Duqu Malware Authors Display Sense of Humor

Monday, November 14, 2011

Headlines

69dafe8b58066478aea48f3d0f384820

On October 14th, Symantec was sent a sample of malware from an organization in Europe.

The malware was subsequently dubbed "Duqu", and caused quite a stir because of its similarity to the infamous Stuxnet virus, yet the payload and purpose showed that Duqu was a totally new creation.

Now new analysis from Kasperky Labs has uncovered a humorous message imbedded in the Duqu code - evidence the authors wanted to display a sense of humor, though no one else is laughing.

The message appears as: "Copyright (c) 2003 Showtime Inc. All rights reserved. DexterRegularDexter."

Aleks Gostev, a senior analyst with Kasperky Labs, wrote in his analysis of the malware that "this is another prank pulled by the Duqu authors, since Showtime Inc. is the cable broadcasting company behind the TV series Dexter, about a CSI doctor who happens also to be a serial killer who avenges criminals in some post-modern perversion of Charles Bronson’s character in Death Wish."

image

According to a 42 page analysis of Duqu previously released, Symantec claimed that the code was written by the same authors who wrote Stuxnet, or at least a group that had access to the source code. But the twist is, this one isn’t made to take out nuclear power plants, this version collects information, possibly for a follow up attack at a later time.

Other researchers have concluded that Duqu was designed primarily as a data harvesting tool meant to collect sensitive information and keystrokes on infected systems, and that the malware lacks any code similar to that found in Stuxnet which allowed for the physical manipulation of Programmable Logic Controllers (PLC) used in various industrial control systems (ICS).

Some malware authors enjoy injecting a little humor into their creations, either to taunt researchers or perhaps merely for self-gratifying levity.

In April of this year, researchers at security solutions provider Avira had identified a Zeus Trojan variant accompanied by a signed digital certificate.

The Avira Techblog stated that "we found a Zbot Trojan variant which tries to evade detection by carrying a digital certificate and therewith looking more legitimate. And this certificate is registered to 'DetectMe!:)', also adding random data behind the certificate."

The presence of a signed digital certificate from a legitimate CA (certificate authority) made the task of identifying and defending against the malware more difficult for antivirus software and file scanners.

The "Detect Me" message  was most definitely a personal jab, and the "Dexter" reference in the Duqu code can be assumed to serve the same purpose.

Possibly Related Articles:
12978
Viruses & Malware
Humor virus malware Stuxnet Headlines Kaspersky Code Analysis DUQU
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.