
New variant of Duqu detected


A new version of the complex malware Duqu has been detected.

According to Kaspersky Lab, despite efforts by the authors of Duqu and Stuxnet to eliminate all traces of their activity in October last year, a new 'in-the-wild' driver was detected this week, with similar traits to Duqu.

Symantec announced the detection last week, saying it had found only one component of Duqu; however, this was the file used to load the rest of the threat (stored encrypted on disk) when the computer restarts.

Symantec said the compile date on the new Duqu component was 23 February 2012 and the code shows enough change to evade some security product detections, although this appears to have been only partially successful. Previous unique versions of Duqu were released in November 2010 and October 2011.

“Another difference is that the old driver file was signed with a stolen certificate, and this one is not. Also the version information is different in this new version compared with the previous version we have seen. In this case, the Duqu file is pretending to be a Microsoft Class driver,” it said.

“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active. Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”

Kaspersky Lab noted that this is a return after a four-month break and that coding changes have been designed to evade detection by anti-virus programs and tools such as the CrySyS Duqu Toolkit.

It said information collected by Kaspersky and Symantec suggested there had been 21 incidents related to Duqu, with more than one modification of Duqu per incident.

Alex Gostev, chief security expert at Kaspersky Lab, said: “When you invest as much money as was invested in Duqu and Stuxnet, it's impossible to simply shut down the operation. Instead, you do what cyber criminals have learned to do through long experience – change the code to evade detection and carry on as usual.

“With a total of fewer than 50 victims around the world, Duqu remains one of the most mysterious Trojans ever spotted in the wild. Its focus on Iran indicates a persistent attacker with a strong, clear agenda. Its complexity and multiple layers of encryption and obfuscation indicate how important it is for the project to remain under the radar. It can be assumed that future developments will focus on this direction.”
