W32.Duqu: 15 Unanswered questions by Symantec

Today Symantec announced that they obtained a new type of Stuxnet virus. The new virus is called Duqu. This remote acces Trojan (RAT) does not contain any code related to industrail control systems. Symantec released the PDF file containing some unanswered questions. I have posted these questions here. Maybe we can get a view on this new virus.

Some additional resources:

By Symantec:

Duqu is essentially the precursor to a future Stuxnet-like attack. The

threat was written by the same authors, or those that have access to the

Stuxnet source code, and appears to have been created after the last Stuxnet file we recovered. Duqu’s purpose is to gather intelligence data and

assets from entities such as industrial control system manufacturers in

order to more easily conduct a future attack against another third party.

The attackers are looking for information such as design documents that

could help them mount a future attack on an industrial control facility.

Duqu does not contain any code related to industrial control systems

and is primarily a remote access Trojan (RAT). The threat does not selfreplicate. Our telemetry shows the threat has been highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.

The attackers used Duqu to install another infostealer that can record keystrokes and collect other system information. The attackers were searching for information assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available on all cases. Two variants were recovered and, in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file-compilation times, attacks using these variants may

have been conducted as early as December 2010.

Symantecs goal was to make an initial analysis that raises attention to this case of targeted

malware. As we are in academia, we have limited resources to analyze malware behavior.

That means we leave several questions for further investigation. We collected some of these

questions to inspire others:

Is there any exploit, especially 0‐day in Duqu?
How does Duqu infect computers?
What are the differences in the RPC functions of Duqu and Stuxnet. And between jminet and cmi4432?
How is the netp191.pnf 0x9200 .zdata section compressed, and what is it’s goal? Is it a copy of the DLL 302 resource itself?
What is the reason for having the two separate types: jminet and cmi4432?
What is the exact communication protocol for the covert channel? Where is TLS?
What’s inside? When does it generate self‐signed cert?
How does it check remote cert?
Is there anything more interesting in the keylogger, any novel method, trick?
Exactly how is the keylogger controlled? What is saved at starting time, what is saved
periodically and how to control the keylogger?
How exactly the keylogger commands work: quit,v,restart,in,out, etc.
Where is the initial delay of the kernel driver specified?
Where is the expiry of the worm specified?
Exactly what is the goal of the strings of the Config‐3 of the code, how does it relate
to the removal of the malware after it’s expiry? How does it identify it’s own files in drivers and inf directories