Exploring the Duqu Bot


The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.

Duqu vs Stuxnet

AttributeDuquStuxnet
Infection Methods
Unknown
USB (Universal Serial Bus)
PDF (Portable Document Format)
Dropper Characteristics
Installs signed kernel drivers
to decrypt and load DLL files
Installs signed kernel drivers
to decrypt and load DLL files

Zero-days Used
None yet identified
Four

Command and Control
HTTP, HTTPS, Custom
HTTP
Self Propagation
None yet identified
P2P (Peer to Peer) using RPCs
(Remote Procedure Call)
Network Shares
WinCC Databases (Siemens)
Data Exfiltration
Add-on, keystrokelogger for
user and systeminfo stealing
Built-in, used for versioning
and updates of the malware

Date triggers to infect or exit
Uninstalls self after 36 days
Hard coded, must be in the following range:
19790509 => 20120624

Interaction with Control Systems
None
Highly sophisticated interaction
with Siemens SCADA control systems


Like Stuxnet, Duqu attacks Windows systems using a zero-day vulnerability. The installer file is aMicrosoft Word (.doc) that exploits the Win32k TrueType font parsing engine and allows execution. Duqu Malware targets one of the problems in T2EMBED.DLL, which is a TrueType font parsing engine.

How Does Duqu Spreads ? 

Duqu doesn't spread on its own. In one known case, Duqu was installed by a document attachment which was delivered via an e-mail message.

What are indicators of a Duqu infection?

Duqu contains a backdoor that steals information. Infostealers need to send the stolen info back somehow. Careful infostealers try to make the transfer look innocent in case somebody is watching network traffic. Duqu hides its traffic by making it look like normal web traffic. Administrators should monitor their network for systems attempting to resolve this domain or connect to the C2 IP address for possible infection.
Duqu connects to a server (206.183.111.97 a.k.a. canoyragomez.rapidns.com – which used to be in India) and sends an http request. The server will respond with a blank JPG image. After which Duqu sends back a 56kB JPG file called dsc00001.jpg and appends the stolen information (encrypted with AES) to the end of the image file.Read more about the jpeg here


NameFile SizeMD5

jminet7.sys
24,960 bytes
0eecd17c6c215b358b7b872b74bfd80

netp191.pnf
232,448 bytes
b4ac366e24204d821376653279cbad8

 netp192.pnf
6,750 bytes
94c4ef91dfcd0c53a96fdc387f9f9c3

 cmi4432.sys
29,568 bytes
4541e850a228eb69fd0f0e924624b24

 cmi4432.pnf
192,512 bytes
0a566b1616c8afeef214372b1a0580c

 cmi4464.pnf
6,750 bytes
e8d6b4dadb96ddb58775e6c85b10b6c

  <unknown>
  (sometimes referred to as keylogger.exe)
85,504 bytes
9749d38ae9b9ddd81b50aad679ee87e

   nfred965.sy
24,960 bytes
c9a31ea148232b201fe7cb7db5c75f5

   nred961.sys
unknown
f60968908f03372d586e71d87fe795c

   adpu321.sy
24,960 bytes
3d83b077d32c422d6c7016b5083b9fc

  iaStor451.sys
24,960 bytes
bdb562994724a35a1ec5b9e85b8e054f

(The byproducts in the Table  have been collected from multiple Duqu variants and would not be present on a single infected computer.)

Why DUQU

The name “Duqu” was assigned to this malware because the keylogger program creates temporary files that begin with the prefix “~DQ”. A computer infected with Duqu may have files beginning with “~DQ” in Windows temporary directories.

References - 


Subscribe To Our Articles