
New variant of Duqu detected


A new version of the complex malware Duqu has been detected.

According to Kaspersky Lab, despite efforts by the authors of Duqu and Stuxnet to eliminate all traces of their activity in October last year, a new ‘in-the-wild’ driver was detected this week, with similar traits to Duqu.

Symantec announced the detection last week. It said it had recovered only one component of Duqu; however, that component is the file used to load the rest of the threat (stored encrypted on disk) when the computer restarts.

Symantec said the compile date on the new Duqu component was 23 February 2012 and the code shows enough change to evade some security product detections, although this appears to have been only partially successful. Previous unique versions of Duqu were released in November 2010 and October 2011.

“Another difference is that the old driver file was signed with a stolen certificate, and this one is not. Also the version information is different in this new version compared with the previous version we have seen. In this case, the Duqu file is pretending to be a Microsoft Class driver,” it said.

“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active. Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”

Kaspersky Lab noted that this is a return after a four-month break and that coding changes have been designed to evade detection by anti-virus programs and tools such as the CrySyS Duqu Toolkit.

It said information collected by Kaspersky and Symantec suggested there had been 21 incidents related to Duqu, with more than one modification of Duqu per incident.

Alex Gostev, chief security expert at Kaspersky Lab, said: “When you invest as much money as was invested in Duqu and Stuxnet, it's impossible to simply shut down the operation. Instead, you do what cyber criminals have learned to do through long experience – change the code to evade detection and carry on as usual.

“With a total of fewer than 50 victims around the world, Duqu remains one of the most mysterious Trojans ever spotted in the wild. Its focus on Iran indicates a persistent attacker with a strong, clear agenda. Its complexity and multiple layers of encryption and obfuscation indicate how important it is for the project to remain under the radar. It can be assumed that future developments will focus on this direction.”
