What Does Kaspersky Lab Really Know about the Duqu Trojan?

What is the Duqu Trojan?

Discovered on 1st September 2011, Duqu is a complex Trojan thought to have been created by the same people who built the destructive Stuxnet worm. However, the Duqu Trojan is very different from the Stuxnet worm: it was built to gather intelligence about its target, whereas Stuxnet was designed to carry out industrial sabotage by homing in on particular industrial systems. Stuxnet targets systems that control high-speed centrifuges, like the ones Iran uses in its controversial nuclear plants. Duqu, by contrast, was created with a different objective: intruders can use it to break into SCADA-based systems and steal confidential data or information.

Duqu is very dangerous because it can steal almost anything from the targeted system. It is important to note, however, that the creators of this malware were chiefly interested in stealing numerous types of documents, taking screenshots of the desktop in order to spy on the user's actions, or simply collecting passwords. Without doubt, this Trojan has ushered in a new era of cybercrime in which intruders and criminals can use such data to carry out industrial espionage, as well as other crimes such as extortion and blackmail.

Ongoing analysis of this new cyber threat shows some similarity between the Trojan and Stuxnet. A lab report concluded that the Trojan appears to have been created by the makers of Stuxnet, or by people who had access to the Stuxnet code. This is because Duqu's kernel driver, JMINET7.SYS, has some striking similarities to MRXCLS.SYS, the driver associated with Stuxnet. The three similarities found between the two Trojans are:

• Both were linked to, and targeted, the Iranian nuclear program
• Components of both Trojans were signed using stolen digital keys
• The installers exploit Windows kernel vulnerabilities, including zero-day flaws

While researching Duqu, Kaspersky Lab discovered that, once it has infected or compromised a system, it uses a puzzling piece of code to communicate with its command and control (C&C) servers. The object-oriented code of the Duqu Trojan has baffled most researchers because it resembles nothing else they have seen. Kaspersky named this unknown section the Duqu Framework; unlike the rest of the Trojan, it is not written in the C++ programming language. The research team at Kaspersky is working hard to unravel the mysterious programming language that the Duqu Framework uses.

The researchers have so far been able to decipher the tasks performed by the mystery code. However, they have made no progress in unraveling the syntax and grammar of the programming language that Duqu uses. According to the Kaspersky Lab report, Duqu's creators most likely used an in-house framework to generate the intermediary C code. There is also a possibility that they used an entirely different programming language. Nevertheless, the Russian anti-virus researchers have at least ascertained that the Duqu programming language is object-oriented, and that it executes its own set of related activities suited to network applications.

The research also showed that the Duqu Framework language is highly specialized, because it allows the Payload DLL to operate on its own, independently of the other Duqu modules. This language is also able to connect to its C&C over numerous paths, such as proxy servers, network sockets and Windows HTTP. The Duqu Trojan allows the Payload DLL to directly handle HTTP server requests coming from the C&C, meaning it can pass copies of stolen information from the infected computer to the C&C. It is also able to distribute the other malicious payload to other machines within the network, making it very easy to spread infections discreetly and in a controlled manner.

Kaspersky Lab has carried out extensive research on this malware and is appealing to the rest of the programming community to chip in and help analyze and unravel the baffling language used to develop Duqu. Given that the Trojan is a real threat to cyber security and is capable of harming internet users, Kaspersky is eager to hear from any coders who can identify a programming language, toolkit or framework that can produce similar code. It is quite clear that the Duqu developers put a lot of resources into creating a dedicated programming language for use in the communication modules.

About the Author

Mark Whysall