Indian Authorities Seize Suspected Duqu CandC Server

Government officials in India seized equipment from a Web hosting company in Mumbai after Symantec said the server was communicating with Duqu-infected machines, Reuters reported.

Officials from India's Department of Information Technology seized hard drives and other components from the server suspected of being part of the Duqu Trojan's command and control infrastructure, two workers at Mumbai's Web Werks told Reuters Oct. 28. Symantec first publicized the malware earlier this month and security experts have identified infected systems in parts of Europe, United States, Iran and Sudan.

Originally considered a follow-up to the dangerous Stuxnet worm which infected industrial control systems and set back Iran's nuclear program by damaging uranium concentration centrifuges, researchers remain unclear about the Duqu Trojan's intended purpose.

Only a handful of infections have been found thus far, making it difficult to identify the target or purpose. The equipment seized from Web Werks may hold valuable data to help investigators determine who built Duqu and why, according to Reuters.

"This one is challenging," Marty Edwards, director of the United States Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, told Reuters. "It's a very complex piece of software," he said, adding that the agency was working with counterparts in other countries to uncover more information.

The anonymous Web Werks employees were unable to identify the customer who was using the server or explain how Duqu got into the data center.

Symantec researchers raised the alarm regarding Duqu earlier this month because of the code similarities with Stuxnet. Duqu appears to be primarily designed for reconnaissance and doesn't seem to have the destructive capabilities that Stuxnet has. Symantec speculated it was looking for intellectual property to steal from companies that could be used on future attacks against critical infrastructure such as power plants, oil refineries and pipelines. The code similarities were an indicator that the same team behind Stuxnet had a hand in Duqu's development, according to Symantec.

Dell SecureWorks' Counter Threat Unit found many of the common elements between Stuxnet and Duqu that had been "observed in other unrelated threats," the research team wrote in their analysis. The kernel drivers that load encrypted DLL (Dynamic Load Library) files and built-in encryption and stealth capabilities, such as rootkits, were in both Duqu and Stuxnet, but weren't unique to the two pieces of malware, Dell SecureWorks said.

While Stuxnet and Duqu had variants where the kernel driver file was digitally signed using a software signing certificate from Taiwanese company JMicron, that was not proof that there was a link between the two because "compromised signing certificates can be obtained from a number of sources," the team said.

All of the similarities between Duqu and Stuxnet are in the kernel driver's "injection" capabilities and while it's possible the code share a common source, the evidence linking the two is "circumstantial at best and insufficient to form a direct relationship," according to Dell SecureWorks.

BitDefender's Bogdan Botezatu had noted that the Stuxnet code had been reverse engineered and was publicly available for other developers to use as a foundation for other malware.

Since Duqu doesn't appear to target any specific sector or vendor, Dell SecureWorks also downplayed the risk of Duqu as an advanced persistent threat (APT). "While Duqu does provide capabilities used by other tools observed in APT-related intrusions, an assessment of the particular threat requires knowledge of the adversary, targeted organization and assets and the scope of attacks," the team wrote.