How the Duqu Authors May Have Erred

Duqu has been called the spawn of Stuxnet, or maybe some sort of stepchild or second cousin. That initial analysis came from some similarities in the code of the two attack tools, and now that researchers have had more time to pull Duqu apart and see how it works, it seems more and more likely that the two were written by the same group. In the second part of an interview with Costin Raiu, who has done a lot of research on Duqu, Threatpost editor Dennis Fisher talks with Raiu about the similarities to Stuxnet, the targets for Duqu and why the authors may have made a key mistake.

Dennis Fisher:  So when Duqu was first publicized, there was a lot of talk about how it was very closely related to Stuxnet.  Can you talk a little bit about what the similarities are to Stuxnet and maybe in your opinion whether you think it was actually written by either the same group or somebody who is related to them?

Costin Raiu: Yeah. So, well, according to my knowledge, the people at CrySyS, the research lab in Hungary, were the first to point out the similarities between Duqu and Stuxnet, and they were the first to postulate that both Duqu and Stuxnet were written by the same people. But later, it’s interesting that other people were not so convinced, and they started writing and claiming that Duqu and Stuxnet were written by different people. So, there was – I think there was a lot of noise, and I’m sure you’re aware of that. And obviously, the big question here is: what is true? Who is right and who is wrong? And before going any further, I will say that we are pretty sure that they have been written by the same people. And let me explain why. First of all, they have a lot of things in common. And here, I will point out the usage of various encryption keys, including encryption keys which hadn’t been made public prior to Duqu. So, there are quite a lot of very good public reports on Stuxnet, such as, for instance, the one by Symantec. But they do not point out all of the specific encryption keys which were used in Stuxnet. And it’s quite interesting to see that those encryption keys, those specific magic constants, are also used in Duqu.

So, up to this point, you can say that the guys who wrote Duqu also analyzed Stuxnet in a very, very deep way. And probably they knew more, or they even dug further than the public reports on Stuxnet. But then again, we have more stuff, such as the injection techniques, which are similar between Duqu and Stuxnet. They use the same manner of dealing with the way they use RPC experts, the kind of communication infrastructure, the usage of zero-day exploits, the usage of stolen certificates. And there are – actually, there are a few more pointers, which I cannot publicly disclose, which make us pretty sure that they have been written by the same guys. But here I would agree with some of the people who said that, “Actually, you know, they’re not identical.” That’s for sure. There are differences. And one very good example, I guess, is to point out that, let’s say, we have Microsoft Office and Microsoft Windows. And if you look at the code, you will see differences for sure. But both Office and Microsoft Windows are from the same publishing house. So, I would say that Duqu and Stuxnet are exactly the same in that sense. They might not have been written by exactly the same programmers, but for sure, they come from the same publishing house.

Dennis Fisher: Okay. And that’s kind of an important point, because that also lends a little bit of credence to the idea that this is, essentially, a professional operation. This is not an ad hoc group of people doing this. This is somebody with some kind of goal in mind, whatever it is, and they’re being very professional in their pursuit of that goal.

Costin Raiu: Absolutely. There is no shame in saying that the Duqu guys are top class. They are some of the best exploit writers in the world, some of the best security researchers in the world. At the same time, they have very, very good expertise in creating malicious code and knowing how to stay under the radar. So, to be honest, I believe that a lot of money has been invested in both Stuxnet and Duqu. And by a lot of money, I mean tens of millions of dollars. And I suspect that, actually, Duqu shows that they eventually learned some lessons from the Stuxnet fiasco. Why I call it a fiasco is because, okay, from the ISIS report, we know that Stuxnet was successful in slowing down the nuclear program of Iran. So, according to the ISIS report, Stuxnet damaged about 1,000 centrifuges at the uranium enrichment plant at Natanz. But we also suspect that these guys were very, very upset when the news broke about Stuxnet. And obviously, a huge investment, a lot of money, basically went down the drain. So, where was the mistake? Why do you think there was a mistake in the case of Stuxnet?

Dennis Fisher:  Well, wouldn’t the mistake have been that it, at some point, started infecting Windows machines, and so it came to the attention of people who never should’ve known about it, right?

Costin Raiu: Right. Correct. The fact that Stuxnet was self-replicating – I think that was a big mistake, because whenever you write a piece of code that is self-replicating, you cannot control it. And for instance, I think Robert Morris Jr. learned this the hard way. Replicating code cannot be contained. So, sooner or later, people will find out about the replicating code. So, this was a big lesson they learned from Stuxnet, and this is why Duqu is no longer replicating. Duqu is a Trojan which is designed to be very, very silent, stay under the radar, and avoid detection. But nevertheless, what I think was their mistake in the case of Duqu is that they attacked the wrong people. So, the victim which the Hungarian CrySyS lab helped was not such a good idea for them to attack.

Dennis Fisher:  And none of these victims has been made public at this point, right?

Costin Raiu: No, no. They’re all confidential, to protect their privacy.

Dennis Fisher: Yeah. So, if you’re talking about somebody who invested millions or tens of millions of dollars in this, that narrows the potential creators down to a fairly small pool of people, doesn’t it?

Costin Raiu: I guess so, yeah. Well, basically, it narrows the pool to the pool of rich people.

