DuQu, pronounced dyü-kyü, is the successor of Stuxnet, which we studied in Comp 527 class. DuQu is fresh: it was reported to Symantec on October 14th 2011. It is named after the prefix of the files it creates, “~DQ”. DuQu is a highly specialized Trojan capable of gathering intelligence data and assets from entities such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The malware samples were gathered by an undisclosed research lab with strong international connections.
DuQu is structurally identical to Stuxnet, but its intentions are different. In the manifestations investigated so far, DuQu is intended to do reconnaissance and deliver a malicious payload, but it is not intended to harm any systems.
DuQu is similar to Stuxnet in the following aspects:
- Masquerades as legitimate code using a driver file signed with a valid digital certificate.
- The digital certificate belongs to a company in Taiwan.
- Hides components in memory rather than on disk, to avoid detection by anti-virus.
- Kernel-driver-based rootkit.
- Uses encrypted configuration files.
- Injects DLLs into running processes.
- Uses an RPC communication channel.
It is suspected that the authors of DuQu are the same as those of Stuxnet, or that at least some of them were very closely involved in Stuxnet and had access to its source code.
DuQu is different from Stuxnet in the following aspects:
- Stuxnet primarily used a zero-day vulnerability that allowed it to spread to systems via an infected USB stick, but no such data is known about DuQu.
- The DuQu code does not self-replicate in order to spread itself.
- Unlike Stuxnet, DuQu does not contain any destructive payload to damage hardware. DuQu is instead very likely a precursor to a Stuxnet-style attack, designed to conduct reconnaissance on an unknown industrial control system and gather intelligence that can later be used to conduct a targeted attack.
- Stuxnet was 500 KB, but DuQu is 300 KB.
- DuQu uses a custom protocol to communicate between an infected system and a command-and-control server to steal data from an infected machine and load new components onto it.
- DuQu disguises its malicious communication by appending encrypted data to a 100 x 100 pixel JPEG file.
- It is not targeted at any particular industrial control system or any particular region, but has been found in scattered locations in Europe.
- DuQu has a key logger module, which was not seen in Stuxnet. The attackers have used DuQu to install another information stealer that could record keystrokes and gain other system information.
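The JPEG trick above is easy to check for on the defensive side: a JPEG ends at its End-Of-Image marker (0xFFD9), and image viewers ignore whatever follows it. The parser below is an added example, not Symantec's analysis code or anything from DuQu itself; the sample JPEG and the appended blob are constructed inline so it runs offline.

```python
"""Flag JPEG files that carry extra bytes after the End-Of-Image marker."""
import struct

SOS, EOI = 0xDA, 0xD9  # Start-Of-Scan and End-Of-Image marker ids


def trailing_data_after_eoi(data: bytes) -> bytes:
    """Return the bytes that follow the first JPEG EOI marker (b'' if none).

    Walks the marker segments (0xFF, id, big-endian length); after each SOS
    it skips entropy-coded data, where 0xFF00 is a stuffed byte and
    0xFFD0..0xFFD7 are restart markers, not segment boundaries.
    Raises ValueError on a malformed or truncated file.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return data[pos + 2:]
        if pos + 4 > len(data):
            raise ValueError("truncated marker segment")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == SOS:
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break  # a real marker ends the scan data
                pos += 1
    raise ValueError("EOI marker not found")


def build_minimal_jpeg(scan_bytes: bytes) -> bytes:
    """Constructed, structurally minimal JPEG: SOI, APP0 (JFIF), one SOS, EOI."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"  # one component, spectral range 0..63
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", len(sos_hdr) + 2) + sos_hdr + scan_bytes
            + b"\xff\xd9")


if __name__ == "__main__":
    # Scan data deliberately contains a stuffed 0xFF00 and a restart marker 0xFFD0.
    clean = build_minimal_jpeg(b"\x12\xff\x00\x34\xff\xd0\x56")
    suspicious = clean + b"CONSTRUCTED-ENCRYPTED-BLOB"  # placeholder, not real DuQu data
    print("clean trailing bytes:", len(trailing_data_after_eoi(clean)))
    print("suspicious trailing bytes:", len(trailing_data_after_eoi(suspicious)))
```

Run over a directory of images from a suspect host, any file with a non-empty result deserves a closer look, since legitimate encoders leave nothing after EOI.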
Based on the timestamps of the binary files, it is inferred that DuQu could have been in the wild for at least one year now. Symantec has investigated at least two variants of DuQu. The data does not show any particular geographical target for DuQu.
In summary, Stuxnet-style attacks are changing from a one-off thing to something more widespread. The threat of infecting industrial control systems attached to some form of computer is becoming more practical. An industry with malign intentions can attack its competitor industries. Especially richer industries can wipe out their small competitors! Moreover, industries, even the sophisticated ones, are unlikely to be security hardened enough to handle this threat immediately.
Symantec has published technical details here.
Credits: Symantec, ZdNet.com, wired.com