
Saturday, March 10, 2012

Analysis of the Duqu Trojan worm by Kaspersky Labs

I happened to come across the discovery and research of the Duqu Trojan worm, which apparently is the successor of the notorious Stuxnet worm. There are a lot of articles to read, and I am feeling a little sleepy now, so I may not finish all of them and stay awake to write a summary of my understanding. So instead of bookmarking all those tabs, I am documenting them here with a little metadata to identify what each link talks about.

(Note: Yesterday night I did doze off in the course of writing this post. :P)

  1. The FAQ link - http://www.securelist.com/en/blog/208193178/Duqu_FAQ

    A standard FAQ page, a good starting point if you are totally new to Duqu or Stuxnet. Also answers some noob questions. Btw, it mentions that one of the Command & Control center servers was hosted in India!

  2. The mystery of Duqu - Part one - http://www.securelist.com/en/blog/208193182/The_Mystery_of_Duqu_Part_One

    This one provides the bird's eye view of the worm - its components, the files involved and how they play together, and a comparison with Stuxnet (with a missile analogy). It also gives a chronological view of the discovery and detection of this worm. More importantly, it talks about the various device drivers - signed and unsigned - which were used as a disguise.

  3. The Mystery of Duqu: Part Two - http://www.securelist.com/en/blog/208193197/The_Mystery_of_Duqu_Part_Two

    This one talks about the first real-world infections that these guys detected using their cloud-based Kaspersky Security Network. These were in Sudan and Iran, but there is no direct link to Iran's nuclear program yet. One thing does come out - the worm was totally different on each infection: a different driver name and a different checksum, and in one case a different size too. So the mystery actually continues.

  4. The Mystery of Duqu: Part Three - http://www.securelist.com/en/blog/208193206/The_Mystery_of_Duqu_Part_Three

    A short entry which corrects a mistake made in the previous post about a network attack. What's more interesting is that this reveals the starting point of the infection - a.k.a. the dropper. Turns out that it was a 0-day exploit in Microsoft Word, related to the file win32k.sys (CVE-2011-3402). So the infected Word file was sent to specific people via email. Also, each infected file is different, which means the file was crafted individually for each target.

  5. The Duqu Saga Continues: Enter Mr. B. Jason and TV’s Dexter - http://www.securelist.com/en/blog/208193243/The_Duqu_Saga_Continues_Enter_Mr_B_Jason_and_TVs_Dexter

    This one gets a little technical and walks us through the modus operandi, taking one of the infections mentioned in the previous post. It reveals a bunch of things and confirms most of the assumptions made previously, viz. a very targeted attack, dynamic modules with little to no trace on the target machine, different C&C servers for different targets, etc. It also tells us how the worm authors got creative and created a font named Regular Dexter and named the creator of the font as Showtime Inc.

    What is more interesting is the way the comments get even more creative. One comment talks about a new interpretation of a hex string found in the trojan code - 0xAE790409. Earlier it was thought to be related to the death of Habib Elghanian (http://en.wikipedia.org/wiki/Habib_Elghanian), like in the Stuxnet case. But the new interpretation is that AE means "Atomic Energy" and (19)79-05-09 is the date on which the USA and USSR signed the SALT II treaty limiting nuclear weapons. This is wrong because SALT II was signed on June 18th, 1979 - http://en.wikipedia.org/wiki/Strategic_Arms_Limitation_Talks#SALT_II

    Another comment interprets the sender email bjasonxxxx@xxx.com as "Bourne Jason", the ultimate spy/operative from the famous Bourne novel/movie series.

  6. The Mystery of Duqu: Part Five - http://www.securelist.com/en/blog/606/The_Mystery_of_Duqu_Part_Five

    This one dives deep into the structure and layout of the DLL and PNF files of the trojan, the registry entry, the config files, the processes it affects, etc. It gets very technical, and requires knowledge of binary file formats and the DLL loading mechanism to understand it fully. The loader part is fully dissected here; however, the payload is still not known. They say it is some C++ code with heavy use of STL and probably a custom framework.

  7. The Mystery of Duqu: Part Six (The Command and Control servers) - http://www.securelist.com/en/blog/625/The_Mystery_of_Duqu_Part_Six_The_Command_and_Control_servers

    This one analyzes the command and control servers used by the Duqu trojan. This is the first post where the details of the India C&C server were mentioned. It belonged to a web hosting company named Webwerks - http://www.web-werks.com/ and http://www.webwerks.in/. The Kaspersky guys say this was the most interesting of all the C&C servers - probably because it was the first one and also the longest serving. Unfortunately they were not able to analyze it, as it was wiped just hours before the hosting company agreed to make an image of the server. Nevertheless they analyzed two servers - one in Vietnam and another in Germany - and dug up a boatload of information. The final stand is that either OpenSSH 4.3 has a 0-day vulnerability or the server admins had a very weak password and the attackers cracked it by brute force.

  8. The Mystery of the Duqu Framework - http://www.securelist.com/en/blog/667/The_Mystery_of_the_Duqu_Framework

    This post details the code structure of the payload and tries to decipher the programming language and the framework used. Although many parts appear as standard C++ with heavy use of STL, a significant portion of the main payload code appears not to have any link to the standard C runtime and does not appear to be compiled with the Microsoft Visual C++ compiler. The code uses the Win32 native API directly, bypassing the runtime. This means the trojan authors used a very obscure programming language and compiler or came up with their own. The comments talk about various possibilities, but few actually make sense. One commenter is very sure it is one of the big US software companies and pinpoints IBM as the prime suspect, along with his own myriad set of proofs.

The bottom line is that the sponsors of the Duqu worm have deep pockets, are very organized and have very specific targets. Also, different parts were probably developed by different teams, with no team knowing the full picture. This very likely means it is state sponsored. My guess is that that information will never come out.
