wanted to go for extreme portability and target every existing platform out there, you’d go with C,” commented the researchers. Taking all that in consideration, they believe that Duqu is the work of a professional team of developers that reuses old-school code.

“Such techniques are normally seen in professional software and almost never in today’s malware,” they point out. “Once again, these indicate that Duqu, just like Stuxnet, is a ‘one of a kind’ piece of malware which stands out like a gem from the large mass of ‘dumb’ malicious program we normally see.”




Share this