Duqu Cyber Weapons Factory Still Operating

Thursday, March 29, 2012

Pierluigi Paganini

03b2ceb73723f8b53cd533e4fba898ee

(Translated from the original Italian)

We all remember the decision of the western states to prohibit the sale of anti-virus systems to Tehran, a penalty meant to thwart the development of Iran's nuclear program.

It was a predictable decision that hasn't created any problems for Iran, which seems to have developed a new antivirus program to immunize their systems against the notorious Stuxnet virus.

The security application will be distributed for free during the next next weeks, and some experts believe that some instances of the malware may still be present in the systems of the nuclear site of Natanz.

If Stuxnet seems to be beaten, actually the main concerns now are related to all the malware derived from it that have been developed using same platforms and techniques. 

Extremely important is the concept that the virus is an open project, a modular system  designed as a development platform used to assemble deadly cyber weapons in relation to their final targets.

In fact, it has been discovered that the platform behind Stuxnet - called a “Tilded Platform“ - may have been used also for the development of Duqu malware, and that it also makes possible the development of a set of reusable tools.

It's a true innovation that make the composition of ever new and enhanced agents with modules developed to fulfill specific functions against clearly defined targets.

Duqu is quite different from its relative, as it has a modular structure like Stuxnet but it isn't equipped with modules for SCADA systems attacks, it is only able to steal information from the host system. Experts suppose that a team of specialists with high technical skills has been engaged in this this innovative cyber weapons program.

The first sightings of Duqu date back to last year, when its creators tried to erase any evidence of their operations by deleting all the information on the servers used in the past years.

During the last few weeks a new instance of Duqu has been isolated in a variant designed to evade detection mechanism of antivirus products and other security systems.

Vikram Thakur, principal security response manager at Symantec, announced that the new Duqu Driver had been identified,and remeber that the driver module is used for loading the malware’s encrypted body to be stored on targeted systems. The driver is called mcd9x86.sys and it was compiled on Feb. 23.

The source code appears to be reshuffled and compiled with a different set of options, and it also contains a different subroutine for decrypting the configuration block and loading the malware’s body. A similar operation had been already observed in October 2011. Of course, the references to C&C server have been changed because all old structures were shut down on Oct. 20, 2011.

Unfortunately, the addresses of the new C&C servers are not known because the principal security firm don’t have the full Duqu body, only the loader in the form of the driver. The loader does not contact the C&C directly, it only loads the main body which is stored in encrypted form.

The fact that the new driver was found in Iran seems to confirm that behind the development of the malware there are governments interested in disturbing the nuclear program of the Iran.

According Symantec, the number of incidents related to Duqu are at least 21, most of them located in Iran. One of the main problem in the analysis of the agent is that the majority of the infected machines did not contain main Duqu modules but only the files created by these components, with names starting with “~DQ”, “~DF”, “~DO”.

The purpose of the agent was gathering information related for control systems used in different industries in Iran, and for information about trade relationships of particular organizations.

Very interesting is the list of known modifications of Duqu provided by Alexander Gostev of Kaspersky Lab:

"The following table contains information about all the components of Duqu we know about. The files marked with green are known. The files marked with red are missing; they were not found on infected machines, however, we know the names and sizes of some of the missing files indirectly."

(click image to enlarge)

As an exercise, I tried to graph the data supplied by leading teams involved in research on the Duqu malware. Does the fact that the majority of instances have been identified in Sudan and Iran suggest something? Have you still doubts about who may have developed this powerful family of cyber weapons?

(click image to enlarge)

According Gostev, the Duqu driver was probably modified to avoid detection of security software and of other applications able to discover the agent like the open-source Duqu Detection Toolkit. The tool was developed by the Laboratory of Cryptography and System Security (CrySys) in Budapest and updated just two weeks ago.

Forensic stand-alone tools such as CrySys is fundamental for the analysis of Duqu malware because it can give a precious series of data related to the infection of the targeted systems and the mode used during the attacks, like the identification of the data stolen from the computer stored in files ending in "DQ" and in "DF."

Costin Raiu, director of the global research and analysis team for Kaspersky Lab has declared:

"The toolkit released by CrySys Lab is top class... Of course, all of this can be done 'manually,' but these tools make it much easier to spot anomalies in Duqu-infected computers."

There are 7 different versions of the main Duqu module (PNF DLL) in the list set up to interact with five 1st tier C&C servers that have been shut down by Kaspersky Lab and Symantec

What is really interesting is the effort spent for encryption and obfuscation techniques that show the will of the creators of the malware to conduct an undercover operation, typicaly an advantage in the adoption of cyber weapons.

"What we expect from the future?"

The authors of Duqu are back after a 4 months of silence, and this confirms that malware such as Stuxnet and Duqu are children of an ambitious and complex project that wants to be able to provide an “evolutionary” threat. Prepare to have to deal with new modules and new features designed to attack specific targets.

In a my previous article on the topic I wrote:

"Let me raise serious doubts on the immediate effectiveness of preventive measures against this new generation of cyber weapons because the industry in general is still too vulnerable. Possible evolutions of malware could cause serious damage to infrastructures that use the systems in question. The only way to emerge unscathed from this awkward situation is a close collaboration between industry, producers of control systems and governments, hoping that security will become a requirement in the design phase."

Nothing is yet changed! In the malware development much money has been invested and the consequence of this is that the operations will continue for a long time.

New versions of the existing agents equipped with more sophisticated modules that include new features and that are also able to avoid antivirus detection will be developed. W

We will be face with the development of new malware based on these same platforms. Let us prepare for the worst... errors are not allowed!

Cross-posted from Security Affairs

Possibly Related Articles:
6917
Viruses & Malware
Information Security
SCADA virus malware Iran Cyberwar Attacks Stuxnet Cyber Offense cyber weapon DUQU Tilded
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.