Abingdon, UK, 24 October 2011 – The spread across the Internet of several versions of the malicious program Duqu has become a major news item in the IT security industry. In no small part, this is due to similarities between this new worm and last year’s infamous Stuxnet worm. What is alarming in this case, however, is that the ultimate objective of Duqu remains unknown. Anti-malware experts at Kaspersky Lab have analysed the new malware, and their main findings are as follows.
The Duqu worm was first detected in early September 2011, after a user in Hungary uploaded one of the components of the malicious software to the VirusTotal website, which analyses infected files with anti-virus programs from different manufacturers (including Kaspersky Lab’s). However, this first-detected sample of Duqu turned out to be just one of several components that make up the whole worm. A little later, the Kaspersky Lab anti-malware experts received a sample of another module of the worm in the same way, via VirusTotal, and it was the analysis of this second sample that revealed the resemblance to Stuxnet.
Though there are some overall similarities between Duqu and Stuxnet, there are also significant differences. Shortly after several variants of Duqu had been found, the Kaspersky Lab experts started to track, in real time, infection attempts by the worm among users of the cloud-based Kaspersky Security Network. Surprisingly, during the first 24 hours only one system had been infected by the worm. Stuxnet, on the other hand, infected tens of thousands of systems all around the world; it is assumed, however, that it had a single ultimate target: industrial control systems used in Iran’s nuclear programs. The ultimate target of Duqu is as yet unclear.
The single infection found among users of the Kaspersky Security Network involves only one of the several modules that presumably make up the Duqu worm. Instances of infection by the second module, which is, in essence, a separate malicious program – a Trojan-Spy – have not yet been found. It is this module of Duqu that carries the malicious functionality: it gathers information about the infected machine and also tracks keystrokes made on its keyboard.
Alexander Gostev, Chief Security Expert with Kaspersky Lab, said: “We’ve not found any instances of infections of computers of our clients with the Trojan-Spy module of Duqu. This means that Duqu may be aimed at a small quantity of specific targets, and different modules may be used to target each of them.”
One of the unsolved mysteries of Duqu is its initial method of penetration into a system: the installer or “dropper” needed for this has not yet been found. The hunt for this module of Duqu continues, and it is this module that will help us find the ultimate target of this malicious program.
All versions of the Duqu worm revealed so far are detected by Kaspersky Lab anti-virus products. More information about this malware can be found in the articles by Alexander Gostev and Ryan Naraine at Securelist.
Kaspersky Lab Newsroom
Kaspersky Lab has launched a new online newsroom, Kaspersky Lab Newsroom Europe (http://newsroom.kaspersky.eu/en), for journalists throughout Europe. The newsroom is specifically designed to serve many of the media’s most common requests, making it easier for journalists to find product and corporate information, facts and figures, editorial copy, images, videos and audio files, as well as details about the appropriate PR contacts.
About Kaspersky Lab
Kaspersky Lab is the largest antivirus company in Europe. It delivers some of the world’s most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. The company is ranked among the world’s top four vendors of security solutions for endpoint users. Kaspersky Lab products provide superior detection rates and one of the industry’s fastest outbreak response times for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is also used worldwide inside the products and services of the industry’s leading IT security solution providers. Learn more at www.kaspersky.co.uk. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit http://www.securelist.com.