A Duqu Briefing

By Narainder Chandwani.

Background

The landscape of malware has drastically changed in the last few years. It has hardly been a year since the security community identified Stuxnet, which some believe was the most menacing malware in history… And now we have Duqu making the news. The Laboratory of Cryptography and System Security (CrySyS) at Budapest University of Technology and Economics identified a worm on October 14th 2011 and named the threat Duqu [dyü-kyü] because it creates files with the name prefix “~DQ”.

Duqu carries build dates of February 2008 and its drivers go back to August 2007. From this it would appear to seem that its creators have worked on the code for at least 4 years. The driver was most likely created specifically for Duqu by the group responsible for the attacks. It is also believed that the Duqu team had access to the Stuxnet code or both pieces of malware were authored by the same team. Duqu is far more sophisticated than Stuxnet and corrects a number of the mistakes that were observed in Stuxnet. Duqu unlike stuxnet is not self replicating.

Although CrySys first detected the Duqu worm in October 2011, traces of it can be dated back to April of 2011. This corresponds to when Iran detected a virus and called it ‘Stars’. Researchers in Iran only found a key logger along with a photo of the NGC 6745 galaxy.

Many organizations have fallen victim to Duqu. The names of the organizations have not been revealed but it is believed that corporations in Austria, Iran, Sudan and America have been its victims. Further, each instance of Duqu identified has been a variant. Each of the dozen Duqu binary’s are part of a multifunctional framework which is able to work with any number of any modules. Duqu is thus highly customizable and designed to evade easy detection. Duqu attacks also appear to have been custom-created with the set of files compiled immediately before the malware was aimed at a target. The differences between two Duqu attacks while relatively minor, do contain unique files tailor-made for each operation. The names of registry keys and files used are also different, often with unnecessary code removed from each version. Each and every attack had its own command-and-control [C&C] server, with its location embedded in the configuration of the malware. Location of C&C server changes with every attack. In the past few weeks, C&C servers have been identified at various places like Mumbai and Belgium and have been brought down promptly.

Vulnerability & Exploit

Duqu’s purpose is to gather intelligence data and assets from entities. It looks for information such as design documents that could help mount a future attack on various industries. It uses a Microsoft’s Window kernel 0 day vulnerability. Microsoft confirmed that the Duqu campaign exploits a vulnerability in a Windows kernel-mode driver specifically "W32k.sys," and its TrueType font parsing engine to gain rights on the compromised PC sufficient and install the malware. The font exploited is called Dexter Regular and has been created by Showtime Inc. This seems to be in references to the television series Dexter the Showtime cable channel.

All the attacks have involved a social engineering aspect in it. An individual at a victim’s organization receives an email with a Microsoft Word document attachment. Once the attachment is opened, the exploit starts working. The exploit does not do anything unless there is no keyboard or mouse activity for ten minutes. The exploit has 3 components i.e. a driver, DLL library, and a configuration file. Different instances of Duqu found have had different drivers as well as the main DLL file. In general, however the exploit process is for the driver to be loaded initially which then injects the main DLL into services.exe. The DLL in turn then references the configuration file to obtain the customized exploit information.

Remediation

While Microsoft has yet to patch the bug, it has urged customers to disable the font parser to protect themselves. Microsoft pushed out an emergency workaround on the 3rd of November, 2011 which shuts off access to T2EMBED.DLL, the dynamic link library that allows applications to display TrueType fonts. Besides this, CrySys has also come up with a toolkit to detect Duqu infections on a computer or on the whole network.


It was observed that the driver igdkmd16b.sys has a new encryption key with every install, which means that existing detection methods of known PNF files (main DLL) are rendered useless. Further the DLL itself is encoded differently in every single attack. Existing detection methods from the majority of anti-virus vendors are able to successfully detect Duqu drivers, but the main DLL component often goes undetected due to these stealth measures.

All being said, some of the ways to protect oneself against Duqu are:

1. Install the hotfix released from Microsoft
2. Run the toolkit from CrySys to detect Duqu infected computers/networks.
3. Beware of malicious Microsoft Word documents from strangers or unexpected sources.
4. Monitor your network traffic for files that bear the ~DQ files extension.
5. Run updated anti-virus software