|Home||Switchboard||Unix Administration||Red Hat||TCP/IP Networks||Neoliberalism||Toxic Managers|
May the source be with you, but remember the KISS principle ;-)
Skepticism and critical thinking is not panacea, but can help to understand the world better
Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013
Contents : Foreword : Ch01 : Ch02 : Ch03 : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13
Chapter 11: Data Stealing Trojans
This is info from Wikipedia (Duqu - Wikipedia, the free encyclopedia)
As with the earlier version of Duqu found in September by Hungary's CrySyS lab, the Kaspersky variant used a "dropper" — a separate piece of malware to burrow into PCs via a font embedded in a Word document. (The Windows vulnerability, which had not previously been known of, has not yet been patched, but there is a workaround.)
Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS Lab) of the Budapest University of Technology and Economics in Hungary discovered the threat, analysed the malware, and wrote a 60-page report naming the threat Duqu.
Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.
The term Duqu is used in a variety of ways:
- Duqu malware is a variety of software components that together provide services to the attackers. Currently this includes information stealing capabilities and in the background, kernel drivers and injection tools. Part of this malware is written in unknown high level programming language, dubbed "Duqu framework". It is not C++, Python, Ada, Lua and many other checked languages. However, recent evidence suggests that Duqu may have been written in Object Oriented C (OO C) and compiled in Microsoft Visual Studio 2008.
- Duqu flaw is the flaw in Microsoft Windows that is used in malicious files to execute malware components of Duqu. Currently one flaw is known, a TTF related problem in win32k.sys.
- Operation Duqu is the process of only using Duqu for unknown goals. The operation might be related to Operation Stuxnet.
Relationship to Stuxnet
Symantec, based on the CrySyS report, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix.
Symantec believes that Duqu was created by the same authors as Stuxnet, or that the authors had access to the source code of Stuxnet. The worm, like Stuxnet, has a valid, but abused digital signature, and collects information to prepare for future attacks.
Mikko Hyppönen, Chief Research Officer for F-Secure, said that Duqu's kernel driver, JMINET7.SYS, was so similar to Stuxnet's MRXCLS.SYS that F-Secure's back-end system thought it was Stuxnet. Hyppönen further said that the key used to make Duqu's own digital signature (only observed in one case) was stolen from C-Media, located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011 according to Symantec.
Another source, Dell SecureWorks, reports that Duqu may not be related to Stuxnet. However, there is considerable and growing evidence that Duqu is closely related to Stuxnet.
Experts compared the similarities and found three of interest:
- The installer exploits zero-day Windows kernel vulnerabilities.
- Components are signed with stolen digital keys.
- Duqu and Stuxnet are both highly targeted and related to the nuclear program of Iran.
Microsoft Word zero-day exploit
Like Stuxnet, Duqu attacks Microsoft Windows systems using a zero-day vulnerability. The first-known installer (AKA dropper) file recovered and disclosed by CrySyS Lab uses a Microsoft Word (.doc) that exploits the Win32k TrueType font parsing engine and allows execution. The Duqu dropper relates to font embedding, and thus relates to the workaround to restrict access to T2EMBED.DLL, which is a TrueType font parsing engine if the patch released by Microsoft in December, 2011 is not yet installed.
Microsoft identifier for the threat is MS11-087 (first advisory issued on 13 November 2011).
Duqu looks for information that could be useful in attacking industrial control systems. Its purpose is not to be destructive, the known components are trying to gather information. However, based on the modular structure of Duqu, special payload could be used to attack any type of computer systems by any means and thus cyber-physical attacks based on Duqu might be possible.
However, use on personal computer systems has been found to delete all recent information entered on the system, and in some cases total deletion of the computer's hard drive. Internal communications of Duqu are analysed by Symantec , but the actual and exact method how it replicates inside an attacked network is not yet fully known. According to McAfee, one of Duqu's actions is to steal digital certificates (and corresponding private keys, as used in public-key cryptography) from attacked computers to help future viruses appear as secure software. Duqu uses a 54×54 pixel jpeg file and encrypted dummy files as containers to smuggle data to its command and control center. Security experts are still analyzing the code to determine what information the communications contain. Initial research indicates that the original malware sample automatically removes itself after 36 days (the malware stores this setting in configuration files), which would limit its detection.
Key points are:
- Executables developed after Stuxnet using the Stuxnet source code that have been discovered.
- The executables are designed to capture information such as keystrokes and system information.
- Current analysis shows no code related to industrial control systems, exploits, or self-replication.
