Duqu

Duqu is a collection of spyware and backdoor Trojan components that give remote attackers access to both the infected PC and the rest of its network, including associated hardware such as routers, firewalls, etc. There exist two versions of Duqu with substantial differences in their internal structures that appear due to the threat actors' team desiring avoidance of detection during their infiltrations. This extremely high-level threat may be state-sponsored, and users should isolate compromised hardware immediately and remove all Duqu components with appropriate, updated anti-malware solutions.

All the Fuss that Hackers Go to for Hiding Their Crimes

Duqu is a collection of spyware-related threats with historical connections to campaigns as different as those of the industry-sabotaging Stuxnet (from which it borrows some of its code), as well as the Equation Malware, the Flowershop Malware framework, and the Flame worm. Although it's a high-level threat in apparent state-based spying operations, examining some of its techniques and features provides readers with an ample glimpse at some of the security hazards that threatening software can put into play. Malware experts can only confirm two versions of Duqu, although it's likely that its future use will involve similar updates and shifts in its methodology.

Duqu may compromise Windows systems via disguised e-mail or similar tactics. However, surety of its infection method is difficult to come by due to Duqu's traditional deletion of files on the first PC that it infects, sometimes up to the point of wiping the contents of entire drives. This function doesn't damage the rest of Duqu's payload, which involves using zero-day software exploits for spreading laterally throughout networks, intercepting their traffic, and granting threat actors a privileged position for spying on the users.

The Duqu 2.0 build contains rebuilt elements that involve hijacking certificates, memory injection, and other tricks for hiding itself, even from previous Duqu detection metrics significantly. It also, unlike most backdoor Trojans, doesn't contact its C&C (Command and Control) servers directly. As a stealthier alternative, it compromises networking devices such as firewalls and gateways and reroutes all of the target network's traffic through the C&C. The lack of contact between a compromised PC and Duqu's control server could work around some security solutions, such as packet sniffers, while Duqu's threat actors freely monitor the situation and collect data at their leisure.

Duqu's Big Pivot from One Industry to Another

Duqu's starting fame, like that of Stuxnet, is for its targeting of networks that have relationships with sensitive industrial control systems. The second version of the threat is even more noteworthy for attacking cyber-security company Kaspersky in what is a likely attempt at gathering data for avoiding detection during future operations. Ironically, these attacks gave Kaspersky sample-collecting opportunities for re-evaluating the new version of Duqu and implementing appropriate protection measures.

Even though it shares many features and internal strings with the highly-damaging Stuxnet worm, malware experts stress that Duqu doesn't cause intentional hardware damage, besides the wiping of data on compromised computers that covers its infection techniques. The threat remains covert and hopes to avoid detection while giving its threat actors access to all of the network's data. Users should assume that passwords and similar, confidential information are in the attacker's hands and use anti-malware services for remedying the immediate situation by removing Duqu before re-securing the network and all hardware appropriately.

Duqu uses hijacked certificates, a custom programming language, and a C&C strategy that goes to great lengths for keeping itself out of sight. With so few cues for a user's eyes to pick up on, the value of 'hands-off' protection from high-level threats only skyrockets.