Duqu malware resurfaces after four-month holiday
'These guys are still working,' says security expert of gang behind Trojan aimed at Iran
Computerworld - Duqu, the malware that has been compared to 2010's notorious Stuxnet, is back, security researchers said today.
After a several-month sabbatical, the Duqu makers recompiled one of the Trojan's components in late February, said Liam O Murchu, manager of operations at Symantec's security response team.
The system driver, which is installed by the malware's dropper agent, is responsible for decrypting the rest of the already-downloaded package, then loading those pieces into the PC's memory.
Symantec has captured a single sample of the driver, which was compiled Feb. 23, 2012. Before that, the last time the Duqu gang updated the driver was Oct. 17, 2011.
Duqu has been characterized by Symantec -- the first to extensively analyze the Trojan last year -- and others as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that sabotaged Iran's nuclear fuel enrichment program by crippling critical gas centrifuges.
O Murchu said that the functionality of the new driver was "more or less the same" as earlier versions, including the one spotted last October and another from late 2010 that later surfaced. "The functionality hasn't changed," said O Murchu.
While O Murchu was hesitant to speculate on why the hackers had returned to action or why they took a five-month break, security researchers at Moscow-based Kaspersky Lab were not as reluctant.
Alexander Gostev, who leads Kaspersky's global research and analysis team, said Tuesday that the Duqu driver was probably modified to slip past security software and Duqu-sniffing programs like the open-source Duqu Detection Toolkit.
The detection tool was created by the Laboratory of Cryptography and System Security (CrySys) at the Budapest University of Technology and Economics last November. CrySys was credited with finding Duqu.
CrySys updated its Duqu toolkit two weeks ago after Symantec passed along its sample of the malware's new system driver.
According to Gostev, the Duqu system driver sample was found in Iran, where the majority of publicly known attacks have taken place.
Duqu's Iran focus has been one reason experts have suspected it is a successor to Stuxnet. By Kaspersky's count, there have been 21 known Duqu infections, with 52% of them traced to Iranian victims.
The low number of infections is one of the biggest hurdles security researchers face when they try to piece together the Duqu puzzle.
"It's hard to tell whether they really did take several months off, and if so, why," said O Murchu of Symantec in an interview today. "It's installed on a very small number of computers, and that low, low distribution number means that they could have released more attacks between November and February, but everyone missed that. Or it could mean that they have been quiet."