Kaspersky Reveals Duqu Origins, Claims Iran Knew

Iran’s version of events of how it successfully ‘controlled’ a recent Duqu worm attack are starting to look a little thin after security researchers said the country may have known about it for months but did not share the information with the global security research community.

Kaspersky Lab researchers said that the team behind the Duqu Trojan may have been working on it for at least four years, according to the latest analysis of the sophisticated malware.

Sudan Link

Kaspersky Lab researchers have identified the overall methods used by the authors of the Duqu Trojan and an approximate timeline of the attack, Alexander Gostev, chief security expert at Kaspersky Lab, wrote on the Securelist blog. The analysis was based on samples provided by the Computer Emergency Response Team. The samples were from the African country of Sudan that were used in at least three attacks against unidentified targets in that country.

“We managed to not only locate all the previously undiscovered files of this variant of Duqu, but also to find both the source of the infection and the file dropper” containing the exploit targeting a zero-day vulnerability in the Windows kernel, Gostev said.

In an analysis of an attack against an unidentified Sudanese company, Gostev said the initial attack vector was a targeted email from an individual requesting a joint business venture. The recipient was asked to open a Microsoft Word attachment that contained the company’s name in the title.

The sample provided to Kaspersky Lab by Sudanese researchers was used in at least two separate attempts, the first on 17 April and the second on 21 April. The first attack was successfully blocked by a spam filter, he said.

Gostev said the gang behind Duqu created a separate attack file and used a different control server for each victim. It happened at least 12 times, according to Gostev.

When the victim opened the malicious Word document, which used the font Dexter Regular, the malware exploited a zero-day vulnerability in the Truetype font to become active. However, it did nothing until it detected there had been no keyboard or mouse activity for 10 minutes, at which time it loaded a driver onto the system, according to Gostev. The driver would then install additional modules to infect other computers, collect information and capture keystrokes.

The analysis suggests the “authors of Duqu must have been working on this project for over four years,” the report said.

Iranian officials said 13 November that Duqu was the “third virus” to hit Iran, after Stuxnet and a keylogger virus that was discovered in April. The keylogger, dubbed Stars, was most likely the keylogger module for Duqu, according to Gostev.

At the time Iran did not share the samples of the Stars virus with the greater security community, which “was a serious mistake,” and likely gave the attackers an extra six months to fine-tune the malware, he said.

Duqu Detection

Iranian specialists said some of its systems had been infected with Duqu but said the infection was under control, according to Iran’s official news agency, IRNA. The country’s cyber-defense unit has developed software to control the virus and made it available to organisations and corporations, IRNA quoted Brigadier General Gholamreza Jalali, the head of Passive Defense Organisation.

For organisations and users concerned they may be infected, researchers at the Laboratory of Cryptography and System Security (CrySyS) at Hungary’s Budapest University of Technology and Economics released a free downloadable toolkit for detecting Duqu.

The tool is designed to look for suspicious files and certain known indicators of Duqu. However, since the gang appear to be specifically targeting industrial control systems manufacturers, other organisations may not need to worry about Duqu beyond making sure their antivirus tools are up-to-date with the latest definitions.