Wednesday, October 19, 2011
DuQu: a new APT Malware (from StuxNet authors?)
Symantec, McAfee and F-Secure released information about what appears to be a new WarWare (info-warfare level malware), which they named "DuQu" (since it creates many files whose names begin with ~DQ). This time, the attack may have been exposed at an early stage.
DuQu is a Trojan RAT (Remote Administration Tool), in the same category as Gh0st RAT and BlackShades RAT, but apparently more advanced.
A few more reports on it: Pedro Bueno at ISC diary, Kim Zetter at Wired,
From Symantec's report:
Duqu shares a great deal of code with Stuxnet; however, the payload is completely different.
... Duqu's purpose is to gather intelligence data and assets from entities, such as industrial control system manufacturers, in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility...
Two variants were recovered, ...based on file compile times, attacks using these variants may have been conducted as early as December 2010.
One of the variant’s driver files was signed with a valid digital certificate that expires August 2, 2012. The digital certificate belongs to a company headquartered in Taipei, Taiwan. The certificate was revoked on October 14, 2011.
Duqu uses HTTP and HTTPS to communicate with a command-and-control (C&C) server that at the time of writing is still operational. The attackers were able to download additional executables through the C&C server, including an infostealer that can perform actions such as enumerating the network, recording keystrokes, and gathering system information.