Lucian Constantin
CSO Senior Writer

Duqu incidents detected in Iran and Sudan

news
Oct 26, 2011

Researchers say that each infection is unique and that the malware can update itself and change C&C servers at any time

Security vendor Kaspersky Lab has identified infections with the new Duqu malware in Sudan and, more importantly, Iran, the main target of the Trojan’s predecessor, Stuxnet.

Duqu took the security industry by storm last week when the Hungarian research laboratory Crysys shared its analysis of the new threat with the world’s top antivirus vendors.


Believed to be closely related to the Stuxnet industrial sabotage worm, from which it borrows code and functionality, Duqu is a flexible malware delivery framework used for data exfiltration.

The main Trojan module has three components: A kernel driver, which injects a rogue library (DLL) into system processes; the DLL itself, which handles communication with the C&C (command-and-control) server and other system operations, such as writing registry entries or executing files; and a configuration file.

The secondary module is a keylogger with information-stealing capabilities, which was discovered together with the original Duqu version. It’s not known with certainty when the malware appeared in the wild, but the first sample was submitted to the VirusTotal service on Sept. 9 from someone in Hungary.

Since then Kaspersky Lab has identified multiple variants, some of which were created on Oct. 17, and were found on computers in Sudan and Iran. “We know that there are at least 13 different driver files (and we have only six of them),” the Kaspersky researchers said.

Each of the four incidents detected in Iran is interesting in its own way, aside from the fact that they occurred in a country widely believed to have been Stuxnet’s primary target.

One incident involved two infected computers located on the same network, with one containing two separate Duqu drivers. In a separate case, the network where the infected computers resided recently registered two attacks that targeted a vulnerability exploited by both Stuxnet and the Conficker worm.

It’s worth pointing out that researchers still don’t know how Duqu reaches the targeted systems, so these network attacks might serve as an indication of how the infection happens.

“Duqu is used for targeted attacks with carefully selected victims,” Kaspersky’s researchers said. However, so far there is no indication that any of the victims are linked to Iran’s nuclear program, like in Stuxnet’s case; CAs (Certificate Authorities), like in other Iranian attacks; or even specific industries, as suggested by other reports.

Another interesting discovery is that each Duqu infection is unique and results in components with different names and checksums. “Analysis of driver igdkmd16b.sys shows that there is a new encryption key, which means that existing detection methods of known PNF files (main DLL) are useless. It is obvious that the DLL is differently encoded in every single attack,” the antivirus vendor’s researchers said.
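The practical consequence of a per-attack encryption key is worth seeing concretely: a hash indicator taken from the encoded on-disk PNF file of one incident never matches the PNF from another, even though the decoded module inside is the same. The following is an added illustration written for this article, not Kaspersky's or Duqu's code; it uses a constructed placeholder module, a toy repeating-key XOR as a stand-in for whatever scheme Duqu actually uses, and hypothetical keys that, in a real case, would have to be recovered from the driver or configuration file that does the decoding.

```python
import hashlib

# Constructed stand-in for the "main DLL" module body. Not real Duqu code.
PLAINTEXT_MODULE = b"MZ\x90\x00" + b"constructed-module-body-" * 16


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Toy per-victim encoding: repeating-key XOR.

    This is an assumption made for illustration only; it is not Duqu's
    actual encryption scheme. XOR is symmetric, so the same function decodes.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_infection(key: bytes) -> dict:
    """Model one infection: the encoded PNF as it would sit on disk, plus its hash."""
    on_disk = xor_encode(PLAINTEXT_MODULE, key)
    return {"key": key, "on_disk": on_disk, "on_disk_sha256": sha256_hex(on_disk)}


def hash_ioc_matches(ioc_hashes: set, sample: dict) -> bool:
    """Static detection: compare the on-disk file hash against a list of known hashes."""
    return sample["on_disk_sha256"] in ioc_hashes


def decoded_module_matches(known_plain_sha256: str, sample: dict, key: bytes) -> bool:
    """Detection after decoding with the key recovered from the driver (hypothetical).

    Equivalently, this is what an in-memory scan sees once the driver has
    injected the decoded DLL into a process.
    """
    return sha256_hex(xor_encode(sample["on_disk"], key)) == known_plain_sha256


def compare_detection_strategies() -> dict:
    """Derive an IOC from a first incident, then test it against a second incident."""
    first = build_infection(b"hypothetical-key-incident-1")
    second = build_infection(b"hypothetical-key-incident-2")

    # Hash IOC built from the first incident's encoded file.
    on_disk_iocs = {first["on_disk_sha256"]}
    # Hash of the decoded module, which is the same across incidents.
    decoded_ioc = sha256_hex(PLAINTEXT_MODULE)

    return {
        "on_disk_hashes_differ": first["on_disk_sha256"] != second["on_disk_sha256"],
        "on_disk_ioc_hits_second": hash_ioc_matches(on_disk_iocs, second),
        "decoded_ioc_hits_second": decoded_module_matches(decoded_ioc, second, second["key"]),
    }


if __name__ == "__main__":
    for name, value in compare_detection_strategies().items():
        print(f"{name}: {value}")
```

The on-disk hashes of the two modelled infections differ, so the IOC derived from the first one misses the second, while a check against the decoded module still hits. That is the gap the researchers point to: signatures keyed to known encoded PNF files are of no use once the key changes, and detection has to move to the decoded content, the injected process memory, or the driver's behaviour.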

Because Duqu’s architecture is very flexible, it can update itself, change C&C servers, and install other components at any time. In fact, Kaspersky didn’t find the original keylogger module on any of the infected systems in Sudan or Iran, meaning that it was either encoded differently or replaced with another one.

“We cannot rule out that the known C&C in India was used only in the first known incident […] and that there are unique C&Cs for every single target, including targets found by us,” Kaspersky’s researchers also noted.

They also believe that the people behind Duqu are reacting to the situation and are not going to stop. As the hunt for new information continues, we’ll likely see more developments in the days to come.

Lucian Constantin

Lucian Constantin writes about information security, privacy, and data protection for CSO. Before joining CSO in 2019, Lucian was a freelance writer for VICE Motherboard, Security Boulevard, Forbes, and The New Stack. Earlier in his career, he was an information security correspondent for the IDG News Service and Information security news editor for Softpedia.

Before he became a journalist, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. He lives and works in Romania.

You can reach him at lucian_constantin@foundryco.com or @lconstantin on X. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
