Categories: SecurityWorkspace

Symantec Warns Of New Duqu Variant In Wild

The Duqu worm, which is widely believed to be a close cousin to the Stuxnet worm, could still be active after a new version was found in the wild.

According to Symantec security officials, the new coding indicates the attackers behind the Trojan horse program are still at work.

Mystery Code

That discovery comes just as researchers from Kaspersky Lab and elsewhere said they’d finally identified mysterious code in Duqu that Kaspersky had discovered only weeks earlier. The Duqu worm reportedly had been in relative dormancy for the past five months or so, but now appears to be active once again.

According to researchers, Duqu appears to be closely related to Stuxnet, a Trojan apparently designed specifically to attack Iran’s nuclear facilities and equipment. Many believe that either the United States, Israel, or both were behind the Stuxnet worm, hoping to slow or cripple Iran’s controversial nuclear ambitions.

The Duqu software appears to have been designed and created using the same tools as the ones behind Stuxnet. However, there are some differences from Stuxnet. Where Stuxnet was designed to attack Iran’s facilities with hopes of hobbling them or shutting them down, Duqu appears to be aimed at stealing data, such as authentication certificates.

The Trojan has been found in a number of countries, including Iran, Sudan, France, Switzerland and India. Thanks to researchers at both Symantec and Kaspersky, the command and control servers were discovered and shut down in October 2011.

Researchers on March 19 announced that they had finally cracked Duqu’s mystery code. Kaspersky Lab researchers earlier this month asked for help in identifying particular unknown code that controlled the Trojan’s command and control function. Kaspersky got responses from researchers around the world, and a week later, Kaspersky Lab said the mystery had been solved.

In a blog post on the Kaspersky-run Threat Post site, blogger Paul Roberts wrote that the “language identifying the mystery language as ‘C’ source code compiled with Microsoft Visual Studio 2008 and special options for optimizing code size and inline expansion. The code was also written with a customized extension for combining object-oriented programming with C, generally referred to as ‘OO C.’”

New Variant

A day later, Symantec researchers announced that they had discovered a variant of the Duqu worm after receiving a small component of the overall attack code. In a blog post 20 March, the researchers said they had received a file that turned out to be the loader file that loads the rest of the Duqu malware when the computer restarts. The rest of the threat is stored encrypted on disk, the Symantec researchers said.

The researchers said the compile date on the Duqu component is 23 February, signifying that the new version of the Trojan has not been out very long. In addition, they said, the creators had changed some of the coding in Duqu to help it get around some security product detections. A key change to the code was in the encryption algorithm the creators used to encrypt the other components that are on the disk, Symantec said.

Other changes include the fact that while the old driver file was signed with a stolen certificate, the new version wasn’t.

“Also the version information is different in this new version compared to the previous version we have seen,” the researchers wrote. “In this case, the Duqu file is pretending to be a Microsoft Class driver.”

The evidence shows that Duqu isn’t going away, they said.

“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active,” the Symantec researchers said. “Without the other components of the attack, it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”

How well do you know Internet security? Try our quiz and find out!

Jeffrey Burt

Jeffrey Burt is a senior editor for eWEEK and contributor to TechWeekEurope

Recent Posts

Reddit Introduces AI Search Tool

AI-powered Reddit Answers allows users to access information based on Reddit posts, in move to…

10 hours ago

Former OpenAI Researcher Raises $40m For AI Voice Start-Up

Former co-developer of voice mode for OpenAI's ChatGPT launches WaveForms AI to make AI voice…

10 hours ago

OpenAI Releases Sora Video-Generation Tool

OpenAI releases Sora AI video-generation tool to ChatGPT Plus and Pro subscription users amidst concern…

11 hours ago

Tesla To Use Human Back-Up Drivers For Cybercab Fleet

Tesla to initially use human back-up controllers for company-owned robotaxi fleet at launch next year,…

11 hours ago

China Opens Nvidia Antitrust Probe After US Sanctions

Chinese government opens antitrust probe into Nvidia's $7bn acquisition of Mellanox, in move seen as…

12 hours ago

Google Announces Quantum Chip Error ‘Breakthrough’

Google Willow quantum chip makes significant improvements in error correction, moving quantum computing closer to…

12 hours ago