DUQU Uses STUXNET-Like Techniques to Conduct Information Theft

Written by: Joahnna Marie Hipolito

What is DUQU?

Dubbed as "STUXNET 2.0," the malware DUQU made IT security industry headlines in the middle of October 2011, after it was called as "the precursor of a future Stuxnet-like attack".

This threat was given the name DUQU because its created files were found having the prefix "~DQ".

DUQU is believed to be written by the same authors of STUXNET. STUXNET, which was spotted in July 2010, targeted SCADA systems—critical control systems that run complex infrastructure such as those that run transportation systems, water systems, and oil refineries, among others.

However, based on analysis, DUQU does not have any capability to access SCADA systems.

According to reports, DUQU was also found to exploit a zero-day vulnerability in Microsoft Word to drop its installers, which in turn, decrypt and drop its components. Microsoft has already released a security advisory about the said vulnerability.

The threat may have initially arrived through email messages sent to employees of a particular organization. This verifies that DUQU is likely a part of a highly targeted attack that aims to exfiltrate information from targeted entities.

How does DUQU work?

DUQU arrives as a Microsoft Word document that initiates a zero-day kernel exploit. Once exploited, the said Microsoft Word file drops the installer files that will load the other DUQU components.The installer files are composed of the following:

  • RTKT_DUQU.B - .SYS file that loads TROJ_DUQU.B onto the system
  • TROJ_DUQU.B - drops and decrypts the DUQU components

These components connect to each other in order to execute its routines. So far, we have been able to identify and analyze these other components of DUQU:

Upon execution, RTKT_DUQU.A decrypts a configuration file found in its body to get the registry path containing the location of TROJ_DUQU.ENC, as well as the process where TROJ_DUQU.ENC will be injected into.

Once found, RTKT_DUQU.A decrypts TROJ_DUQU.ENC. The decryption will result to a DLL file, which is detected as TROJ_DUQU.DEC. TROJ_DUQU.DEC, once loaded, accesses TROJ_DUQU.CFG to collect information related to its routines. Such information include location paths of other component files, websites it will connect to for DNS checking, as well as processes where it will inject TROJ_DUQU.ENC into.

Analyzing TROJ_DUQU.CFG, it is revealed that TROJ_DUQU.DEC is set to use the sites kasperskychk.dyndns.org and www.microsoft.com to check for an Internet connection. Furthermore, if found running in the affected system, TROJ_DUQU.DEC will inject itself into the following processes:

  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • pccntmon.exe

This injection into legitimate processes is done by DUQU to remain unobtrusive, and is commonly employed by other malware as a part of their stealth routine.

Once the said routines are executed, TROJ_DUQU.DEC is then finally able to communicate with its command-and-control server to receive commands. The nature of the sent commands are not yet known, though have been reported to include downloading other malware into the affected system.

One of the reported malware that DUQU downloaded was TROJ_SHADOW.AF – a malware capable of collecting a variety of information about any affected system.

What does it do?

Based on analysis, DUQU is a sophisticated threat that employs many encrypted components whose main purpose is to establish a connection with its command-and-control server.The actual commands sent from the C&C server, however, have not been identified. Reports suggest that DUQU had been used to download information stealing malware, detected as TROJ_SHADOW.AF, into affected systems.

How does it arrive onto systems?

DUQU arrives via a Microsoft Word document that triggers a zero-day kernel exploit and acts as the dropper for DUQU, as confirmed by the Hungary-based security laboratory, who initially reported the said threat. Considering this new finding, it is likely that this was initially deployed via email messages sent to employees of the targeted organization.. For more information on how highly targeted attacks are conducted, users may check the following reports:

How is DUQU similar to STUXNET?

Our analysis shows that the coding style and structure are the main similarities between DUQU and STUXNET. The main difference on the other hand, is the absence of the SCADA code in DUQU.

DUQU and STUXNET are also similar in other aspects, such as:

  • Checking of safe mode and kernel debugger
  • Injection of malware process into AV-related processes
  • Injection of the DLL to a target process by the SYS component
  • Usage of a SYS file for loading
  • Usage of API hooks
  • Usage of multiple components that communicate with one another
  • Usage of packer UPX
  • Usage of RPC (remote procedure call)
  • Usage of 2 configuration files

This suggests that DUQU was created by the same people as the ones who created STUXNET, or if not, people who have had access to STUXNET's source code.

Who are affected by this threat?

As mentioned, initial analysis of DUQU suggests that it is part of a highly targeted attack, and that was indeed used to exfiltrate information from certain targets.

What is the main purpose of this threat?

Based on the routines of TROJ_SHADOW.AF -- DUQU's known payload -- the main purpose of DUQU is to collect information from target systems.

TROJ_SHADOW.AF is a remote access tool (RAT) capable of executing a variety of commands, depending on the parameters sent by a remote user. The commands sent include collecting information, saving the collected information, and deleting itself.

Information collected by TROJ_SHADOW.AF include:

  • Drive information (free space, drive device name)
  • Information on currently open files, and on the local computer
  • Running processes and their parent process
  • Screenshots
  • Serial numbers for removable drives
  • Window names

Does DUQU affect SCADA systems?

DUQU does not have code that suggests it was built to affect SCADA systems.

How does this threat utilize processes related to antivirus products?

DUQU makes use of processes related to antivirus products at various points in its routines. All instances of the mentioned usage involve the injection of malicious code into the processes. This injection of malicious code into legitimate processes is commonly done by malware as part of its stealth routine.

Are Trend Micro users protected from this threat?

Yes. Trend Micro provides a multi-layered protection from DUQU through the Trend Micro™ Smart Protection Network™. The file reputation technology detects all of DUQU's components, preventing them from executing their malicious routines. Access to all of the related URLs used by DUQU, as well as its C&C center, is already blocked through the Web reputation technology. This means that in the event that a different file is used to connect to the C&C, any attempt by the protected system to communicate or relay information to the bad URL/site will be blocked.

Additionally, Trend Micro Threat Discovery Appliance (TDA), a major component of Trend Micro™ Threat Management System, also protects enterprise networks by blocking malicious packets, such as C&C communication and upload of stolen information. Enterprises using Trend Micro™ Deep Security are also further protected from DUQU, as it can detect the changes made by DUQU to the system.