Duqu - Stuxnet 2

Status
Not open for further replies.

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
F-Secure said:
A new backdoor created by someone who had access to the source code of Stuxnet has been found.

Stuxnet source code is not out there. Only the original authors have it. So, this new backdoor was created by the same party that created Stuxnet.

Unlike Stuxnet, the new backdoor, known as Duqu, does not target automation or PLC gear. Instead, it's used for reconnaissance. Duqu collects various types of information from infected systems for a future attack. It's possible we'll eventually see a new attack targeting PLC systems, based on the information gathered by Duqu.

The code similarities between Duqu and Stuxnet are obvious. Duqu's kernel driver (JMINET7.SYS) is actually so similar to Stuxnet's driver (MRXCLS.SYS) that our back-end systems thought it was Stuxnet.

Stuxnet drivers were signed with stolen certificates belonging to Taiwanese companies called RealTek and JMicron.

Duqu has a driver signed with a stolen certificate belonging to a Taiwanese company called C-Media Electronics Incorporation.

The driver still claims to be from JMicron, though.

The best research into Duqu so far has been done by Symantec. They've been at it for a while, and have today published a 46-page whitepaper on it.

via F-Secure
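The F-Secure quote above notes that Duqu's driver was signed with C-Media's stolen certificate while still claiming to be from JMicron. As an added example (not code from F-Secure, Symantec or this thread), here is a PowerShell check a defender can run to surface that kind of signer/vendor mismatch, and to flag drivers whose signature chain no longer validates because the certificate was revoked. The driver directory sweep, the function name and the first-word name comparison are assumptions for illustration.

```powershell
# Added example, not from the original post: flag drivers whose Authenticode signer
# does not match the vendor named in the file's own version resource (as with Duqu's
# JMINET7.SYS: signed by C-Media, claiming JMicron), or whose signature no longer
# validates (e.g. the certificate has since been revoked).
function Test-DriverSignerMismatch {
    param(
        [Parameter(Mandatory)][string]$Path
    )
    $file = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $claimedVendor = $file.VersionInfo.CompanyName
    $signerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Pull the CN= component of the signer subject for a readable comparison.
    $signerCN = $null
    if ($signerSubject -match 'CN=([^,]+)') { $signerCN = $Matches[1].Trim() }

    # Heuristic (assumption): the first word of the signer's CN should appear in the
    # vendor string the file claims for itself. Legitimate OEM drivers signed by a
    # third party will also trip this, so treat hits as leads to review, not verdicts.
    $reasons = @()
    if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
    if (-not $signerCN) {
        $reasons += 'no signer certificate'
    }
    elseif ($claimedVendor -and $claimedVendor -notmatch [regex]::Escape($signerCN.Split(' ')[0])) {
        $reasons += "signer '$signerCN' does not match claimed vendor '$claimedVendor'"
    }

    [pscustomobject]@{
        Path          = $file.FullName
        ClaimedVendor = $claimedVendor
        SignerCN      = $signerCN
        Status        = $sig.Status
        Suspicious    = $reasons.Count -gt 0
        Reasons       = $reasons -join '; '
    }
}

# Sweep the drivers directory and list only the files that need a closer look
# (assumed invocation; adjust the path to the host being reviewed).
Get-ChildItem -Path "$env:SystemRoot\System32\drivers" -Filter *.sys |
    ForEach-Object { Test-DriverSignerMismatch -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table Path, ClaimedVendor, SignerCN, Status, Reasons -AutoSize
```

Revocation only shows up in `Status` if the host can reach the CA's CRL/OCSP endpoints, so on an offline system a stolen-but-revoked certificate may still report `Valid`.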
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Seems this malware would spread rapidly in a definite time.
 

WinAndLinuxTutorials

Level 4
Verified
Honorary Member
Aug 23, 2011
2,291
I agree with jamescv7. BTW, this post reminded me of Sudoku, one of my best games. Thanks for reminding me about it :D
 

Deleted member 178

WinAndLinuxTutorials said:
I agree with jamescv7. BTW, this post reminded me of Sudoku, one of my best games. Thanks for reminding me about it :D

looool
 

AyeAyeCaptain

Level 1
Feb 24, 2011
585
Which in turn was dished out by Verisign/Symantec, and took 44 days to be revoked since being discovered on September 1st?!! lmao
 

NathanF1

Level 2
Verified
Jul 9, 2011
597
From MalwareCity

Duqu: Not the Son of Stuxnet, but the Vanguard of a New Generation?

The code of the rootkit is extremely similar to the one we identified in Stuxnet more than a year ago, and judging by the first impression, one could imagine that the guys behind the Stuxnet incident are back with another tool to finish what they started in 2010.

However, a less known aspect is that the Stuxnet rootkit has been reverse-engineered and posted on the Internet. It’s true that the open-sourced code still needs some tweaking, but an experienced malware writer could use it as inspiration for their own projects. We believe that the team behind the Duqu incident are not related to the ones that released Stuxnet in 2010, for a number of reasons:

1. The purpose of this new threat is different. While Stuxnet has been used for military sabotage, Duqu is merely gathering information from compromised systems and should be regarded as nothing short of a sophisticated keylogger. Since criminal gangs rarely change their primary specialty, we are inclined to say that a gang focused on military sabotage would not move their focus to civilian enterprises.

2. Code re-use is a bad practice in the industry, especially when this code has been initially seen in legendary e-threats such as Stuxnet. By now, all antivirus vendors have developed strong heuristics and other detection routines against industry heavy-weights such as Stuxnet or Downadup. Any variant of a known e-threat would likely end up caught by generic routines, so the general approach is "hit once, then dispose of the code".

Even though this might not be the creation of the team behind Stuxnet, we advise computer users to keep an open eye when surfing the web, as well as to install an antivirus solution.

If you suspect any infection with the Duqu.A rootkit, download and run our dedicated removal tool that is freely available in the Removal Tools section of Malware City.
 