
New variant of Duqu detected


A new version of the complex malware Duqu has been detected.

According to Kaspersky Lab, despite efforts by the authors of Duqu and Stuxnet to eliminate all traces of their activity in October last year, a new ‘in-the-wild’ driver was detected this week, with similar traits to Duqu.

Symantec announced the detection last week, saying it had recovered only one component of Duqu; however, this was the file used to load the rest of the threat (stored encrypted on disk) when the computer restarts.

Symantec said the compile date on the new Duqu component was 23 February 2012 and the code shows enough change to evade some security product detections, although this appears to have been only partially successful. Previous unique versions of Duqu were released in November 2010 and October 2011.

“Another difference is that the old driver file was signed with a stolen certificate, and this one is not. Also the version information is different in this new version compared with the previous version we have seen. In this case, the Duqu file is pretending to be a Microsoft Class driver,” it said.

“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active. Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”

Kaspersky Lab noted that this is a return after a four-month break and that coding changes have been designed to evade detection by anti-virus programs and tools such as the CrySyS Duqu Toolkit.

It said information collected by Kaspersky and Symantec suggested there had been 21 incidents related to Duqu, with more than one modification of Duqu per incident.

Alex Gostev, chief security expert at Kaspersky Lab, said: “When you invest as much money as was invested in Duqu and Stuxnet, it's impossible to simply shut down the operation. Instead, you do what cyber criminals have learned to do through long experience – change the code to evade detection and carry on as usual.

“With a total of fewer than 50 victims around the world, Duqu remains one of the most mysterious Trojans ever spotted in the wild. Its focus on Iran indicates a persistent attacker with a strong, clear agenda. Its complexity and multiple layers of encryption and obfuscation indicate how important it is for the project to remain under the radar. It can be assumed that future developments will focus on this direction.”
