The old new Stuxnet...DuQu?
Last Updated: 2011-10-19 01:36:37 UTC
by Pedro Bueno (Version: 1)
Yes, the tittle probably makes no sense at first, but keep reading...:)
Today was a pretty good day if you like malware and RE...
Symantec, McAfee and F-Secure, to name a few security vendors, released information about what they are calling "DuQu"...yes, I agree that it is a terrible name, but it is because this malware creates some files on the user's temp folder, that starts with ~DQXXX.tmp (where the XXX can be any number)...
There are several common aspects between DuQu and Stuxnet that leads to the conclusion that they were written by the same group.
While the original Stuxnet was focused on Industrial systems, aka SCADA, this DuQu malware is mostly used on a recon process, and being used as an advanced RAT (Remote Administration Tool). Forget about Gh0st RAT or BlackShades RAT, just to name two "famous" ones...those are totally amateurs when compared to DuQu.
DuQu received commands via an encrypted config file, and seems to download a password stealer that is able to record several behaviors from user and machine and send to a Command and Control IP in India.
Like some of the components of the original Stuxnet, this one was also able to decrypt and extract additional components embedded into other PE files...fantastic!
Oh, and like Stuxnet, some components had a VALID digital signature...:)
And before I forget, according Symantec report, new samples with compilation time of October 17th were discovered and are still being checked...
Agree that it is a good day for Reverse Engineers?
Pedro Bueno (pbueno /%%/ isc. sans. org)