New variant of Duqu detected

News by Dan Raywood

A new version of the complex malware Duqu has been detected.

According to Kaspersky Lab, despite efforts by the authors of Duqu and Stuxnet to eliminate all traces of their activity in October last year, a new ‘in-the-wild’ driver was detected this week, with similar traits to Duqu.

Symantec announced the detection last week and said it consisted of only one component of Duqu; however, this was the file used to load the rest of the threat (stored encrypted on disk) when the computer restarts.

Symantec said the compile date on the new Duqu component was 23 February 2012 and the code shows enough change to evade some security product detections, although this appears to have been only partially successful. Previous unique versions of Duqu were released in November 2010 and October 2011.

“Another difference is that the old driver file was signed with a stolen certificate, and this one is not. Also the version information is different in this new version compared with the previous version we have seen. In this case, the Duqu file is pretending to be a Microsoft Class driver,” it said.

“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active. Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”

Kaspersky Lab noted that this is a return after a four-month break and that coding changes have been designed to evade detection by anti-virus programs and tools such as the CrySyS Duqu Toolkit.

It said information collected by Kaspersky and Symantec suggested there had been 21 incidents related to Duqu, with more than one modification of Duqu per incident.

Alex Gostev, chief security expert at Kaspersky Lab, said: “When you invest as much money as was invested in Duqu and Stuxnet, it's impossible to simply shut down the operation. Instead, you do what cyber criminals have learned to do through long experience – change the code to evade detection and carry on as usual.

“With a total of fewer than 50 victims around the world, Duqu remains one of the most mysterious Trojans ever spotted in the wild. Its focus on Iran indicates a persistent attacker with a strong, clear agenda. Its complexity and multiple layers of encryption and obfuscation indicate how important it is for the project to remain under the radar. It can be assumed that future developments will focus on this direction.”
