Duqu

Security experts are warning of a new malware threat that it says could be a precursor to the next Stuxnet. 

The new threat, dubbed W32.Duqu, is a remote access Trojan (RAT) that appears to have been written by the authors of Stuxnet, or at least by someone who has access to Stuxnet source code, Symantec said in a report released today.

It was confirmed that Duqu is a threat nearly identical to Stuxnet, but with a completely different purpose. Duqu’s purpose is to steal data from manufactures of industrial control systems that can then be used to craft attacks against entities using such systems.

Analysis shows that the Trojan is “highly targeted” at a limited number of organizations. Though Duqu uses a lot of the same code as Stuxnet, its payload is completely different.

While Stuxnet is designed to sabotage industrial control systems, Duqu is simply a Trojan with remote access capabilities that appears to have been created specifically to gather information about industrial control systems.

News of the new Trojan is sure to reinforce concerns about targeted cyberattacks against the industrial control systems used in critical infrastructures, such as power plants, water treatment facilities and chemical plants.

The Stuxnet worm , which some security researchers call the most sophisticated malware program ever written, has already affected industrial control systems in many countries.

The worm is noteworthy as the first piece of malware known to have morphed into physical destruction of a resource,

Attackers have used Duqu to install keystroke loggers and network enumerators for stealing information that can be used in future attacks. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control system.

Duqu has already been used to carry out attacks against a handful of companies that manufacture industrial control systems.

In at least one case, the attackers were unsuccessful in their attempts to steal such data. But information is not yet available on all cases where Duqu has been used to launch an attack.

Attacks using Duqu and its variants may have been going on since last December 2010 based on a review of file-compilation times. Duqu cannot replicate or propagate on its own, Haley said. It is configured to run for 36 days after which it removes itself from the infected machine.

Note that Duqu’s propagation techniques are still unknown, there is nothing in Duqu that says it comes from USB, or look for a network share and take me there.
It just sits there and works as a remote access tool.

The new malware is named Duqu because it creates files with filenames having the prefix “DQ”.

The Trojan consists of three files — a driver file, a dynamic link library and a configuration file. The files need to be installed by a separate executable which has not yet been recovered.

Besides the link between Duqu and Stuxnet, there is no other information on who might be behind the Trojan.

Duqu uses HTTP and HTTPS to communicate with a command & control server hosted in somewhere in India.

Attackers have been using the C&C server to download key loggers, network enumerators and other information stealing programs. The stolen information is stored on a “lightly encrypted’ file and then uploaded back to the server.

reference : Symantec

Don’t you know that computer viruses can….

  • make your computer behave abnormally?
  • make your computer run slower?
  • rename your files?
  • or in worst cases, delete your files?
  • fight for its survival?
  • steal your files?
  • steal confidential information?
  • slowdown the network?
  • disconnect your computer from the network?
  • make your hard disk full?
  • destroy your RAM?
  • or in worst cases, destroy your computer’s CMOS?
  • evade detection?
  • cause your anti-virus software to stop? 
  • disable your computer’s dos prompt?
  • disable your computer’s registry editor?
  • attach itself to all files? even pictures, movies and music?
  • be acquired from a website?   
  • be transferred from a USB flash disk?
  • be transferred within the network?
  • be transferred via e-mail?
  • lie there inside your computer for years? and is triggered to run in a specific date and time?
  • not just be removed by a simple scan and clean?
  • now be found in mobile phones?
  • destroy programs? which makes it easier to replicate during program execution?
  • delete everything in your hard disk?   
  • crash your computer?
  • bring down your network?
  • make your computer useless?
  • even exist in servers?
  • even exist in androids, symbians, macOS and Linux?
  • destroy your privacy?
  • destroy your schedules?
  • drive you crazy?     
  • make you sick too?
  • ruin your life?

Our prognosis? Do not use your computer. Or if you cannot avoid it, see to it that your anti-virus program is updated regularly. Observe vigilance. Be proactive.

And yes, BACKUP AS OFTEN AS YOU CAN.