Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

New Duqu Sample Found in the Wild

Created: 20 Mar 2012 23:04:42 GMT • Updated: 23 Jan 2014 18:16:36 GMT • Translations available: 日本語
Symantec Security Response's picture
+1 1 Vote
Login to vote

We recently received a file that looked very familiar. A quick investigation showed it to be a new version of W32.Duqu. The file we received is only one component of the Duqu threat however—it is the loader file used to load the rest of the threat when the computer restarts (the rest of the threat is stored encrypted on disk). The component we received has been highlighted below (Driver file .sys) in an image taken from our Duqu whitepaper:

As you can see, the component we received is only one small part of the overall attack code and we continue to monitor for related components and new versions.

The compile date on the new Duqu component is February 23, 2012, so this new version has not been in the wild for very long. Checking the code we can see the authors have changed just enough of the threat to evade some security product detections, although this appears to have only been partially successful.

One of the more significant changes to the code is the encryption algorithm they use to encrypt the other components on disk. The difference in the algorithm is shown below:

Another difference is the old driver file was signed with a stolen certificate—and this one is not. Also the version information is different in this new version compared to the previous version we have seen. In this case, the Duqu file is pretending to be a Microsoft Class driver:


 

In previous versions we saw fake version information used from other well-known companies.

This is the first version of Duqu that we have found in 2012. Previously, we saw unique versions of Duqu released on the following dates:

2010-11-03
2010-11-03
2011-10-17

We also saw evidence that older versions had been used.

Although we do not have all of the information regarding this infection, the emergence of this new file does show that the attackers are still active. Without the other components of the attack it is impossible to say whether any new developments have been added to the code since we last saw a release from the group in November 2011.

We will update this blog with more information when it becomes available.