PROFESSIONAL TEAM BEHIND CREATION OF THE DUQU WORM
IT security researchers this past week have shed new light on Duqu, a worm discovered last fall that is believed related to Stuxnet, the worm blamed for disabling in 2010 Iranian centrifuges used to enrich uranium that could be used in a nuclear weapon [see New Stuxnet-Like Worm Discovered].
Russian IT security researcher Igor Soumenkov, writing in a blog posted by Kaspersky Lab, characterizes the developers of Duqu as “a rather professional team of developers, which appear to be reusing older code written by top ‘old school’ developers.”
Symantec also reported that its researchers have studied a component of a new version of Duqu that it says was compiled on Feb. 23. “This new version has not been in the wild very long,” the Symantec blog says. “Checking the code, we can see the authors have changed just enough of the threat to evade some security product detections, although this appears to have only been partially successful.”
Symantec said one of the more significant changes to the newer code is the encryption algorithm used to encrypt other components on a disk it received. “Another difference is the old driver file was signed with a stolen certificate and this one is not,” the blog says.
“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active,” the Symantec blog says. “Without the other components of the attack, it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”
A Gem of Malicious Software
Soumekov says the techniques used to develop Duqu are normally seen in professional software and almost never in today’s malware. “These indicate that Duqu, just like Stuxnet, is a one-of-a-kind piece of malware, which stands out like a gem from the large mass of ‘dumb’ malicious program we normally see,” he says.
The Duqu framework consists of the C code programming language, Soumekov says. C was developed in the late 1960s and early 1970s and was popular among programmers in the pre-Internet era, suggesting that Duqu’s authors are veterans of that earlier computing period.
Duqu was compiled with a 2008 version of a Microsoft Visual Compiler using special options known as /O1 and /Ob1, most likely written with a custom extension to C called OO C, Soumekov writes in his blog. The event-driven architecture was developed as part of the Duqu framework or its OO C extension, he says, adding the code could have been reused from an existing software project and integrated into the Duqu Trojan.
All this suggests that Duqu, like Stuxnet, was developed by a highly sophisticated team with extensive resources. Experts believe Stuxnet required massive knowledge and money to develop. Though not proven, Israel – perhaps with the help of the United States – is said to have created Stuxnet as a weapon against Iran’s aspirations to become a nuclear arms power.
Last fall, Symantec researchers said the worm is called Duqu [dyü-kyü] because it creates files with the file-name prefix DQ. It shares a great deal of code with Stuxnet; however, the payload is completely different, Symantec said.
In its blog from last October, Symantec said Duqu contains a payload with general remote access capabilities rather than one designed to cabotage an industrial control system, such as the Iranian centrifuges. “The creators of Duqu had access to the source code of Stuxnet, not just the Stuxnet binaries,” Symantec said last fall. “The attackers intend to use this capability to gather intelligence from a private entity to aid future attacks on a third party. While suspected, no similar precursor files have been recovered that predate the Stuxnet attacks.”