W32.Duqu: 15 Unanswered questions by Symantec
Today Symantec announced that they obtained a new type of Stuxnet virus. The new virus is called Duqu. This remote access Trojan (RAT) does not contain any code related to industrial control systems. Symantec released a PDF file containing some unanswered questions. I have posted these questions here. Maybe we can get a view on this new virus.
Some additional resources:
Duqu is essentially the precursor to a future Stuxnet-like attack. The threat was written by the same authors, or those that have access to the Stuxnet source code, and appears to have been created after the last Stuxnet file we recovered. Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility. Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat has been highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants. The attackers used Duqu to install another infostealer that can record keystrokes and collect other system information. The attackers were searching for information assets that could be used in a future attack. In one case, the attackers did not appear to successfully exfiltrate any sensitive data, but details are not available on all cases. Two variants were recovered and, in reviewing our archive of submissions, the first recording of one of the binaries was on September 1, 2011. However, based on file-compilation times, attacks using these variants may have been conducted as early as December 2010.
- Is there any exploit, especially 0‐day in Duqu?
- How does Duqu infect computers?
- What are the differences in the RPC functions of Duqu and Stuxnet? And between jminet and cmi4432?
- How is the netp191.pnf 0x9200 .zdata section compressed, and what is its goal? Is it a copy of the DLL 302 resource itself?
- What is the reason for having the two separate types: jminet and cmi4432?
- What is the exact communication protocol for the covert channel? Where is TLS?
- What’s inside? When does it generate self‐signed cert?
- How does it check remote cert?
- Is there anything more interesting in the keylogger, any novel method, trick?
- Exactly how is the keylogger controlled? What is saved at starting time, what is saved periodically, and how is the keylogger controlled?
- How exactly do the keylogger commands work: quit, v, restart, in, out, etc.?
- Where is the initial delay of the kernel driver specified?
- Where is the expiry of the worm specified?
- Exactly what is the goal of the strings of Config‐3 of the code, and how does it relate to the removal of the malware after its expiry? How does it identify its own files in the drivers and inf directories?