The Duqu worm, which is widely believed to be a close cousin to the Stuxnet worm, could still be active after a new version was found in the wild.
According to Symantec security officials, the new coding indicates the attackers behind the Trojan horse program are still at work.
That discovery comes just as researchers from Kaspersky Lab and elsewhere said they’d finally identified mysterious code in Duqu that Kaspersky had discovered only weeks earlier. The Duqu worm reportedly had been in relative dormancy for the past five months or so, but now appears to be active once again.
According to researchers, Duqu appears to be closely related to Stuxnet, a Trojan apparently designed specifically to attack Iran’s nuclear facilities and equipment. Many believe that either the United States, Israel, or both were behind the Stuxnet worm, hoping to slow or cripple Iran’s controversial nuclear ambitions.
The Trojan has been found in a number of countries, including Iran, Sudan, France, Switzerland and India. Thanks to researchers at both Symantec and Kaspersky, the command and control servers were discovered and shut down in October 2011.
Researchers on March 19 announced that they had finally cracked Duqu’s mystery code. Kaspersky Lab researchers earlier this month asked for help in identifying particular unknown code that controlled the Trojan’s command and control function. Kaspersky got responses from researchers around the world, and a week later, Kaspersky Lab said the mystery had been solved.
In a blog post on the Kaspersky-run Threat Post site, blogger Paul Roberts wrote that the “language identifying the mystery language as ‘C’ source code compiled with Microsoft Visual Studio 2008 and special options for optimizing code size and inline expansion. The code was also written with a customized extension for combining object-oriented programming with C, generally referred to as ‘OO C.’”
A day later, Symantec researchers announced that they had discovered a variant of the Duqu worm after receiving a small component of the overall attack code. In a blog post 20 March, the researchers said they had received a file that turned out to be the loader file that loads the rest of the Duqu malware when the computer restarts. The rest of the threat is stored encrypted on disk, the Symantec researchers said.
The researchers said the compile date on the Duqu component is 23 February, signifying that the new version of the Trojan has not been out very long. In addition, they said, the creators had changed some of the coding in Duqu to help it get around some security product detections. A key change to the code was in the encryption algorithm the creators used to encrypt the other components that are on the disk, Symantec said.
Other changes include the fact that while the old driver file was signed with a stolen certificate, the new version wasn’t.
“Also the version information is different in this new version compared to the previous version we have seen,” the researchers wrote. “In this case, the Duqu file is pretending to be a Microsoft Class driver.”
The evidence shows that Duqu isn’t going away, they said.
“Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active,” the Symantec researchers said. “Without the other components of the attack, it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.”
How well do you know Internet security? Try our quiz and find out!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…