Security researcher says Iran to blame for its own Duqu infections
Country's refusal to share 'Stars' sample in April gave attackers half-year head start, says expert
Computerworld - An Iranian government official yesterday acknowledged that the Duqu attacks had infected computers in the country but claimed that the Trojan was "under control," according to a report by a state-run news agency.
In response, an antivirus researcher blamed Iran for giving hackers a half-year's free hand with Duqu, saying that Iran's policy of not sharing samples delayed the detection of the malware and the patching of the Windows zero-day it exploited.
On Sunday, Brigadier General Gholamreza Jalali told the official IRNA news agency that some computers in Iran had been infected with Duqu, that possible targets were being checked for infections, and that the country's specialists had crafted defenses against the Trojan.
Jalali heads Iran's Passive Defense Organization, a military unit responsible for constructing and defending the country's nuclear enrichment facilities. He is a former commander in Iran's Revolutionary Guard.
"The software to control the (Duqu) virus has been developed and made available to organizations and corporations [in Iran]," Jalali told IRNA, according to translations of the original story by Western news outlets. "The elimination (process) was carried out and the organizations penetrated by the virus are under control."
Iranian officials made similar statements last year about the Stuxnet worm, an ultra-advanced piece of malware that most analysts believe was aimed at Iran's budding nuclear program.
Some security experts, including researchers at Symantec, have said that Duqu may be a precursor to another Stuxnet -- the two share several similarities -- although the former seems designed for reconnaissance and data theft, not for an attack on physical facilities.
Moscow-based Kaspersky Lab suspects that Iran was hit with Duqu in April 2011.
"Most probably, the Iranians found a keylogger module that had been loaded onto a system ... [and] it's possible that the Iranian specialists found just the keylogger, while the main Duqu module and the dropper, including the documents that contained the then-unknown vulnerability, may have gone undetected," Kaspersky noted last Friday.
Like most malware, Duqu is composed of several pieces, including an exploit of a Windows kernel-mode driver vulnerability, a "dropper" that loads additional malicious code, a keylogger -- which harvests usernames and passwords -- and a data theft component.
The keylogger bundled with a Duqu variant that Kaspersky obtained from Sudanese researchers contained a photograph of a far-away galaxy, which may have been the genesis of Iran's naming the malware as Stars. The attack against the Sudanese target was also conducted in April 2011.
- Gartner Magic Quadrant for Client Management Tools The client management tool market is maturing and evolving to adapt to consumerization, desktop virtualization, and an ongoing need to improve efficiency.
- Audit Ready and Asset Optimized: The Solid Promise of an Intelligent Software Asset Management Solution In this paper Frost & Sullivan examines the benefits of enterprise-grade Software Asset Management solutions, and how these solutions serve as the convergence...
- Pragmatic Endpoint Management: Empowering an SMB Workforce in the Age of Mobility Lacking the time for proper training and education, SMB administrators often resort to taking shortcuts to keep their environment running.This paper discusses the...
- Gartner Magic Quadrant for Application Security The market for application security testing is changing rapidly. Technology trends, such as mobile applications, advanced Web applications and dynamic languages, are forcing...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Cybercrime and Hacking White Papers | Webcasts