
Duqu FAQ

20 Oct 2011

This is an active investigation by Kaspersky Lab’s Global Research & Analysis Team. We will be updating this FAQ document as necessary.

What exactly is Duqu? How is it related to Stuxnet?

Duqu is a sophisticated Trojan which seems to have been written by the same people who created the infamous Stuxnet worm. Its main purpose is to act as a backdoor into the system and facilitate the theft of private information. This is the main difference when compared to Stuxnet, which was created to conduct industrial sabotage. It’s also important to point out that while Stuxnet is able to replicate from one computer to another using various mechanisms, Duqu is a Trojan that doesn’t seem to replicate on its own.

Does this target any PLC/SCADA equipment? Exactly who/what are the targets? Do we know?

Unlike Stuxnet, Duqu doesn’t target PLC/SCADA equipment directly, although some of its subroutines could be used to steal information related to industrial installations. It appears that Duqu was created in order to collect intelligence about its targets, which can include pretty much anything that is available in digital format on the victim’s PC.

How does Duqu infect computers? Can it spread via USB devices?

So far, we’ve only seen traces from infected systems, not the main replication component. It seems there is a dropper, a “mothership” for Duqu, which infects the computers; however, we do not have a sample yet.

Is there any exploit, especially zero-day in Duqu?

So far, we haven’t found any zero-day vulnerabilities attached to this malware, but the investigation continues. The malicious code is rather complex and the analysis is very time-consuming.

How did AV vendors become aware of this threat? Who reported it?

The first public mention that we are aware of is a blog post from a Hungarian blogger, who seemed to be a victim of the attack. He later posted more information about the certificate used to sign the Duqu driver; however, he ended up deleting the respective posts.

When was this threat first spotted?

We’ve added detection for the main infostealer component on September 14th, as “Trojan.Win32.Inject.bjyg.” Later, we found an earlier record of a sample on September 1, 2011.

How many variants of Duqu are there? Are there any major differences in the variants?

It appears that there are at least three variants of the Duqu drivers, together with a few other components. These are all detected with different names by various anti-virus companies, creating the impression that there are multiple different variants. At the time of writing, we are aware of one Infostealer component and three different drivers.

There is talk that this specifically targets Certificate Authorities. Is this true?

While there are indeed reports indicating that the main goal of Duqu is to steal information from CAs, there is no clear evidence at this time to support this claim.

Symantec says this is targeted to specific organizations, possibly with a view to collecting specific information that could be used for future attacks. What kinds of data are they looking for and what kinds of future attacks are possible?

One suspicion is that Duqu was used to steal certificates from CAs that can be used to sign malicious code in order to make it harder to catch. The functionality of the backdoor in Duqu is actually rather complex and it can be used for a lot more. Basically, it can steal everything.

Is the command-and-control server used by Duqu still active? What happens when an infected machine contacts the C&C?

The Duqu C&C server, which was hosted in India, is no longer active. Just like in the case of Stuxnet, it was pulled offline pretty quickly once the news broke.

Why is Duqu configured to run for 36 days?

Maybe the author was a fan of round numbers, such as 6×6?

Who is behind this attack?

The same gang who was behind Stuxnet. Curiously, they seem to have picked up an interest in astronomy: the infostealer executable contains a portion of a JPEG file taken by the Hubble telescope (“Interacting Galaxy System NGC 6745”).

The picture portrays the aftermath of a direct collision of two galaxies (!) several million years ago. You can read the story here.

More to come…

* Research by Kaspersky Lab Global Research & Analysis Team.
