PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Trojan

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet

DUQU is made up of several components. These components interact with each other in order to achieve its main prupose: to steal information and deliver stolen information to a C&C server. The components consist of some rootkits and information stealers.

DUQU is believed to be created by the same cybercriminals behind STUXNET because of the codes used. However, DUQU does not target SCADA systems unlike STUXNET.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Steals information

Autostart Technique

This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\JmiNET3
ImagePath = "\??\%System% \Drivers\jminet7.sys"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\cmi4432
ImagePath = "\??\%System%\Drivers\cmi4432.sys"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{malware name}
ImagePath = "\??\{malware path}\{malware name}.sys"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{malware name}\Security
Security = "{hex value}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{malware name}\Enum
0 = "Root\LEGACY_1\0000"

NOTES:

It arrives as a dropped file of another malware. It uses any of the following file names:

  • %System%\Drivers\cmi4432.sys
  • %System%\Drivers\jminet7.sys

It also arrives with the following files:

  • %Windows%\inf\cmi4432.pnf
  • %Windows%\inf\cmi4464.pnf
  • %Windows%\inf\netp191.pnf
  • %Windows%\inf\netp192.pnf