Duqu Damage Will Continue in Unforeseen Ways

By Wayne Rash  |  Posted 2011-11-02


The Duqu worm, which Symantec calls the precursor to the next Stuxnet, has some unique features, including the ability to remove itself from a system if it loses touch with its command and control computer. It's also designed to communicate through a peer-to-peer command and control system as a way to help avoid detection. This and the ability to remove itself in 30 days or so are highly sophisticated features in what is certainly not your average piece of malware.

Now that both of the known command and control computers have been taken offline, it's not clear what will happen with Duqu. It may be that the peer-to-peer feature will eventually lead its reporting network to a new command and control computer, and it's also possible that Duqu has already accomplished what it was designed to do and will simply be allowed to quietly remove itself.

Clearly, the Duqu worm was the second shot in a war that's quietly raging in the world's networks. While we don't know who is waging the war, it's clear that these attacks are coming from somewhere that has the technology to create and now modify an extremely capable attack.

The Duqu worm's installer is concealed in a Word file. That installer can perform its basic functions and then wait for the chance to transmit the information it's gathered. However, unlike Stuxnet, it needs access to the outside world, both to reach its command and control computers and, eventually, to transmit the intelligence it has gathered.

What's also clear is that a Duqu infection can be prevented, despite its zero-day exploit. The installer is a Word document that has to come from somewhere, perhaps attached in an email, and perhaps stored on a USB memory stick. As I explained in an earlier column, all it takes is a little training to teach employees not to open strange attachments and you'll defeat it.

Meanwhile, this worm is circulating all over some parts of the world, creating collateral damage along the way. Unlike a weapon that is controlled by someone responsible for the effects when it fires, this weapon, like Stuxnet that preceded it, is simply sent out with the hope that it'll find its target and produce the required results. It's unclear whether this has happened. What is clear is that this weapon has caused plenty of other damage in the process.

Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.
