The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.
Duqu vs Stuxnet
| Attribute | Duqu | Stuxnet |
|---|---|---|
| Infection Methods | Unknown | USB (Universal Serial Bus) PDF (Portable Document Format) |
| Dropper Characteristics | Installs signed kernel drivers to decrypt and load DLL files | Installs signed kernel drivers to decrypt and load DLL files |
Zero-days Used | None yet identified | Four |
Command and Control | HTTP, HTTPS, Custom | HTTP |
| Self Propagation | None yet identified | P2P (Peer to Peer) using RPCs (Remote Procedure Call) Network Shares WinCC Databases (Siemens) |
| Data Exfiltration | Add-on, keystrokelogger for user and systeminfo stealing | Built-in, used for versioning and updates of the malware |
Date triggers to infect or exit | Uninstalls self after 36 days | Hard coded, must be in the following range: 19790509 => 20120624 |
Interaction with Control Systems | None | Highly sophisticated interaction with Siemens SCADA control systems |
Like Stuxnet, Duqu attacks Windows systems using a zero-day vulnerability. The installer file is aMicrosoft Word (.doc) that exploits the Win32k TrueType font parsing engine and allows execution. Duqu Malware targets one of the problems in T2EMBED.DLL, which is a TrueType font parsing engine.
How Does Duqu Spreads ?
Duqu doesn't spread on its own. In one known case, Duqu was installed by a document attachment which was delivered via an e-mail message.
What are indicators of a Duqu infection?
Duqu contains a backdoor that steals information. Infostealers need to send the stolen info back somehow. Careful infostealers try to make the transfer look innocent in case somebody is watching network traffic. Duqu hides its traffic by making it look like normal web traffic. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.
Duqu connects to a server (206.183.111.97 a.k.a. canoyragomez.rapidns.com – which used to be in India) and sends an http request. The server will respond with a blank JPG image. After which Duqu sends back a 56kB JPG file called dsc00001.jpg and appends the stolen information (encrypted with AES) to the end of the image file.Read more about the jpeg here
Duqu connects to a server (206.183.111.97 a.k.a. canoyragomez.rapidns.com – which used to be in India) and sends an http request. The server will respond with a blank JPG image. After which Duqu sends back a 56kB JPG file called dsc00001.jpg and appends the stolen information (encrypted with AES) to the end of the image file.Read more about the jpeg here
| Name | File Size | MD5 |
|---|---|---|
jminet7.sys | 24,960 bytes | 0eecd17c6c215b358b7b872b74bfd80 |
netp191.pnf | 232,448 bytes | b4ac366e24204d821376653279cbad8 |
netp192.pnf | 6,750 bytes | 94c4ef91dfcd0c53a96fdc387f9f9c3 |
cmi4432.sys | 29,568 bytes | 4541e850a228eb69fd0f0e924624b24 |
cmi4432.pnf | 192,512 bytes | 0a566b1616c8afeef214372b1a0580c |
cmi4464.pnf | 6,750 bytes | e8d6b4dadb96ddb58775e6c85b10b6c |
<unknown> (sometimes referred to as keylogger.exe) | 85,504 bytes | 9749d38ae9b9ddd81b50aad679ee87e |
nfred965.sy | 24,960 bytes | c9a31ea148232b201fe7cb7db5c75f5 |
nred961.sys | unknown | f60968908f03372d586e71d87fe795c |
adpu321.sy | 24,960 bytes | 3d83b077d32c422d6c7016b5083b9fc |
iaStor451.sys | 24,960 bytes | bdb562994724a35a1ec5b9e85b8e054f |
(The byproducts in the Table have been collected from multiple Duqu variants and would not be present on a single infected computer.)
The name “Duqu” was assigned to this malware because the keylogger program creates temporary files that begin with the prefix “~DQ”. A computer infected with Duqu may have files beginning with “~DQ” in Windows temporary directories.
No comments:
Post a Comment