Malware in November: Parallels Between Duqu and Stuxnet and a Lack of Trust in Certificate Authorities

13 Dec 2011
Virus News

Topic of the month
DUQU – the investigation continues

The analysis carried out by Kaspersky Lab experts has revealed yet another parallel between Duqu and the Stuxnet worm: both made use of previously unknown (zero-day) vulnerabilities to launch attacks. In the case of Duqu, the attacks came via email in the form of a Microsoft Word document containing an exploit for a previously unknown vulnerability in Windows. Importantly, by early December Microsoft still had not released a patch for this vulnerability, so there is a high risk of the same exploit being reused in further attacks. Kaspersky Lab immediately added a signature for this particular exploit to its product databases. The company's experts also concluded that Duqu's main aim is to gather data on the activities of a number of Iranian companies and government agencies. There are numerous indications that earlier versions of Duqu could have been around since 2007-2008, and that the Stuxnet worm was built on a platform that was also used to create Duqu.

Out of the box activity

The first instance of Latin American Trojans using steganography in image files was recorded in November. The family of Trojan programs targeted customers of Brazilian banks. This technique allowed the virus creators to kill several birds with one stone. “Firstly, it can cause automatic malware analysis systems to function incorrectly: antivirus programs will give an all-clear to the file after analysis, and in time the link will be exempted from checks altogether,” explains Dmitry Bestuzhev, Head of Kaspersky Lab’s Global Research and Analysis Team for Latin America. “Secondly, the administrators of the sites where the encrypted malicious files are hosted won’t be able to identify them as malicious and will leave them as they are. Thirdly, some malware researchers may not have the time or expertise to deal with them. All of this obviously plays into the hands of the cybercriminals.”

Mobile threats

In the middle of July ‘porn SMS senders’ were targeting users from the US, Malaysia, the Netherlands, the UK, Kenya and South Africa. The apps covertly subscribed users to a range of premium-rate services with the promise of raunchy images, and resulted in the user’s mobile account being cleaned out. Now this problem has evolved to SMS Trojans targeting users from a number of European countries plus Canada.

Mac OS threats

Mac users are increasingly feeling the effects of malicious programs spread in pirated Mac software on torrent trackers. The recently detected Backdoor.OSX.Miner, for example, has several malicious functions: it establishes remote access to the infected computer; gathers Safari browsing history; captures screenshots; steals the wallet.dat file from Bitcoin clients; and launches a Bitcoin miner without the user's authorization.

This particular malicious program spreads via a number of torrent trackers, including publicbt.com, openbittorrent.com and thepiratebay.org.

Attacks on state and corporate networks

More problems with certificates

November saw yet another Dutch certificate authority, KPN, announce that it had been targeted by hackers and had halted the issuing of certificates. The breach was discovered on a KPN web server used for its Public Key Infrastructure (PKI), where the attackers had installed a DDoS tool. The compromise dates back as far as four years, raising questions as to how the tool went undetected for so long.

Like DigiNotar, KPN is authorized to issue certificates for the Dutch government and public services. In fact, many organizations affected by the DigiNotar incident switched to KPN certificates.

However, the Malaysian certificate authority Digicert (CA Digicert Malaysia, unrelated to the US company DigiCert Inc.) was involved in an even more serious incident. It has been removed from the list of trusted authorities by all the browser vendors and by Microsoft. Such extreme measures were deemed necessary after the authority issued 22 certificates with weak 512-bit RSA keys, and certificates without the appropriate key-usage extensions or revocation information. A 512-bit RSA key can be factored with modest computing resources, so anyone who does so can impersonate the certificate's subject; a certificate with no key-usage restrictions can be abused for purposes its holder never intended; and a certificate with no CRL or OCSP pointer cannot be revoked in practice once it is compromised.
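As an added example (not code from the Kaspersky report or from any CA), the Python script below checks a DER-encoded X.509 certificate for the three defects just described: an RSA key shorter than a policy floor, a missing KeyUsage/ExtendedKeyUsage extension, and no CRL distribution point or OCSP (AuthorityInfoAccess) entry. It uses only the standard library with a minimal DER walker. The 2048-bit floor is an assumed policy value, and the two test certificates it builds are constructed here for illustration: their structure is real X.509 but the signature bytes are filler, so they parse but would never verify.

```python
# Added example (not from the Kaspersky report): lint a DER-encoded X.509
# certificate for the weaknesses named above: short RSA keys, missing
# key-usage extensions and missing revocation information. Standard library
# only; the DER walker handles just what a certificate needs.
OID_RSA = "1.2.840.113549.1.1.1"
OID_KEY_USAGE, OID_EXT_KEY_USAGE = "2.5.29.15", "2.5.29.37"
OID_CRL_DIST_POINTS, OID_AUTH_INFO_ACCESS = "2.5.29.31", "1.3.6.1.5.5.7.1.1"
MIN_RSA_BITS = 2048  # assumed policy floor; 512 bits was already weak in 2011

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Split the body of a SEQUENCE/SET into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = der_read(buf, pos)
        out.append((tag, value))
    return out

def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def lint_certificate(cert_der):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    tbs = der_children(der_read(cert_der)[1])[0][1]  # Certificate -> tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # [0] EXPLICIT version is absent from v1 certificates
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, SPKI, [3] extensions
    alg, pubkey = der_children(fields[5][1])
    if decode_oid(der_children(alg[1])[0][1]) == OID_RSA:
        rsa_key = der_children(pubkey[1][1:])[0][1]  # skip BIT STRING unused-bits byte
        bits = int.from_bytes(der_children(rsa_key)[0][1], "big").bit_length()
        if bits < MIN_RSA_BITS:
            findings.append(f"weak RSA key: {bits} bits")
    ext_oids = set()
    for tag, value in fields[6:]:
        if tag == 0xA3:
            for _, ext in der_children(der_children(value)[0][1]):
                ext_oids.add(decode_oid(der_children(ext)[0][1]))
    if not ext_oids & {OID_KEY_USAGE, OID_EXT_KEY_USAGE}:
        findings.append("no KeyUsage/ExtendedKeyUsage: usable for any purpose")
    if not ext_oids & {OID_CRL_DIST_POINTS, OID_AUTH_INFO_ACCESS}:
        findings.append("no CRL distribution point or OCSP URL: cannot be revoked in practice")
    return findings

# Constructed test certificates: the structure is real X.509, the signature is filler,
# so they parse but would never verify. Replace with a real DER file in practice.
def der(tag, content):
    n = len(content)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return der(0x06, bytes(out))

def build_test_cert(modulus_bits, extension_oids):
    modulus = (1 << (modulus_bits - 1)) | 1  # any odd number of that bit length will do
    mod_bytes = modulus.to_bytes((modulus_bits + 7) // 8, "big")
    if mod_bytes[0] & 0x80:
        mod_bytes = b"\x00" + mod_bytes  # DER INTEGER must stay positive
    rsa_key = der(0x30, der(0x02, mod_bytes) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, encode_oid(OID_RSA) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    name = der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, b"test"))))
    validity = der(0x30, der(0x17, b"111101000000Z") + der(0x17, b"121101000000Z"))
    sig_alg = der(0x30, encode_oid("1.2.840.113549.1.1.11") + der(0x05, b""))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg + name + validity + name + spki
    exts = b"".join(der(0x30, encode_oid(o) + der(0x04, b"\x30\x00")) for o in extension_oids)
    if exts:
        tbs += der(0xA3, der(0x30, exts))
    return der(0x30, der(0x30, tbs) + sig_alg + der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_cert(512, [])
    print("\n".join(lint_certificate(data) or ["no findings"]))
```

Run it with a DER file as the only argument (for PEM input, base64-decode the body between the BEGIN and END lines first); with no argument it lints the constructed 512-bit certificate and reports all three defects. The check is deliberately blunt: it does not verify the signature chain or the contents of the extensions, only whether they are present, which is exactly the class of issuance error described above.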

November ratings
Top 10 threats on the Internet

Position  Name                              % of all attacks  Change in rank
1         Malicious URL                     81.41%            0
2         Trojan.Script.Iframer             4.57%             0
3         Trojan.Script.Generic             1.67%             1
4         Trojan.Win32.Generic              0.74%             -1
5         Trojan-Downloader.Script.Generic  0.61%             2
6         Trojan.JS.Popupper.aw             0.37%             3
7         Exploit.Script.Generic            0.36%             -2
8         Trojan.JS.Agent.bwi               0.24%             New
9         Exploit.Java.CVE-2010-4452.a      0.21%             New
10        AdWare.Win32.Screensaver.i        0.16%             New

More detailed information about the IT threats detected by Kaspersky Lab on the Internet and on users' computers in November 2011 is available at: www.securelist.com/en.

© 1997 – 2014 Kaspersky Lab ZAO

All Rights Reserved.