SmartData Collective
Best Practices, Security

What You Need to Know About Duqu

BryanHalfpap
Last updated: 2011/12/16 at 3:00 PM

Duqu is a stealthy piece of malware with a hidden agenda…

Everything that you need to know about Duqu:

Duqu was reported to antivirus vendors around the 14th of October, 2011, but it had been in the wild since November 2010. Since then, variants (updated copies with additional features or upgraded code) have been released.

It has been billed as the next Stuxnet, the son of Stuxnet, or a Stuxnet clone. In reality, Duqu is more like a payload of Stuxnet than an entire attack campaign, because it is a backdoor package dropped by other means. Stuxnet was considered so advanced in large part because of the number of zero-day (then unpatched) exploits it used to ensure successful infection.

Let's take a look at the similarities:

  • Duqu uses code segments that are identical or very close to those used in the Stuxnet payload.
  • Both Stuxnet and Duqu use signed code in order to appear legitimate to antivirus software, Windows, and users.
  • Registers a remote procedure call (RPC) server in a very similar fashion to Stuxnet.
  • Checks the same list of antivirus products, in the same order as Stuxnet, with one product added.
  • Checks for running processes in a manner similar to Stuxnet.
  • Both Stuxnet and Duqu use "import by hash" techniques instead of importing functions by name, so the names of the Windows APIs they call never appear in the binary, only their hashes.

These similarities are code similarities, which means that Stuxnet and Duqu appear to share a common resource base, code base, and methodology for loading and running executables. Essentially, the ways Duqu and Stuxnet install and launch themselves are similar enough to warrant concern either that the same perpetrators are behind both, or that Duqu's authors had access to the Stuxnet source code.
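The "import by hash" technique from the list above, as an added example that is not code from the article or from Duqu itself: the loader carries a numeric hash per API rather than a name, walks a loaded DLL's export table at run time, and takes the first export whose name hashes to the same value. The rotate-right-13-and-add routine, the export table and the API list are all assumptions for illustration; the real routine in any given sample has to be lifted from the sample.

```python
"""
Added example, not code from the article or from Duqu: how "import by hash"
works and how an analyst undoes it. Instead of listing API names in its import
table, a loader stores a small integer hash per API; at run time it walks the
export table of an already-loaded DLL, hashes every exported name with the same
routine and takes the first match. The hash routine below (rotate-right-13 and
add, over the raw name bytes) is a widely used shellcode-style routine chosen
for illustration; it is an assumption, not Duqu's actual routine. The export
table is a constructed stand-in for a real DLL's.
"""
from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """32-bit rotate right."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str, rotation: int = 13) -> int:
    """Hash an exported-function name: for each byte, rotate the running value
    right by `rotation` and add the byte. Cheap, branch-free and a handful of
    assembly instructions, which is why loaders favour it."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, rotation) + byte) & MASK32
    return h


# Constructed stand-in for kernel32's export table: name -> virtual address.
FAKE_EXPORTS: Dict[str, int] = {
    "CreateFileW": 0x7FF80001_0000,
    "WriteFile": 0x7FF80001_0040,
    "VirtualAlloc": 0x7FF80001_0080,
    "GetProcAddress": 0x7FF80001_00C0,
    "LoadLibraryA": 0x7FF80001_0100,
}


def embedded_hash_table(api_names: List[str]) -> List[int]:
    """What the loader embeds instead of an import table: hashes only."""
    return [api_hash(n) for n in api_names]


def resolve_by_hash(exports: Dict[str, int], wanted: int) -> Optional[int]:
    """Attacker side: walk the export table, hash each name, return the first
    address whose name matches. The binary never contains the name, so string
    searches and import-table inspection miss it."""
    for name, address in exports.items():
        if api_hash(name) == wanted:
            return address
    return None


def recover_names(hashes: List[int], candidates: List[str]) -> Dict[int, Optional[str]]:
    """Analyst side: precompute the hash of every known export name (a dump of
    the real DLLs' export tables in practice) and map each hash found in the
    binary back to a name. Hashes outside the candidate list stay unresolved."""
    table = {api_hash(n): n for n in candidates}
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    wanted = embedded_hash_table(["VirtualAlloc", "WriteFile"])
    print("embedded hashes:", [hex(h) for h in wanted])
    for h in wanted:
        print(hex(h), "->", hex(resolve_by_hash(FAKE_EXPORTS, h)))
    print(recover_names(wanted + [0xDEADBEEF], list(FAKE_EXPORTS)))
```

The recovery step is only as good as the candidate list and the guess at the hash routine: a 32-bit hash can collide, and a sample that uses a different rotation count, an XOR instead of an add, or upper-cases the name first will not match a table built with this routine, so the routine must be confirmed against the sample's own code before the table is trusted.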

There are significant differences, however, chiefly that Duqu only gathers information. Stuxnet, by comparison, destroyed industrial equipment, disabled safety systems, and was overtly destructive. Duqu's most significant malicious capability is spying.

Duqu infections currently have the following functionalities:

  • View processes, accounts, and domain information
  • View drive names/information
  • Ability to take screenshots
  • View network and network setup
  • Keylogger
  • Window name enumeration
  • Share enumeration
  • File exploration on all drives

Duqu sends this information to a command-and-control server, currently located in India, whose IP address is hard-coded into the Duqu payloads. Interestingly, Duqu is also set to remove itself after 36 days of infection, a probable reason it was able to live so long in the wild without detection.

Targets:

Duqu appears to be mostly targeting industrial control systems and certificate authorities, probably to gather information for use in further attacks. CA compromises are also lucrative because of the use of stolen certificates in malware. Duqu itself is a sterling example: it uses a stolen certificate to sign itself as legitimate software, fooling the operating system, antivirus software, and user alike.

Infection Methods:

At first, Duqu was widely reported to have come from the same people who created Stuxnet. This doesn't have to be the case: the techniques could have been copied or even stolen wholesale by other malware authors. Duqu also behaves differently and uses a different infection method. Whereas Stuxnet focused on self-propagation through remote exploitation, Duqu's exploit of choice (CVE-2011-3402, a kernel-mode TrueType font parsing flaw that has since been patched by MS11-087) is delivered trojan-horse style and requires a user to open a malicious Microsoft Word document.

What Can We Learn From This?

Don't trust the initial reports; be wary, but try not to buy into the paranoia. Measured, rational reactions to security threats matter so your customers and users don't view you as the "boy who cried wolf". The sad thing about Duqu is that it would be very hard to detect without antivirus signatures. Signed, silent, patient and self-deleting, it is a threat that is difficult to detect or defend against unless you have the proper security infrastructure (intrusion detection systems, VLANs, egress-filtering firewalls, data loss prevention, etc.). Use it as justification for increased security spending if your controls aren't up to spec.
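One signature-free control of the kind the paragraph above calls for, written here as an added example and not taken from the article: because Duqu's command-and-control address is hard-coded (see the section on what Duqu does with the data it collects), the infected host never resolves a hostname for it, so an egress firewall or IDS that correlates outbound connections with the same host's recent DNS answers can flag "direct-to-IP" traffic. The log lines, field names and internal address ranges below are constructed for illustration.

```python
"""
Added example, not code from the article: flag outbound connections to external
addresses that the connecting host did not obtain from a DNS answer shortly
before. A backdoor with a hard-coded C2 IP never asks DNS for it, so this is one
signal an egress firewall or IDS can raise without an antivirus signature. Log
lines and the internal-network list are constructed; field names are assumed.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed DNS-answer log: one line per (host, query, answered address).
DNS_LOG = """\
2011-11-03T09:00:01Z host=ws-17 qname=www.example.com answer=93.184.216.34
2011-11-03T09:00:02Z host=ws-17 qname=update.example.org answer=198.51.100.7
2011-11-03T09:00:05Z host=ws-22 qname=mail.example.net answer=203.0.113.9
"""

# Constructed outbound-connection log from an egress firewall.
CONN_LOG = """\
2011-11-03T09:00:02Z host=ws-17 dst=93.184.216.34 dport=80
2011-11-03T09:00:03Z host=ws-17 dst=198.51.100.7 dport=443
2011-11-03T09:00:09Z host=ws-17 dst=203.0.113.9 dport=80
2011-11-03T09:00:10Z host=ws-17 dst=10.0.5.20 dport=445
2011-11-03T09:00:15Z host=ws-22 dst=203.0.113.9 dport=443
"""

# Assumed internal ranges; anything outside them is treated as external (so the
# documentation ranges used in the sample logs count as external here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line: str) -> Tuple[datetime, Dict[str, str]]:
    """'<iso-ts> k=v k=v ...' -> (timestamp, {k: v})."""
    ts_text, *fields = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, dict(f.split("=", 1) for f in fields)


def is_internal(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def build_dns_index(dns_log: str) -> Dict[Tuple[str, str], List[datetime]]:
    """(host, answered_ip) -> times at which that host received that answer."""
    index: Dict[Tuple[str, str], List[datetime]] = {}
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        index.setdefault((kv["host"], kv["answer"]), []).append(ts)
    return index


def find_direct_ip_egress(dns_log: str, conn_log: str,
                          window: timedelta = timedelta(minutes=10)) -> List[Dict[str, str]]:
    """Return connections to external IPs that the same host did not resolve via
    DNS within `window` before connecting. The check is per host: another host
    having resolved the address does not excuse this one."""
    index = build_dns_index(dns_log)
    alerts: List[Dict[str, str]] = []
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        if is_internal(kv["dst"]):
            continue  # intranet traffic is out of scope for an egress check
        answers = index.get((kv["host"], kv["dst"]), [])
        if any(ts - window <= t <= ts for t in answers):
            continue  # host looked the address up first: normal browsing
        alerts.append({"time": ts.isoformat(), "host": kv["host"],
                       "dst": kv["dst"], "dport": kv["dport"]})
    return alerts


if __name__ == "__main__":
    for a in find_direct_ip_egress(DNS_LOG, CONN_LOG):
        print(f"direct-to-IP egress: {a['host']} -> {a['dst']}:{a['dport']} at {a['time']}")
```

On the sample data only ws-17's connection to 203.0.113.9 fires: ws-22 resolved that address, ws-17 never did. Expect benign hits from software that legitimately hard-codes addresses (update agents, VPN concentrators) and from hosts whose DNS goes through a resolver you do not log; the window and the internal-range list are tuning knobs, and a DNS cache longer than the window will need the window widened or the index fed from cache-hit logs as well.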

Related articles
  • Duqu hackers scrub evidence from command servers, shut down spying op (ctolabs.com)
  • Duqu incidents detected in Iran and Sudan (ctolabs.com)
  • Microsoft Releases Temporary Plug For Duqu (bobgourley.com)
