Skip the navigation

Security researcher says Iran to blame for its own Duqu infections

Country's refusal to share 'Stars' sample in April gave attackers half-year head start, says expert

November 14, 2011 02:09 PM ET

Computerworld - An Iranian government official yesterday acknowledged that the Duqu attacks had infected computers in the country but claimed that the Trojan was "under control," according to a report by a state-run news agency.

In response, an antivirus researcher blamed Iran for giving hackers a half-year's free hand with Duqu, saying that Iran's policy of not sharing samples delayed the detection of the malware and the patching of the Windows zero-day it exploited.

On Sunday, Brigadier General Gholamreza Jalali told the official IRNA news agency that some computers in Iran had been infected with Duqu, that possible targets were being checked for infections, and that the country's specialists had crafted defenses against the Trojan.

Jalali heads Iran's Passive Defense Organization, a military unit responsible for constructing and defending the country's nuclear enrichment facilities. He is a former commander in Iran's Revolutionary Guard.

"The software to control the (Duqu) virus has been developed and made available to organizations and corporations [in Iran]," Jalali told IRNA, according to translations of the original story by Western news outlets. "The elimination (process) was carried out and the organizations penetrated by the virus are under control."

Iranian officials made similar statements last year about the Stuxnet worm, an ultra-advanced piece of malware that most analysts believe was aimed at Iran's budding nuclear program.

Some security experts, including researchers at Symantec, have said that Duqu may be a precursor to another Stuxnet -- the two share several similarities -- although the former seems designed for reconnaissance and data theft, not for an attack on physical facilities.

Moscow-based Kaspersky Lab suspects that Iran was hit with Duqu in April 2011.

In a recent analysis of Duqu, Kaspersky said that the "Stars" malware -- which Jalali confirmed had targeted Iranian machines in April -- was likely a part of Duqu.

"Most probably, the Iranians found a keylogger module that had been loaded onto a system ... [and] it's possible that the Iranian specialists found just the keylogger, while the main Duqu module and the dropper, including the documents that contained the then-unknown vulnerability, may have gone undetected," Kaspersky noted last Friday.

Like most malware, Duqu is composed of several pieces, including an exploit of a Windows kernel-mode driver vulnerability, a "dropper" that loads additional malicious code, a keylogger -- which harvests usernames and passwords -- and a data theft component.

The keylogger bundled with a Duqu variant that Kaspersky obtained from Sudanese researchers contained a photograph of a far-away galaxy, which may have been the genesis of Iran's naming the malware as Stars. The attack against the Sudanese target was also conducted in April 2011.



Our Commenting Policies