The still-unidentified group of attackers behind Stuxnet and Duqu have drawn quite a bit of attention to themselves in the last couple of years with their creations. Researchers, law enforcement and some particularly angry governments all would like to have a long talk with the crew. But that attention apparently hasn’t persuaded the group that it’s time to tone down their pursuits, as evidenced by the fact that researchers have discovered a newly compiled driver for Duqu within the last couple of days.
One of the unique things about Duqu is that the malware appears to be specifically tailored to each new victim. Rather than writing one piece of malware and spreading it out to a large potential victim base, the crew behind Duqu had a small, specially selected group of targets, each of which got its own specifically crafted components and drivers. Researchers say that the number of known victims of Duqu is quite small, perhaps fewer than 50.
“There are a number of different drivers and different modules which are responsible for extracting the Duqu components to disk. And basically, there are three files which get created on disk. There is one SYS driver file. There is a small PNF file, a configuration file. There is a big PNF file, so the extension is .PNF. And by the way, Stuxnet used the same extensions and this kind of similar mechanism to infect computers and install – basically, to install itself in computers,” Costin Raiu, one of the researchers who did the initial analysis of Duqu at Kaspersky Lab, said in an interview after the malware’s discovery.
Researchers spent a lot of time analyzing and poring over the drivers and the individual components of Duqu and think that they have a pretty good handle on the way that the malware works now. But that doesn’t mean that it’s fully understood yet. Just this week another piece of the puzzle came together when researchers found that an odd programming language used in one part of Duqu was heavily modified C combined with some object-oriented programming components.
And now researchers at Symantec have found a newly compiled driver for Duqu, leading to speculation that the attackers are still tweaking and modifying their original work.
“Found newly compiled #Duqu driver (Feb 2012) mcd9x86.sys, no new functionality, Stuxnet attackers very much still at it,” Symantec’s Security Response team said on Twitter Monday.
Early Tuesday Raiu said that while the new driver didn’t have any new functionality, there are indications that it’s not just new but aimed at evading existing detection techniques for Duqu.
“The new #Duqu variant discovered by @threatintel last night has been engineered to escape detection by @CrySySLab tools,” he said on Twitter, referring to CrySyS Lab, the group of researchers in Hungary who originally found Duqu and developed a detection toolkit for the malware.