Security researchers have discovered a new variant of the Duqu cyberespionage malware that was designed to evade detection by antivirus products and other security tools. Researchers from Symantec announced the discovery of a new Duqu driver, the component responsible for loading the malware's encrypted body, on Monday via Twitter. The driver is called mcd9x86.sys and was compiled on Feb. 23, said Vikram Thakur, principal security response manager at Symantec. Originally discovered in October 2011, Duqu is related to the Stuxnet industrial sabotage worm, with which it shares portions of code. However, unlike Stuxnet, which was created for destructive purposes, Duqu's primary goal is stealing sensitive information from particular organizations around the world. The discovery of the new driver is a clear indication that the Duqu authors are continuing their mission, Thakur said.

"No amount of public awareness about Duqu has deterred them from using it to accomplish their objective."

"I think when you invest as much money as was invested into Duqu and Stuxnet to create this flexible framework, it's impossible to simply throw it away and start from zero," said Costin Raiu, director of Kaspersky Lab's global research and analysis team. "We always said that future variants of Duqu and Stuxnet will most likely be based on the same platform, but with enough changes to make them undetectable by security software. Indeed, this is the case here."

The source code of the new driver has been reshuffled and compiled with a different set of options than those used in previous versions. It also contains a different subroutine for decrypting the configuration block and loading the malware's body. "We have seen this technique in October 2011, when the Duqu drivers were recompiled and bundled with new encryption subroutines, following the public disclosure," Raiu said.

The new Duqu driver variant most likely uses a new C&C (command and control) server, since all previously known ones were shut down on Oct. 20, 2011, Raiu said. However, neither Symantec nor Kaspersky researchers know the exact address of the new server, because they don't have the component that contains that information. "We do not have the full Duqu body, only the loader in the form of the driver. The loader does not contact the C&C directly, it only loads the main body which is stored in encrypted form," Raiu said.

Even if the new server were known, it would probably be configured in a manner that wouldn't allow anyone to get too close to the real attackers, Thakur said. The Duqu authors are confident that the malware will remain non-attributable, he said. The organizations targeted by the new version are also unknown at the moment, but they're probably the same ones as in previous variants, Raiu said.
Source: Info World