The Duqu installer is a Microsoft Word document (file extension: .doc) that exploits a zero-day kernel vulnerability, said researchers at the Laboratory of Cryptography and Systems Security (CrySyS).
Microsoft is working to issue a patch and advisory for this vulnerability, according to a report from Symantec that also indicates the malicious Word document was specially crafted to target the intended receiving organization. This appears to support the assertion that Duqu was highly targeted.
Once a system is infected, attackers can infect other computers in secure zones and control them through a peer-to-peer command and control (C&C) protocol.
Duqu continues to confound security professionals, and much about it remains a mystery.
This week, Symantec and CrySyS released updated reports identifying possible affected organizations, the dropper used to infect systems, and a new command and control (C&C) IP address.
Symantec confirmed six possibly infected organizations in eight countries including France, Netherlands, Switzerland, Ukraine, India, Iran (2), Sudan, and Vietnam. Symantec notes the organizations are only traceable back to an ISP. Other security vendors have reported infections in Austria, Hungary, Indonesia, United Kingdom, and Iran. At this point, a comprehensive list of infected organizations is not available.
ICS-CERT, in close coordination with Symantec and the original researchers, determined after additional analysis that neither industrial control systems nor vendors/manufacturers were the target of Duqu. In addition, there is no evidence based on current code analysis that Duqu presents a specific threat to industrial control systems, ICS-CERT said.
On October 18, Symantec released a Security Response Report saying the original sample of W32.Duqu came from a research organization based in Europe and that additional variants also came from a second organization in Europe.
The attackers, Symantec said, were looking for information, such as design documents, that could be used in a future attack on an industrial control facility.
This threat focused on a limited number of organizations, apparently to exfiltrate data concerning their specific assets; officials do not know the propagation method yet. Symantec said W32.Duqu is not self-replicating.
Symantec reported other attacks could be ongoing using undetected variants of W32.Duqu. Symantec said they are continuing to analyze additional variants of W32.Duqu.
Key points from the report include:
• The executables share some code with the Stuxnet worm, and they appeared after the recovery of the last Stuxnet sample.
• There is no ICS-specific attack code in Duqu or the infostealer.
• No one knows the primary infection vector for Duqu deployment (Duqu does not self-replicate or spread on its own).
• The number of targeted organizations appears to be limited.
• The malware employed a valid digital certificate (revoked as of October 14, 2011).
• The malware self-deletes after 36 days.
• The Command and Control servers are in India.
McAfee Labs has also published a blog entry on the Duqu malware.
Duqu uses HTTP and HTTPS to communicate with a command and control (C&C) server at 22.214.171.124. The server is located in India and has been disabled by its ISP.
In addition, Symantec identified a new C&C server hosted in Belgium. The IP address reported is 126.96.36.199. This C&C server has been disabled by the hosting provider.
Organizations should check network and proxy logs for any communication with these IP addresses. Organizations that find any such communication should contact ICS-CERT for further guidance.
Symantec provided sample names and hashes for the files identified as part of this threat.
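One way to carry out the proxy-log check above, as an added example that is not part of the original report: it parses Squid-style native access-log lines (an assumed format; adjust `request_host` for other proxies) and matches the request destination, rather than any IP literal on the line, against the two C&C addresses named in the report. Because Duqu used both HTTP and HTTPS, plain URLs and CONNECT tunnels are both handled. The log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# C&C addresses as named in the report (India and Belgium hosts).
DUQU_C2_IPS = frozenset({"22.214.171.124", "126.96.36.199"})
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def request_host(line):
    """Return the destination host of a Squid native access-log line, or None.

    Assumed layout: ts elapsed client action/code size method url ...
    Field 7 is a full URL for GET/POST or 'host:port' for a CONNECT tunnel.
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    url = fields[6]
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0]  # strip the :port of a CONNECT target


def find_c2_hits(lines, c2_ips=DUQU_C2_IPS):
    """Return one record per request whose destination is a known C&C IP.

    Matching on the parsed destination avoids false positives from an IoC
    appearing elsewhere in the line (e.g. in a search query string).
    """
    hits = []
    for n, line in enumerate(lines, 1):
        host = request_host(line)
        if host and IP_RE.fullmatch(host) and host in c2_ips:
            f = line.split()
            hits.append({"line": n, "client": f[2], "method": f[5], "dest": host})
    return hits


# Constructed sample log: one HTTP hit, one HTTPS CONNECT hit, one benign
# request, and one analyst search for the IoC that a naive grep would flag.
SAMPLE_LOG = """\
1319804351.000 120 10.1.5.23 TCP_MISS/200 512 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1319804352.000 340 10.1.5.23 TCP_MISS/200 2048 GET http://22.214.171.124/img/ - DIRECT/22.214.171.124 text/html
1319804353.000 90 10.1.5.44 TCP_TUNNEL/200 7600 CONNECT 126.96.36.199:443 - DIRECT/126.96.36.199 -
1319804354.000 50 10.1.5.99 TCP_MISS/200 100 GET http://www.example.org/search?q=22.214.171.124 - DIRECT/203.0.113.20 text/html
"""

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['client']} {hit['method']} -> {hit['dest']}")
```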
The full extent of the threat posed by W32.Duqu is currently under evaluation. At this time, no specific mitigations are available; however, organizations should consider taking defensive measures against this threat. One such measure is to update antivirus definitions to detect the Duqu Trojan.