NEWS FROM THE LAB - Wednesday, November 2, 2011

Duqu Attack's Installer Discovered Posted by Sean @ 12:57 GMT

Hungarian security firm CrySyS Lab has located the installer for Duqu, which is now well known for its connection to the infamous Stuxnet. The installer arrived via e-mail as a document which then launches an exploit against a zero-day Windows kernel vulnerability. Very heavy stuff…

Symantec was given the installer for analysis, and they've updated their whitepaper.

There's quite a bit of additional detail:

[Figure: Duqu comparisons]

Some advice before reading the whitepaper: while Symantec's technical analysis is excellent, you should disregard the speculation as to the attackers' motivations. The first version of Symantec's whitepaper claimed that Duqu was identical to the Stuxnet "worm" but also totally different (they have different payloads).

The new text is more clear — but some of the original speculation remains.

Better to think of it like this: the "Duqu attacks" use a component that is identical to one used by the "Stuxnet attack". But that does not mean that the attacks are the same. Actually, the attacks are not all that similar. And the "Stuxnet worm" is not the same thing as the "Duqu backdoor".

In fact, you could say that the Duqu attacks are kind of extraordinary ordinary targeted attacks. Which is to say, the targeted attack methodology is very common (an e-mail with attachment), but the tools used by the attack are very advanced (one bad-ass exploit in the attachment…).

Q: So, what were the motives behind the Duqu attacks?
A: You'll have to ask the attackers themselves. Only they know for sure.