Dennis Fisher: Or rich governments perhaps?

Costin Raiu: Perhaps, perhaps. We do think that, given all these specific details and a lot of facts, they could not have been created without support from some nation state, one, two or three of them.

Dennis Fisher: Which is a really interesting conclusion. And it’s, I think, something that a lot of people have been convinced has been going on for years now, but we haven’t necessarily seen any concrete evidence of it until now.

Costin Raiu: I’m not sure that even now we have some concrete evidence, because, well, these guys are very, very careful. And all the steps which I mentioned, and the fact that they’re burning the bridges behind them, make them very hard to track. But they’re very professional, so it’s possible we may never find out who these guys were. It’s like some of the big mysteries of history, like the Kennedy assassination maybe.

Dennis Fisher: Costin, are you aware of whether law enforcement in the relevant countries is looking into this?

Costin Raiu: Yes, I think so. So, for sure, law enforcement in some countries is looking into this. It’s possible that law enforcement in other countries is kind of ignoring it.

Dennis Fisher: Sort of looking the other way?

Costin Raiu: Correct.

Dennis Fisher: So, one of the things that always intrigues me about these kinds of stories, whether it’s Stuxnet or Duqu or whatever it happens to be, is that – like you said, the Stuxnet authors made a pretty key mistake. And if they had accomplished the goal that they set out to do, we may never have really known what happened. We might not have really heard of Stuxnet if they had been really quiet about it. And these guys, the Duqu authors, like you said, maybe chose the wrong victim or something. But since there are a couple of these out there that we know about, don’t we need to assume that there are a lot of highly targeted, custom pieces of malware like this being used that we haven’t heard of yet?

Costin Raiu: It’s possible. Everybody wondered, when we saw Stuxnet one year ago, whether Stuxnet was the first of its kind. And later, obviously, everybody wondered if there’s going to be another malware like Stuxnet in the future. And to be honest, when you look at Stuxnet and when you look at Duqu, you see a kind of sophistication, let’s say, which you do not usually see in your average Chinese piece of malware like Poison Ivy, the malware which has been used to spy on RSA, the malware which has been used in the Aurora attack.

If you compare that to Duqu, you could say it’s like amateurs versus world champions, something like this. And this kind of sophistication that you see in Stuxnet and Duqu – for the trained eye, you see a little bit more than just code. You see very high precision. You see order. You see – how to say – a very, let’s say, high intelligence at work, which is leaving, let’s say, some clues behind. And actually, they love to put all sorts of clues into the malware, like magic constants. They use these magic constants a lot. It’s like they’re trying to send a message, or just to send us the wrong way. But there is a kind of huge difference between your average malware and Duqu and Stuxnet.

Dennis Fisher: Okay, all right. Well, I think we’ve scared everyone half to death with this, which is good.

Costin Raiu: Well, not necessarily. As I was saying, if you’re a corporation, or even a small or medium business, I seriously doubt that you have to worry about Duqu, because the number of victims around the world is so small. On the other hand, if you have been hit by Duqu, you can actually find that out by scanning your computer with a security solution, or the nice folks at CrySyS have put together a toolbox which contains some interesting programs that will help you diagnose, let’s say, your system to see if you have been hit by Duqu, maybe at a previous time.

And this is important, because let’s say you were infected in April, and Duqu has a self-destruct timer which can be something like 30 days. We have also seen 36 days. We have also seen 100 – sorry, 120 days. So, after that timer passes, Duqu removes itself. But here, I think that they made a mistake. And the mistake is that they do not remove all the files: they do not remove the DQ files, the DF files, the DL files, which have the stolen information from your PC. And those files have a specific format.

And using the CrySyS lab tools, you can search for these kinds of files in your network. So, in the case that you find such files, as I was saying, first of all, do not panic. The worst has already passed. They have most likely already stolen what they were after.

Dennis Fisher: They already have your product plans.

Costin Raiu: Absolutely. They most likely already collected everything they needed from you. And actually, I thought it was funny that I saw, a couple of days ago, news which said that Iran now claims to have Duqu under control.

Dennis Fisher: Right.

Costin Raiu: Which is a bit strange in my opinion, given that most of the attacks happened in April, and they were probably gone by June or August. So, they had already finished collecting what they were after maybe three or four months ago. So, yeah, okay, you may have it under control now, but who cares? All the data is gone.

This is the second part of an edited transcript of a podcast with Costin Raiu. The first part ran on Monday.

Discussion

  • Anonymous on

    Duqu binaries download: http://thaf0realblog.co.cc

    I decided to put it on my site.

    Thanks to contagiodump.blogspot.com/ for the samples

    inside 7-zip password:duqu

  • Anonymous on

    Duqu binaries download link for anyone interested:

    http://thaf0realblog.co.cc

    I posted this on the site.

    I am not a professional security researcher. I am an aspiring IT Security person, hobbyist, and ethical hacker.

    Thanks to "contagiodump.blogspot.com" for the samples.

  • Anonymous on

    Poison Ivy is Swedish malware, not Chinese.

  • MiKKiETECH on

    Yes, PI is Swedish; it seems to be a classic mistake that some refer to it as being Chinese. Ghost, on the other hand, is/was a classic Chinese RAT/Trojan, of which there are now many variants.