Duqu: Targeted Attacks on Iranian and Sudanese Objects Detected

26 Oct
Virus News

Experts at Kaspersky Lab are continuing their ongoing investigation into the new malicious program Duqu, which shares some characteristics with the infamous Stuxnet worm that targeted industrial installations in Iran. Though the ultimate objective of the creators of this new cyber threat is still unknown, what is clear already is that Duqu is a universal tool being used for carrying out targeted attacks on a limited number of objects, and one that can be modified depending on the given task.

Several characteristics of the worm were revealed in the first stage of Kaspersky Lab's analysis of Duqu. First, in each discovered modification of the malicious program the driver used to infect systems had been changed: in one instance the driver carried a fake digital signature, in others it was not signed at all. Second, it became obvious that other components of Duqu were likely to exist but had yet to be found. Together, these findings suggested that the workings of this malicious program could be changed depending on the particular target being attacked.

For all the similarities, one thing that distinguishes Duqu from Stuxnet is the very small number of infections detected: at the moment of publication of the first part of the Kaspersky Lab Duqu investigation there had been just one. Since the first samples of the malicious program were discovered, four new instances of infection have been detected thanks to the cloud-based Kaspersky Security Network. One of these was tracked down to a user in Sudan; the other three were located in Iran.

In each of the four instances of Duqu infection a unique modification of the driver necessary for infection was used. More importantly, in one of the Iranian infections two network attack attempts exploiting the MS08-067 vulnerability were also found. This vulnerability was used by Stuxnet too, and also by another, older malicious program, Kido. The first of the two network attack attempts took place on October 4, the other on October 16, and both originated from one and the same IP address, formally belonging to a US Internet provider. Had there been just one such attempt, it could have been written off as typical Kido activity; but two consecutive attack attempts from the same address against the same system suggest a targeted attack on an object in Iran. It is also possible that other software vulnerabilities were exploited in the course of the operation.
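The reasoning above, that repeated MS08-067 attempts from one source against one host on separate days look targeted while one-off hits spread across many hosts look like worm noise, can be turned into a simple triage rule over IDS alerts. The following is an added example, not Kaspersky Lab code; the alert line format and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed IDS alert lines (not real telemetry from the investigation):
# timestamp, signature, source IP, destination IP.
SAMPLE_ALERTS = """\
2011-10-04T09:12:31 MS08-067 NetAPI32 overflow attempt src=203.0.113.7 dst=10.1.1.20
2011-10-05T11:40:02 MS08-067 NetAPI32 overflow attempt src=198.51.100.9 dst=10.1.1.44
2011-10-05T11:40:03 MS08-067 NetAPI32 overflow attempt src=198.51.100.9 dst=10.1.1.45
2011-10-05T11:40:04 MS08-067 NetAPI32 overflow attempt src=198.51.100.9 dst=10.1.1.46
2011-10-16T14:03:10 MS08-067 NetAPI32 overflow attempt src=203.0.113.7 dst=10.1.1.20
"""

# Assumed (hypothetical) alert layout; adapt the pattern to the sensor in use.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) MS08-067 .*?src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)$"
)


def parse_alerts(text):
    """Yield (timestamp, src, dst) for each MS08-067 alert line; skip the rest."""
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"]


def classify_sources(text, min_gap_days=1):
    """Group alerts by source IP and label each source.

    'repeat-on-target': the same source hit the same host at least twice,
    with attempts at least min_gap_days apart (the pattern the article
    treats as targeted). 'spray': one source hit several hosts once each
    (Kido-style scanning). 'single': one hit on one host, inconclusive.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for ts, src, dst in parse_alerts(text):
        hits[src][dst].append(ts)
    verdicts = {}
    for src, targets in hits.items():
        repeated = {
            dst: sorted(times)
            for dst, times in targets.items()
            if len(times) >= 2 and (max(times) - min(times)).days >= min_gap_days
        }
        if repeated:
            verdicts[src] = ("repeat-on-target", repeated)
        elif len(targets) > 1:
            verdicts[src] = ("spray", dict(targets))
        else:
            verdicts[src] = ("single", dict(targets))
    return verdicts
```

On the sample data the first source is flagged as repeating against one host 12 days apart, while the second is labelled as spraying three hosts; in practice the flagged pair is the one to pull host telemetry for.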

Commenting on the new findings, Alexander Gostev, Chief Security Expert at Kaspersky Lab, said: “Despite the fact that the systems attacked by Duqu are located in Iran, to date there is no evidence of their being industrial or nuclear program-related systems. As such, it is impossible to confirm that the target of the new malicious program is the same as that of Stuxnet. Nevertheless, it is clear that every infection by Duqu is unique. This information allows one to say with certainty that Duqu is being used for targeted attacks on pre-determined objects.”

Detailed results of the new investigation on Duqu are available here at Securelist.