Stuxnet has become the bogeyman of Internet security and cyberwar, showing up in marketing pitches, PowerPoint presentations and press releases from Washington to Silicon Valley to Tehran. But while Stuxnet has been garnering headlines for more than a year now, the far more serious threat in terms of potential long-term damage has turned out to be Duqu. The malware first came to light in September, but it may have been circulating four or five months before that. Its customizable, modular architecture has been a challenge for researchers seeking to understand its operation and its creators’ intentions. Threatpost editor Dennis Fisher spoke with Costin Raiu, one of the main researchers working on Duqu at Kaspersky Lab, about the relationship between Stuxnet and Duqu, the possible identity of the attackers and the investigation into its architecture.
Dennis Fisher: So, let’s try and start at the beginning here. Duqu first sort of popped up a few weeks ago. How exactly was it found? And how did it initially start getting connected to Stuxnet?
Costin Raiu: Right. Okay, so, to be honest, the first reports of Duqu came up in September actually, not October. And we heard about it in a very interesting way. A colleague working for another company sent us a binary, and we searched for the MD5 of that binary on the Internet. So, we found a very interesting weblog page which was apparently maintained by a Hungarian researcher. And he was saying something like, “Looking for friends or foes of this specific MD5 to talk about it.” So, we thought it was very curious, very interesting. We looked at the binary. And the binary itself was interesting. First of all, there was, like, no Internet connection whatsoever. So, the binary only did anything when called with a special parameter called XXX. So, if you executed this binary without putting in the XXX parameter, then nothing happened. But, if you invoked it with this specific marker, then interesting things happened such as intercepting keystrokes, taking screen captures, dumping the configuration of your computer. And all this basically happens in the background.
And also, data is written to a file in your temporary folder. And this file, first of all, it is compressed. And it collects all this information. So, basically, it grows bigger and bigger and bigger. And this file has a very interesting name which is the tilde character and then DQ and then a number dot TMP.
So, basically, we observed this specific Trojan, which we received back in September, was collecting all sorts of information from your system and dumping it into this file, but not sending it anywhere. So, that was very, very interesting. Why would anybody write a Trojan which steals information but doesn’t send it anywhere?
Dennis Fisher: Right?
Costin Raiu: So, that seemed very odd to us. And to be honest, we didn’t think it was really important or anything special simply because it didn’t seem to do anything malicious except collect information about your system in a local file.
Dennis Fisher: And so, after that, a deeper analysis sort of uncovered the fact that that was only one component of the malware, right?
Costin Raiu: Right. So, later – basically, one month later, there was public news about Duqu and the fact that there were multiple components. And the file which we received in September was just one of the modules of this sophisticated hacking toolkit. So, then you understand that the way Duqu was written is to make it very hard to detect. Every single component by itself could be meaningless. But when you put them together, basically, interesting things start to happen.
So, this Trojan, the info stealer – the so-called “info stealer” component – which collects information from your system, does not get installed in the initial attack. So, you get infected with Duqu, and this only happens through a targeted attack. So – and by the way, I think it’s very important to point out that if you got infected with Duqu, and if you’re listening to us right now, then the first thing you should know is that you’re probably part of a very, very limited number of people in the world. You’re part of an elite, so to say, which had the privilege and the – okay – bad luck of getting infected with this sophisticated cyber espionage tool.
Dennis Fisher: So, you should feel special.
Costin Raiu: Absolutely. Actually, we pretty much think that every single victim of Duqu is special from a specific point of view, which we cannot disclose for obvious reasons.
Dennis Fisher: Yeah.
Costin Raiu: But I hope that, actually, we will be able to tell it at some point in time. And basically, when you get infected with Duqu, it’s simple, let’s say, the basic infrastructure. And then it connects to a command-and-control center which is hardcoded into its configuration files, and it begins – it starts to receive new modules like the info stealer. And the info stealer, as I was saying, it doesn’t do many suspicious things except, okay, intercepting keyboard or, like, making screenshots. But, the file is stored to disk. So, the other, let’s say, components, basically, the Duqu infrastructure is responsible for transferring the file from your disk to the command-and-control center and from there to the attacker.
And I guess, it’s also important to point out that, due to the way the Duqu, let’s say, infrastructure has been designed, they created it in such a way that they leave as little footprints, fingerprints, as possible. So, dynamic process injection, no temporary files, no – especially for executables and modules no temporary files are created. So, they get the module from the command-and-control, and they inject it directly into another process without creating any temporary files, and they launch the code there. So, very, very careful, I think, they’re very careful to make sure that these parts, these modules of Duqu, do not get left behind and they do not get discovered.
Dennis Fisher: Okay. It appears that they’re using not only a different command-and-control for just about every attack, but they’re creating separate drivers and different files for each target that they’re going after. Is that the way it’s working?
Costin Raiu: Yes. And this is – well, basically, this is all related to the encryption which is employed in Duqu. So, it’s a – if you’re familiar with the nesting dolls, the Russian matryoshkas, we can pretty much say the same. So, basically, you get a Word document by e-mail. And this Word document contains the exploit for the CVE-2011-3402 vulnerability.
And inside the Word document, there is an embedded TrueType font file. Inside this embedded TrueType font file, which contains the exploit for this vulnerability, the exploit is encrypted. So, the exploit decrypts itself in memory, does a couple of checks, and then it fires up a loader.
So, basically, at every single point, they make sure that they delete whatever steps happened before, and they transfer control to the next module. And there are a number of different drivers and different modules which are responsible for extracting the Duqu components to disk. And basically, there are three files which get created on disk. There is one SYS driver file. There is a small PNF file, a configuration file. There is a big PNF file, so the extension is .PNF. And by the way, Stuxnet used the same extensions and this kind of similar mechanism to infect computers and install – basically, to install itself in computers.
Dennis Fisher: Okay.
Costin Raiu: So, yet another thing which is similar between Duqu and Stuxnet. And the reason why they’re using unique – kind of unique sets for each target, I guess they also use different encryption, so this makes it harder to detect. Imagine that you add detection for one specific version of the toolkit without knowing that there are other victims. All the other victims, basically, they all have sets encrypted with different keys. So, it’s very tailored. It’s very, very targeted. And as I was saying, not just the encryption is different, but almost in every single case, they use a different command-and-control center.
Dennis Fisher: Which makes it, obviously, harder to backtrack to the CnC servers. And I know that one was taken down in India, and some others have been identified, but that’s after the fact, right? It’s after the targets have already been compromised.
Costin Raiu: Yeah, absolutely. And well, as far as I know, there is only one – just one organization in the world which has the chance to see and kind of to play with a live Duqu command-and-control center, and that was the Hungarian research lab CrySyS. So, they had a couple of days during which they could play with the command-and-control in India, this one that you mentioned. And according to their research, this server was up for a kind of long time. So, for some specific reason, they kind of prefer this command-and-control server in India.
But as you were saying, we’re also aware of other command-and-control centers which Duqu used. And actually, at the moment, we are looking into this issue very, very deeply, so to say. Probably, I guess the number of command-and-control centers should be close to a dozen.
Dennis Fisher: Can you estimate the number of infections that you know about at this point? Can you give us a range, like, between 1 and 100?
Costin Raiu: Yes. I would suspect less than 50.
Dennis Fisher: Wow.
Costin Raiu: Of course, I may be wrong, but this is what I suspect – somewhere less than 50 infections around the world. So, very, very, very small number, actually, and very, very specific targets.
Dennis Fisher: And you mention that there’s – it took a while to figure out the complete picture of what Duqu was doing, because at first you just saw the info stealer component, and then you started seeing these other components. Are you confident at this point that you’ve found all of the components of at least the one specific version of Duqu?
Costin Raiu: No, definitely not.
Dennis Fisher: Okay.
Costin Raiu: So, actually, I’m sure of the opposite. I’m sure that we haven’t seen every single component. And basically, we are aware of only two different info stealer components. One of them is the original one that was located by CrySyS, and it’s a very, very strange case and a big question mark for everybody what happened in that case. So, on that machine they found this file on disk, and remember that I said that they do not create these files on disk. Instead, they run them directly from memory.
But, what I think that happened here is the following. Basically, if you download the modules from the command-and-control server and you run them dynamically, then the next time the system is rebooted, they lose the ability to intercept what’s going on. And for probably for very high profile targets, they need this capability. They need this persistence. So, they need to be able to continue to sniff passwords and to make screenshots and to steal files even after reboot, so they need to survive after reboots.
And I suspect that in that case they dumped the info stealer component to disk and chose to force it to execute every time they needed it or on every boot. So, I think this could be one explanation, because the other info stealer that we are aware of, which was intercepted on the 18th of October, that one was never written to disk. So, it was, basically, sniffed from the network traffic.
Dennis Fisher: Wow.
Costin Raiu: And how do I know that actually there are more info stealer components? Basically, it’s easy. The info stealer component that we have creates files, as I was saying, with the DQ name. But, we have also been able to identify compromised, that is infected, customers that had not just DQ files, but also DF files and DO files. And these are very interesting, particularly the DF files, because the DF files are a bit different from the DQ files in that they have documents inside.
So, they must have been created by a specific version of the info stealer which was collecting documents from disk, documents such as Word files, Excel files, source code, AutoCAD documents and so on. And this specific version which creates the DF files and steals documents, we do not have. We suspect that it existed somewhere around April, May, June. But later, it kind of disappeared, so the guys behind Duqu stopped using it.
Dennis Fisher: So, for one reason or another, they moved onto a different tactic?
Costin Raiu: Yeah, they removed this functionality from the info stealer. ****
Dennis Fisher: So, that’s a fairly good indication that they’re obviously paying attention to what’s going on, and they’re adjusting as they go along for each specific target that they’re interested in.
Costin Raiu: Absolutely.
This is part one of an edited transcript of a podcast with Costin Raiu. The second part will run tomorrow.
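The interview names two host-side artifacts a responder can sweep for: the info stealer’s collection file, written to the temp folder as a tilde, then DQ (or, in other variants, DF or DO), a number and a .tmp extension, and the installer’s set of one .sys driver plus a small and a big .pnf file. The script below is an added example written for this page, not code from Kaspersky Lab or CrySyS, and it turns those two descriptions into a file-system sweep. Everything beyond the interview’s wording is an assumption: the exact regular expression, the "a driver sitting next to two or more .pnf files" heuristic used to avoid flagging the legitimate precompiled .pnf files Windows keeps under the inf directory, and the constructed sample tree it runs against.

```python
import os
import re
import tempfile
from pathlib import Path

# File-name shape described in the interview: "~DQ<number>.tmp" in the
# temp folder, with ~DF/~DO variants seen on other victims. Treating all
# three as the same "~D?<digits>.tmp" pattern is an assumption here.
STEALER_LOG = re.compile(r"^~D[QFO]\d+\.tmp$", re.IGNORECASE)


def sweep(root):
    """Walk `root` and return sorted (kind, path) pairs worth a closer look."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if STEALER_LOG.match(name):
                hits.append(("stealer-log", str(Path(dirpath) / name)))
        # .pnf files are normal under %SystemRoot%\inf (precompiled INF),
        # so a lone .pnf proves nothing. As a heuristic (assumption, not a
        # published indicator) flag a directory that holds a .sys driver
        # together with two or more .pnf files, which matches the
        # one-driver-plus-small-and-big-PNF set the interview describes.
        pnfs = [n for n in files if n.lower().endswith(".pnf")]
        syss = [n for n in files if n.lower().endswith(".sys")]
        if syss and len(pnfs) >= 2:
            for name in syss + pnfs:
                hits.append(("dropper-set", str(Path(dirpath) / name)))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree for the demo; not taken from any real host."""
    root = tempfile.mkdtemp(prefix="duqu-sweep-")
    layout = {
        "Temp/~DQ1.tmp": b"x" * 64,      # stealer log, DQ variant
        "Temp/~DF7.tmp": b"x" * 64,      # stealer log, DF variant
        "Temp/~DQ.tmp": b"x",            # no digits: must not match
        "Temp/notes.txt": b"hello",      # ordinary file
        "inf/oem1.pnf": b"y" * 16,       # lone .pnf, benign-looking
        "drop/drv.sys": b"z" * 32,       # driver + two .pnf: flagged
        "drop/small.pnf": b"z" * 8,
        "drop/big.pnf": b"z" * 1024,
    }
    for rel, data in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    for kind, path in sweep(build_sample_tree()):
        print(f"{kind:12} {path}")
```

Point `sweep()` at a mounted disk image or a user’s temp directory rather than the sample tree for real use; as the interview stresses, the per-target encryption and unique driver names mean a name-based sweep is a triage aid, and any hit should be confirmed by examining the file contents.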