malware attacks

The Black Hole exploit kit and the Carberp Trojan have a lovely, symbiotic relationship and they’ve recently decided to take that relationship to the next level. In the last month, there has a been a major spike in the volume of Carberp infections related to attacks from sites hosting Black Hole, mostly exploiting Java vulnerabilities.

Google is expanding the amount and kind of data that it supplies to network operators about potentially malicious activity happening on their networks and elsewhere. The company is now giving operators information on dedicated domains that are being used for malware hosting and distribution.

Duqu has been called the spawn of Stuxnet, or maybe some sort of stepchild or second cousin. That initial analysis came from some similarities in the code of the two attack tools, and now that researchers have had more time to pull Duqu apart and see how it works, it seems more and more likely that the two were written by the same group. In the second part of an interview with Costin Raiu, who has done a lot of research on Duqu, Threatpost editor Dennis Fisher talks with Raiu about the similarities to Stuxnet, the targets for Duqu and why the authors may have made a key mistake.

Stuxnet has become the bogeyman of Internt security and cyberwar, showing up in marketing pitches, PowerPoint presentations and press releases from Washington to Silicon Valley to Tehran. But while Stuxnet has been garnering headlines for more than a year now, the far more serious threat in terms of potential long-term damage has turned out to be Duqu. The malware first came to light in September, but it may have been circulating four or five months before that. Its customizable, modular architecture has been a challenge for researchers seeking to understand its operation and its creators’ intentions. Threatpost editor Dennis Fisher spoke with Costin Raiu, one of the main researchers working on Duqu at Kaspersky Lab, about the relationship between Stuxnet and Duqu, the possible identity of the attackers and the investigation into its architecture.

Researchers are fairly confident now that whoever wrote the Duqu malware also was involved in some way in developing the Stuxnet worm. They’re also confident that they have not yet identified all of the individual components of Duqu, meaning that there are potentially some other capabilities that haven’t been documented yet.

The TDSS rootkit has proven to be more pliable and adaptable than a campaigning politician, and attackers have used it in various forms for the last three or four years for all sorts of different attacks. It shows up in drive-by downloads, targeted attacks and just about everything in between, and one of the newer jobs it’s been assigned is to deliver the DNSchanger Trojan.

As the analysis of the Duqu malware continues to evolve, the picture that’s emerging is becoming more and more intriguing. The latest bits of evidence uncovered show that not only do the attackers create custom files for each individual attack, there is evidence indicating that they might have been working on Duqu in some form since 2007.