Symantec Identifies New Duqu Trojan Driver Variant

Tuesday, March 20, 2012



According to a report from ZDNet's Ryan Naraine, Symantec researchers have identified a new variant of the Duqu Trojan, giving reason to believe the malware is very much alive and kicking.

Symantec noted the discovery of a previously unseen Duqu driver (mcd9x86.sys) that appears to have been compiled as recently as February of this year. Symantec's Security Response unit announced the discovery on Twitter.

Symantec's analysis showed that the new driver does not add any new functionality to the malware.

Naraine reports that "Kaspersky Lab’s Costin Raiu says the latest variant has been engineered to escape detection by the open-source Duqu detector toolkit released by CrySyS Lab."

Symantec was originally sent a sample of the malware on October 14th, 2011. The sample caused quite a stir because of its similarity to the infamous Stuxnet worm, yet its payload and purpose showed that Duqu was a new creation.

Stuxnet is a highly sophisticated, purpose-built piece of malware that sabotages SCADA systems, the systems that provide operations control for critical infrastructure and production networks; the initial attacks are thought to have caused severe damage to Iranian uranium enrichment facilities.

While Duqu is similar to Stuxnet in many respects, research teams have concluded that its main purpose is to harvest data, not to manipulate physical control systems such as those impacted by Stuxnet.

Researchers from the Dell SecureWorks Counter Threat Unit concluded in October of 2011 that Duqu was designed primarily as a data harvesting tool meant to collect sensitive information and keystrokes on infected systems, and that the malware lacks any code similar to that found in Stuxnet which allowed for the physical manipulation of Programmable Logic Controllers (PLC) used in various industrial control systems (ICS).

The Dell researchers went on to state that while there are multiple similarities between the two malware families, the differing payloads and intended results led the team to conclude that the two trojans were in all likelihood not related and were most likely not produced by the same authors.

NSS researchers Mohamed Saher and Matthew Molinyawe asserted in November 2011 that Duqu is the first modular plugin rootkit ever identified in the wild, and that the sophistication of the malware code leads them to believe its development would have required significant resources.

NSS researchers are working under the assumption that Duqu is still in development, and that the authors are working to perfect the malware prior to unleashing its full potential - such as the delivery of a potentially devastating payload.

In December of 2011, the European Network and Information Security Agency (ENISA) released analysis of Duqu which included a warning that industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks are ill prepared to cope with such threats.

ICS-SCADA systems provide operations control for critical infrastructure and production networks including manufacturing facilities, refineries, hydroelectric and nuclear power plants.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.