As the analysis of the Duqu malware continues to evolve, the picture that’s emerging is becoming more and more intriguing. The latest evidence shows that the attackers not only create custom files for each individual attack, but may also have been working on Duqu in some form since 2007.
The newest analysis of the malware found that some drivers associated with the Duqu files carry compilation dates as far back as 2007; another driver found during the investigation is dated 2008. The analysis is based on a couple of specific Duqu infections, and, coupled with the files and drivers discovered previously, it now looks certain to researchers that whoever is behind Duqu is tailoring each attack to each new target, right down to creating new files for an attack on the day it is carried out.
Duqu infections are multi-stage operations, but they begin much like many others: with a targeted phishing email. In the cases analyzed by researchers at Kaspersky Lab, the email contains a Word file that includes the exploit code. Once a victim opens the file, the exploit fires in the background and begins the installation process. The malware becomes resident in the machine’s memory, but it doesn’t actually do anything for a few minutes, until the user goes idle. When that happens, the shellcode, which is contained in an embedded font called Dexter Regular, starts its work.
“The driver loaded by the exploit into the kernel of the system had a compilation date of August 31, 2007. The analogous driver found in the dropper from CrySyS was dated February 21, 2008. If this information is correct, then the authors of Duqu must have been working on this project for over four years,” Kaspersky chief malware expert Aleks Gostev wrote in his analysis.
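The compilation date of a Windows driver is normally read from the TimeDateStamp field of its PE/COFF header. The following is an added example, not code from the article or from Kaspersky's analysis, that reads that field and applies the caveat in Gostev's "if this information is correct": the stamp is written by the linker and can be edited by whoever built the binary, so it is checked against the date the sample was seen. The PE header here is constructed for the example and is not a real Duqu driver.

```python
"""Read and sanity-check the PE/COFF compile timestamp of a driver image."""
import struct
from datetime import datetime, timezone


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew (DOS header offset 0x3C) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_plausible(stamp: datetime, seen_iso: str, earliest_year: int = 1995) -> bool:
    """A stamp later than the date the sample was seen, or absurdly old, is suspect.

    The field is attacker-controlled, so a plausible value is circumstantial
    evidence of the build date, never proof of it.
    """
    seen = datetime.fromisoformat(seen_iso).replace(tzinfo=timezone.utc)
    return earliest_year <= stamp.year and stamp <= seen


def make_sample(iso_date: str) -> bytes:
    """Constructed minimal PE header (not a real driver) stamped with iso_date (UTC)."""
    stamp = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x64, one section, TimeDateStamp, then zeroed remaining COFF fields.
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1, int(stamp.timestamp()), 0, 0, 0, 0)
    return dos_header + b"PE\0\0" + coff_header


if __name__ == "__main__":
    # The two driver dates quoted in the article, checked against the
    # autumn 2011 analysis date (a constructed "seen" date for the example).
    for build_date in ("2007-08-31", "2008-02-21", "2015-01-01"):
        ts = pe_timestamp(make_sample(build_date))
        print(ts.date(), "plausible:", timestamp_plausible(ts, "2011-11-01"))
```

The third sample carries a future stamp and is reported as implausible, which is the case a forged or clock-skewed timestamp produces.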
The analysis is based on what is believed to be the first known Duqu infection, the attack in Iran earlier this year that Iranian officials said was the result of a piece of malware they called Stars. It now appears that Stars was in fact an earlier version of Duqu, Gostev said in his analysis.
“Most probably, the Iranians found a keylogger module that had been loaded onto a system and which contained a photo of the NGC 6745 galaxy. This could explain the title Stars given to it. It’s possible that the Iranian specialists found just the keylogger, while the main Duqu module and the dropper (including the documents that contained the then-unknown vulnerability) may have gone undetected,” he wrote.
The shellcode used by Duqu changes with each new target, as does the Word file that’s included in the attack email. Each one is tailored to the individual target. And it looks as if each new attack uses a separate command and control server. At least one of the known C&C servers, which was located in India, has been taken offline. The location of the newest control server isn’t being made public at this point, but Gostev said that it appears to no longer be working.