Thursday, March 22, 2012

Reworked version of Stuxnet relative Duqu worm found in Iran

Did you rest assured that Duqu might finally be done with when I posted this article the other day? Well, this might come as bad news to you.

It appears that another new Duqu variant has been spotted in Iran by researchers from the security firm Symantec, the company behind the well-known Norton anti-virus suite. This marks the reappearance of the virus after 5 months of dormancy.

The finding indicates that the unknown creators of Stuxnet - suspected by many to be the intelligence services of the U.S., of Israel or of both - are still at work.

In a Symantec blog posting Tuesday, the company identified a new component of the malware, a driver used to load Duqu onto computers when they restart. Analyzing the driver's code - "only one small part of the overall attack code" - Symantec's researchers found that the malware authors had reworked it to better evade detection by security products.

Duqu's builders also changed its encryption algorithm and rigged the malware loader to pose as a Microsoft driver. (The old driver was signed with a stolen Microsoft certificate.)

"Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active," Symantec wrote.

First spotted in September 2011, with code that traces back to 2007, Duqu is closely related to the Stuxnet worm, which in the summer of 2010 infected and crippled Iran's Natanz nuclear-fuel processing facility.

One thing that is still unclear about the Duqu virus is its true intention. No one knows exactly what it was created for, but there are many guesses. Some think it is designed to steal data from critical industrial-control systems in Iran and Europe, similar to the energy facilities Stuxnet targeted. Others believe it is meant to steal the authentication certificates that websites use to verify their identities.

Whatever its intent, countries including Iran, Sudan, India, Vietnam, Ukraine, Switzerland, France and the Netherlands have confirmed Duqu infections.

The latest Duqu component, Symantec said, was compiled Feb. 23, indicating it hasn't been in the wild for very long. The last unique version of Duqu that Symantec had previously spotted was compiled on Oct. 17, 2011.

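The compile dates quoted above come from the timestamp that the Windows linker writes into every PE file's COFF header. The following Python snippet is an added example, not code from this post or from Symantec, showing how an analyst reads that field from a driver or DLL and compares it against a reference date (for instance the date a sample was first seen). The sample image it parses is constructed inline with the fields the parser needs; it is not the Duqu driver, and the timestamp is set to Feb. 23, 2012 only to mirror the date in the article.

```python
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime.

    Layout per the PE/COFF spec: the DOS header at offset 0 starts with "MZ"
    and its e_lfanew field at offset 0x3C gives the offset of the NT headers.
    Those begin with "PE\\0\\0", followed by the 20-byte COFF file header,
    whose TimeDateStamp (seconds since the Unix epoch) sits at offset 4,
    i.e. at e_lfanew + 8 in the file.
    """
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Need the 4-byte signature plus the full 20-byte COFF header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def compiled_after(data: bytes, iso_date: str) -> bool:
    """True if the image's compile timestamp is later than iso_date (UTC).

    A timestamp later than a sample's first-seen date, or far in the past,
    is a sign the field was altered, so this is a triage hint, not proof.
    """
    reference = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return pe_compile_time(data) > reference


def build_sample_pe(timestamp: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal image for demonstration only (not a real driver).

    Writes a DOS header with the "MZ" magic and e_lfanew, then an NT header
    with Machine=0x14C (i386), one section and the given TimeDateStamp.
    """
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE|32BIT).
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff


# Constructed sample with a Feb. 23, 2012 00:00 UTC compile timestamp.
SAMPLE_TIMESTAMP = int(datetime(2012, 2, 23, tzinfo=timezone.utc).timestamp())
CONSTRUCTED_SAMPLE = build_sample_pe(SAMPLE_TIMESTAMP)

if __name__ == "__main__":
    print("compile time:", pe_compile_time(CONSTRUCTED_SAMPLE).isoformat())
    print("newer than last known build (2011-10-17):",
          compiled_after(CONSTRUCTED_SAMPLE, "2011-10-17"))
```

On a real file, replace `CONSTRUCTED_SAMPLE` with `open(path, "rb").read()`. The value is only as trustworthy as the attacker allows: the field is plain data and can be set to anything at link time or patched afterwards, so it is corroborating evidence to line up with first-seen dates and certificate validity periods, not a fact on its own.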
Dennis Fisher from Kaspersky Lab, which has spent numerous hours studying Duqu, wrote in a blog posting March 20 that, based on the new Duqu variant, it appears that the worm is specifically tailored to each target.

"Rather than writing one piece of malware and spreading it to a large potential victim base, the crew behind Duqu had a small, specially selected group of targets, each of which got its own specifically crafted component and drivers," Fisher wrote.

So I guess this means that you have to watch yourself again. You should always have an anti-virus running on your system anyway, but just sayin'. If you want a great anti-virus, I advise you to get Microsoft Security Essentials. It is free, and is backed by Microsoft and its partners.
