The security industry is currently buzzing with talks about a threat dubbed as the precursor to the next STUXNET.
According to a Symantec analysis, portions of the code are very similar to STUXNET, and was likely written by the same cybercriminals as the well-known threat. Unlike STUXNET, however, Duqu does not have code that suggests it was developed to access SCADA systems. Instead, its final payload appears to be inclined toward information theft.
Duqu is made up of several components. The SYS file, which is detected as RTKT_DUQU.A, is responsible for activating the malware, and triggering the execution of its other routines. Based on analysis, however, the main goal of the said files is to establish a connection with its C&C server. It is said that Duqu delivered an information-stealing malware, detected as TROJ_SHADOW.AF, into the affected systems through this connection. We have also verified that its codes are very similar to that of STUXNET.
Upon execution, TROJ_SHADOW.AF enumerates the processes currently running on the system. It also checks if it matches any of the following security-related processes:
- avp.exe (Kaspersky)
- Mcshield.exe (McAfee)
- avguard.exe (Avira)
- bdagent.exe (Bitdefender)
- UmxCfg.exe (CA)
- fsdfwd.exe (F-Secure)
- rtvscan.exe and ccSvcHst.exe (Symantec)
- ekrn.exe (ESET)
- RavMonD.exe (Rising)
If found, TROJ_SHADOW.AF launches the same process in a suspended state, then patches the malware code before resuming the execution. In effect, there will be two AV processes; the first being the original, and the second being the patched one.
TROJ_SHADOW.AF requires command lines in order to execute properly. Available commands include: collecting information on the affected system, terminating malware processes, and deleting itself. It can steal a wide array of information on any affected system, such as:
1. Drive information such as:
- Drive device name
3. Running Processes and Owner of Running Processes
4. Network Information such as
- IP address
- IP routing table
- TCP and UDP table
- DNS Cache table
- Local Shares
5. Local shared folders and connected users
6. Removable drives serial number
7. Window Names
8. Information on open files on local computer using NetFileEnum
We will be updating this blog entry for further developments. While our investigation is currently ongoing, preliminary information indicates that Trend Micro’s products protect against TROJ_SHADOW.AF. Smart Feedback from the the Smart Protection NetworkT indicates that no Trend customers have been affected by this threat. Trend Support has not received any infection notifications.
Trend Micro products have been updated to provide protections against this latest threat through updated signature as well as by blocking access to malicious control servers with Web Reputation Services.
Users may refer to our Knowledge Base page to read up on how to protect systems from this threat.
Leave a reply