Hackers may have spent years crafting Duqu
Gang customized attack files for each target, says Kaspersky Lab
Computerworld - The hacker group behind Duqu may have been working on its attack code for more than four years, new analysis of the Trojan revealed Friday.
Moscow-based Kaspersky Lab published some findings today from a recent rooting through Duqu samples provided by researchers in the Sudan, saying that one driver included with the attack payload was compiled in August 2007, extending the timeline of the gang's work.
"We can't be 100% sure [of that date], but all the compiled dates of other files seem to match to attacks," said Roel Schouwenberg, a senior researcher with Kaspersky, in an interview today. "So we're leaning towards that date as correct."
Schouwenberg added that the August 2007 driver was most likely created specifically for Duqu by the group responsible for the attacks, and was not an off-the-shelf file built by others, because the driver has not been spotted elsewhere.
Other researchers have found files amongst those used by Duqu that carry build dates of February 2008, but actual attacks have been tracked back only to April 2011.
That was also the month that the Sudan-provided samples indicated attacks took place against an unnamed target in that country, according to Kaspersky, which reported two separate attempts -- one on April 17, the second on April 21 -- to plant malware on Windows PCs.
The first attack failed because the email message carrying a malicious Word document was blocked by a spam filter; the second was successful.
Microsoft has confirmed that the Duqu campaign exploits a vulnerability in a Windows kernel-mode driver -- specifically "W32k.sys," and its TrueType font parsing engine -- to gain rights on the compromised PC sufficient to install the malware.
Although Microsoft has yet to patch the bug, it has urged customers to disable the font parser to protect themselves.
Kaspersky's other notable discovery was that each of the dozen Duqu attacks it knows of used a custom-created set of files compiled immediately before the malware was aimed at a target.
"The differences are pretty minor, but they are using unique files tailor-made for each operation," said Schouwenberg. "Each and every attack had its own command-and-control [C&C] server, with its location embedded in the files," he explained.
"That hints that they're very business oriented," Schouwenberg said. "They're very professional, very polished."
Although Kaspersky's newest analysis differs in some ways from that conducted by other security firms -- notably Symantec, which was the first to disclose Duqu's existence -- neither Schouwenberg or a Symantec director saw a conflict.
"Each security firm has different clients, different contacts, and with the limited sharing of samples, we may have just found the earliest [Duqu code]," said Schouwenberg.
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Cybersecurity for Dummies eBook This book provides an in-depth examination of real-world attacks and APTs, the shortcomings of legacy security solutions, the capabilities of next-generation firewalls, and...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency... All Cybercrime and Hacking White Papers | Webcasts