Duqu, the malware that has been compared to 2010's notorious
Stuxnet, is back, security researchers said today. After a several-month
sabbatical, the Duqu makers recompiled one of the Trojan's components in late
February, said Liam O Murchu, manager of operations at Symantec's security
response team. The system driver, which is installed by the malware's dropper
agent, is responsible for decrypting the rest of the already-downloaded
package, then loading those pieces into the PC's memory. Symantec has captured
a single sample of the driver, which was compiled Feb. 23, 2012. Before that,
the last time the Duqu gang updated the driver was Oct. 17, 2011. Duqu has been
characterized by Symantec -- the first to extensively analyze the Trojan last
year -- and others as a possible precursor to the next Stuxnet, the
ultra-sophisticated worm that sabotaged Iran's nuclear fuel enrichment program
by crippling critical gas centrifuges. O Murchu said that the functionality of
the new driver was "more or less the same" as earlier versions,
including the one spotted last October and another from late 2010 that later
surfaced. "The functionality hasn't changed," said O Murchu. While O
Murchu was hesitant to speculate on why the hackers had returned to action or
why they took a five-month break, security researchers at Moscow-based
Kaspersky Lab were not as reluctant.
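The article dates the two known driver builds by their compile timestamps (Feb. 23, 2012 and Oct. 17, 2011). That value is the TimeDateStamp field in a PE file's COFF header, and reading it is a routine triage step when a new sample of a known family appears. The following is an added example, not code from Symantec, CrySys or the article: it parses the timestamp from a PE image and flags samples built after a known last build. The PE bytes are constructed in-memory stand-ins with only a DOS stub and a COFF header, not Duqu samples; the timestamps are derived from the dates the article gives.

```python
import struct
from datetime import datetime, timezone

# COFF file header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
# PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
COFF_FMT = "<HHIIIHH"
PE_SIG = b"PE\0\0"


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stand-in: a 64-byte DOS header whose e_lfanew points at a
    PE signature followed by a 20-byte COFF header carrying `timestamp`.
    It is not a loadable image, just enough structure to exercise the parser."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> offset 0x40
    coff = struct.pack(COFF_FMT, 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIG + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.
    Raises ValueError on anything that is not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + struct.calcsize(COFF_FMT) > len(data):
        raise ValueError("e_lfanew points past end of file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    # TimeDateStamp sits 8 bytes after the signature (after Machine and NumberOfSections).
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def newer_than_known(samples: dict, last_known: datetime) -> list:
    """Triage helper: names of samples whose compile time postdates `last_known`,
    sorted oldest first. Malformed samples are reported separately so they are
    not silently dropped. The timestamp is attacker-controlled and can be
    forged, so this is a prioritisation hint, not evidence by itself."""
    newer, malformed = [], []
    for name, blob in samples.items():
        try:
            built = pe_compile_time(blob)
        except ValueError:
            malformed.append(name)
            continue
        if built > last_known:
            newer.append((built, name))
    return [name for _, name in sorted(newer)], malformed


# Constructed sample set: epoch seconds for 2011-10-17 and 2012-02-23 (00:00 UTC),
# plus one truncated blob to show the malformed path.
SAMPLES = {
    "driver_oct2011.sys": build_minimal_pe(1318809600),
    "driver_feb2012.sys": build_minimal_pe(1329955200),
    "truncated.bin": b"MZ" + b"\0" * 10,
}
LAST_KNOWN_BUILD = datetime(2011, 10, 17, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        try:
            print(name, pe_compile_time(blob).isoformat())
        except ValueError as err:
            print(name, "unparseable:", err)
    print(newer_than_known(SAMPLES, LAST_KNOWN_BUILD))
```

Because the field is a plain 32-bit value written by the linker, a recompilation for a new target shows up as a fresh timestamp even when, as O Murchu notes, the functionality is unchanged; that is exactly the signal the article's Oct. 17 and Feb. 23 dates come from. Treat it as one data point alongside the rest of the sample, since nothing stops an author from setting it to any value.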
Alexander Gostev, who leads Kaspersky's global research and
analysis team, said Tuesday that the Duqu driver was probably modified to slip
past security software and Duqu-sniffing programs like the open-source Duqu
Detection Toolkit. The detection tool was created by the Laboratory of
Cryptography and System Security (CrySys) at the Budapest University of
Technology and Economics last November. CrySys was credited with finding Duqu.
CrySys updated its Duqu toolkit two weeks ago after Symantec passed along its
sample of the malware's new system driver. According to Gostev, the Duqu system
driver sample was found in Iran, where the majority of publicly-known attacks
have taken place. Duqu's Iran focus has been one reason experts have suspected
it is a successor to Stuxnet. By Kaspersky's count, there have been 21 known
Duqu infections, with 52% of them traced to Iranian victims. The low number of
infections is one of the biggest hurdles security researchers face when they
try to piece together the Duqu puzzle. "It's hard to tell whether they
really did take several months off, and if so, why," said O Murchu of
Symantec in an interview today. "It's installed on a very small number of
computers, and that low, low distribution number means that they could have
released more attacks between November and February, but everyone missed that.
Or it could mean that they have been quiet."
By nature, targeted attacks, those aimed at specific
organizations or in some cases individuals, are much more difficult to spot,
and, once seen, to analyze, O Murchu agreed. "[Duqu] has taken targeting
to an extreme," O Murchu said, referring to the extremely low numbers of
known infections. Until Symantec or another security firm uncovers more than
the new system driver component, it will be difficult to come to any
conclusions about the Duqu group's recent actions, said O Murchu. "What we
do know is that these guys are still working," he said. "And because
they created such targeted attacks, it probably means they've recompiled [the
system driver] for a new victim. And that means they may have come up with new
techniques [since November], and maybe even have a new zero-day."
Last year, Duqu exploited a then-unpatched vulnerability in Windows' kernel-mode drivers using malformed Word attachments. Microsoft patched the bug in its December 2011 monthly security update.
Source: Computer World