Duqu

Duqu is a collection of computer malware discovered on 1 September 2011, thought by Kaspersky Labs to be related to the Stuxnet worm [1] and to have been created by Unit 8200. [2] [3] Duqu exploited a zero-day vulnerability in Microsoft Windows. The Laboratory of Cryptography and System Security (CrySyS Lab) [4] of the Budapest University of Technology and Economics in Hungary discovered the threat, analysed the malware, and wrote a 60-page report [5] naming the threat Duqu. [6] Duqu got its name from the prefix "~DQ" it gives to the names of the files it creates. [7]

Nomenclature

The term Duqu is used in a variety of ways:

Relationship to Stuxnet

Symantec, building on the report of the CrySyS team managed by Dr Thibault Gainche, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix. [7] [10] Symantec believes that Duqu was created by the same authors as Stuxnet, or that the authors had access to the source code of Stuxnet. Like Stuxnet, the worm carries a valid but abused digital signature, and it collects information to prepare for future attacks. [7] [11] Mikko Hyppönen, Chief Research Officer for F-Secure, said that Duqu's kernel driver, JMINET7.SYS, was so similar to Stuxnet's MRXCLS.SYS that F-Secure's back-end system classified it as Stuxnet. Hyppönen further said that the key used to make Duqu's own digital signature (only observed in one case) was stolen from C-Media, located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011, according to Symantec. [10]

Another source, Dell SecureWorks, reports that Duqu may not be related to Stuxnet. [12] However, there is considerable and growing evidence that Duqu is closely related to Stuxnet.

Experts compared the similarities and found three points of interest:

Microsoft Word zero-day exploit

Like Stuxnet, Duqu attacks Microsoft Windows systems using a zero-day vulnerability. The first known installer (also called a dropper) recovered and disclosed by CrySyS Lab is a Microsoft Word document that exploits the Win32k TrueType font parsing engine to gain code execution. [13] Because the Duqu dropper relies on font embedding, Microsoft's interim workaround was to restrict access to T2EMBED.DLL, a TrueType font parsing engine, on systems where the patch released by Microsoft in December 2011 was not yet installed. [14] Microsoft's identifier for the vulnerability is MS11-087 (first advisory issued on 13 November 2011). [15]
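Because the delivery vector was a font embedded in a document, one triage step a defender can take before such a file is opened on a Windows host is to locate any embedded TrueType font inside an arbitrary byte stream (an extracted Office stream, an attachment) and list the tables it declares. The following is an added example and is not code from CrySyS, Symantec or Microsoft; it parses the standard sfnt offset table and table directory, the function names are my own, and the input blob is constructed inline.

```python
import struct

# sfnt magic values that open a TrueType offset table
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true")
OFFSET_TABLE_LEN = 12   # sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
TABLE_RECORD_LEN = 16   # tag(4) checkSum(4) offset(4) length(4)


def _expected_search_fields(num_tables):
    """searchRange, entrySelector and rangeShift are derived from numTables;
    a directory whose values disagree is almost certainly a false hit."""
    p = 1
    while p * 2 <= num_tables:
        p *= 2
    return p * 16, p.bit_length() - 1, num_tables * 16 - p * 16


def parse_table_directory(data, pos):
    """Parse the sfnt table directory starting at `pos` and return the list of
    table tags, or None if the bytes are not a plausible TrueType header.
    Table checksums are not validated here; this is triage, not font loading."""
    if pos + OFFSET_TABLE_LEN > len(data):
        return None
    num_tables, search_range, entry_selector, range_shift = struct.unpack(
        ">HHHH", data[pos + 4:pos + OFFSET_TABLE_LEN])
    if not 1 <= num_tables <= 64:
        return None
    if (search_range, entry_selector, range_shift) != _expected_search_fields(num_tables):
        return None
    tags = []
    for i in range(num_tables):
        rec = pos + OFFSET_TABLE_LEN + i * TABLE_RECORD_LEN
        if rec + TABLE_RECORD_LEN > len(data):
            return None
        tag, _checksum, offset, length = struct.unpack(">4sIII", data[rec:rec + TABLE_RECORD_LEN])
        if not all(0x20 <= b < 0x7F for b in tag):      # tags are printable ASCII
            return None
        # table offsets are relative to the start of the font; the table must fit in the blob
        if pos + offset + length > len(data):
            return None
        tags.append(tag.decode("ascii"))
    return tags


def find_truetype_fonts(data):
    """Return [(offset, [tags]), ...] for every embedded TrueType font found in `data`."""
    hits = []
    for magic in SFNT_MAGICS:
        start = 0
        while (pos := data.find(magic, start)) != -1:
            start = pos + 1
            tags = parse_table_directory(data, pos)
            if tags is not None:
                hits.append((pos, tags))
    return sorted(hits)


def build_sample_font(tags, table_len=8):
    """Constructed sample (not a real font): a structurally valid sfnt with empty tables."""
    tags = sorted(tags)
    n = len(tags)
    search_range, entry_selector, range_shift = _expected_search_fields(n)
    header = struct.pack(">IHHHH", 0x00010000, n, search_range, entry_selector, range_shift)
    body_start = OFFSET_TABLE_LEN + n * TABLE_RECORD_LEN
    records = b"".join(
        struct.pack(">4sIII", t.encode("ascii"), 0, body_start + i * table_len, table_len)
        for i, t in enumerate(tags))
    return header + records + b"\x00" * (table_len * n)


# Constructed input: a font sitting inside filler bytes, as it might in an extracted document stream
SAMPLE = b"junk " + build_sample_font(["head", "cmap", "glyf", "loca"]) + b" trailing"

if __name__ == "__main__":
    for off, tags in find_truetype_fonts(SAMPLE):
        print(f"embedded TrueType font at offset {off}: tables {tags}")
```

The consistency checks on searchRange, entrySelector and rangeShift are what keep the scanner from firing on every occurrence of the word "true" in a text stream; a hit is a reason to hold the document for analysis on a patched or isolated system, not proof of exploitation.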

Purpose

Duqu looks for information that could be useful in attacking industrial control systems. Its purpose is not to be destructive; the known components are trying to gather information. [16] However, given Duqu's modular structure, a special payload could be used to attack any type of computer system by any means, so cyber-physical attacks based on Duqu might be possible. Use on personal computer systems has, however, been found to delete all recent information entered on the system, and in some cases the entire contents of the computer's hard drive. Symantec has analysed Duqu's internal communications, [7] but exactly how it replicates inside an attacked network is not yet fully known. According to McAfee, one of Duqu's actions is to steal digital certificates (and the corresponding private keys, as used in public-key cryptography) from attacked computers to help future viruses appear as secure software. [17] Duqu uses a 54×54 pixel JPEG file and encrypted dummy files as containers to smuggle data to its command and control center. Security experts are still analyzing the code to determine what information the communications contain. Initial research indicates that the original malware sample automatically removes itself after 36 days (the malware stores this setting in its configuration files), which would limit its detection. [10]
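The use of a tiny JPEG as an exfiltration container suggests a cheap detection heuristic: a JPEG whose declared frame is only a few dozen pixels on a side but which carries extra bytes after its EOI marker is worth a closer look. The following added example is not code from Symantec or any of the cited reports; whether Duqu placed its data after the EOI marker is not stated on this page and is an assumption made here for illustration. It walks the JPEG marker segments, reads the frame size from the SOF segment, skips the entropy-coded scan data and counts what follows EOI, on a JPEG skeleton constructed inline.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# start-of-frame markers carry the image dimensions (C4=DHT, C8=JPG, CC=DAC are not frames)
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}
RST_MARKERS = set(range(0xD0, 0xD8))


def inspect_jpeg(data):
    """Walk the marker segments of a JPEG; report its dimensions, the offset of
    the EOI marker and the number of bytes that follow it."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos, width, height, eoi = 2, None, None, None
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            eoi = pos
            break
        if marker == 0x01 or marker in RST_MARKERS:         # standalone markers, no length field
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos + 4:pos + 2 + seg_len]
        if marker in SOF_MARKERS:
            _precision, height, width = struct.unpack(">BHH", segment[:5])
        pos += 2 + seg_len
        if marker == SOS:
            # entropy-coded data follows; inside it only FF00 (stuffed) and RSTn are legal,
            # so the next other marker ends the scan (progressive files loop back here)
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and nxt not in RST_MARKERS:
                    break
                pos += 1
    if eoi is None:
        raise ValueError("no EOI marker found")
    return {"width": width, "height": height, "eoi_offset": eoi,
            "trailing_bytes": len(data) - (eoi + 2)}


def trailing_payload(data):
    """Return whatever follows the EOI marker, for the analyst to examine."""
    return data[inspect_jpeg(data)["eoi_offset"] + 2:]


def is_suspicious_container(data, max_dim=64, min_trailing=1):
    """Flag a JPEG that is tiny yet carries data after EOI. Thresholds are my own choice."""
    info = inspect_jpeg(data)
    tiny = info["width"] is not None and info["width"] <= max_dim and info["height"] <= max_dim
    return tiny and info["trailing_bytes"] >= min_trailing


def build_sample_jpeg(width, height, payload=b""):
    """Constructed sample: a minimal baseline JPEG skeleton (APP0, SOF0, SOS, a few
    scan bytes, EOI) with `payload` appended after EOI. Not a decodable image."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\x56\x78" * 4
    return b"\xff\xd8" + app0 + sof0 + sos + scan + b"\xff\xd9" + payload


if __name__ == "__main__":
    sample = build_sample_jpeg(54, 54, b"\xaa" * 200)
    print(inspect_jpeg(sample), is_suspicious_container(sample))
```

Run over files captured at a proxy or from a memory dump, the check costs one pass over each image and no decoding; the trailing bytes it exposes are the part an analyst would then carve out and inspect for structure or encryption.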

Key points are:

Command and control servers

Some of Duqu's command and control servers have been analysed. The people running the attack appear to have had a predilection for CentOS 5.x servers, leading some researchers to believe that they had a zero-day exploit for it. [18] Servers are scattered across many different countries, including Germany, Belgium, the Philippines, India and China. Kaspersky has published multiple blog posts on the command and control servers. [19]

See also

References

  1. "How Israel Caught Russian Hackers Scouring the World for U.S. Secrets". The New York Times.
  2. Carr, Jeffrey (25 August 2016). "NSA, Unit 8200, and Malware Proliferation". Medium. Archived 25 October 2017 at the Wayback Machine. (Carr is principal consultant at 20KLeague.com, founder of Suits and Spooks, and author of "Inside Cyber Warfare", O'Reilly Media, 2009, 2011.)
  3. Cornish, Paul (4 November 2021). The Oxford Handbook of Cyber Security. Oxford University Press. ISBN 978-0-19-252101-9. "Foreign sources routinely assert that Unit 8200 contributed to Stuxnet, Flame, Duqu and other sophisticated cyber campaigns."
  4. "Laboratory of Cryptography and System Security (CrySyS)". Retrieved 4 November 2011.
  5. "Duqu: A Stuxnet-like malware found in the wild, technical report" (PDF). Laboratory of Cryptography of Systems Security (CrySyS). 14 October 2011.
  6. "Statement on Duqu's initial analysis". Laboratory of Cryptography of Systems Security (CrySyS). 21 October 2011. Archived from the original on 4 October 2012. Retrieved 25 October 2011.
  7. "W32.Duqu – The precursor to the next Stuxnet (Version 1.4)" (PDF). Symantec. 23 November 2011. Archived from the original (PDF) on 13 December 2011. Retrieved 30 December 2011.
  8. Knight, Shawn (2012). "Duqu Trojan contains mystery programming language in Payload DLL".
  9. "Securelist | Kaspersky's threat research and reports". 12 September 2023.
  10. Zetter, Kim (18 October 2011). "Son of Stuxnet Found in the Wild on Systems in Europe". Wired. Retrieved 21 October 2011.
  11. "Virus Duqu alarmiert IT-Sicherheitsexperten". Die Zeit. 19 October 2011. Retrieved 19 October 2011.
  12. "Spotted in Iran, trojan Duqu may not be "son of Stuxnet" after all". 27 October 2011. Retrieved 27 October 2011.
  13. "Microsoft issues temporary 'fix-it' for Duqu zero-day". ZDNet. Archived from the original on 6 November 2011. Retrieved 5 November 2011.
  14. "Microsoft Security Advisory (2639658): Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege". 3 November 2011. Retrieved 5 November 2011.
  15. "Microsoft Security Bulletin MS11-087 - Critical". Retrieved 13 November 2011.
  16. Cherry, Steven; Constantine, Larry (14 December 2011). "Sons of Stuxnet". IEEE Spectrum. Archived from the original on 19 July 2012.
  17. Venere, Guilherme; Szor, Peter (18 October 2011). "The Day of the Golden Jackal – The Next Tale in the Stuxnet Files: Duqu". McAfee. Archived from the original on 31 May 2016. Retrieved 19 October 2011.
  18. Garmon, Matthew. "In Command & Out of Control". Matt Garmon. DIG.
  19. Kamluk, Vitaly (30 November 2011). "The Mystery of Duqu: Part Six (The Command and Control servers)". Securelist by Kaspersky. Archived from the original on 7 June 2022. Retrieved 7 June 2022.