Kaspersky Lab Continues Its Duqu Investigation: From Jason Bourne to Dexter
11 Nov 2011
Experts at Kaspersky Lab are continuing their investigation into the Duqu trojan and can report further details of the trojan's inner workings, as well as of the methods and tactics used by its creators. They have also uncovered dubious attempts at humor by the authors, even though this is far from a laughing matter.
Among the findings is that the trojan's penetration method was carefully tailored, socially engineered e-mail. Each message carried a .doc attachment containing both the vulnerability being exploited and the trojan installer, delivered through a cunning delayed-action exploit dropper. One such e-mail was sent to a victim as far back as April 2011.
The exploit in the .doc file was found in an embedded font named Dexter Regular, which the authors falsely labeled as registered to Showtime Inc., the network that broadcasts Dexter, a TV series about a crime-scene investigator who is also a part-time serial killer.
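The font metadata described above is the one concrete indicator the report gives, so a practitioner's first move is a scanner that walks a TrueType font's 'name' table and flags those strings. The following is an added example written for this page, not Kaspersky Lab's code or tooling. It assumes the strings sit in the standard name-table fields (the report does not say which field carried which string), builds a minimal in-memory sfnt container for a constructed sample so that it runs offline, and in practice would be fed fonts extracted from a .doc's embedded-font streams:

```python
"""Scan a TrueType/OpenType 'name' table for the Duqu font indicators.

Added example, not Kaspersky Lab's code. Sample fonts are constructed
in-memory (an sfnt with only a 'name' table); real use would feed fonts
extracted from a document's embedded-font streams.
"""
import struct

# Name IDs from the OpenType 'name' table specification.
NAME_ID_COPYRIGHT = 0
NAME_ID_FAMILY = 1
NAME_ID_FULL_NAME = 4

# Strings the report associates with the malicious font (assumption: they
# appear in ordinary name-table fields; the report does not say which).
INDICATORS = ("dexter regular", "showtime")


def build_name_table(records):
    """Build a format-0 'name' table from (nameID, text) pairs (Windows/Unicode BMP)."""
    count = len(records)
    record_bytes = b""
    string_data = b""
    for name_id, text in records:
        enc = text.encode("utf-16-be")
        # platformID=3, encodingID=1, languageID=0x0409 (en-US), nameID, length, offset
        record_bytes += struct.pack(">HHHHHH", 3, 1, 0x0409, name_id, len(enc), len(string_data))
        string_data += enc
    string_offset = 6 + 12 * count  # header + record array
    return struct.pack(">HHH", 0, count, string_offset) + record_bytes + string_data


def build_minimal_ttf(records):
    """Wrap a 'name' table in a one-table sfnt container (enough to exercise the parser)."""
    name_table = build_name_table(records)
    # sfntVersion 1.0, numTables=1, searchRange=16, entrySelector=0, rangeShift=0
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    table_offset = 12 + 16  # 12-byte header + one 16-byte directory entry
    directory = struct.pack(">4sIII", b"name", 0, table_offset, len(name_table))
    return header + directory + name_table


def find_table(font, tag):
    """Return (offset, length) of a table from the sfnt directory, or None if absent/truncated."""
    if len(font) < 12:
        return None
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):
        pos = 12 + 16 * i
        if pos + 16 > len(font):
            return None
        entry_tag, _checksum, offset, length = struct.unpack(">4sIII", font[pos:pos + 16])
        if entry_tag == tag:
            if offset + length > len(font):
                return None  # directory points past end of file: treat as malformed
            return offset, length
    return None


def parse_name_table(font):
    """Return [(nameID, text), ...] for every record in the 'name' table; [] if none."""
    loc = find_table(font, b"name")
    if loc is None:
        return []
    off, length = loc
    table = font[off:off + length]
    if len(table) < 6:
        return []
    _fmt, count, string_offset = struct.unpack(">HHH", table[:6])
    out = []
    for i in range(count):
        rec = table[6 + 12 * i:6 + 12 * (i + 1)]
        if len(rec) < 12:
            break  # record array runs past the table: stop, don't crash
        platform_id, _enc, _lang, name_id, slen, soff = struct.unpack(">HHHHHH", rec)
        raw = table[string_offset + soff:string_offset + soff + slen]
        if len(raw) != slen:
            continue  # string offset out of bounds: skip this record
        # Unicode (0) and Windows (3) platforms store UTF-16BE; others are single-byte.
        if platform_id in (0, 3):
            text = raw.decode("utf-16-be", errors="replace")
        else:
            text = raw.decode("latin-1")
        out.append((name_id, text))
    return out


def suspicious_name_records(font, indicators=INDICATORS):
    """Return the name-table records whose text contains any indicator (case-insensitive)."""
    hits = []
    for name_id, text in parse_name_table(font):
        lowered = text.lower()
        if any(ind in lowered for ind in indicators):
            hits.append((name_id, text))
    return hits


# Constructed samples: one mirroring the report's description, one benign for contrast.
MALICIOUS_FONT = build_minimal_ttf([
    (NAME_ID_COPYRIGHT, "Copyright (c) 2011 Showtime Inc."),  # constructed string
    (NAME_ID_FAMILY, "Dexter"),
    (NAME_ID_FULL_NAME, "Dexter Regular"),
])
BENIGN_FONT = build_minimal_ttf([
    (NAME_ID_COPYRIGHT, "Copyright (c) 2011 Example Foundry"),  # constructed string
    (NAME_ID_FAMILY, "Example Sans"),
    (NAME_ID_FULL_NAME, "Example Sans Regular"),
])

if __name__ == "__main__":
    for label, font in (("malicious", MALICIOUS_FONT), ("benign", BENIGN_FONT)):
        print(label, suspicious_name_records(font))
```

The bounds checks in find_table and parse_name_table matter more than they look: a scanner that crashes on a malformed font is itself a target, and a font crafted to carry an exploit is exactly the input most likely to be malformed. Matching on name strings is a weak indicator on its own (an attacker can rename the font), so treat a hit as a trigger for deeper inspection of the font's parsing tables, not as a verdict.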
The newly published findings also show that each instance of Duqu is unique, prepared specifically for a particular target shortly before the attack, and uses its own separate command-and-control server.
The report concludes that at least 12 unique sets of Duqu files are presently known to Kaspersky Lab. Not all findings have been released, because the investigation is ongoing; more information is expected soon.
The full report, authored by Aleks Gostev, Kaspersky Lab's Chief Security Expert, is available at Securelist.