Indian government officials seized the hard drives of a suspected command and control server at a Mumbai Web hosting company as researchers continued their analysis of the Duqu Trojan.
Government officials in India seized equipment from a Web hosting
company in Mumbai after Symantec said the server was communicating with
Duqu-infected machines, Reuters reported.
Officials from India's Department of Information Technology
seized hard drives and other components from the server suspected of
being part of the Duqu Trojan's
command and control infrastructure, two workers at Mumbai's Web Werks
told Reuters Oct. 28. Symantec first publicized the malware earlier
this month and security experts have identified infected systems in
parts of Europe, United States, Iran and Sudan.
Originally considered a follow-up to the dangerous Stuxnet
worm which infected industrial control systems and set back Iran's
nuclear program by damaging uranium concentration centrifuges,
researchers remain unclear about the Duqu Trojan's intended purpose.
Only a handful of infections have been found thus far,
making it difficult to identify the target or purpose. The equipment
seized from Web Werks may hold valuable data to help investigators
determine who built Duqu and why, according to Reuters.
"This one is challenging," Marty Edwards, director of the
United States Department of Homeland Security's Industrial Control
Systems Cyber Emergency Response Team, told Reuters. "It's a very
complex piece of software," he said, adding that the agency was working
with counterparts in other countries to uncover more information.
The anonymous Web Werks employees were unable to identify the
customer who was using the server or explain how Duqu got into the data
Symantec researchers raised the alarm regarding Duqu earlier
this month because of the code similarities with Stuxnet. Duqu appears
to be primarily designed for reconnaissance and doesn't seem to have
the destructive capabilities that Stuxnet has. Symantec speculated it
was looking for intellectual property to steal from companies that
could be used on future attacks against critical infrastructure such as
power plants, oil refineries and pipelines. The code similarities were
an indicator that the same team behind Stuxnet had a hand in Duqu's
development, according to Symantec.
Dell SecureWorks' Counter Threat Unit
found many of the common elements between Stuxnet and Duqu that had
been "observed in other unrelated threats," the research team wrote in
their analysis. The kernel drivers that load encrypted DLL (Dynamic
Load Library) files and built-in encryption and stealth capabilities,
such as rootkits, were in both Duqu and Stuxnet, but weren't unique to
the two pieces of malware, Dell SecureWorks said.
While Stuxnet and Duqu had variants where the kernel driver file was digitally signed using a software signing certificate
from Taiwanese company JMicron, that was not proof that there was a
link between the two because "compromised signing certificates can be
obtained from a number of sources," the team said.
All of the similarities between Duqu and Stuxnet are in the
kernel driver's "injection" capabilities and while it's possible the
code share a common source, the evidence linking the two is
"circumstantial at best and insufficient to form a direct
relationship," according to Dell SecureWorks.
BitDefender's Bogdan Botezatu
had noted that the Stuxnet code had been reverse engineered and was
publicly available for other developers to use as a foundation for
Since Duqu doesn't appear to target any specific sector or
vendor, Dell SecureWorks also downplayed the risk of Duqu as an
advanced persistent threat (APT). "While Duqu does provide capabilities
used by other tools observed in APT-related intrusions, an assessment
of the particular threat requires knowledge of the adversary, targeted
organization and assets and the scope of attacks," the team wrote.