The Mystery of Duqu

Duqu is a sophisticated malware that was discovered on September 1^st, 2011. Some experts claim that Duqu could only have been created by creators of the Stuxnet because nobody else could have the source code to create such a sophisticated malware that is identical to Stuxnet but serves an entirely different purpose as a malware. The three major similarities that have been come to attention between Stuxnet and Duqu are firstly, the components that are signed is done through stolen certificates. Secondly, similar to Stuxnet, Duqu uses a zero-day vulnerability to attack Windows system and lastly, the way Duqu is targeted it requires advanced intelligence to operate it again similar to Stuxnet.

Highlighted few weeks ago by Symantec, researchers have discovered how Duque infects the targeted computers. The malware hides in a Word file (. doc) sent through email to the victims. Once opened, it exploits an 0-day vulnerability in the Windows kernel to execute code and infects the system through service.exe. The infected computers can then be remotely controlled by attackers, who can spread the malware on the network and retrieve data in the process. Symantec issued a diagram summarizing the performance of the intrusion.

With this new discovery, security researchers are now confident that Duqu is designed to address specific high profile critical infrastructures via Word documents designed to look legitimate. Symantec has identified six organizations contaminated in 8 countries: Iran, Sudan, Vietnam, India, France, the Netherlands, Switzerland and Ukraine. To which is added a list of identifications made by other experts in Austria, Hungary, Indonesia and the United Kingdom.

If Duqu starts attacking Pakistani networks, Pakistan would face a huge threat regardless of the existing on-going cyber war between Pakistan and India. Duqu, on the other hand, is a much more powerful malware which if targeted towards Pakistani networks, it could collect intelligence data and assets from high profile entities, with the purpose of conducting a future attack without much effort against additional third parties.

Today remains to be seen whether future changes made by Microsoft will be sufficient to stem the problem. At present, the source of Duqu has not yet been identified. Many measures may be taken to prevent this situation from reaching a system. It is important to have a backup of all exiting data but even more importantly since Duqu is a powerful malware the best way to prevent any potential attacks from it is by protecting and securing critical infrastructure networks from such threats. Microsoft has finally patched the flaw being exploited by the Duqu.

Moreover, a recent discovery was made which states that Duqu has shut down all operations and has cleaned up all their commands leaving security experts almost no evidence for their further research. According to Kaspersky Lab, Duqu has been active since 2007 and was only discovered in October 2011 which proves that several systems might have been infected with the Duqu since years and possibly still not detected.

A further discovery was made that Duqu undertook a global clean on October 20^th which cleaned up all their activities since the year 2009 as a result leaving almost no trace of their existence throughout these years. This goes to prove that the aim of attackers behind Duqu was to keep it a secret and as soon as the word got out it was banished. Even now the command & control (C&C) servers behind Duqu remain undiscovered which only goes to show the capability and power of the attackers behind this malware.

Experts were able to point out that servers were hacked through brute-forcing the root password rather than the believed zero-day theory and as soon as the attackers gained control over the servers they upgraded OpenSSH 4.3 to version 5.8 which explains that the newer version of the software must hold such importance.