Security researchers find that some Duqu Trojan components date back to 2007 and Iran may have seen an early variant months ago, but didn't share the information with the global security research community.
team behind the Duqu Trojan may have been working on the Trojan for at least
four years, according to the latest analysis of the sophisticated malware.
Lab researchers have identified the overall methods used by the authors of the
Duqu Trojan and an approximate timeline of the attack, Alexander
Gostev, chief security expert at Kaspersky Lab, wrote on the Securelist
blog. The analysis was based on samples provided by the Computer Emergency
Response Team - Sudan that were used in at least three attacks against
unidentified targets in the country.
managed to not only locate all the previously undiscovered files of this
variant of Duqu, but also to find both the source of the infection and the file
dropper" containing the exploit targeting a zero-day vulnerability in the
Windows kernel, Gostev said.
an analysis of an attack against an unidentified Sudanese company, Gostev said the
initial attack vector was a targeted email from an individual requesting a
joint business venture. The recipient was asked to open a Microsoft Word
attachment that contained the company's name in the title.
sample provided to Kaspersky Lab by Sudanese researchers was used in at least
two separate attempts, the first on April 17 and the second on April 21. The
first attack was successfully blocked by a spam filter, he said.
said the gang behind Duqu created a separate attack file and used a different
control server for each victim. It happened at least 12 times, according to
the victim opened the malicious Word document, which used the font Dexter
Regular, the malware exploited a zero-day vulnerability in the Truetype font to
become active. However, it did nothing until it detected there had been no
keyboard or mouse activity for 10 minutes, at which time it loaded a driver
onto the system, according to Gostev. The driver would then install additional
modules to infect other computers, collect information and capture keystrokes.
analysis suggests the "authors of Duqu must have been working on this
project for over four years," the report said.
officials said Nov. 13 that Duqu was the "third virus" to hit Iran,
after Stuxnet and a keylogger virus that was discovered in April. The
keylogger, dubbed Stars, was most likely the keylogger module for Duqu,
according to Gostev. At the time Iran did not share the samples of the Stars
virus with the greater security community, which "was a serious
mistake," and likely gave the attackers an extra six months to fine-tune
the malware, he said.
specialists said some of its systems had been infected with Duqu but said the
infection was under control, according to Iran's official news agency, IRNA.
The country's cyber-defense unit has developed software to control the virus
and made it available to organizations and corporations, IRNA quoted Brigadier
General Gholamreza Jalali, the head of Passive Defense Organization.
the organizations and centers that could be susceptible to being contaminated
are being controlled," Jalali said. Iran said the same thing last year
after discovering the Stuxnet worm. Despite claiming to have the worm under
control, later reports showed that the country had struggled to remove the
infection and wound up removing uranium centrifuges from its Natanz nuclear
facility that were damaged as a result of the Stuxnet infection.
organizations and users concerned they may be infected, researchers at the
Laboratory of Cryptography and System Security (CrySyS) at Hungary's Budapest
University of Technology and Economics released a free downloadable toolkit for
tool is designed to look for suspicious files and certain known indicators of
Duqu. However, since the gang appear to be specifically targeting industrial
control systems manufacturers, other organizations may not need to worry about
Duqu beyond making sure their antivirus tools are up-to-date with the latest