The security industry is currently buzzing with talks about a threat dubbed as the precursor to the next STUXNET.
According to a Symantec analysis, portions of the code are very similar to STUXNET, and was likely written by the same cybercriminals as the well-known threat. Unlike STUXNET, however, Duqu does not have code that suggests it was developed to access SCADA systems. Instead, its final payload appears to be inclined toward information theft.
Duqu is made up of several components. The SYS file, which is detected as RTKT_DUQU.A, is responsible for activating the malware, and triggering the execution of its other routines. Based on analysis, however, the main goal of the said files is to establish a connection with its C&C server. It is said that Duqu delivered an information-stealing malware, detected as TROJ_SHADOW.AF, into the affected systems through this connection. We have also verified that DUQU has codes very similar to that of STUXNET.
Upon execution, TROJ_SHADOW.AF enumerates the processes currently running on the system. It also checks if it matches any of the following security-related processes:
- avp.exe (Kaspersky)
- Mcshield.exe (McAfee)
- avguard.exe (Avira)
- bdagent.exe (Bitdefender)
- UmxCfg.exe (CA)
- fsdfwd.exe (F-Secure)
- rtvscan.exe and ccSvcHst.exe (Symantec)
- ekrn.exe (ESET)
- tmproxy.exe (Trend Micro)
- RavMonD.exe (Rising)
If found, TROJ_SHADOW.AF launches the same process in a suspended state, then patches the malware code before resuming the execution. In effect, there will be two AV processes; the first being the original, and the second being the patched one.
TROJ_SHADOW.AF requires command lines in order to execute properly. Available commands include: collecting information on the affected system, terminating malware processes, and deleting itself. It can steal a wide array of information on any affected system, such as:
1. Drive information such as:
- Drive device name
3. Running Processes and Owner of Running Processes
4. Network Information such as
- IP address
- IP routing table
- TCP and UDP table
- DNS Cache table
- Local Shares
5. Local shared folders and connected users
6. Removable drives serial number
7. Window names
8. Information on open files on local computer using NetFileEnum
We will be updating this blog entry for further developments. While our investigation is currently ongoing, preliminary information indicates that Trend Micro’s products protect against TROJ_SHADOW.AF. Smart Feedback from the Smart Protection Network™ indicates that no Trend customers have been affected by this threat. Trend Support has not received any infection notifications.
Trend Micro products have been updated to provide protections against this latest threat through updated signature as well as by blocking access to malicious control servers with Web Reputation Services.
Users may refer to our Knowledge Base page to read up on how to protect systems from this threat.
Update as of October 20, 2011, 8:00 a.m. (PST)
Upon execution, RTKT_DUQU.A decrypts a configuration file in its body to get the registry path containing the location of TROJ_DUQU.ENC, and the process where to inject the DLL. From our analysis, the decrypted registry path in the two samples are HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesJmiNET3 and HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicescmi4432, respectively.
These registry paths contain the “FILTER” entry, which contains encrypted data which RTKT_DUQU.A will decrypt to get the path of TROJ_DUQU.ENC, as well as a process name where TROJ_DUQU.ENC will be injected.
Decrypting TROJ_DUQU.ENC results into a DLL file that is injected in the process specified in the registry. The decrypted DLL is detected as TROJ_DUQU.DEC. Once TROJ_DUQU.DEC is loaded, it accesses <a TROJ_DUQU.CFG to get configuration information.
Information contained in the configuration file include:
- Service registry key
- File path of component files
- Websites it will try to connect to for DNS checking
- Processes wherein TROJ_DUQU.DEC will inject itself into
TROJ_DUQU.DEC communicates with the C&C server to receive and execute commands. These commands include downloading other malicious files, which in this case, appears to be the infostealer TROJ_SHADOW.AF.
We’re still continuing to monitor this threat, and will update this once more info becomes available.
Update as of October 21, 2011, 5:02 a.m. (PST)
Enterprise networks are also protected from DUQU through the Trend Micro Threat Discovery Appliance, which detects the malware’s connection to the C&C server through the rule 473 TCP_MALICIOUS_IP_CONN. Also, Deep Security is able to detect the changes made inside the Drivers folder (%Window%system32drivers) by DUQU variants,through the rule Integrity Monitoring Rule: 1003517 – Microsoft Windows – System driver files modified.