- The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
- The exfiltrated data may be used to enable a future Stuxnet-like attack or might already have been used as basis for the Stuxnet attack.
Command and control servers
Some of the command and control servers of Duqu have been analysed. It seems that the people running the attack had a predilection for CentOS 5.x servers, leading some researchers to believe that they had a zero-day exploit for it. Servers are scattered in many different countries, including Germany, Belgium, Philippines, India and China. Kaspersky published multiple blogposts on the command and control servers.
11/11/2011 | NBC News
Security analysts have found more mysterious but fascinating details in the Duqu Trojan, the so-called "son of Stuxnet" discovered just two months ago.
Moscow's Kaspersky Lab got hold of a different variant of Duqu than the original, and found that the Trojan's creators not only may have been working on Duqu since 2007, but seem to have a sense of humor as well.
According to Kaspersky's Alexander Gostev, the Duqu infection vector is customized for each target, and its code contains a joking reference to "Dexter," the long-running Showtime TV series about a morally ambiguous serial killer.
Kaspersky analyzed a spear-phishing email directed at an undisclosed company, which was attacked by Duqu twice in mid-April of this year but did not realize what hit it until recently.
As with the earlier version of Duqu found in September by Hungary's CrySyS lab, the Kaspersky variant used a "dropper" - a separate piece of malware to burrow into PCs via a font embedded in a Word document. (The Windows vulnerability, which had not previously been known of, has not yet been patched, but there is a workaround.)
The fictitious font is named "Dexter Regular." Buried in the dropper code is the text string, "Copyright 2003 Showtime Inc. All rights reserved. Dexter Regular version 1.00. Dexter is a registered trademark of Showtime Inc." ("Dexter" actually was first broadcast in 2006. None of this implies that Showtime is behind the Duqu Trojan.)
The next step in the Duqu infection pattern is to load a driver into the Windows kernel. Kaspersky found that its driver was compiled in August 2007, while the one found by Crysys was dated March 2008.
"If this information is correct, then the authors of Duqu must have been working on this project for over four years!" Gostev wrote.
If that's true, then Duqu, dubbed the "son of Stuxnet " because of its startling similarity to the military-grade worm that infected and disrupted Iranian nuclear facilities in 2010, may actually be the father of the more famous bug.
There's another Iranian connection as well, according to Gostev. The April attacks on the unnamed company took place just before Iran announced that it had been attacked by a second piece of malware, which Iranian researchers called the "Stars" worm.
Unfortunately, Iran never shared samples of the Stars worm, which led some in the West to suspect it was mere propaganda from the Islamic Republic. (Samples of Stuxnet were distributed worldwide because an Iranian security researcher emailed a copy to a former colleague in the Ukraine.)
But Gostev thinks the Iranians might have found Duqu without realizing it.
"Most probably, the Iranians found a keylogger module that had been loaded onto a system," he wrote. "It's possible that the Iranian specialists found just the keylogger, while the main Duqu module and the dropper (including the documents that contained the then-unknown vulnerability) may have gone undetected."
Perhaps most ominously, there are enough differences among the known variants of Duqu to lead Gostev to suspect that the Trojan's creators are carefully tailoring the malware package for each specific target as needed, if the compilation dates on the main Trojan component are accurate.
"This fact shows that the authors build a separate set of files for each specific victim, and do so right before the attack," Gostev wrote.
Such fine-tuning would make Duqu and its creators more sophisticated and persistent that the so-called "advanced persistent threat" attacks - widely assumed to be coming from China - that have penetrated Western companies over the past few years.
In those cases, spear-phishing emails also provide the infection vector, but the installed malware does not vary from one target to the next.
Trojan:Win32/Duqu.B is a detection for malicious code that has been injected into running processes, such as "lsass.exe", by Trojan:Win32/Duqu.A.
InstallationTrojan:Win32/Duqu.B is injected into running processes, such as "lsass.exe", by Trojan:Win32/Duqu.A. This trojan could create a new instance of the default web browser, as defined by this registry subkey:
The newly launched browser has the same privilege as the Windows shell "explorer.exe" and the trojan may inject additional payload code into the process, detected as Trojan:Win32/Duqu.C.
Trojan:Win32/Duqu.B may launch new instances of the following processes and inject payload code into the process:
Additional InformationFor more information about Trojan:Win32/Duqu.C, see the description elsewhere in the encyclopedia.
Analysis by Shawn Wang
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info|
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: March, 12, 2019