Symantec Warns Of New Duqu Variant In Wild

The Duqu worm, which is widely believed to be a close cousin to the Stuxnet worm, could still be active after a new version was found in the wild.

According to Symantec security officials, the new coding indicates the attackers behind the Trojan horse program are still at work.

Mystery Code

That discovery comes just as researchers from Kaspersky Lab and elsewhere said they’d finally identified mysterious code in Duqu that Kaspersky had discovered only weeks earlier. The Duqu worm reportedly had been in relative dormancy for the past five months or so, but now appears to be active once again.

According to researchers, Duqu appears to be closely related to Stuxnet, a Trojan apparently designed specifically to attack Iran’s nuclear facilities and equipment. Many believe that either the United States, Israel, or both were behind the Stuxnet worm, hoping to slow or cripple Iran’s controversial nuclear ambitions.

The Duqu software appears to have been designed and created using the same tools as the ones behind Stuxnet. However, there are some differences from Stuxnet. Where Stuxnet was designed to attack Iran’s facilities with hopes of hobbling them or shutting them down, Duqu appears to be aimed at stealing data, such as authentication certificates.

The Trojan has been found in a number of countries, including Iran, Sudan, France, Switzerland and India. Thanks to researchers at both Symantec and Kaspersky, the command and control servers were discovered and shut down in October 2011.

Researchers on March 19 announced that they had finally cracked Duqu’s mystery code. Kaspersky Lab researchers earlier this month asked for help in identifying particular unknown code that controlled the Trojan’s command and control function. Kaspersky got responses from researchers around the world, and a week later, Kaspersky Lab said the mystery had been solved.

In a blog post on the Kaspersky-run Threat Post site, blogger Paul Roberts wrote that the “language identifying the mystery language as ‘C’ source code compiled with Microsoft Visual Studio 2008 and special options for optimizing code size and inline expansion. The code was also written with a customized extension for combining object-oriented programming with C, generally referred to as ‘OO C.’”

New Variant

A day later, Symantec researchers announced that they had discovered a variant of the Duqu worm after receiving a small component of the overall attack code. In a blog post 20 March, the researchers said they had received a file that turned out to be the loader file that loads the rest of the Duqu malware when the computer restarts. The rest of the threat is stored encrypted on disk, the Symantec researchers said.

The researchers said the compile date on the Duqu component is 23 February, signifying that the new version of the Trojan has not been out very long. In addition, they said, the creators had changed some of the coding in Duqu to help it get around some security product detections. A key change to the code was in the encryption algorithm the creators used to encrypt the other components that are on the disk, Symantec said.

Other changes include the fact that while the old driver file was signed with a stolen certificate, the new version wasn’t.

“Also the version information is different in this new version compared to the previous version we have seen,” the researchers wrote. “In this case, the Duqu file is pretending to be a Microsoft Class driver.”

The evidence shows that Duqu isn’t going away, they said.

“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active,” the Symantec researchers said. “Without the other components of the attack, it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”

How well do you know Internet security? Try our quiz and find out!