Researchers from the Dell SecureWorks Counter Threat Unit have released their preliminary analysis of the recently discovered Duqu trojan.
While there are a number of similarities between the Duqu malware and the infamous Stuxnet virus, the analysis shows that Duqu lacks many of the attributes that make Stuxnet a game-changing infection mechanism.
The researchers have concluded that Duqu was designed primarily as a data harvesting tool meant to collect sensitive information and keystrokes from infected systems, and that the malware contains no code resembling the Stuxnet routines that physically manipulated the Programmable Logic Controllers (PLCs) used in various industrial control systems (ICS).
Stuxnet is a highly sophisticated designer virus that wreaks havoc on SCADA systems, which provide operational control for critical infrastructure and production networks. The initial attacks are thought to have caused severe damage to Iranian uranium enrichment facilities, setting back the nation's nuclear weapons program by as much as several years.
Iran is still struggling with the aftermath of the Stuxnet virus attacks more than a year after the infestation was discovered. The virus specifically targeted Siemens PLCs used to control uranium enrichment centrifuges.
The Dell team identified the following similarities between Stuxnet and Duqu:
- Duqu and Stuxnet both use a kernel driver to decrypt and load encrypted DLL (Dynamic Link Library) files. The kernel drivers serve as an "injection" engine to load these DLLs into a specific process. This technique is not unique to either Duqu or Stuxnet and has been observed in other unrelated threats.
- Encrypted DLL files are stored using the .PNF extension. This is normally the extension Microsoft Windows uses for precompiled setup information files. The commonality exists due to the kernel driver implementation being similar.
- The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files. Again, these techniques are not unique to either Duqu or Stuxnet and have been observed in other unrelated threats.
- Both Stuxnet and Duqu have variants where the kernel driver file is digitally signed using a software signing certificate. One variant of the Duqu kernel driver was signed by a certificate from C-Media Electronics Incorporation. An unsigned Duqu kernel driver claimed to be a driver from the JMicron Technology Company, which was the same company whose software signing certificate was used to sign one of the Stuxnet kernel driver files. The commonality of a software signing certificate is insufficient evidence to conclude the samples are related because compromised signing certificates can be obtained from a number of sources. One would have to prove the sources are common to draw a definitive conclusion.
The researchers went on to state that while there are multiple similarities between the two malware variants, the differing payloads and intended results of the two viruses led the team to conclude that the two trojans were in all likelihood not related, and were most likely not produced by the same authors.
"Both Duqu and Stuxnet are highly complex programs with multiple components. All of the similarities from a software point of view are in the "injection" component implemented by the kernel driver. The ultimate payloads of Duqu and Stuxnet are significantly different and unrelated. One could speculate the injection components share a common source, but supporting evidence is circumstantial at best and insufficient to confirm a direct relationship. The facts observed through software analysis are inconclusive at publication time in terms of proving a direct relationship between Duqu and Stuxnet at any other level," the Dell report stated.
The Dell team offered the following suggestions for system administrators concerned about a possible Duqu infection on their networks:
- Administrators should use host-based protection measures, including antivirus and antimalware, as part of a holistic security process that includes network-based monitoring and controls, network segmentation and policies, user access, and controls to help mitigate the threat of malware like Duqu.
- A computer infected with Duqu may have files beginning with "~DQ" in Windows temporary directories.
- Organizations may want to monitor egress traffic through proxy servers or web gateways and investigate network traffic that does not conform to the SSL (Secure Sockets Layer) specification. Non-SSL traffic on port 443 is commonly observed with other threats, and this behavior is not exclusive to Duqu.
- Administrators should monitor their network for systems attempting to resolve Duqu-related domains or connect to Duqu C2 IP addresses for possible infection.
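As an added illustration of the last two suggestions (this is example code, not part of the SecureWorks report), the following Python checks whether the first client-to-server bytes of a port 443 flow form an SSL/TLS ClientHello and lists files starting with "~DQ" in given temporary directories. The flow record layout and the sample payloads are constructed for the example.

```python
import os
from typing import Dict, Iterable, List

# Hypothetical flow record: destination port plus the first client-to-server
# payload bytes of the connection (as a proxy or network sensor might export).
Flow = Dict[str, object]

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first bytes conform to an SSL/TLS ClientHello.

    Accepts a TLS record (type 0x16 handshake, major version 3, handshake
    type 0x01) or an SSLv2-compatible hello (high bit set, msg type 0x01).
    """
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return True                      # SSLv2-style ClientHello
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    if content_type != 0x16 or major != 0x03 or minor > 0x04:
        return False                     # not a handshake record / bad version
    rec_len = int.from_bytes(payload[3:5], "big")
    if rec_len == 0 or rec_len > 2**14 + 2048:
        return False                     # record length outside the spec's bound
    return payload[5] == 0x01            # handshake message type: ClientHello

def non_ssl_on_443(flows: Iterable[Flow]) -> List[str]:
    """Return ids of flows to port 443 whose first bytes are not an SSL/TLS hello."""
    return [str(f["id"]) for f in flows
            if f["dst_port"] == 443
            and not looks_like_tls_client_hello(bytes(f["payload"]))]

def is_duqu_temp_name(name: str) -> bool:
    """Match the '~DQ' prefix the report associates with infected hosts."""
    return name.upper().startswith("~DQ")   # Windows names are case-insensitive

def find_dq_files(temp_dirs: Iterable[str]) -> List[str]:
    """List files starting with '~DQ' in the given (existing) temp directories."""
    hits: List[str] = []
    for d in temp_dirs:
        if os.path.isdir(d):
            hits += [os.path.join(d, n) for n in os.listdir(d) if is_duqu_temp_name(n)]
    return hits

# Constructed sample flows, not real captures: f1 and f5 are valid hellos,
# f2 is plaintext HTTP on 443, f3 is an arbitrary binary protocol on 443.
SAMPLE_FLOWS = [
    {"id": "f1", "dst_port": 443, "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    {"id": "f2", "dst_port": 443, "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n"},
    {"id": "f3", "dst_port": 443, "payload": b"\x00\x00\x00\x10\x8a\x2c\x91\x00"},
    {"id": "f4", "dst_port": 80,  "payload": b"GET / HTTP/1.1\r\n"},
    {"id": "f5", "dst_port": 443, "payload": b"\x80\x2e\x01\x03\x01"},
]
```

Flows flagged by `non_ssl_on_443` are candidates for investigation, not confirmed infections, since the report notes non-SSL traffic on port 443 is common to other threats as well.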