Security researcher says Iran to blame for its own Duqu infections

Country's refusal to share 'Stars' sample in April gave attackers half-year head start, says expert

An Iranian government official yesterday acknowledged that the Duqu attacks had infected computers in the country but claimed that the Trojan was "under control," according to a report by a state-run news agency.

In response, an antivirus researcher blamed Iran for giving hackers a half-year's free hand with Duqu, saying that Iran's policy of not sharing samples delayed the detection of the malware and the patching of the Windows zero-day it exploited.

On Sunday, Brigadier General Gholamreza Jalali told the official IRNA news agency that some computers in Iran had been infected with Duqu, that possible targets were being checked for infections, and that the country's specialists had crafted defenses against the Trojan.

Jalali heads Iran's Passive Defense Organization, a military unit responsible for constructing and defending the country's nuclear enrichment facilities. He is a former commander in Iran's Revolutionary Guard.

"The software to control the (Duqu) virus has been developed and made available to organizations and corporations [in Iran]," Jalali told IRNA, according to translations of the original story by Western news outlets. "The elimination (process) was carried out and the organizations penetrated by the virus are under control."

Iranian officials made similar statements last year about the Stuxnet worm, an ultra-advanced piece of malware that most analysts believe was aimed at Iran's budding nuclear program.

Some security experts, including researchers at Symantec, have said that Duqu may be a precursor to another Stuxnet -- the two share several similarities -- although the former seems designed for reconnaissance and data theft, not for an attack on physical facilities.

Moscow-based Kaspersky Lab suspects that Iran was hit with Duqu in April 2011.

In a recent analysis of Duqu, Kaspersky said that the "Stars" malware -- which Jalali confirmed had targeted Iranian machines in April -- was likely a part of Duqu.

"Most probably, the Iranians found a keylogger module that had been loaded onto a system ... [and] it's possible that the Iranian specialists found just the keylogger, while the main Duqu module and the dropper, including the documents that contained the then-unknown vulnerability, may have gone undetected," Kaspersky noted last Friday.

Like most malware, Duqu is composed of several pieces, including an exploit of a Windows kernel-mode driver vulnerability, a "dropper" that loads additional malicious code, a keylogger -- which harvests usernames and passwords -- and a data theft component.

The keylogger bundled with a Duqu variant that Kaspersky obtained from Sudanese researchers contained a photograph of a far-away galaxy, which may have been the genesis of Iran's naming the malware as Stars. The attack against the Sudanese target was also conducted in April 2011.

"We're convinced, in at least one of these Duqu attacks, that the keylogger Iran identified as Stars was actually the same as the one included with Duqu," said Roel Schouwenberg, a senior researcher with Kaspersky, in an interview today.

Kaspersky blamed Iran for not sharing the Stars malware with other countries' security researchers, a move that delayed the detection and subsequent public disclosure of the threat.

"We can't be sure what they detected, only the keylogger or if they traced everything back to the dropper that used the Windows zero-day," said Schouwenberg. "Obviously, if they had found the Word document [used to plant the malware] and shared that, we would have detected the zero-day and presumably Microsoft would have patched that a long time ago."

Microsoft has confirmed that Duqu relies on an exploit of a yet-unpatched, or "zero-day," bug in the TrueType parsing engine tucked into the "W32k.sys" kernel-mode driver. The Redmond, Wash. company has issued instructions for a temporary defense, but has not yet patched the vulnerability.

Last April, security analysts expressed frustration that they were unable to verify Iran's claims about Stars because the country would not share samples of the malware.

Calling Iran's refusal to share the samples "not a smart move," Schouwenberg argued that it "gave attackers a half-year head start."

Even if all Iran had was Stars -- in other words, the keylogger -- sharing it would have been valuable to those who have been targeted and infected since April.

"Just having the keylogger would not have been as beneficial, but even if all we had was that, we could have created detections for the keylogger, which would have deflected some attacks," said Schouwenberg.

And given all the attention Western researchers had paid to Stuxnet, they would have dug into the keylogger in earnest, and perhaps managed to connect it with the malicious Word documents that exploited the Windows kernel bug.

"With the way it was positioned at the time by Iran, as a possible Stuxnet, it would have piqued the interest of researchers," Schouwenberg said. "There would have been a lot of reasons for people to start digging."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld.


Copyright © 2011 IDG Communications, Inc.
