Duqu mystery deepens as Iran admits infection

Published 18 November 2011

Iran recently revealed that the Duqu virus, a possible precursor to a Stuxnet-like attack, has been discovered in its computer network; “We are in the initial phase of fighting the Duqu virus,” said Gholamreza Jalali, the head of Iran’s civil defense program

“We are in the initial phase of fighting the Duqu virus,” said Gholamreza Jalali, the head of Iran’s civil defense program. “The final report which says which organizations the virus has spread to and what its impacts are has not been completed yet.” Iran’s semi-official Fars News Agency reported that Iran has developed anti-virus software to combat the virus and according to Jalali, “all the organizations and centers that could be susceptible to being contaminated are being controlled.” 

News of Duqu was first released in October by the cybersecurity company Symantec. The virus contains code similar to Stuxnet, the computer worm that reportedly crippled Iran’s nuclear program by attacking industrial control systems used to operate its centrifuges.

Symantec says that while Stuxnet was designed to cause direct damage to Iran’s nuclear program, Duqu is different in that it gathers data that could be used for a future attack. In a report issued last month, the company stated, “Duqu is essentially the precursor to a future Stuxnet-like attack. Instead of being designed to sabotage an industrial control system, the new virus is designed to gain remote access capabilities.”

The virus accomplishes its goal by exploiting a “zero-day vulnerability,” or a previously undiscovered security loophole, in Microsoft Word. It utilizes a separate piece of malware known as a “dropper” to infect computers through a font embedded in a Word document.

Stuxnet utilized four such vulnerabilities, an unprecedented feat which led experts to speculate that the worm was created by hackers with government backing. It is widely believed that Israel’s Mossad as well as the United States military was responsible for the cyberattack.

Further analysis into Duqu reveals that its creators have a sense of humor. According to the Moscow-based Kaspersky Lab, the e-mail which infected an unnamed company with Duqu in April was sent by a Mr. B. Jason, an apparent reference to the Jason Bourne spy novels by Robert Ludlum.

Additionally, one of the strings in the virus’s code reads “Copyright 2003 Showtime Inc. All rights reserved. Dexter Regular version 1.00. Dexter is a registered trademark of Showtime Inc.” Dexter Regular is the name of the font used to exploit targeted systems. Dexter is a television series about a CSI doctor who is also a serial killer.
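The copyright string quoted above is the kind of static artifact a defender can hunt for in documents and embedded fonts. The following Python scanner is an added example written for this article, not code from Symantec, Kaspersky or any Duqu analysis: it searches a file for that exact string, tries ASCII and both UTF-16 byte orders (an assumption, since embedded strings can be stored in any of them), and, because .docx files are ZIP containers, reports which archive member (for example an embedded font) carried the match. The sample document it builds is constructed for the demonstration and is not a real Duqu artifact.

```python
import io
import zipfile

# The copyright string quoted in the article (the only indicator the page supplies).
DEXTER_COPYRIGHT = (
    "Copyright 2003 Showtime Inc. All rights reserved. "
    "Dexter Regular version 1.00. Dexter is a registered trademark of Showtime Inc."
)


def encoded_variants(text):
    """Byte patterns to search for. Assumption: the string may be stored as
    plain ASCII or as UTF-16 in either byte order, so all three are tried."""
    return {
        "ascii": text.encode("ascii"),
        "utf-16le": text.encode("utf-16-le"),
        "utf-16be": text.encode("utf-16-be"),
    }


def scan_bytes(data, text=DEXTER_COPYRIGHT):
    """Find every occurrence of the string in a flat byte buffer.
    Returns a list of (encoding, offset) tuples sorted by offset."""
    hits = []
    for enc, needle in encoded_variants(text).items():
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx == -1:
                break
            hits.append((enc, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def scan_document(data, text=DEXTER_COPYRIGHT):
    """Scan one file. OOXML documents (.docx) are ZIP containers, so each
    member is scanned on its own and reported by its archive path; any other
    file is scanned as a single buffer and reported under the name "<raw>"."""
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                results = []
                for name in zf.namelist():
                    for enc, off in scan_bytes(zf.read(name), text):
                        results.append((name, enc, off))
                return results
        except zipfile.BadZipFile:
            pass  # not a usable ZIP after all; fall back to a flat scan
    return [("<raw>", enc, off) for enc, off in scan_bytes(data, text)]


def build_sample_docx():
    """Constructed sample: a minimal ZIP laid out like a .docx whose embedded
    font member carries the string in UTF-16BE after 16 bytes of padding.
    This is test data for the scanner, not a real malicious document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(
            "word/fonts/font1.odttf",
            b"\x00" * 16 + DEXTER_COPYRIGHT.encode("utf-16-be") + b"\x01",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for name, enc, off in scan_document(build_sample_docx()):
        print(f"{name}: Dexter Regular copyright string found as {enc} at offset {off}")
```

A match on this one string only catches the artifact the article describes; in practice the same walk over archive members is where a defender would also flag any embedded font at all in an inbound document, since a font inside a .docx is unusual enough to deserve a closer look.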

Iran has claimed that Duqu is the third piece of malware to strike the country. In April, Iranian officials said they had detected a virus, dubbed “Stars,” in its networks.

Kaspersky believes that Stars might actually be a product of Duqu. Just prior to the Iranian announcement, an unnamed company was contaminated with Duqu through an infected e-mail.

Alexander Gostev, the head of the Global Research and Analysis team at Kaspersky, wrote that “most probably, the Iranians found a keylogger module that had been loaded onto a system.” He added: “It’s possible that the Iranian specialists found just the keylogger, while the main Duqu module and the dropper (including the documents that contained the then-unknown vulnerability) may have gone undetected.”

Symantec believes that attacks using Duqu may have begun as early as December 2010.

Subsequent research into the virus by Kaspersky found drivers in the Duqu code compiled as far back as 2007.

“If this information is correct, then the authors of Duqu must have been working on this project for over four years!” said Gostev.