Karela Fry


Duqu


Kaspersky Lab reports:

Experts at Kaspersky Lab are continuing their ongoing investigation into the new malicious program Duqu, which shares some characteristics with the infamous Stuxnet worm that targeted industrial installations in Iran. Though the ultimate objective of the creators of this new cyber threat is still unknown, what is clear already is that Duqu is a universal tool being used for carrying out targeted attacks on a limited number of objects, and one that can be modified depending on the given task.

Several characteristics of the worm were revealed in the first stage of analysis of Duqu by Kaspersky Lab specialists. First, in each discovered modification of the malicious program the drivers used to infect systems had been changed. In one instance the driver used a fake digital signature, in others – the driver wasn’t signed at all. Second, it became obvious that other elements of Duqu were likely to exist, but had yet to be found. Together, these findings allowed one to assume that the workings of this malicious program could be changed depending on the particular target being attacked.

Detection of only a very few infections (there had been just one detected at the moment of publication of the first part of the Kaspersky Lab Duqu investigation) is the one thing that distinguishes Duqu from Stuxnet among the similarities. Since discovering the first samples of the malicious program, four new instances of infection have been detected – thanks to the cloud-based Kaspersky Security Network. One of these was tracked down to a user in Sudan; the other three were located in Iran.

Symantec adds:

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

W32.Duqu is a worm that opens a back door and downloads more files on to the compromised computer. It also has rootkit functionality and may steal information from the compromised computer.

Initial analysis of this threat has shown that it is closely related to the W32.Stuxnet worm from 2010.

Reuters reported:

Indian authorities seized computer equipment from a data center in Mumbai as part of an investigation into the Duqu malicious software that some security experts warned could be the next big cyber threat.

Two workers at a web-hosting company called Web Werks told Reuters that officials from India’s Department of Information Technology last week took several hard drives and other components from a server that security firm Symantec Corp told them was communicating with computers infected with Duqu.

The equipment seized from Web Werks, a privately held company in Mumbai with about 200 employees, might hold valuable data to help investigators determine who built Duqu and how it can be used. But putting the pieces together is a long and difficult process, experts said.

“This one is challenging,” said Marty Edwards, director of the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team. “It’s a very complex piece of software.”

He declined to comment on the investigation by authorities in India, but said that his agency was working with counterparts in other countries to learn more about Duqu.

Two employees at Web Werks said officials from India’s Department of Information Technology came to their office last week to take hard drives and other parts from a server.

They said they did not know how the malware got on to Web Werks’ server. “We couldn’t track down this customer,” said one of the two employees, who did not want to be identified for fear of losing their jobs.

Written by Arhopala Bazaloides

October 29, 2011 at 3:24 am
