By
updated 11/11/2011 7:47:20 PM ET 2011-11-12T00:47:20

Security analysts have found more mysterious but fascinating details in the Duqu Trojan, the so-called "son of Stuxnet" discovered just two months ago.

Moscow's Kaspersky Lab got hold of a different variant of Duqu than the original, and found that the Trojan's creators not only may have been working on Duqu since 2007, but seem to have a sense of humor as well.

According to Kaspersky's Alexander Gostev, the Duqu infection vector is customized for each target, and its code contains a joking reference to "Dexter," the long-running Showtime TV series about a morally ambiguous serial killer.

Kaspersky analyzed a spear-phishing email directed at an undisclosed company, which was attacked by Duqu twice in mid-April of this year but did not realize what hit it until recently.

As with the earlier version of Duqu found in September by Hungary's CrySyS lab, the Kaspersky variant used a "dropper" — a separate piece of malware — to burrow into PCs via a font embedded in a Word document. (The Windows vulnerability, which had not previously been known of, has not yet been patched, but there is a workaround.)

The fictitious font is named "Dexter Regular." Buried in the dropper code is the text string, "Copyright 2003 Showtime Inc. All rights reserved. Dexter Regular version 1.00. Dexter is a registered trademark of Showtime Inc." ("Dexter" actually was first broadcast in 2006. None of this implies that Showtime is behind the Duqu Trojan.)

The next step in the Duqu infection pattern is to load a driver into the Windows kernel. Kaspersky found that its driver was compiled in August 2007, while the one found by Crysys was dated March 2008.

"If this information is correct, then the authors of Duqu must have been working on this project for over four years!" Gostev wrote.

If that's true, then Duqu, dubbed the "son of Stuxnet" because of its startling similarity to the military-grade worm that infected and disrupted Iranian nuclear facilities in 2010, may actually be the father of the more famous bug.

There's another Iranian connection as well, according to Gostev. The April attacks on the unnamed company took place just before Iran announced that it had been attacked by a second piece of malware, which Iranian researchers called the "Stars" worm.

Unfortunately, Iran never shared samples of the Stars worm, which led some in the West to suspect it was mere propaganda from the Islamic Republic. (Samples of Stuxnet were distributed worldwide because an Iranian security researcher emailed a copy to a former colleague in the Ukraine.)

But Gostev thinks the Iranians might have found Duqu without realizing it.

"Most probably, the Iranians found a keylogger module that had been loaded onto a system," he wrote. "It's possible that the Iranian specialists found just the keylogger, while the main Duqu module and the dropper (including the documents that contained the then-unknown vulnerability) may have gone undetected."

Perhaps most ominously, there are enough differences among the known variants of Duqu to lead Gostev to suspect that the Trojan's creators are carefully tailoring the malware package for each specific target as needed, if the compilation dates on the main Trojan component are accurate.

"This fact shows that the authors build a separate set of files for each specific victim, and do so right before the attack," Gostev wrote.

Such fine-tuning would make Duqu and its creators more sophisticated and persistent that the so-called "advanced persistent threat" attacks — widely assumed to be coming from China — that have penetrated Western companies over the past few years.

In those cases, spear-phishing emails also provide the infection vector, but the installed malware does not vary from one target to the next.

© 2012 SecurityNewsDaily. All rights reserved

Discuss:

Discussion comments

,

Most active discussions

  1. votes comments
  2. votes comments
  3. votes comments
  4. votes comments