Duqu malware resurfaces after four-month holiday
'These guys are still working,' says security expert of gang behind Trojan aimed at Iran
Computerworld - Duqu, the malware that has been compared to 2010's notorious Stuxnet, is back, security researchers said today.
After a several-month sabbatical, the Duqu makers recompiled one of the Trojan's components in late February, said Liam O Murchu, manager of operations at Symantec's security response team.
The system driver, which is installed by the malware's dropper agent, is responsible for decrypting the rest of the already-downloaded package, then loading those pieces into the PC's memory.
Symantec has captured a single sample of the driver, which was compiled Feb. 23, 2012. Before that, the last time the Duqu gang updated the driver was Oct. 17, 2011.
Duqu has been characterized by Symantec -- the first to extensively analyze the Trojan last year -- and others as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that sabotaged Iran's nuclear fuel enrichment program by crippling critical gas centrifuges.
O Murchu said that the functionality of the new driver was "more or less the same" as earlier versions, including the one spotted last October and another from late 2010 that later surfaced. "The functionality hasn't changed," said O Murchu.
While O Murchu was hesitant to speculate on why the hackers had returned to action or why they took a five-month break, security researchers at Moscow-based Kaspersky Lab were not as reluctant.
Alexander Gostev, who leads Kaspersky's global research and analysis team, said Tuesday that the Duqu driver was probably modified to slip past security software and Duqu-sniffing programs like the open-source Duqu Detection Toolkit.
The detection tool was created by the Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics last November. CrySys was credited with finding Duqu.
CrySys updated its Duqu toolkit two weeks ago after Symantec passed along its sample of the malware's new system driver.
According to Gostev, the Duqu system driver sample was found in Iran, where the majority of publicly known attacks have taken place.
Duqu's Iran focus has been one reason experts have suspected it is a successor to Stuxnet. By Kaspersky's count, there have been 21 known Duqu infections, with 52% of them traced to Iranian victims.
The low number of infections is one of the biggest hurdles security researchers face when they try to piece together the Duqu puzzle.
"It's hard to tell whether they really did take several months off, and if so, why," said O Murchu of Symantec in an interview today. "It's installed on a very small number of computers, and that low, low distribution number means that they could have released more attacks between November and February, but everyone missed that. Or it could mean that they have been quiet."