Duqu 2.0: New, menacing programming concept

Published 2 July 2015


In 2011, the security world was rocked by the announcement of a newly discovered virus named Stuxnet. This malware, unlike previous viruses, was targeted at one particular victim. That target was Iran’s nuclear program.

Stuxnet’s capability was to infect supervisory control and data acquisition (SCADA) systems and intercept communication between a controller and remote equipment and send false information. For example, Stuxnet might intercept a message from the controller to a centrifuge refining nuclear raw material, telling it to speed up to a point where the centrifuge is seriously damaged. The controller, however, would then receive a Stuxnet-generated message from the centrifuge that the machine was performing within normal parameters, when it was actually spinning out of control.

Following on the heels of Stuxnet was a variant named Duqu. Duqu code is so closely related to Stuxnet code that some analysts consider them to have been written by the same authors, a joint effort by the United States and Israel.

Duqu is different from Stuxnet, however, in that it was designed to gather information for future attacks, rather than perform the attack itself.

Both of these worms were written to infect only one kind of target: nuclear programs. Speculation is that only one program was targeted, that being Iran’s nuclear program. Since the Iranian network was a closed system isolated from the Internet, the only way the worms could have reached that network was to be introduced manually. Once one computer was infected, the worm spread through the entire network.

According to Dan Goodin writing in Ars Technica, Moscow-based Kaspersky Labs researchers returning from a security conference in Cancun, Mexico this past February discovered that the company’s network had been infiltrated by a derivative of Duqu, now known as Duqu 2.0.

Duqu 2.0 was introduced into Kaspersky Labs’ network via an infected computer in the company’s network. It appears that the sole purpose of Duqu 2.0 is to spy on the network it has infiltrated. There is evidence that the malware was used to gather information on the U.S. talks with Iran over the Iranian nuclear program.

The developers of Duqu 2.0 had planted several false flags in the software to lead investigators to conclude that the worm had been developed in China. The challenges that the malware presents are manifold.

The malware is difficult to track, or even to detect, because of the way it functions. It operates in system memory, making it difficult for normal antimalware software to detect.

It never makes a connection to its command and control servers to get instructions. Instead, it infects network gateways and firewalls by injecting malicious drivers, which then proxy internal network traffic to its command and control servers. This again makes it difficult to detect.
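A detection heuristic for the relay behaviour just described, written as an added example that is not from the article or from Kaspersky’s analysis: it scans flow records for an internal host that receives a flow from an internal client and, within a short window, forwards a similarly sized flow to one external address, which is the signature an infected gateway proxying traffic to a command and control server would leave in network telemetry. The flow records, the 10.0.0.0/8 internal range, the gateway and external addresses, and the timing and size thresholds are all constructed assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address range; an analyst would substitute their own.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records: (timestamp_s, src, dst, dst_port, bytes).
# 10.0.0.1 plays the gateway; 203.0.113.5 is a placeholder external host
# standing in for a command and control server. Not real telemetry.
FLOWS = [
    (0.0, "10.0.0.12", "10.0.0.1", 4433, 1200),
    (0.4, "10.0.0.1", "203.0.113.5", 443, 1190),   # relayed, size ~ matches
    (1.0, "10.0.0.15", "10.0.0.1", 4433, 800),
    (1.3, "10.0.0.1", "203.0.113.5", 443, 810),    # relayed, size ~ matches
    (2.0, "10.0.0.12", "10.0.0.1", 4433, 300),
    (2.2, "10.0.0.1", "203.0.113.5", 443, 290),    # relayed, size ~ matches
    (3.0, "10.0.0.20", "10.0.0.1", 80, 500),
    (3.1, "10.0.0.1", "198.51.100.7", 80, 20000),  # ordinary web fetch, no size match
    (4.5, "10.0.0.15", "10.0.0.30", 445, 600),     # ordinary internal traffic
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_relays(flows, window=2.0, tolerance=0.1, min_clients=2):
    """Return {(relay_host, external_dst): client_count} for internal hosts
    that, within `window` seconds of receiving a flow from an internal client,
    send a flow of similar size (within `tolerance`) to the same external
    address, for at least `min_clients` distinct clients."""
    flows = sorted(flows)                  # order by timestamp
    clients = defaultdict(set)
    for i, (t_in, src, dst, _port, b_in) in enumerate(flows):
        if not (is_internal(src) and is_internal(dst)):
            continue                       # only internal -> internal legs start a relay
        for t_out, s2, d2, _p2, b_out in flows[i + 1:]:
            if t_out - t_in > window:
                break                      # flows are sorted, nothing later can match
            if s2 == dst and not is_internal(d2) and abs(b_out - b_in) <= tolerance * b_in:
                clients[(dst, d2)].add(src)
                break
    return {k: len(v) for k, v in clients.items() if len(v) >= min_clients}


if __name__ == "__main__":
    for (relay, external), n in find_relays(FLOWS).items():
        print(f"possible relay: {relay} forwarding {n} internal clients to {external}")
```

On the constructed data only the gateway-to-203.0.113.5 path is flagged; the ordinary web fetch is excluded because its size does not track the inbound flow.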

Since this worm is able to move laterally, and runs only in system memory, a given computer can be easily re-infected from elsewhere in the home network, without using any mechanisms that would provide persistence. This adds to the difficulty of detecting its presence.

Duqu 2.0 relies heavily on “zero-day” vulnerabilities, software weaknesses that have not yet been discovered and patched by the software’s developer.

When a “zero-day” defect is discovered, the worm uses the defect to drop itself into the kernel, where it runs as part of the operating system itself and is very difficult to detect.

Duqu 2.0 represents programming concepts never used before that make it extremely dangerous.