Duqu: The Next Stuxnet?
Reports of the recently discovered Duqu trojan have spawned much speculation and even resulted in the trojan being dubbed “the son of Stuxnet” or “Stuxnet 2.0.”
So what is Duqu and how does it compare to Stuxnet?
Duqu is an infostealer trojan designed to sniff out sensitive data and send it to remote attackers. Conversely, Stuxnet was a worm with a malicious payload designed to programmatically alter industrial control systems.
I’ve heard Duqu called Stuxnet 2.0. Why is that?
According to analysis performed by F-Secure, code in the kernel driver used by Duqu (jminet7.sys) is very similar to the code used by Stuxnet in mrxcls.sys. The Duqu kernel driver also uses a stolen certificate, issued in Taiwan to a company named C-Media Electronics. Interestingly, the stolen certificate product name still displays as JMicron. Stuxnet also used stolen certificates issued in the same region of Taiwan – and one of those was a stolen certificate issued to JMicron.
Source code for Stuxnet is not known to be “in the wild.” Absent public source code, the most plausible explanation for the coding similarities is that the author(s) of Stuxnet and Duqu are the same.
When was Duqu discovered?
The first reports of Duqu were from an independent research lab on October 14, 2011. Since that initial discovery, Symantec has reported a sample found in their submission database dates back to September 1, 2011. Additionally, Symantec’s analysis of file compilation times suggests Duqu variants may date back to December 2010.
After initial discovery, a second variant was discovered in the wild on October 17, 2011.
Why is the malware named Duqu?
On infected systems, Duqu leaves behind .tmp files that begin with ~DQ.
What exploits does Duqu use and how does it spread?
Known variants of Duqu do not contain any exploits; likewise, Duqu is a trojan and is not self-propagating. Conversely, Stuxnet employed a very sophisticated system of self-propagation, including the use of the following exploits, four of which were zero-days at the time of discovery:
- Windows Shell .LNK Vulnerability (MS10-046)
- Print Spooler Vulnerability (MS10-061)
- RPC Handling Vulnerability (MS08-067)
- Windows Task Scheduler Vulnerability (MS10-092)
- Win32k.sys Keyboard Layout Vulnerability (MS10-071)
Is Duqu widespread?
Duqu appears to be part of a targeted attack designed to gain intelligence on sensitive systems. Targeted attacks, by nature, are not widespread. Thus far, Duqu has been detected at only a small number of companies, mainly in Europe.
How can I tell if a computer has been infected with Duqu?
For specific symptoms related to known variants of Duqu, please refer to Cisco IntelliShield alert 24425.