Duqu, very sophisticated

Computerworld - The hacker group behind Duqu may have been working on its attack code for more than four years, new analysis of the Trojan revealed Friday.
Moscow-based Kaspersky Lab published some findings today from a recent rooting through Duqu samples provided by researchers in the Sudan, saying that one driver included with the attack payload was compiled in August 2007, extending the timeline of the gang's work.
Schouwenberg added that the August 2007 driver was most likely created specifically for Duqu by the group responsible for the attacks, and was not an off-the-shelf file built by others, because the driver has not been spotted elsewhere.
Other researchers have found files amongst those used by Duqu that carry build dates of February 2008, but actual attacks have been tracked back only to April 2011.
That was also the month in which, according to Kaspersky, the Sudan-provided samples indicated attacks took place against an unnamed target in that country; Kaspersky reported two separate attempts -- one on April 17, the second on April 21 -- to plant malware on Windows PCs.
The first attack failed because the email message carrying a malicious Word document was blocked by a spam filter; the second was successful.
Microsoft has confirmed that the Duqu campaign exploits a vulnerability in a Windows kernel-mode driver -- specifically "W32k.sys," and its TrueType font parsing engine -- to gain rights on the compromised PC sufficient to install the malware.
Although Microsoft has yet to patch the bug, it has urged customers to disable the font parser to protect themselves.
Kaspersky's other notable discovery was that each of the dozen Duqu attacks it knows of used a custom-created set of files compiled immediately before the malware was aimed at a target.
Although Kaspersky's newest analysis differs in some ways from that conducted by other security firms -- notably Symantec, which was the first to disclose Duqu's existence -- neither Schouwenberg nor a Symantec director saw a conflict. Duqu has been characterized by Symantec and others as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that last year sabotaged Iran's nuclear program. While some have disputed that, Kaspersky is firmly in the Stuxnet-connection camp.
There are certainly differences -- Stuxnet was an attack tool, while Duqu seems designed to be part of an intelligence-gathering operation -- but Schouwenberg said there were even more similarities. One such similarity: a line between Stuxnet's and Duqu's infection processes that, he said, showed the authors of the former learned important lessons that they then applied to the latter.
More information about Duqu (download PDF) can be found on the website of U.S.-CERT, the cyber-defense agency that's part of the Department of Homeland Security, and in an updated report from Symantec (download PDF).

Related Links:
Microsoft issues temporary 'fix-it' for Duqu zero-day