Duqu is the latest worm making noise in security circles and the mainstream media. What is interesting is how much we still don't know about it: even the malware researchers at Symantec and McAfee cannot agree on the specific goal or exact purpose of Duqu. The alarming thing is not only its modular design and its potential to be deployed with pinpoint accuracy against chosen targets, but also its capacity for stealth and modification, which presents a significant challenge for the IT security sector.

The worm is composed of two independent modules. The primary module is responsible for installation and deployment, and is similar to the Stuxnet worm that attacked Iranian nuclear centrifuge control systems last year. Most researchers believe Duqu reused at least some Stuxnet source code, and possibly some of the same development team. The secondary module is a separate component, and initial findings show only loose coupling between it and the main module. While the secondary module seen so far has been a keylogger, in principle it could be replaced with any payload.

The keylogger initially triggered antivirus software, although the main module passed undetected. Luckily, those findings quickly led researchers to discover the main module. Researchers are split on whether Duqu will be used to attack industrial control systems or mainly for information reconnaissance. The fact that the secondary module was a keylogger, and that the first targets may have been certificate authorities, is alarming, especially given the perceived rise in similar cyber-attacks against CAs in general. Currently it is unclear how long Duqu has been in the wild, and the discovery of its use as a reconnaissance tool, combined with the current threats against CAs, raises serious concern about the existing level of exploitation.

As of this writing, a command and control server in India has been identified and blacklisted by its ISP. Antivirus and IDPS signatures for the first variants of this worm have been released. As researchers continue to investigate, I don't believe we have heard the last of this.