
New variant of Duqu detected


A new version of the complex malware Duqu has been detected.

According to Kaspersky Lab, despite efforts by the authors of Duqu and Stuxnet to eliminate all traces of their activity in October last year, a new ‘in-the-wild’ driver was detected this week, with similar traits to Duqu.

Symantec announced the detection last week and said it had obtained only one component of Duqu; however, this was the driver used to load the rest of the threat (stored encrypted on disk) when the computer restarts.

Symantec said the compile date on the new Duqu component was 23 February 2012 and the code shows enough change to evade some security product detections, although this appears to have been only partially successful. Previous unique versions of Duqu were released in November 2010 and October 2011.

“Another difference is that the old driver file was signed with a stolen certificate, and this one is not. Also the version information is different in this new version compared with the previous version we have seen. In this case, the Duqu file is pretending to be a Microsoft Class driver,” it said.

“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active. Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”

Kaspersky Lab noted that this is a return after a four-month break and that coding changes have been designed to evade detection by anti-virus programs and tools such as the CrySyS Duqu Toolkit.

It said information collected by Kaspersky and Symantec suggested there had been 21 incidents related to Duqu, with more than one modification of Duqu per incident.

Alex Gostev, chief security expert at Kaspersky Lab, said: “When you invest as much money as was invested in Duqu and Stuxnet, it's impossible to simply shut down the operation. Instead, you do what cyber criminals have learned to do through long experience – change the code to evade detection and carry on as usual.

“With a total of fewer than 50 victims around the world, Duqu remains one of the most mysterious Trojans ever spotted in the wild. Its focus on Iran indicates a persistent attacker with a strong, clear agenda. Its complexity and multiple layers of encryption and obfuscation indicate how important it is for the project to remain under the radar. It can be assumed that future developments will focus on this direction.”
