Stars Attack on Iran Was Early Version of Duqu

A few months after the hysteria around Stuxnet had died down, officials in Iran announced in April that some sensitive systems in the government’s networks had been attacked by a new piece of malware, known then as Stars. It now appears that attack was, in fact, the first appearance of an early version of Duqu, the most recent in a line of sophisticated attack tools that experts say have been designed to take out specific targets in a variety of sensitive networks.

An analysis of the April attack shows that some of the machines that were infected by Stars were compromised using the same Windows kernel vulnerability that’s contained in the Duqu installer. That flaw was unknown publicly until this week when information on the vulnerability emerged, which Microsoft later confirmed. The company has released a workaround for the bug, which is in the TrueType font parsing engine, and says it is working on a permanent patch for it, as well.

Some of the targets of Duqu have been compromised using malicious Word documents containing exploit code for the TrueType bug, which is CVE-2011-3402. Researchers have not yet discovered a spreading mechanism for Duqu, if there is one, and it appears at the moment that the malware is being used only for attacks against carefully selected targets in a small number of countries. Among the countries in which infections have been confirmed are Sudan and Iran. Because Duqu is using a Windows kernel vulnerability as its infection method, it does not seem that the attackers are going after control systems at nuclear facilities, as Stuxnet did, but rather are likely going after PCs in key places.

Researchers have found that Duqu has an architecture that is different from Stuxnet’s, although the two tools do share some code-level similarities. Duqu appears to be a customizable attack framework that can be modified for any number of purposes by the individual attacker, and researchers have discovered that many known infected machines contained drivers for Duqu that were unique and not shared by other infected PCs.