Skip the navigation

Duqu malware resurfaces after four-month holiday

'These guys are still working,' says security expert of gang behind Trojan aimed at Iran

March 28, 2012 04:06 PM ET

Computerworld - Duqu, the malware that has been compared to 2010's notorious Stuxnet, is back, security researchers said today.

After a several-month sabbatical, the Duqu makers recompiled one of the Trojan's components in late February, said Liam O Murchu, manager of operations at Symantec's security response team.

The system driver, which is installed by the malware's dropper agent, is responsible for decrypting the rest of the already-downloaded package, then loading those pieces into the PC's memory.

Symantec has captured a single sample of the driver, which was compiled Feb. 23, 2012. Before that, the last time the Duqu gang updated the driver was Oct. 17, 2011.

Duqu has been characterized by Symantec -- the first to extensively analyze the Trojan last year -- and others as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that sabotaged Iran's nuclear fuel enrichment program by crippling critical gas centrifuges.

O Murchu said that the functionality of the new driver was "more or less the same" as earlier versions, including the one spotted last October and another from late 2010 that later surfaced. "The functionality hasn't changed," said O Murchu.

While O Murchu was hesitant to speculate on why the hackers had returned to action or why they took a five-month break, security researchers at Moscow-based Kaspersky Lab were not as reluctant.

Alexander Gostev, who leads Kaspersky's global research and analysis team, said Tuesday that the Duqu driver was probably modified to slip past security software and Duqu-sniffing programs like the open-source Duqu Detection Toolkit.

The detection tool was created by the Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics last November. CrySys was credited with finding Duqu.

CrySys updated its Duqu toolkit two weeks ago after Symantec passed along its sample of the malware's new system driver.

According to Gostev, the Duqu system driver sample was found in Iran, where the majority of publicly-known attacks have taken place.

Duqu's Iran focus has been one reason experts have suspected it is a successor to Stuxnet. By Kaspersky's count, there have been 21 known Duqu infections, with 52% of them traced to Iranian victims.

The low number of infections is one of the biggest hurdles security researchers face when they try to piece together the Duqu puzzle.

"It's hard to tell whether they really did take several months off, and if so, why," said O Murchu of Symantec in an interview today. "It's installed on a very small number of computers, and that low, low distribution number means that they could have released more attacks between November and February, but everyone missed that. Or it could mean that they have been quiet."

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!