Duqu is a piece of malware discovered on 1 September 2011. It is a remote access trojan (RAT) designed to gather and steal information from the computers it infects. It creates a series of files whose names begin with the prefix ~DQ, which is why it was named Duqu by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary. Symantec, the maker of Norton Anti Virus, analysed Duqu and found it very similar to Stuxnet in architecture but very different in purpose: Stuxnet was built to sabotage industrial equipment, whereas Duqu is built for reconnaissance and information theft.
How Duqu works
- Duqu arrives as a Microsoft Word document (.doc) that carries a specially crafted embedded TrueType font (TrueType is the font format that lets developers define their own fonts). When the document is opened, the font triggers a vulnerability in the Windows kernel's TrueType font parsing code (win32k.sys, later tracked as CVE-2011-3402). That gives the attacker code execution in the kernel, and the dropper uses it to install the Duqu driver and DLL.
- The vulnerability was a zero-day: it was unknown to Microsoft and unpatched at the time of the attacks, so the exploit worked even against fully updated systems.
- Duqu keeps the data it collects in encrypted files on the infected machine (the ~DQ files), which act as temporary storage until the data can be sent out. When it talks to its command-and-control (C&C) server it disguises the traffic as a small 54×54 pixel JPEG image with the encrypted data appended after the image, so that the exchange looks like an ordinary web request.
- Its information-stealing component logs keystrokes and collects system information, screenshots, process and file listings and documents; some early reports also named digital certificates among the targets. The collected material is written to the encrypted files and then uploaded to the C&C server.
- This collected information can then be used to prepare later attacks: design documents help in planning an attack on an industrial control system, and a stolen code-signing certificate lets a future piece of malware be signed so that it passes as trusted software. Duqu's own kernel driver was itself signed with a certificate stolen from a Taiwanese hardware vendor, C-Media Electronics.
Exhibit: How Duqu works
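One way to check proxy logs or captured HTTP bodies for the carrier shape described above, as an added example that is not Symantec's or CrySyS's code: walk the JPEG segment structure, read the image dimensions from the SOF marker, and report any bytes that follow the End-Of-Image marker. The sample image and payload are constructed inside the script (not a real Duqu capture), and the 64 pixel size cut-off is an assumption chosen to catch the 54×54 image Duqu used.

```python
"""Detect Duqu-style JPEG carrier blobs: a tiny JPEG with data appended after EOI.

Added example; the sample image and the thresholds are constructed here and
are not taken from a real Duqu capture or from the published analyses.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# SOFn markers (baseline, progressive, lossless, ...) that carry the image dimensions
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
# Markers that have no length field: SOI, EOI, TEM and RST0..RST7
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def parse_jpeg(data: bytes) -> dict:
    """Walk the JPEG segment chain; return dimensions, image length and trailing byte count.

    Raises ValueError for blobs that are not JPEGs or that end before the EOI marker.
    """
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos, width, height = 2, None, None
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker; skip it
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return {"width": width, "height": height,
                    "image_length": pos, "trailing_bytes": len(data) - pos}
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]   # length includes its own 2 bytes
        if seg_len < 2 or pos + seg_len > len(data):
            raise ValueError("bad segment length")
        if marker in SOF_MARKERS:
            if seg_len < 7:
                raise ValueError("SOF segment too short")
            # SOFn payload: precision (1 byte), height (2), width (2), component count, ...
            height, width = struct.unpack(">HH", data[pos + 3:pos + 7])
        pos += seg_len
        if marker == SOS:
            # Entropy-coded scan data follows; it ends at the next marker that is
            # neither a stuffed 0xFF00 pair nor a restart marker RST0..RST7.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def looks_like_duqu_carrier(data: bytes, max_dim: int = 64) -> bool:
    """Heuristic: a JPEG no larger than max_dim pixels on either side with bytes after EOI.

    The 64 pixel cut-off is an assumption chosen to catch the 54x54 image Duqu used.
    """
    try:
        info = parse_jpeg(data)
    except ValueError:
        return False
    if info["width"] is None or info["height"] is None:
        return False
    small = info["width"] <= max_dim and info["height"] <= max_dim
    return small and info["trailing_bytes"] > 0


def build_sample_jpeg(width: int, height: int) -> bytes:
    """Build a minimal JPEG skeleton (SOI, SOF0, SOS with a few scan bytes, EOI).

    Constructed for this example; it carries no real picture and is not decodable.
    """
    sof0 = b"\xFF\xC0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xFF\xDA" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3F\x00"
    scan = b"\x12\x34\xFF\x00\x56"          # includes a stuffed 0xFF00 byte pair
    return b"\xFF\xD8" + sof0 + sos + scan + b"\xFF\xD9"


# Constructed sample of the carrier shape: a 54x54 image followed by "encrypted" bytes.
SAMPLE_PAYLOAD = bytes(range(0x40, 0x60))
SAMPLE_CARRIER = build_sample_jpeg(54, 54) + SAMPLE_PAYLOAD

if __name__ == "__main__":
    info = parse_jpeg(SAMPLE_CARRIER)
    print(f"image {info['width']}x{info['height']}, {info['image_length']} bytes, "
          f"{info['trailing_bytes']} trailing bytes")
    print("Duqu-style carrier:", looks_like_duqu_carrier(SAMPLE_CARRIER))
```

The parser deliberately stops at the first EOI rather than trusting the Content-Length, because the whole point of the disguise is that the image is valid and the payload sits behind it; a large photograph with an EXIF trailer would also show trailing bytes, which is why the size check is part of the heuristic.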
Beliefs regarding Duqu virus:
- Symantec, given the similarity between Duqu and Stuxnet, believes that Duqu may have been created by the same authors as Stuxnet or, if not, by people who had access to Stuxnet's source code.
- The Chief Research Officer of F-Secure (a Finnish anti-virus and computer security company) also found a striking similarity between Duqu and Stuxnet.
- Dell SecureWorks, on the contrary, concluded that Duqu is not related to Stuxnet.
What are the threats and where are they found?
The Duqu executables and dynamic link libraries (DLLs) have so far been found in a limited number of organizations, including manufacturers of industrial control systems. Design documents, certificates and other sensitive data stolen from these organizations may be used later to mount an attack on them or on a third party that uses their equipment.
Exhibit: Duqu threat areas
How the Duqu operators work
- The Duqu operators have repeatedly attempted to pull stolen information from the infected systems on Wednesdays.
- The attackers have also taken care to avoid detection. They used a separate command-and-control server for each unique set of files, crafted a unique Word document for each victim, and sent the malicious documents from anonymous e-mail accounts.
- The authors also left a joke in the exploit: the malicious font embedded in the dropper document is named "Dexter Regular" with "Showtime Inc." as its vendor, a reference to the TV show Dexter.
No damage has been reported from Duqu so far, but the potential damage is considerable. Although the malware is known to the security teams of many countries and companies, there is no fool-proof defence against it: the code-execution path runs through a kernel font parser that any document can reach. Microsoft's initial response was a workaround that denies access to the font-embedding library t2embed.dll, and the vulnerability was later fixed in security bulletin MS11-087 (December 2011). Until a system is patched, the practical measures are to apply that workaround, to treat unsolicited Word attachments as hostile, and to watch for the ~DQ files on hosts and for small JPEG downloads with data appended on the network.