Duqu Gang Working on Trojan for Years: Kaspersky

The team behind the Duqu Trojan may have been working on the Trojan for at least four years, according to the latest analysis of the sophisticated malware.

Kaspersky Lab researchers have identified the overall methods used by the authors of the Duqu Trojan and an approximate timeline of the attack, Alexander Gostev, chief security expert at Kaspersky Lab, wrote on the Securelist blog. The analysis was based on samples provided by the Computer Emergency Response Team – Sudan that were used in at least three attacks against unidentified targets in the country.

“We managed to not only locate all the previously undiscovered files of this variant of Duqu, but also to find both the source of the infection and the file dropper” containing the exploit targeting a zero-day vulnerability in the Windows kernel, Gostev said.

In an analysis of an attack against an unidentified Sudanese company, Gostev said the initial attack vector was a targeted email from an individual requesting a joint business venture. The recipient was asked to open a Microsoft Word attachment that contained the company’s name in the title.

The sample provided to Kaspersky Lab by Sudanese researchers was used in at least two separate attempts, the first on April 17 and the second on April 21. The first attack was successfully blocked by a spam filter, he said.

Gostev said the gang behind Duqu created a separate attack file and used a different control server for each victim. It happened at least 12 times, according to Gostev.

When the victim opened the malicious Word document, which used the font Dexter Regular, the malware exploited a zero-day vulnerability in the Truetype font to become active. However, it did nothing until it detected there had been no keyboard or mouse activity for 10 minutes, at which time it loaded a driver onto the system, according to Gostev. The driver would then install additional modules to infect other computers, collect information and capture keystrokes.

The analysis suggests the “authors of Duqu must have been working on this project for over four years,” the report said.

Iranian officials said Nov. 13 that Duqu was the “third virus” to hit Iran, after Stuxnet and a keylogger virus that was discovered in April. The keylogger, dubbed Stars, was most likely the keylogger module for Duqu, according to Gostev. At the time Iran did not share the samples of the Stars virus with the greater security community, which “was a serious mistake,” and likely gave the attackers an extra six months to fine-tune the malware, he said.

Iranian specialists said some of its systems had been infected with Duqu but said the infection was under control, according to Iran’s official news agency, IRNA. The country’s cyber-defense unit has developed software to control the virus and made it available to organizations and corporations, IRNA quoted Brigadier General Gholamreza Jalali, the head of Passive Defense Organization.

“All the organizations and centers that could be susceptible to being contaminated are being controlled,” Jalali said. Iran said the same thing last year after discovering the Stuxnet worm. Despite claiming to have the worm under control, later reports showed that the country had struggled to remove the infection and wound up removing uranium centrifuges from its Natanz nuclear facility that were damaged as a result of the Stuxnet infection.

For organizations and users concerned they may be infected, researchers at the Laboratory of Cryptography and System Security (CrySyS) at Hungary’s Budapest University of Technology and Economics released a free downloadable toolkit for detecting Duqu.

The tool is designed to look for suspicious files and certain known indicators of Duqu. However, since the gang appear to be specifically targeting industrial control systems manufacturers, other organizations may not need to worry about Duqu beyond making sure their antivirus tools are up-to-date with the latest definitions.