1: Duqu?
The infection created files with "DQ" in their names, hence the name "Duqu".
2: What is Duqu?
Unlike Stuxnet, which carried a payload for SCADA/PLC systems and 0-day exploits to deliver the infection, Duqu shares the Stuxnet codebase but contains no SCADA/PLC-related code. A C&C server was incorporated into the Stuxnet code as an added feature. The mode of delivery is still unknown, but the malware steals keystrokes, network share passwords and much more, as listed below:
a: List of running processes, account details and domain information
b: Drive names and information, including those of shared drives
c: Take a screenshot
d: Network information (interfaces, routing tables, share list, etc.)
e: Keylogger
f: Window enumeration
g: Share enumeration
h: File exploration on all drives, including removable drives
i: Enumerate computers on the domain through NetServerEnum
3: Who wrote Duqu?
Given the similarities with the Stuxnet codebase, it is either the handiwork of the Stuxnet authors or of someone with access to Stuxnet's source code. The SCADA/PLC-related code is missing from Duqu, which is, as of this moment, a huge relief.
4: How does it spread?
Researchers have found infections but have been unable to lay their hands on the dropper application, which is responsible for delivering the secondary payload, i.e. the infection itself.
Since the developers of Duqu have invested a lot of time in it, the probable sources are phishing mails, USB drives and network shares. Which of the available methods was used to drop the binaries will define the exact purpose and intention of the authors.
Attack vector mapping – a few examples:
Network shares and USB – targeted attack.
Spear phishing – email with attachments – targeted attack.
Drive-by downloads – mass attacks, mostly deployment of botnets or stealing personal information.
SQLi – injecting JS into multiple sites – exploit, download and execute to infect – botnets or stealing personal information.
In this scenario, according to the primary research paper, certain European organizations were targeted, and the code was very similar to Stuxnet. It would not surprise us at eScan if these targeted companies were in any way related to Siemens, and if the mode of delivery was a spear-phishing email. Most AVs have now disabled autorun on USB drives, which effectively means the probability of USB-based propagation decreases drastically.
5: Why use the code of Stuxnet to steal information when lots of info-stealing malware, source code included, is readily available?
From a software developer's point of view, it is easier to modify an existing codebase to suit new requirements than to incorporate those changes into a different codebase.
This attack also serves as a learning experience for the authors of Duqu, allowing them to:
1: Gauge the AV detection rates for the present code and incorporate changes in the codebase vis-à-vis AV evasion techniques.
2: Assess the IT preparedness of these organizations.
3: Fine-tune the delivery mechanism.
This attack would also have aided the authors of Duqu in procuring more certificates for code signing or other nefarious purposes.
6: If Duqu is considered an extension of Stuxnet, will there be a Duqu Deux?
Duqu was designed with a lifespan of 36 days, after which it is supposed to remove itself from the system. This supports our belief that we should expect another wave of attacks in the near future, based on the information that has been stolen, and it could be more devastating than Stuxnet.
If Stuxnet was rumoured to have been designed to bring down Iran's nuclear programme, most Duqu researchers are still wondering who will be next.
This was a reconnaissance attack intended to steal system and network information and, most probably, the latest developments of the infected organizations. It is not yet known how much information reached its intended recipient.
Researchers do not even know whether any digital certificates were stolen. In the past we have seen DigiNotar and Comodo being hacked and fake certificates generated. In the case of Stuxnet and Duqu, we have seen valid certificates used to sign the code.
Hence, we at eScan expect Duqu Deux in the near future; it may not target these organizations themselves, but the products developed by them might be at risk.
From Duqu Deux, we at eScan expect in the near future:
1: AV-evasion encoding.
2: More stolen certificates will be revealed.
3: PLC attack or no PLC attack – only time will tell.
4: Due to the C&C, the payload and target may vary with the circumstances.
7: Is there any specific reason for the 36-day limit?
There is no reason we can think of, but it surely has to do with conducting the recce of the systems, networks and AV detection; or maybe they were inspired by the lyrics of "36 Days" by Hawk Nelson.
“Now I’ll sing with all this is within me
After thirty-six days on the road”
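As a defender, the two facts above that are immediately actionable are the file-name prefix that gave Duqu its name (question 1) and the 36-day window after which the implant removes itself (questions 6 and 7): an artifact that is older than the window, or a drop directory where the files have already vanished, tells you the reconnaissance phase is probably over. The script below is an added hunting example written for this post; it is not eScan's code or any analysis tool's output. It assumes the artifact prefix is `~DQ` (the tilde-prefixed temp-file form reported in public analyses; the post itself only says "DQ"), walks a directory tree for matching files, and reports each one's age against the 36-day lifespan. The sample tree it builds is constructed on the fly and contains no real malware.

```python
import os
import tempfile
import time
from pathlib import Path

DQ_PREFIX = "~DQ"   # assumed artifact prefix (public analyses); the post says "DQ"
LIFESPAN_DAYS = 36  # self-removal window described in the post


def find_dq_artifacts(root, now=None):
    """Walk `root` and return a record for each file whose name starts with ~DQ.

    Each record carries the path, size, age in days (from mtime) and whether
    the file still falls inside the 36-day window in which the implant is active.
    The prefix match is case-insensitive so that ~dq... variants are not missed.
    """
    now = time.time() if now is None else now
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if not name.upper().startswith(DQ_PREFIX):
                continue
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:  # file vanished mid-walk (the implant deletes its own files)
                continue
            age_days = (now - st.st_mtime) / 86400.0
            hits.append({
                "path": str(path),
                "name": name,
                "size": st.st_size,
                "age_days": round(age_days, 1),
                "within_lifespan": age_days <= LIFESPAN_DAYS,
            })
    return sorted(hits, key=lambda h: h["name"])


def demo():
    """Build a constructed %TEMP%-like sample tree and run the hunt over it.

    Returns the list of hit records. Every file here is a placeholder written
    by this script; none of it is real malware output.
    """
    base = tempfile.mkdtemp(prefix="dq_hunt_")
    now = time.time()
    samples = {
        "~DQ1a2b3c.tmp": 5,    # matching prefix, 5 days old: still inside the window
        "~dq9f8e7d.tmp": 40,   # matching prefix, older than the 36-day window
        "report.docx": 1,      # unrelated file, must not be flagged
        "sub/~DQcafe.tmp": 2,  # match in a subdirectory
    }
    for rel, days_old in samples.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample, not malware")
        mtime = now - days_old * 86400
        os.utime(p, (mtime, mtime))  # back-date so the age check is exercised
    return find_dq_artifacts(base, now=now)


if __name__ == "__main__":
    for hit in demo():
        state = "ACTIVE" if hit["within_lifespan"] else "expired"
        print(f"{state:8} {hit['age_days']:>6.1f}d  {hit['path']}")
```

Point `find_dq_artifacts` at the user and system temp directories on a suspect host; an "expired" hit is still worth keeping as evidence, since the post's premise is that the stolen data has already left by the time the implant cleans up.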
8: Any other weird things researchers have come across, or conspiracy theories?
Malware authors have a strange way of inserting their motives or identity. One author inserted his car's number plate, while the writers of the Brain virus inserted their address. In the case of Duqu, researchers found part of a JPEG file originally from NASA's Hubble imagery section, portraying the merger of galaxies, i.e. two galaxies colliding.
If we let our imagination run wild, maybe they want to tell the whole world that Duqu is the by-product of a merger of two different entities or ideologies?
The story continues... We will be following Duqu to its logical conclusion.
[Update]
Indian authorities seized computer equipment related to Duqu from a data center in Mumbai (Economic Times, Oct 29 2011).
This is good news but raises just one question: who was late? Were the Indian authorities late in pulling down the server and confiscating the hard drives, or was the news leaked late?
If the news was leaked late, no harm done. But if the Indian authorities were late in taking effective action, they may be in for a huge surprise, and luck may play a large part in their analysis of Duqu, for the simple reason that, by now, everyone knows Duqu came with an expiry date for uninstalling itself from the infected system. If the Indian authorities did their job well before the expiry date, more news and information is sure to follow.
[UPDATE]
The dropper for Duqu has been found; it exploits a 0-day in the Windows kernel. The dropper itself is a Word document which, when opened, executes and installs Duqu.
So how does a user receive a Word file? Copy it from a USB drive, download it from a web server, or via spear phishing. The first two options are out of the question, which leaves a spear-phishing mail as the only viable option.
One more puzzle is left to be answered, and that is the C&C: most probably a web-server vulnerability that allows file inclusion or file upload.