
DUQU: A new threat


General Information

According to the report presented by Symantec, this trojan was first detected on the 14th of October; Symantec later found samples of the driver that had been uploaded to VirusTotal on the 7th of September.

According to Symantec, this could herald an attack similar to Stuxnet, since the code appears to have been written by Stuxnet's own authors, or at least by programmers with access to its source code. However, this Trojan contains code related to industrial control systems.

The main objective of this new threat is to get information about ICS (industrial control systems) manufacturing companies, to help prepare for a subsequent attack against another company.

Duqu is, basically, a RAT (Remote Admin Trojan) that, once introduced into a system, functions as a downloader for other trojans. It consists of a driver, a DLL and a configuration file. These files are installed by another executable that, as yet, has not been identified. This installer registers the driver as a service that must be executed during system startup. Once executed, the driver injects the DLL into the services.exe process and, if the injection succeeds, the DLL extracts other components that are in turn injected into other processes.

Duqu uses a valid digital certificate that was revoked on the 14th of October. It also waits 15 minutes before activating, once it arrives on a new machine (probably to avoid being detected in a sandbox). It is designed to automatically remove itself after 36 days.


McAfee's theory is different. They argue that Duqu is being used to steal certificates from CAs in Europe, Africa and Asia, to be used afterwards for signing malicious code.


A Summary of Behaviour

The malware opens a backdoor in the infected system which allows the attackers to obtain the following information from the compromised system:
  • A list of the processes currently executing, the details of the user’s account and domain information.
  • Names of the drives and related information, such as shared drives.
  • Screen captures.
  • Network information (routing tables, shared objects etc.).
  • Key strokes (Keylogger).
  • Names of all open windows.
  • A list of shared resources.
  • Exploration of files in all drives, including removable drives.
  • List of all machines in the domain (through NetServerEnum).
  • Name of the current module, PID, session ID, Windows directory, Temp directory.
  • Operating System version, including if it is 64-bit or not.
  • Information about network adapters.
  • Information about local time, including the time zone.

Finally, the malware sends all the extracted information in encrypted form to a predetermined control panel (206.183.111.97), at the same time allowing the download of more malicious content from the control panel.


Possible clues for detection

Network traffic

Duqu uses the HTTP and HTTPS protocols to communicate with the control panel (C&C) found at the IP 206.183.111.97. This server is located in India, and has been disabled by the ISP (Web Werks WEBWRKS-PHLA1).

Communications with the IP address range 206.53.48-61.* have also been reported. It is highly recommended that the logs of network communication devices are reviewed for connections to this IP or to any IP within the indicated range.


Detection on infected machines

Symantec has provided the following hashes and file names that have been identified as part of the threat.

MD5                               Name              Purpose
0a566b1616c8afeef214372b1a0580c7  cmi4432.pnf       Principal DLL
94c4ef91dfcd0c53a96fdc387f9f9c35  netp192.pnf       Configuration File
e8d6b4dadb96ddb58775e6c85b10b6cc  cmi4464.PNF       Configuration File
b4ac366e24204d821376653279cbad86  netp191.PNF       Principal DLL
4541e850a228eb69fd0f0e924624b245  cmi4432.sys       Driver
0eecd17c6c215b358b7b872b74bfd800  jminet7.sys       Driver
9749d38ae9b9ddd81b50aad679ee87ec  [TEMP FILENAME]   Infostealer
c9a31ea148232b201fe7cb7db5c75f5e  -                 Dropper



Duqu drivers have also been detected using the following file names which were not included in the Symantec report:

nfrd965.sys
adpu321.sys

The driver load is performed by adding some of the following keys to the Windows registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JmiNET3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432

The detection of these entries in the registry of a Windows system is a clear indication that the machine is infected by Duqu.
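The detection hints in this post (the C&C address and the 206.53.48-61.* range under "Network traffic", and the hashes, file names and registry service names under "Detection on infected machines") can be combined into a small triage script. The Python below is an added example, not tooling from S21sec or Symantec: the indicator values are copied from this post, while the firewall log lines, file list and service names it runs on are constructed samples. It interprets "206.53.48-61.*" as every address whose third octet lies between 48 and 61 inclusive, which is an assumption about the shorthand.

```python
import ipaddress
import re

# Network indicators quoted in the post.
C2_IP = ipaddress.ip_address("206.183.111.97")
# "206.53.48-61.*" read as the inclusive range 206.53.48.0 - 206.53.61.255 (assumption).
C2_RANGE_LOW = ipaddress.ip_address("206.53.48.0")
C2_RANGE_HIGH = ipaddress.ip_address("206.53.61.255")

# File indicators from the Symantec table: MD5 -> (file name as reported, purpose).
# The dropper row gave no file name; the infostealer runs under a temporary name.
KNOWN_HASHES = {
    "0a566b1616c8afeef214372b1a0580c7": ("cmi4432.pnf", "Principal DLL"),
    "94c4ef91dfcd0c53a96fdc387f9f9c35": ("netp192.pnf", "Configuration File"),
    "e8d6b4dadb96ddb58775e6c85b10b6cc": ("cmi4464.PNF", "Configuration File"),
    "b4ac366e24204d821376653279cbad86": ("netp191.PNF", "Principal DLL"),
    "4541e850a228eb69fd0f0e924624b245": ("cmi4432.sys", "Driver"),
    "0eecd17c6c215b358b7b872b74bfd800": ("jminet7.sys", "Driver"),
    "9749d38ae9b9ddd81b50aad679ee87ec": ("[TEMP FILENAME]", "Infostealer"),
    "c9a31ea148232b201fe7cb7db5c75f5e": ("", "Dropper"),
}
# Windows file names are case-insensitive, so compare them lower-cased.
KNOWN_NAMES = {n.lower() for n, _ in KNOWN_HASHES.values() if n and not n.startswith("[")}
KNOWN_NAMES |= {"nfrd965.sys", "adpu321.sys"}  # extra driver names reported in the post
# Service key names under HKLM\SYSTEM\CurrentControlSet\Services created by the installer.
KNOWN_SERVICES = {"jminet3", "cmi4432"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ip_is_c2(addr: str) -> bool:
    """True if addr is the C&C IP or lies inside the reported 206.53.48-61.* range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version != 4:  # indicators are IPv4 only; IPv6 addresses cannot match
        return False
    return ip == C2_IP or C2_RANGE_LOW <= ip <= C2_RANGE_HIGH


def scan_log(lines):
    """Return (line_number, ip) for every log line mentioning an indicator address."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for candidate in IPV4_RE.findall(line):
            if ip_is_c2(candidate):
                hits.append((n, candidate))
    return hits


def match_files(entries):
    """entries: iterable of (file_name, md5_hex). Hash matches are authoritative;
    a name-only match is weaker evidence and is labelled as such."""
    findings = []
    for name, md5 in entries:
        md5 = md5.lower()
        if md5 in KNOWN_HASHES:
            findings.append((name, "hash", KNOWN_HASHES[md5][1]))
        elif name.lower() in KNOWN_NAMES:
            findings.append((name, "name-only", "possible Duqu component"))
    return findings


def suspicious_services(service_names):
    """Filter enumerated service key names (case-insensitive) down to the known Duqu ones."""
    return sorted(s for s in service_names if s.lower() in KNOWN_SERVICES)


# Constructed sample inputs (not real captures or real file hashes).
SAMPLE_LOG = [
    "2011-10-20 09:14:02 ALLOW TCP 10.0.0.15:49231 -> 206.183.111.97:443",
    "2011-10-20 09:14:05 ALLOW TCP 10.0.0.15:49232 -> 93.184.216.34:80",
    "2011-10-20 09:29:11 ALLOW TCP 10.0.0.22:51010 -> 206.53.55.10:80",
    "2011-10-20 09:30:00 ALLOW TCP 10.0.0.22:51011 -> 206.53.62.1:80",
]
SAMPLE_FILES = [
    ("cmi4432.pnf", "0a566b1616c8afeef214372b1a0580c7"),   # hash match from the table
    ("NFRD965.SYS", "0123456789abcdef0123456789abcdef"),   # name-only match, constructed hash
    ("ntoskrnl.exe", "fedcba9876543210fedcba9876543210"),  # clean, constructed hash
]
SAMPLE_SERVICES = ["Tcpip", "JmiNET3", "cmi4432", "Spooler"]

if __name__ == "__main__":
    for n, ip in scan_log(SAMPLE_LOG):
        print(f"log line {n}: connection to Duqu indicator {ip}")
    for name, kind, what in match_files(SAMPLE_FILES):
        print(f"file {name}: {kind} match ({what})")
    for svc in suspicious_services(SAMPLE_SERVICES):
        print(f"service key {svc}: matches a Duqu driver service name")
```

In practice the file list would come from hashing the contents of the Windows directory and the services list from enumerating the registry key named above; a hash hit is conclusive, whereas a file-name or service-name hit alone should trigger a closer look at the file rather than an automatic verdict, since the names are short and could collide with legitimate driver packages.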

S21sec e-crime team

© Copyright S21sec 2013 - All rights reserved
