Newly Compiled Driver Shows Duqu Authors Still At Work

The still-unidentified group of attackers behind Stuxnet and Duqu has drawn quite a bit of attention to itself in the last couple of years with its creations. Researchers, law enforcement and some particularly angry governments all would like to have a long talk with the crew. But that attention apparently hasn't persuaded the group that it's time to tone down its pursuits, as evidenced by the fact that researchers have discovered a newly compiled driver for Duqu within the last couple of days.


One of the unique things about Duqu is that the malware appears to be specifically tailored to each new victim. Rather than writing one piece of malware and spreading it out to a large potential victim base, the crew behind Duqu had a small, specially selected group of targets, each of which got its own specifically crafted components and drivers. Researchers say that the number of known victims of Duqu is quite small, perhaps fewer than 50.

“There are a number of different drivers and different modules which are responsible for extracting the Duqu components to disk. And basically, there are three files which get created on disk. There is one SYS driver file. There is a small PNF file, a configuration file. There is a big PNF file, so the extension is .PNF. And by the way, Stuxnet used the same extensions and this kind of similar mechanism to infect computers and install – basically, to install itself in computers,” Costin Raiu, one of the researchers who did the initial analysis of Duqu at Kaspersky Lab, said in an interview after the malware’s discovery.

Researchers spent a lot of time analyzing and poring over the drivers and the individual components of Duqu and think that they have a pretty good handle on the way that the malware works now. But that doesn’t mean that it’s fully understood yet. Just this week another piece of the puzzle came together when researchers found that an odd programming language used in one part of Duqu was heavily modified C combined with some object-oriented programming components.

And now researchers at Symantec have found a newly compiled driver for Duqu, leading to speculation that the attackers are still tweaking and modifying their original work.

“Found newly compiled #Duqu driver (Feb 2012) mcd9x86.sys, no new functionality, Stuxnet attackers very much still at it,” Symantec’s Security Response team said on Twitter Monday.

Early Tuesday Raiu said that while the new driver didn’t have any new functionality, there are indications that it’s not just new but aimed at evading existing detection techniques for Duqu.

“The new #Duqu variant discovered by @threatintel last night has been engineered to escape detection by @CrySySLab tools,” he said on Twitter, referring to CrySyS Lab, the group of researchers in Hungary who originally found Duqu and developed a detection toolkit for the malware.


Discussion

  • Erwin

    What about the digital signature of the driver, signed by another code signing certificate? I would assume all previously discovered ones have been revoked by their respective CAs by now. If so, they seem to have a large supply of code signing certificates.

  • Anonymous

    Why is everyone shining these kinds of malwares in a bad light? Honestly, IF malware like Duqu and Stuxnet are written for the sake of national security, then we should be glad that the government is using malware to make our country a safer place. People need to look past the technicalities of the malware and see legitimate purpose in these potentially beneficial malware programs.

    Also, many people will argue that government sponsored malware code allows the code to be used by writers of more general cybercrime malware, but how many cybercriminals have the technical skills or time to reverse engineer code components from a heavily obfuscated (not even packed, just obfuscated) and hard to come by government malware file? None!

  • S.

    Malware is shown in a bad light simply because it is MALware. It's not designed to be good. It may benefit us because it's harming people who aren't friendly towards us. But it may equally harm us if it lands on our systems, or encourages others to do the same. This belief that "All's fair" isn't going to wind up anywhere we want it to go. Condoning software attacks leads to retaliation that thwarts efforts to have an open net. I'm not looking forward to a day when I need a passport to visit a website. But if we wind up building a "defensive" firewall, that may wind up being the case.

  • Anonymous

    It was mentioned that Simple Object Oriented C (SOO C) could not have been used because it was still in development while Duqu was in the wild. Then why couldn't Duqu's developers have had access to the early version of SOO, or perhaps they were helping develop SOO? That way they could customize it along the way to do what they wanted in Duqu...
