W32.Duqu, the precursor to the next Stuxnet

From Botnets.fr
Revision as of 16:23, 7 February 2015 by Eric.freyssinet (talk | contribs) (1 revision imported)
Jump to navigation Jump to search

(Publication) Google search: [1]

W32.Duqu, the precursor to the next Stuxnet
Duquvariants-Symantec.png
Botnet Duqu
Malware Duqu (bot)
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2011 /
Editor/Conference Symantec
Link http://www.symantec.com/content/en/us/enterprise/media/security response/whitepapers/w32 duqu the precursor to the next stuxnet.pdf www.symantec.com (www.symantec.com Archive copy)
Author Collectif
Type

Abstract

On October 14, 2011, we were alerted to a sample by the Laboratory of Cryptography and System Security (CrySyS) at Budapest University of Technology and Economics. The threat appeared very similar to the Stuxnet worm from June of 2010. CrySyS named the threat Duqu [dyü-kyü] because it creates files with the file name prefix “~DQ”. The research lab provided their detailed initial report to us, which we have added as an appendix. The threat was recovered by CrySyS from an organization based in Europe and has since been found in numerous countries. We have confirmed W32.Duqu is a threat nearly identical to Stuxnet, but with a completely different purpose. Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or those that have access to the Stuxnet source code, and the recovered samples have been created after the last-discovered version of Stuxnet. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party. The attackers are looking for information

such as design documents that could help them mount a future attack on various industries, including industrial control system facilities. Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat has been highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants. In one case, the attackers used a specifically targeted email with a Microsoft Word document. The Word document contained a currently undisclosed 0-day kernel exploit that was able to install Duqu. It is unknown whether the attackers used the same methodology and the same 0-day in all other cases. More information regarding the 0-day will be released when the issue has been patched. The attackers used Duqu to install another infostealer that can record keystrokes and collect other system information. The attackers were searching for information assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available on all cases.

Two variants were initially recovered and, in reviewing our archive of submissions, the first recording of an attack occurred in early April 2011. However, based on file-compilation times, attacks using these variants may have been conducted as early as November 2010. Additional variants were created as recently as October 17, 2011 and new payload modules downloaded October 18, 2011. Thus, at the time of discovery, the attackers were still active.

At the time of writing, Duqu infections have been confirmed in eight countries, and unconfirmed reports exist in an additional 4 countries. Duqu consists of a driver file, a DLL (that contains many embedded files), and a configuration file. These files must be installed by another executable—the installer. The installer registers the driver file as a service so it starts at system initialization. The driver then injects the main DLL into services.exe. From here, the main DLL begins extracting other components and these components are injected into other processes. This process injection hides Duqu’s activities and may allow certain behaviors to bypass some security products.

One of the variant’s driver files was signed with a valid digital code signing certificate that expires on August 2, 2012. The digital code signing certificate was issued to a company headquartered in Taipei, Taiwan and was revoked on October 14, 2011. We believe the private keys used to generate the certificate were stolen from the company. Having a legitimate certificate allows Duqu to bypass default restrictions on unknown drivers and common security policies.

Duqu uses HTTP and HTTPS to communicate with a command and control (C&C) server. Duqu also has proxyaware routines, but these do not appear to be used by default. Each attack used one or more different C&C servers. Currently known C&C servers include 206.183.111.97 hosted in India,77.241.93.160 hosted in Belgium, and 123.30.137.117 hosted in Vietnam. All of these IPs are inactive. The C&C servers were configured to simply forward all port 80 and 443 traffic to other servers. These servers may have forwarded traffic to further servers, making identification and recovery of the actual C&C server difficult. The traffic-forwarding C&C servers were scrubbed on October 20, 2011, so limited information was recovered. Even if the servers were not scrubbed, little actionable information would likely have been found due to their limited purpose of simply forwarding traffic. Through the command and control server, the attackers were able to download additional executables, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information. The information is logged to a lightly encrypted and compressed local file, and then must be exfiltrated out. In addition to this infostealer, three more DLLs were pushed out by the C&C server on October 18.

The threat uses a custom command and control protocol, primarily downloading or uploading what appear to be .jpg files. However, in addition to transferring dummy .jpg files, additional encrypted data is appended to the .jpg file for exfiltration, and likewise received. The use of the .jpg flies is simply to obfuscate network transmissions.The threat does not self-replicate, but based on forensic analysis of compromised computers, the threat was instructed, likely using the C&C server, to replicate through network shares to additional computers on the network.


A non-default configuration file was created for those infections, instructing the threat to not use the external C&C server, but instead use a peer-to-peer C&C model. In these cases, the newly compromised computer is instructed to communicate with the infecting computer, which proxies all the C&C traffic back to the external C&C server. Using a peer-to-peer C&C model allows the threat to access computers that may not be connected directly to the external Internet and also avoid the detection of potentially suspicious external traffic from multiple computers. Finally, the threat is configured to run for 30 days by default. After 30 days, the threat will automatically remove itself from the system. However, Duqu has downloaded additional components that can extend the number of days. Thus, if the attackers are discovered and they lose the ability to control compromised computers (for example, if the C&C servers are shutdown), the infections will eventually automatically remove themselves, preventing possible discovery. Duqu shares a great deal of code with Stuxnet; however, the payload is completely different. Instead of a payload designed to sabotage an industrial control system, it has been replaced with general remote access capabilities. The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries. The attackers intend to use this capability to gather intelligence from a private entity that may aid future attacks on a third party.

Also, reports of a similar threat in April, 2011, known as “Stars” by Iranian officials, may in fact be Duqu. While suspected, no similar precursor files have been recovered that date prior to the Stuxnet attacks. CrySys, the original research lab that discovered this threat, has also allowed us to include their detailed initial report, which you can find as an appendix.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2011BFR933,
   editor = {Symantec},
   author = {Collectif},
   title = {W32.Duqu, the precursor to the next Stuxnet},
   date = {28},
   month = Apr,
   year = {2011},
   howpublished = {\url{http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf www.symantec.com}},
 }

Retrieved from "https://www.botnets.fr/index.php?title=W32.Duqu,_the_precursor_to_the_next_Stuxnet&oldid=2069"