New Duqu Version Discovered in Wild by Symantec

The discovery of new coding of the Stuxnet-related Trojan comes a day after Kaspersky researchers and others crack mystery code in Duqu.

The Duqu worm, the close cousin to the Stuxnet worm that was first discovered in September 2011, is back in the wild with some new coding that Symantec security officials say indicates the attackers behind the Trojan horse program are still at work.

That discovery comes just as researchers from Kaspersky Lab and elsewhere said they€™d finally identified mysterious code in Duqu that Kaspersky had discovered only weeks earlier. The Duqu worm reportedly had been in relative dormancy for the past five months or so, but now appears to be active once again.

According to researchers, Duqu appears to be closely related to Stuxnet, a Trojan apparently designed specifically to attack Iran€™s nuclear facilities and equipment. Many believe that either the United States, Israel or both were behind the Stuxnet worm, hoping to slow or cripple Iran€™s controversial nuclear ambitions.

The Duqu software appears to have been designed and created using the same tools as the ones behind Stuxnet. However, there are some differences from Stuxnet. Where Stuxnet was designed to attack Iran€™s facilities with hopes of hobbling them or shutting them down, Duqu appears to be aimed at stealing data, such as authentication certificates.

The Trojan has been found in a number of countries, including Iran, Sudan, France, Switzerland and India. Thanks to researchers at both Symantec and Kaspersky, the command and control servers were discovered and shut down in October 2011.

Researchers on March 19 announced that they had finally cracked Duqu€™s mystery code. Kaspersky Lab researchers earlier this month asked for help in identifying particular unknown code that controlled the Trojan€™s command and control function. Kaspersky got responses from researchers around the world, and a week later, Kaspersky Lab said the mystery had been solved.

In a blog post on the Kaspersky-run Threat Post site, blogger Paul Roberts wrote that the €œlanguage identifying the mystery language as €˜C€™ source code compiled with Microsoft Visual Studio 2008 and special options for optimizing code size and inline expansion. The code was also written with a customized extension for combining object-oriented programming with C, generally referred to as €˜OO C.€™€

A day later, Symantec researchers announced that they had discovered a variant of the Duqu worm after receiving a small component of the overall attack code. In a blog post March 20, the researchers said they had received a file that turned out to be the loader file that loads the rest of the Duqu malware when the computer restarts. The rest of the threat is stored encrypted on disk, the Symantec researchers said.

The researchers said the compile date on the Duqu component is Feb. 23, signifying that the new version of the Trojan has not been out very long. In addition, they said, the creators had changed some of the coding in Duqu to help it get around some security product detections. A key change to the code was in the encryption algorithm the creators used to encrypt the other components that are on the disk, Symantec said.

Other changes include the fact that while the old driver file was signed with a stolen certificate, the new version wasn€™t.

€œAlso the version information is different in this new version compared to the previous version we have seen,€ the researchers wrote. €œIn this case, the Duqu file is pretending to be a Microsoft Class driver.€

The evidence shows that Duqu isn€™t going away, they said.

€œAlthough we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active,€ the Symantec researchers said. €œWithout the other components of the attack, it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.€