
Duqu 2.0 Makes Other Malware Look Clunky

By Richard Adhikari
Jun 12, 2015 10:33 AM PT

Duqu 2.0 may have just snatched the title of "most sophisticated malware ever," according to Kaspersky Lab, which published a report on the new threat this week.


Kaspersky discovered Duqu 2.0 after the malware penetrated its own internal networks.

"The philosophy and way of thinking of the Duqu 2.0 group is a generation ahead of anything seen in the APT world," said Kurt Baumgartner, principal security researcher at Kaspersky.

"Its level of sophistication surpasses even the Equation Group -- supposedly the 'crème de la crème' in this sphere," he told TechNewsWorld.

The Equation Group, a secretive computer espionage gang widely suspected of having ties to the United States National Security Agency, has infected the computer systems of at least 500 carefully selected targets in 42 countries, Kaspersky reported earlier this year.

Son of Duqu

Israel reportedly used Duqu 2.0 to spy on the U.S.-Iran nuclear talks.

Duqu 2.0 is an updated version of the Duqu malware that was discovered in 2011, and it is believed to have been created by the same actors who launched the infamous Stuxnet worm.

Israel and the United States are believed to have been behind Stuxnet.

"Attribution of cyberattacks over the Internet is a difficult thing," Baumgartner said.

The creators of Duqu 2.0 "use multiple proxies and jumping points to mask their connections, [which] makes tracking an extremely complex problem," he explained.

"However, we are absolutely sure that Duqu 2.0 is an updated version of the infamous 2011 Duqu malware, which is associated with an APT group that went dark in 2012."

Why Duqu 2.0 Is Dangerous

Duqu 2.0 exists only in system memory, making detection by antimalware software difficult, Baumgartner said.

Unlike other malware, it does not connect directly to command-and-control servers to receive instructions. Instead, it infects network gateways and firewalls by installing malicious drivers that proxy all traffic from internal networks to its C&C servers, he noted.

That makes discovery even more difficult.

The hackers "are confident enough to create and run an entire cyberespionage operation just in system memory, and can survive within an entire network of compromised computers without relying on any persistence mechanism at all," Baumgartner remarked. "That approach is much more sophisticated and demonstrates a different mentality."

Further, the creators of Duqu 2.0 use unique encryption algorithms, filenames and methods for each attack to avoid detection, he pointed out, which also makes the operation difficult to track even after one of the attacks has been detected.

How Duqu 2.0 Attacks

The malware relies heavily on zero-days, which "could mean that the attackers were pretty confident that should one vulnerability be patched, they'd implement another," Baumgartner said.

After the attackers infect one machine, they move laterally into the network and use various strategies to infect other computers, mainly by preparing Microsoft Windows Installer Packages and deploying them remotely to the other targets.

The advent of the Internet of Things is likely to increase Duqu 2.0's impact.

"With its ability to move laterally through exploited networks, Duqu 2.0 will potentially make navigating through IoT devices and networks very dangerous for all connected devices, as detection will be difficult until after the damage is done," said Secure Channels CEO Richard Blech.

"The IoT space, as it is currently positioned, is a sitting duck for this malware," he told TechNewsWorld.

Who Has Been Hit

Kaspersky discovered the malware after one of its staff in a remote office was hit.

There are other victims in the West, the Middle East and Asia, Baumgartner said.

"There is no doubt that this attack has a much wider geographical reach and many more targets," he continued, "but judging from what we know, Duqu 2.0 has been used to attack a complex range of targets at the highest levels with similarly varied geopolitical interests."

More Trouble Ahead

One major weakness of antivirus and definition-based security products is that "they all seem to lack the ability to detect lateral movement, as stated by Kaspersky," said Stealthbits CIO Brett Fernicola.

"It's imperative that security professionals keep a close watch on authentication traffic and monitor for suspicious lateral behavior," he told TechNewsWorld. "It's this lack of security practices that can allow an attacker to go unnoticed, often for years."
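The two detection ideas raised on this page, remote silent MSI deployment (the lateral-movement technique described under "How Duqu 2.0 Attacks") and watching authentication traffic for lateral movement (Fernicola's advice above), can both be expressed as simple heuristics over centralized Windows logs. The following is an added example written for this page; it is not code from the article, from Kaspersky's report, or from any vendor. The event records are constructed, the field names are loosely modeled on Sysmon Event ID 1 and Security Event ID 4624, and the thresholds and parent-process list are assumptions, not values taken from the Duqu 2.0 analysis.

```python
"""Added example: two lateral-movement heuristics over constructed log records.

Illustrative code written for this page, not the article's or Kaspersky's own
detection logic.  Records are constructed; field names (loosely modeled on
Sysmon Event ID 1 and Security Event ID 4624), thresholds and the parent-process
list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Flags that make msiexec run without UI; remote deployments need one of these.
QUIET_FLAGS = {"/q", "/qn", "/qb", "/quiet", "/passive"}
# Parents that mean "started by a service or scheduled task", not by a user.
# (The Windows Installer service itself runs as "msiexec.exe /V" under
# services.exe; it carries no /i, so it is not matched.)
SERVICE_PARENTS = {"services.exe", "taskeng.exe", "svchost.exe"}


def _tokens(cmdline):
    """Split a Windows command line, keeping quoted paths as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_msiexec(event):
    """Reasons a process-creation record looks like a remote, silent MSI
    deployment; empty list if it does not."""
    if _basename(event["image"]) != "msiexec.exe":
        return []
    toks = _tokens(event["cmdline"])
    lowered = [t.lower() for t in toks]
    if "/i" not in lowered or not (QUIET_FLAGS & set(lowered)):
        return []  # interactive or non-install use of msiexec
    i = lowered.index("/i")
    package = toks[i + 1] if i + 1 < len(toks) else ""
    reasons = []
    if package.startswith("\\\\"):
        reasons.append("package pulled from UNC path " + package)
    if _basename(event["parent"]) in SERVICE_PARENTS:
        reasons.append("launched from service/task context " + event["parent"])
    return reasons


def logon_fanout(events, max_hosts=3, window=timedelta(minutes=10)):
    """Accounts with network logons (type 3) to more than max_hosts distinct
    targets inside any `window`; returns {account: sorted target hosts}."""
    by_acct = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            ts = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            by_acct[e["account"].lower()].append((ts, e["target_host"]))
    hits = {}
    for acct, items in by_acct.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                hits[acct] = sorted(hosts)
                break
    return hits


# Constructed Sysmon-style process-creation records.
PROCESS_EVENTS = [
    {"host": "WS-ALICE", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": 'msiexec.exe /i "C:\\Users\\alice\\Downloads\\7zip.msi"'},
    {"host": "FS01", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": 'msiexec.exe /i "C:\\Windows\\Temp\\upd.msi" /q'},
    {"host": "HR-PC", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": 'msiexec /I "\\\\FS01\\C$\\Windows\\Temp\\pkg.msi" /qn'},
    {"host": "WS-BOB", "parent": "C:\\Windows\\CCM\\CcmExec.exe",
     "image": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": 'msiexec.exe /i "C:\\Windows\\ccmcache\\1\\app.msi" /qn'},
]

# Constructed Security 4624 records; logon_type 3 = network, 2 = interactive.
def _logon(ts, acct, host, ltype=3):
    return {"ts": ts, "event_id": 4624, "logon_type": ltype,
            "account": acct, "target_host": host}

LOGON_EVENTS = [
    _logon("2015-06-09 02:10:05", "CORP\\svc-backup", "FS01"),
    _logon("2015-06-09 02:11:10", "CORP\\svc-backup", "HR-PC"),
    _logon("2015-06-09 02:12:00", "CORP\\svc-backup", "WS-BOB"),
    _logon("2015-06-09 02:13:30", "CORP\\svc-backup", "DC01"),
    _logon("2015-06-09 02:14:00", "CORP\\svc-backup", "MAIL01"),
    _logon("2015-06-09 09:00:00", "CORP\\bob", "FS01"),
    _logon("2015-06-09 09:01:00", "CORP\\bob", "PRINT01"),
    _logon("2015-06-09 09:05:00", "CORP\\alice", "WS-ALICE", ltype=2),
]


def run_detections(proc_events=PROCESS_EVENTS, logon_events=LOGON_EVENTS):
    msi_hits = {}
    for e in proc_events:
        reasons = suspicious_msiexec(e)
        if reasons:
            msi_hits[e["host"]] = reasons
    return {"msiexec": msi_hits, "fanout": logon_fanout(logon_events)}


if __name__ == "__main__":
    for rule, hits in run_detections().items():
        print(rule, hits)
```

On the constructed input the first rule flags the silent install started under services.exe on FS01 and the install pulled from an admin share on HR-PC, while the user-driven install and the local software-deployment client are left alone; the second rule flags the one account that touched five hosts over the network in four minutes. Both rules will also fire on legitimate software deployment and backup accounts, so in practice they need an allowlist of known deployment tools and service accounts, and the fan-out threshold has to be tuned to the environment.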

Richard Adhikari has written about high-tech for leading industry publications since the 1990s and wonders where it's all leading to. Will implanted RFID chips in humans be the Mark of the Beast? Will nanotech solve our coming food crisis? Does Sturgeon's Law still hold true? You can connect with Richard on Google+.
