It appears that Duqu keeps evolving even as researchers and experts continue to capture and analyze it. A new variant has been uncovered by experts examining samples from Iran, hiding its veteran authorship in a saboteur’s shell as it works its way through computer networks.
History of the malware (recap):
- Duqu is a worm identified last year. It opens a back door and downloads additional files onto a compromised computer, includes rootkit functionality, and can steal information from the compromised machine that could be used to stage another Stuxnet-like attack.
- Stuxnet is a malicious program released in 2009 that hindered Tehran’s goal of making nuclear weapons: the malware was precisely calibrated to make nuclear centrifuges go haywire.
- Duqu also exposed a previously unknown vulnerability in the Microsoft Office Word application.
What we know now (updates):
Kaspersky Identifies Unknown Duqu Language
Kaspersky Labs recently identified the language used in Duqu, stating that it was based on a custom object-oriented C dialect, generally called “OO C”, and that it was developed by a “team of veteran ‘old-school’ coders who found themselves comfortable with an older version of a Microsoft C++ compiler.”
“This model makes sure that any form of communication can still occur even when some communications are already happening and could be taking a long time,” Roel Schouwenberg, senior researcher at Kaspersky Lab, told SecurityWeek earlier this month. “Most programs out there hang or freeze if a certain operation is taking too long, much like your browser or email client may do at times. Using this asynchronous model means there’s no chance of that happening with Duqu.”
“The authors built an extremely resilient platform for that, ensuring Duqu, for instance, can still receive C&C commands while waiting for a response from another infected machine,” he added.
Symantec Identifies New Duqu
Symantec, the largest maker of security software for computers and best known for its Norton brand, received a file that resembles Duqu. On initial examination the company identified it as a new version of Duqu, but the file sent to them was only a loader, used to load the rest of the threat when the computer restarts; the remaining components are stored encrypted on disk.
There are some notable changes when the old and new Duqu are compared: the encryption algorithm used to encrypt the other components on disk has changed; the old driver file was signed with a stolen certificate, while the new one is not signed at all; and the version information differs.
“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active,” said the Symantec blog. “Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”
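The driver-signing detail above (an older driver signed with a stolen certificate, a newer one unsigned) is something an administrator can check for directly. The following PowerShell is an added example written for this article, not code from Symantec, Kaspersky or the Duqu analysis; it lists kernel drivers on disk and those currently loaded, and flags any whose Authenticode signature is absent or does not verify. It assumes an elevated session on a Windows host with the default driver directory; the cmdlets used (`Get-AuthenticodeSignature`, `Get-CimInstance`) are standard.

```powershell
# Added example (not from the article): report kernel drivers whose
# Authenticode signature is missing or fails verification.
# Assumes an elevated PowerShell session on Windows with default paths.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Pass 1: every .sys file in the driver directory, with its signature status.
# Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError.
$onDisk = Get-ChildItem -Path $driverDir -Filter '*.sys' -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Driver = $_.Name
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Thumb  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
            Path   = $_.FullName
        }
    }

# Anything other than Valid deserves a look. An unsigned driver is the obvious
# case; a driver signed with a certificate that has since been revoked also
# stops verifying as Valid once the host has the revocation information.
$suspectOnDisk = $onDisk | Where-Object { $_.Status -ne 'Valid' }
"== Drivers on disk with non-Valid signatures =="
$suspectOnDisk | Sort-Object Status, Driver | Format-Table Driver, Status, Signer -AutoSize

# Pass 2: drivers the kernel has actually loaded, since a disk scan of one
# directory misses a driver started from an unusual location.
"== Running drivers with non-Valid signatures =="
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the path forms this class returns (\??\C:\... and \SystemRoot\...).
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                [PSCustomObject]@{ Service = $_.Name; Status = $sig.Status; Path = $path }
            }
        }
    } | Format-Table -AutoSize
```

On a healthy 64-bit system the second list should be empty, because the kernel refuses to load unsigned drivers there; a non-empty result, or a signer subject you do not recognise in the first list, is the point at which to pull the file for analysis rather than trust the filename.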
Countries such as Iran, Sudan, India, Vietnam, Ukraine, Switzerland, France and the Netherlands have already confirmed Duqu infections.