7 Facts On Duqu Malware Attacks

Published : 22/11/2024   Category : security

Research into the Duqu malware finds a component compiled in 2007, yet identifies successful attacks that occurred as recently as April 2011.

New information continues to emerge about the Duqu malware, which was designed to steal information relating to industrial control systems.
The latest analysis of Duqu has found that one of the components used in the attack was compiled in 2007, yet Duqu was used in a targeted attack as recently as April 2011, pointing to a possible four-year campaign by Duqu's authors, whose identities and affiliations remain unknown.
What is known is that, to date, Duqu has infected organizations in at least eight countries, including Iran, in part by exploiting a Windows zero-day vulnerability that was still unpatched when this was written. As researchers continue to study Duqu variants, these findings have emerged:
1. Duqu was a boutique exploit.
To date, researchers have discovered 12 unique sets of Duqu files, said Alexander Gostev, chief security expert at Kaspersky Lab and author of a recent Duqu report. That's significant, since for every victim a separate set of attack files was created, he said via email.
2. Duqu relates to Stars.
According to a Duqu timeline assembled by Kaspersky Lab, Duqu appeared at the same time as the Stars virus hit Iran. At that time Iranian specialists didn't share samples of the discovered virus with any of the antivirus companies, and this, it has to be said, was a serious mistake, which gave rise to all subsequent events in this saga, said Gostev. Most probably, the Iranians found a keylogger module that had been loaded onto a system and which contained a photo of the NGC 6745 galaxy. This could explain the title Stars given to it.
3. Attackers covered their tracks.
Pointing to the difficulty of tracing attacks back to the actual people who launched them, Gostev said that the Duqu exploits, which used malicious .doc files attached to emails, were sent from anonymous mailboxes, probably via compromised computers. In the case of one particular attack, dubbed variant F by Kaspersky, attackers used a computer, again likely compromised, in South Korea to send attack emails on April 17, 2011, followed by another attack four days later. The first attack ended up in a junk mail folder. The second attack turned out successful: the addressee opened the attached .doc file that contained the vulnerability exploit and Trojan installer, said Gostev.
4. Exploit used Dexter font.
How did Duqu attack? For the Duqu-F variant at least, the vulnerability exploit was contained in the font called Dexter Regular, said Gostev. The malicious .doc carried that font as an embedded TrueType font, and Windows' parsing of the font is what triggered the vulnerability. But that attack code was only a dropper or installer program, which then downloaded further attack code onto the targeted PC. After penetration into a system the attackers installed extra modules and infected neighboring computers, he said.
5. Duqu used a ruse.
Interestingly, after infecting a PC, Duqu did nothing, at least initially, except reside in memory, staying put even if the .doc file was closed. This period of inactivity lasted around 10 minutes, after which the exploit waited for the user's activity to stop, meaning no keyboard or mouse activity. Only then did the dropper kick into action, said Gostev. A fixed delay followed by an idle check of this kind outlasts short-running automated sandboxes and keeps the installation out of sight of a user who is actively working on the machine.
6. Attackers used disposable control servers.
Each Duqu variant had its own, separate control server, which provides further evidence that it was a highly targeted attack. Having a disposable infrastructure, furthermore, helped ensure that the discovery of one Duqu variant or attack wouldn't give away any of the others. Unlike Shady RAT's masterminds, the Duqu attackers also appear to have left the control servers active only for as long as they were required. Indeed, for a control server used to launch the Duqu-F attack, we think that it is not functioning now and all critical information on it has already been deleted by the attackers, said Gostev. Kaspersky likewise found an identical data wipe after researching another Duqu variant.
7. Duqu had fallback communication channels.
Duqu can connect not just to command-and-control (C&C) servers, but can also function as a server itself. There are two lists of C&C servers: one can contain domain names, IP addresses, or names of network shares, and the other contains IP addresses in binary format and is used to connect using Windows HTTP (winhttp) services, according to a report published by Kaspersky Lab expert Igor Soumenkov. Although the configuration blocks we have found so far are similar and are set up to connect to its C&C using HTTP and HTTPS, the payload .dll [file] is able to connect to a network share and even become a server. In other words, while Duqu may have attacked only a handful of organizations, it was engineered to keep communicating even if its primary channel was cut off.
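Fact 4 above names the embedded font, Dexter Regular, as the carrier of the exploit, which makes the name of any font embedded in an inbound document a cheap thing to check. The following Python is an added example, not code from the original article or from Kaspersky: it scans a raw byte blob for TrueType fonts by their sfnt header, parses each font's 'name' table (the real TrueType layout) and flags any font whose family or full name is on a watch-list. The document bytes and the two font blobs are constructed inline for the example and are not Duqu samples. Two caveats: a font name is a weak indicator, since an attacker can rename the font at no cost, and OOXML documents keep embedded fonts inside a zip container, so those must be unpacked before this scan sees them.

```python
"""
Scan a byte blob (for example a legacy .doc file) for embedded TrueType fonts,
report their names and flag names on a watch-list such as "Dexter Regular".

Added example for illustration; the sample document and fonts below are
constructed here and are not real malware samples. Only the sfnt offset table
and 'name' table layout follow the actual TrueType specification.
"""
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true")  # TrueType offset-table versions
NAME_ID_FAMILY = 1   # 'name' table record: font family name
NAME_ID_FULL = 4     # 'name' table record: full font name


def parse_name_table(blob: bytes, base: int) -> dict:
    """Parse the sfnt header at `base` and return {nameID: text} from its 'name' table.
    Returns {} if the bytes at `base` are not a parseable font with a 'name' table."""
    if base + 12 > len(blob):
        return {}
    num_tables = struct.unpack_from(">H", blob, base + 4)[0]
    if num_tables == 0 or num_tables > 64:          # sanity bound on a 12-byte header match
        return {}
    names = {}
    for i in range(num_tables):
        rec = base + 12 + 16 * i                     # table directory entries follow the header
        if rec + 16 > len(blob):
            return {}
        tag, _checksum, offset, _length = struct.unpack_from(">4sIII", blob, rec)
        if tag != b"name":
            continue
        tbl = base + offset                          # table offsets are relative to the font start
        if tbl + 6 > len(blob):
            return {}
        _fmt, count, string_offset = struct.unpack_from(">HHH", blob, tbl)
        storage = tbl + string_offset
        for j in range(count):
            nr = tbl + 6 + 12 * j
            if nr + 12 > len(blob):
                break
            platform, _enc, _lang, name_id, slen, soff = struct.unpack_from(">HHHHHH", blob, nr)
            raw = blob[storage + soff: storage + soff + slen]
            if len(raw) != slen:                     # string storage runs past the blob: stop
                break
            if platform == 3:                        # Windows platform strings are UTF-16BE
                text = raw.decode("utf-16-be", errors="replace")
            else:                                    # Macintosh platform: single-byte text
                text = raw.decode("latin-1", errors="replace")
            names.setdefault(name_id, text)
    return names


def find_embedded_fonts(data: bytes) -> list:
    """Return [(offset, family, full_name)] for every parseable sfnt font inside `data`."""
    found = []
    for magic in SFNT_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            names = parse_name_table(data, pos)
            if names:
                found.append((pos, names.get(NAME_ID_FAMILY, ""), names.get(NAME_ID_FULL, "")))
            pos = data.find(magic, pos + 1)
    return sorted(found)


def flag_fonts(data: bytes, watchlist=("Dexter Regular",)) -> list:
    """Return [(offset, name)] for embedded fonts whose family or full name is on the watch-list."""
    wanted = {w.casefold() for w in watchlist}
    hits = []
    for offset, family, full in find_embedded_fonts(data):
        if family.casefold() in wanted or full.casefold() in wanted:
            hits.append((offset, full or family))
    return hits


def build_font(family: str, full: str) -> bytes:
    """Build a minimal TrueType blob holding only a 'name' table (constructed test data)."""
    strings = b""
    records = []
    for name_id, text in ((NAME_ID_FAMILY, family), (NAME_ID_FULL, full)):
        encoded = text.encode("utf-16-be")
        # platform 3 (Windows), encoding 1 (Unicode BMP), language 0x0409 (en-US)
        records.append(struct.pack(">HHHHHH", 3, 1, 0x0409, name_id, len(encoded), len(strings)))
        strings += encoded
    name_table = struct.pack(">HHH", 0, len(records), 6 + 12 * len(records)) + b"".join(records) + strings
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", 1, 16, 0, 0)   # one table
    directory = struct.pack(">4sIII", b"name", 0, 12 + 16, len(name_table))
    return header + directory + name_table


# Constructed stand-in for a .doc: OLE magic, filler, a benign font, filler, a watch-listed font.
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0" + b"A" * 50
              + build_font("Calibri", "Calibri") + b"B" * 20
              + build_font("Dexter", "Dexter Regular") + b"C" * 10)

if __name__ == "__main__":
    for offset, name in flag_fonts(SAMPLE_DOC):
        print(f"watch-listed font {name!r} embedded at offset {offset}")
```

Running the script on the constructed sample reports the Dexter Regular font at its byte offset and stays silent on the benign font. To use it on real mail attachments, feed it the raw .doc bytes, or each extracted member of an OOXML zip, and treat a hit as a reason to detonate or quarantine the file rather than as proof of exploitation.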
